  • Status: Solved

Unable to access Exchange from Remote Outlook Client

Hi, just today one of our Outlook clients is experiencing issues trying to connect to Exchange.

When opening Outlook he is getting the following:

Security Alert Box

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

There is a cross by the following:

The name on the security certificate is invalid or does not match the name of the site. Do you wish to proceed?

If I click yes nothing happens.

This issue has only just occurred; everything has been fine.

John
0
Asked by: pepps11976
 
cpmcomputers Commented:
What operating system is on the server?
Do you use a self cert or a third-party one?
0
 
pepps11976 Author Commented:
It's an SBS 2003 Server.

What is the easiest way to check if it's a self cert etc.?

I did not set this up.
0
 
Simon Butler (Sembee) Consultant Commented:
SBS 2003 doesn't use web services to connect the client, so the error is coming from somewhere else.
I presume this is Outlook 2007 or higher? If so it is probably Autodiscover, which is an Exchange 2007 or higher feature. However Outlook 2007 and higher doesn't know that you aren't using Exchange 2007 so will attempt to do Autodiscover.

Autodiscover attempts to connect to https://example.com/Autodiscover/Autodiscover.xml and then https://autodiscover.example.com/Autodiscover/Autodiscover.xml (where example.com is your domain name after the @ in the email address).

When you get the SSL error, you can choose to look at the SSL certificate. That should give you an indication of where the prompt is coming from. It could be a router or it could be your web host.

Check whether Autodiscover.example.com resolves. If it does, then you need to remove the wildcard from the DNS entry.
If it does not, then check whether the first URL I posted works. If it does, then check where example.com resolves to. If it is the web host, speak to the web host about turning off the Autodiscover feature that comes with their control panel.

Simon.
0
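Added example (not part of the thread or any participant's post): a Python sketch of the Autodiscover checks described in the comment above. The function names, the finding labels and the shortcut of treating "the URL works" as "something accepts TCP 443" are assumptions made for illustration; the DNS data in the demo is constructed.

```python
import socket

def candidate_urls(email):
    """Autodiscover URLs in the order the comment above gives for Outlook 2007+."""
    domain = email.rsplit("@", 1)[1].lower()
    return domain, [
        f"https://{domain}/Autodiscover/Autodiscover.xml",
        f"https://autodiscover.{domain}/Autodiscover/Autodiscover.xml",
    ]

def system_resolve(host):
    """Addresses the local resolver returns for host; empty list if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def listens_on_443(host, timeout=5):
    """Assumption: 'the URL works' is approximated by something accepting TCP 443."""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False

def triage(email, mail_server_ips, resolve=system_resolve, listens=listens_on_443):
    """Return (finding, detail), following the order of checks in the comment above."""
    domain, urls = candidate_urls(email)
    auto_host = "autodiscover." + domain
    auto_ips = resolve(auto_host)
    if auto_ips:
        return "autodiscover-resolves", f"{auto_host} -> {auto_ips}; check the zone for a wildcard record"
    root_ips = resolve(domain)
    if root_ips and listens(domain):
        if set(root_ips) & set(mail_server_ips):
            return "root-is-mail-server", f"{urls[0]} is answered by your own server"
        return "root-is-other-host", f"{urls[0]} is answered by {root_ips}, for example the web host"
    return "no-autodiscover-endpoint", "neither URL answers; view the certificate in the prompt"

if __name__ == "__main__":
    # Constructed DNS data (documentation addresses), so the demo runs offline.
    fake_dns = {"example.com": ["203.0.113.10"]}
    print(triage("user@example.com", ["198.51.100.5"],
                 resolve=lambda h: fake_dns.get(h, []), listens=lambda h: True))
```

Called without the `resolve` and `listens` arguments, `triage` uses the machine's own resolver and a real TCP connection, so run it from the affected external client to see what that client sees.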

 
pepps11976 Author Commented:
Also, if I view the certificate on the client machine when you open up Exchange, it looks like a completely different one; it has no reference to the company etc.
0
 
cpmcomputers Commented:
http://blog.feutl.com/2011/05/25/self-signed-ssl-certificat-with-windows-sbs-2003/

This should help.
Also you can view the certificate from the error message on the client.

For SBS, running a repair using the Internet connection wizard in server management might help.

Is this just one client or all of them?
0
 
pepps11976 Author Commented:
Hi Simon, this only just seems to have happened though. Why would it have been working then just stop?
0
 
Simon Butler (Sembee) Consultant Commented:
It would start happening because the source of the certificate has changed something, that now means you get the errors. As I wrote above, as you are using SBS 2003 this is NOT coming from the Exchange server, so the change was not something made by you, but by an outside party, most likely the web host.

Simon.
0
 
pepps11976 Author Commented:
Just realised that I cannot browse

https://domain.com/exchnage

I have checked the server and all services are running?
0
 
pepps11976 Author Commented:
And I cannot browse locally either: https://127.0.0.1/exchange
0
 
Simon Butler (Sembee) Consultant Commented:
That would be an unrelated issue, because Autodiscover goes elsewhere.
Is the internal WINDOWS domain domain.com? If not then I wouldn't expect you to be able to browse to domain.com/exchange.

Does the non-https URL work? It might be that someone has tried to fix it by removing the SSL certificate.

Simon.
0
 
pepps11976 Author Commented:
The domain is domain.local.

HTTP://127.0.0.1/exchnage is also not working.

I have restarted IIS and also Exchange Services.
0
 
cpmcomputers Commented:
Just to be sure, can you confirm the Exchange version on SBS and the client Outlook version, and that they are not using OWA or web browsing to email?

Check your cert and that it is valid.
0
 
cpmcomputers Commented:
Also check the time and date on your server?
0
 
Simon Butler (Sembee) Consultant Commented:
If the WINDOWS domain is domain.local, then domain.com almost certainly does NOT resolve to the SBS Server. It will probably resolve elsewhere.

You need to look through the event viewer to see if there is a problem with IIS.

Simon.
0
 
pepps11976 Author Commented:
Hi cpmcomputers

Time is fine. I'm going to forget client side for the minute, because if you cannot even browse from the actual machine, then this is going to be the cause, I assume.

Version 6.5 (Build 7226.6 Service Pack 1)
0
 
cpmcomputers Commented:
Check your certificate. If it is a self-cert the following may help:

The self-issued certificate that the CEICW creates is valid for five years. Therefore, if you plan to continue using a self-issued certificate, you should create a new certificate before the existing certificate expires. As a best practice, after you create a self-issued certificate, set a reminder in your calendar to notify you when the expiration date is near. Self-issued certificates for early installations of Windows SBS 2003 begin to expire in 2008. After you create a new certificate, you must distribute it to your network client computers and mobile devices.
 
You can use the Configure E-mail and Internet Connection Wizard (CEICW) that is included with Windows SBS 2003 to create a certificate that is signed by your server.
 
For more information about Creating, Obtaining, and Installing Trusted Certificates in a Windows SBS 2003 Network Environment:
 
http://technet.microsoft.com/en-us/library/cc949119(WS.10).aspx
0
 
pepps11976 Author Commented:
OK, I will give that a go.

I'll post back.
0
 
cpmcomputers Commented:
Something you might want to try to help diagnose your problem:

Go to https://testconnectivity.microsoft.com/

Run the manual ActiveSync test for your mail server with a valid user and domain, etc.

When the test completes, view the full results.

It should return the following if it is SBS 2003 with a valid self-cert.
Any error will at least show what cert your server is using and allow us to check whether the problem is server side or something to do with Autodiscover/DNS as Simon suggests.



Exchange ActiveSync was tested successfully.
  Additional Details
    Elapsed Time: 91021 ms.

  Test Steps
    Attempting to resolve the host name mail.cpmcomputers.com in DNS.
      The host name resolved successfully.
      Additional Details
        IP addresses returned: 11.11.11.11
        Elapsed Time: 2668 ms.

    Testing TCP port 443 on host mail.cpmcomputers.com to ensure it's listening and open.
      The port was opened successfully.
      Additional Details
        Elapsed Time: 740 ms.

    Testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.
      Additional Details
        Elapsed Time: 611 ms.

      Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.cpmcomputers.com on port 443.
          The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
          Additional Details
            Remote Certificate Subject: CN=mail.cpmcomputers.com, Issuer: CN=mail.cpmcomputers.com.
            Elapsed Time: 502 ms.

        Validating the certificate name.
          The certificate name was validated successfully.
          Additional Details
            Host name mail.cpmcomputers.com was found in the Certificate Subject Common name.
            Elapsed Time: 0 ms.

        Testing the certificate date to confirm the certificate is valid.
          Date validation passed. The certificate hasn't expired.
          Additional Details
            The certificate is valid. NotBefore = 4/20/2010 8:53:28 AM, NotAfter = 4/20/2015 8:53:28 AM
            Elapsed Time: 0 ms.

    Checking the IIS configuration for client certificate authentication.
      Client certificate authentication wasn't detected.
      Additional Details
        Accept/Require Client Certificates isn't configured.
        Elapsed Time: 736 ms.
0
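Added example (not part of the thread or any participant's post): the certificate name and date checks from the analyzer output above, plus an issuer-equals-subject check for a self-issued certificate, written in Python. The helper names are assumptions; the sample certificate is constructed from the subject, issuer and dates printed in that output, with UTC assumed for the times.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert(), using the
# subject, issuer and dates printed in the analyzer output above (UTC is assumed).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.cpmcomputers.com"),),),
    "issuer": ((("commonName", "mail.cpmcomputers.com"),),),
    "notBefore": "Apr 20 08:53:28 2010 GMT",
    "notAfter": "Apr 20 08:53:28 2015 GMT",
}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries if present, else the subject CN."""
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    return sans or cns

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_time(text):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def check_certificate(cert, host, now=None):
    """Repeat the analyzer's name and date checks and flag a self-issued certificate."""
    now = now or datetime.now(timezone.utc)
    host = host.lower().rstrip(".")
    return {
        "name_matches": any(name_matches(n, host) for n in cert_names(cert)),
        "in_validity_period": cert_time(cert["notBefore"]) <= now <= cert_time(cert["notAfter"]),
        "self_issued": cert["issuer"] == cert["subject"],
    }

if __name__ == "__main__":
    when = datetime(2014, 1, 1, tzinfo=timezone.utc)
    for host in ("mail.cpmcomputers.com", "autodiscover.cpmcomputers.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now=when))
```

The second host in the demo fails only the name check, which is the condition behind the "name on the security certificate is invalid or does not match the name of the site" prompt. On a live connection `getpeercert()` returns an empty dict when the certificate was not validated.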
 
pepps11976 Author Commented:
I have checked the server certificate and it says that the issuer seems to be itself, although I am unsure whether that determines if it is a third-party one or not.

It also says that it expires 03 August 2014.
0
 
pepps11976 Author Commented:
Also, even if the certificate had expired, you should still get some kind of login page?
0
 
pepps11976 Author Commented:
Would it be worth recreating directories as in this article?

http://support.microsoft.com/kb/883380
0
 
Simon Butler (Sembee) Consultant Commented:
You should be able to browse https://localhost - at most get an SSL prompt, then the default IIS screen. If you don't get that then recreating the virtual directories isn't going to get you anywhere.

Simon.
0
 
cpmcomputers Commented:
That's a real sledgehammer to crack a nut at the moment.

Did you run the testexchange connectivity test?
If so, can you post the results? (Alter the IP info before posting.)

How many users are on the system?
Is email in Outlook and/or Outlook Web Access working for them?
0
 
cpmcomputers Commented:
Agree with Simon here.

There is something basic here?

Check all sites are started in IIS.
0
 
pepps11976 Author Commented:
OK, I can confirm I cannot even browse http://localhost

I have checked sites and all are started.
0
 
cpmcomputers Commented:
If you cannot browse http://localhost or http://serveripaddress then this is a more fundamental problem than the certificate.

(Either should take you to the companyweb homepage.)

I would revisit each stage as follows:

Check you have sufficient hard drive space on the server drives and that there are no apparent errors/corruption.

Check the event logs for any significant errors.

Reboot the server.

Run the internet connection wizard from the server management console.
This will identify and hopefully fix any basic errors on the server.

SBS loves doing things with the wizards!!

Then check all services are up and running.
Check basic server connectivity and Outlook connectivity from a local client?

How many clients are on the system? Are they all affected?
0
 
pepps11976 Author Commented:
Internal clients are fine, it's just external clients.

I have rerun the Internet connection wizard with no luck.

I have checked services.

The server can access the internet etc.

The only thing I have not done is rebooted it.
0
 
cpmcomputers Commented:
Struggling :-)

Reboot might help.

Can you run the testexchangeconnectivity test?
0
 
pepps11976 Author Commented:
Yep, good old reboot did the trick. Thanks.
0
 
cpmcomputers Commented:
Think it was probably the internet connection wizard and reboot perhaps?

Glad you got it fixed either way.
0
