[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213
  • Last Modified:

Outlook Anywhere Exchange 2010

Hey guys,

We have SBS 2011 with Exchange 2010 installed. We have some new remote users who want to use Outlook Anywhere. When they try to connect, they get a error message saying an unencrypted connection is not available. Previous users from last year are still connected and working fine. What could cause this?
0
Cobra25
Asked:
Cobra25
  • 13
  • 6
  • 5
  • +1
2 Solutions
 
akalyan911Commented:
Hi Cobra25,

Please find the below answer from Microsoft .. for the same issue.. just go through this .. hope you will get the solution.

This issue occurs for one of the following reasons:
The wrong email address was entered on the Auto Account Setup page of the Add New Account Wizard in Outlook.
The required updates for Outlook to automatically connect to Exchange Online aren't installed for the version of Outlook that you're running.
The Autodiscover CNAME record for your domain doesn’t exist or isn’t set up correctly.
In organizations that use Active Directory synchronization, the mail, mailNickname, displayName, and proxyAddresses attributes are not set up correctly for the synced user in the on-premises Active Directory.

Link: http://support.microsoft.com/kb/2404385/en-us
0
 
Cliff GaliherCommented:
Microsoft has an nine website that can teat outlook anywhere. It is great for finding the detailed reason for error messages and failures.

https://testconnectivity.microsoft.com/
0
 
Cobra25Author Commented:
Cliff, thanks for the tip. here's the errors:

Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.

&

Certificate trust is being validated.
       Certificate trust validation failed.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=remote.companyx.com.
       A certificate chain couldn't be constructed for the certificate.
       
      Additional Details
       Host name remote.companyx.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 40 ms.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
Cliff GaliherCommented:
Are you using a self-issued (sometimes called a self-signed) certificate? If so, you should use the certificate deployment package that SBS creates. It needs to be run on each client that wants access.

Personally, I prefer and recommend just purchasing a certificate from a trusted third party. It doesn't require deploying a special package, and is easier to troubleshoot. They are so inexpensive, it'd have already paid for itself in man-hours troubleshooting.
0
 
Cobra25Author Commented:
Cliff, I am it appears. Ive attached the Certificate section from the Exchange console.

SSL
0
 
Cliff GaliherCommented:
Well then there you go. The clients that are working already had the package installed.

Like I said, you can give this package to the users who have issues so they can install it (documented here): http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Or you can buy a third-party cert from companies that sell them and install it using the SBS certificate wizard (NOT any exchange wizards or documentation!!! SBS is different!)

The blog is for SBS 2008, but applies to 2011 as well.
0
 
Cobra25Author Commented:
Cliff,

I bought a SSL cert from GoDaddy. How do i go about installing? I dont want to break anything with Exchange. Thanks!
0
 
Cliff GaliherCommented:
Run the certificate wizard from the SBS dashboard.
0
 
Cobra25Author Commented:
Cliff - any risk that it could break anything? We are dependent on email.

If so, i dont mind using the default cert and add to each machine.
0
 
Cliff GaliherCommented:
As long as the server was set up with the wizards, the risk is minimal. But any server change does carry a small risk, always. Make a backup.
0
 
Simon Butler (Sembee)ConsultantCommented:
If you have bought a certificate from GoDaddy, then as long as you use the same name as you have on your unsigned certificate (remote.example.com by default) then it will not cause any issues.

Did you buy a single name certificate, or a UC/SAN type certificate? If a single name certificate, then you can do the request through the SBS management console, and then the installation as well.
If UC type, then you need to do the request and installation through Exchange, but enable the certificate through SBS.

http://semb.ee/sbs2011ssl

Do note, that you will also need to cover Autodiscover for those external clients to work correctly externally. On a single name SSL certificate that usually means an SRV record.

Simon.
0
 
Cobra25Author Commented:
Simon, i have the single name certificate. I am going the through the wizard now and will keep the name the same.

I will create a SRV record as well for autodiscover. Will report back how it goes. Thanks!
0
 
Cobra25Author Commented:
Simon:

When i go to the Add a Trusted Certificate option in the SBS 2011 Console, it asks me:
"My certificate provider needs more to time to process the request"
"I have a certificate from my certificate provider"
"i want to cancel my request"

im assuming there was an SSL Cert on here before and it expired?
0
 
Cobra25Author Commented:
Any thoughts guys?
0
 
Simon Butler (Sembee)ConsultantCommented:
That sounds like someone created a certificate request in the past and hasn't completed it.
Therefore you need to choose the option to cancel the request, then you should be able to either create a new request or choose an existing certificate.

Also - don't bump questions. No one on this site is paid to answer your questions and not everyone is in the USA. Your last post was gone midnight in my time zone and today is a public holiday. Therefore you will often have to wait for a response. If you cannot wait, call Microsoft or engage a consultant.

Simon.
0
 
Cobra25Author Commented:
Thanks simon, will report back shortly.
0
 
Cobra25Author Commented:
Simon, we lost access to our domain (its a long story). Anyways, im ready to get this going now, so for godaddy am i fine with a single name or is the UC one necessary?
0
 
Simon Butler (Sembee)ConsultantCommented:
Personally I would deploy a UC certificate, then you can include Autodiscover.example.com as an additional name on the certificate. Otherwise you need to cover external Autodiscover in another method, which isn't always possible.

Simon.
0
 
Cobra25Author Commented:
Simon, i purchased the UCC cert from godaddy. It is approved.

Now on the godaddy site, to download the certificate its asking for my server type,

Do i want to choose Exchange 2010 or IIS7?
0
 
Cobra25Author Commented:
Also, do i need to install the intermediaries? Im using the wizard inside SBS manager and its just asking for the file location.
0
 
Simon Butler (Sembee)ConsultantCommented:
You need to install the intermediate certificates manually using the SSL MMC applet. Once you have done that then you can install the certificate through the SBS console.

IIS 7/Exchange 2010 is fine. Doesn't matter which as they are both the same.

Simon.
0
 
Cobra25Author Commented:
Simon, thanks for getting back to me.

I just went ahead and installed the cert without the intermediate. It accepted the cert and i no longer have any of the warnings.

I tested using https://testconnectivity.microsoft.com/ and now the tests pass. I just need to add the autodiscover dns record and hopefully i should be set.
0
 
Simon Butler (Sembee)ConsultantCommented:
Why didn't you install the intermediate certificate? Windows can be more forgiving over the chain of trust, but the intermediate is required, that is why it is provided. It takes all of 30 seconds to install but can save you a lot of pain.

Simon.
0
 
Cobra25Author Commented:
Is it too late to install now?
0
 
Simon Butler (Sembee)ConsultantCommented:
You can install it at any time that you like. It has no effect on the certificate that you have already installed.

Simon.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 13
  • 6
  • 5
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now