Solved

Outlook 2013 has certificate warning with SBS 2011 (Exchange 2010). Self-signed cert is used. Only domain members have the problem

Posted on 2014-09-12
Last Modified: 2014-10-08
Hi,

We have an SBS 2011 with Exchange 2010. As the domain we used remote.realdomainname.com via the wizard in the console. If I ping remote.realdomainname.com, it pings the IP of the local server. In DNS there is the right entry, I think. On top of that we entered the line "192.168.10.2 remote.realdomainname.com" in the hosts file.
We have some workstations which are members of the network domain and some workstations which are only in a workgroup.
Only the workstations which are domain members throw a warning at the start of Outlook. Outlook says that the certificate realdomainname.com is not valid.
Outlook tries to go out to the webserver and looks at its SSL certificate instead of looking directly over the LAN to the Exchange server.
I tried to use proxy settings in Outlook without any success.

Any ideas?

loosain
0
Question by:loosain
10 Comments
 
LVL 3

Assisted Solution

by:MIRSYS
MIRSYS earned 250 total points
ID: 40320068
Well, it's probably because you didn't create an A record for "autodiscover.yourrealdomain.com" in the internal DNS.
Also, don't use hosts file entries. If your DNS is functioning well you wouldn't need them.
However, I'm not clear on how you wouldn't get a certificate warning on all clients given you're not using a trusted cert.
0
 

Author Comment

by:loosain
ID: 40320175
The cert on the server is trusted. But the non-domain members talk directly with the server and trust its cert. The domain members go via the internet and use the SSL cert of the webserver. I don't know the reason. Therefore I added the hosts entries for testing. It's much faster and easier than testing by configuring the DNS server...
0
 
LVL 3

Expert Comment

by:MIRSYS
ID: 40320186
Like I said, it's probably because they are doing a lookup to autodiscover.
What does the certificate warning say exactly?
0

 

Author Comment

by:loosain
ID: 40320195
It says that the certificate is not valid because of a wrong domain name and because the validity period is over.
That's because it is the SSL certificate of the webserver, not of the local Exchange server. There is no SSL in use on the webserver, so there is an old provider cert there.
I don't get why the computers which are domain members look to the internet and the non-domain members look directly to the Exchange server.
If it were a DNS problem, it should have been fixed by adding remote.domain.com and autodiscover.domain.com to the hosts file.
0
 
LVL 3

Expert Comment

by:MIRSYS
ID: 40320236
What happens when you manually configure Outlook and enter the hostname of the server?
Or are you trying to use Outlook Anywhere?
0
 

Author Comment

by:loosain
ID: 40320242
Just tested - same warning when configuring it manually.
Normally Outlook finds out name, server etc. by itself if the computer is a domain member. Now I just tried to enter this data manually. It worked and Outlook connected, but there was again this certificate warning belonging to the certificate of the internet webserver.
0
 

Author Comment

by:loosain
ID: 40320243
It must have been something with Active Directory, because only domain members are trying to connect over the internet. The other computers can't connect to AD and then they just talk via LAN to the Exchange server (as I want them to).
0
 

Author Comment

by:loosain
ID: 40320296
Found out something new:
If I start "Email Autoconfiguration" in Outlook, it always shows the wrong URL for the internal and external URL:
yourrealdomain.com instead of remote.yourrealdomain.com

So I (just for testing) added the server IP with yourrealdomain.com in hosts...
No warning, no error! But now I can't surf to the website yourrealdomain.com, because it is placed on the webserver and not on the Exchange server...
What can I do to change the information about internal URLs provided to the clients via autoconfiguration?
0
 
LVL 25

Accepted Solution

by:
-MAS earned 250 total points
ID: 40324649
0
 

Author Closing Comment

by:loosain
ID: 40369723
The clue was to make a working SSL cert for the webserver. In DNS we let autodiscover.domain.tld point to the wrong IP. Then Outlook tries remote.domain.tld. This is hosted by the Exchange server and therefore there is the right cert there. Now everything works.
0
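
The two warnings reported in this thread (wrong domain name, validity period over) can be checked per host name before Outlook raises them. The following is an added example, not part of any post above: the certificate fields, dates and the `*.provider-hosting.example` name are constructed sample data, and the check covers names and dates only, not the trust chain.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
# Host names follow the thread's placeholders; SANs and dates are invented.
SAMPLE_CERTS = {
    "domain.tld": {  # public webserver still carrying the old provider cert
        "subjectAltName": (("DNS", "*.provider-hosting.example"),),
        "notBefore": "Jan  1 00:00:00 2012 GMT",
        "notAfter": "Jan  1 00:00:00 2013 GMT",
    },
    "remote.domain.tld": {  # Exchange server
        "subjectAltName": (("DNS", "remote.domain.tld"),),
        "notBefore": "Jan  1 00:00:00 2014 GMT",
        "notAfter": "Jan  1 00:00:00 2019 GMT",
    },
}

def name_matches(host, pattern):
    """Compare a host with a dNSName entry; '*' covers the left-most label only."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    return (p[0] == "*" or p[0] == h[0]) and h[1:] == p[1:]

def cert_problems(host, cert, now):
    """Return the reasons a client would warn about this cert for this host."""
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(host, s) for s in sans):
        problems.append("name mismatch")
    ts = now.timestamp()
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    return problems

def audit(certs, now):
    """Map each host name to its list of certificate problems (empty = ok)."""
    return {host: cert_problems(host, cert, now) for host, cert in certs.items()}

if __name__ == "__main__":
    when = datetime(2014, 9, 12, tzinfo=timezone.utc)  # date of the question
    for host, problems in audit(SAMPLE_CERTS, when).items():
        print(host, "->", ", ".join(problems) or "ok")
```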
