reindeerauto (asker)
Re-keyed Exchange 2010 SSL cert now getting Security Alert on PC's

I had to re-key my cert for my exchange server and once completed all pc's are getting a security alert pop-up about the certificate. I have attached the pop-up.
error.png
Vincent Bastianon

Hi,

Don't think it is a "proper" problem, as you had to reissue the cert key.
Simply install the certificate (View Certificate....Add...).

You just have to do this once for each client, and then everything should be ok!

V.
Reinstall the rekey'ed certificate and make sure the intermediate certificate is on there. Also make sure the Root CA exists :)
becraig
This looks like a self-signed certificate; is this a correct assumption?

If so you have to ensure the root is trusted by all your clients.
You can do this via GPO for domain machines, or simply have the clients view and install the chain manually as Vincent indicated.
reindeerauto (asker)
I verified the "proper" name was correct, I verified the intermediate is there and not sure how to check the Root CA.
There is one in there that is self signed (I did not put it there) and then we have the Re-keyed one that is signed by Godaddy.
The alert you are getting indicates the certificate is not trusted.

The fact it is a .local certificate tells me this one is most probably not a go-daddy certificate.

You will need to distribute the root and CA (if applicable) to the Trusted root and intermediate store of the client computer.

Alternatively you can simply use split dns and have your .local mapped to your .com and bind the .com certificate.

You will then simply have to map your internal Exchange URLs (ecp/autodiscover) to match your external ones, and this should go away.
Run the following and post it here:

Get-ExchangeCertificate | FL

Post it in a text file please.
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                     .com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 11/3/2014 11:33:22 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04610F15142534
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated
Thumbprint         : 4594D9A2A4646BB42AC473C4CCFF27C0998E631A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988
You did run IISRESET /NOFORCE afterwards right? Are you sure the intermediate certificate is installed on the local computer in the correct location?
I just did the IISRESET /NOFORCE, and the service did not restart
Ok I reran the IIS command and it stopped and started correctly.
Adam,

The local cert is in the Intermediate Certification Authorities
ASKER CERTIFIED SOLUTION
Adam Farage
I think I pretty much started on that path 7 posts ago lol.

I guess like me you needed to look at the actual error a second time :~)
lol @becraig it's been a while since I have been on, and I looked at the error today on the ferry into work :) Next time I think I should just pop open my laptop lol.
I already have a A record in there for "mail" that points to the exchange server IP plus "mail.reindeerauto.com"
SOLUTION
I had to re-key my SSL cert for Exchange due to going from SHA-1 to SHA-2; once completed I noticed that it was no good this morning. I re-keyed it again and now am having all these problems. This is not a new cert, so not sure why it is not working correctly.
Could the issue be that there is a "self-signed" certificate on the Exchange server along with my signed cert from GoDaddy? Will deleting the "self-signed" cert solve the problem that I am having?
Also, when I go to OWA it is showing a red X saying "Mismatched address", but if I view the cert it is showing the GoDaddy cert.
The issue is just your internal URI not matching the certificate. You need to update them to match, since .local domains are no longer secured by major certificate providers (proof of ownership and such).

Run the commands below and share the output (obscure personally identifiable information)
get-AutodiscoverVirtualDirectory  | fl
get-ClientAccessServer  | fl
get-webservicesvirtualdirectory  | fl
get-oabvirtualdirectory  | fl
get-owavirtualdirectory  | fl
get-ecpvirtualdirectory  | fl
get-ActiveSyncVirtualDirectory | fl

This should help to pinpoint the changes needed.

Simon's link is also super helpful as this has been handled on here a lot of times.
While viewing the details of the cert, I noticed that "basic constraints and Key Usage" both have a yellow triangle with an exclamation point.
I wouldn't be concerned about that, since your screen shot you posted in the original question speaks for it. Your autodiscover SCP object is going to a .local which is not a valid TLD. I would recommend following the direction of becraig, Simon and myself in checking the InternalURL for your CAS services along with changing the AutoDiscover Internal URI which is actually the SCP in Active Directory.
[PS] C:\Windows\system32>get-AutodiscoverVirtualDirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/Autodiscover
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=
                                  Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerA
                                  uto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\Autodiscover (Default Web Site)
Guid                            : 58f2b2fe-f3a5-4bf5-9a53-9bdad5660d6d
ObjectCategory                  : domain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 3/4/2011 2:02:59 PM
WhenCreated                     : 3/4/2011 2:02:44 PM
WhenChangedUTC                  : 3/4/2011 7:02:59 PM
WhenCreatedUTC                  : 3/4/2011 7:02:44 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-ClientAccessServer  | fl


RunspaceId                           : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                                 : RAREXCHANGE
Fqdn                                 : RAREXCHANGE.domain.local
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : RAREXCHANGE
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.domain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : E:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=RAREXCHANGE,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                       Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Confi
                                       guration,DC=reindeerauto,DC=local
Identity                             : RAREXCHANGE
Guid                                 : 9d4a4fb0-e2b7-491b-b751-d1b57b9b6a9f
ObjectCategory                       : reindeerauto.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 11/3/2014 11:40:18 AM
WhenCreated                          : 1/13/2011 2:19:12 PM
WhenChangedUTC                       : 11/3/2014 4:40:18 PM
WhenCreatedUTC                       : 1/13/2011 7:19:12 PM
OrganizationId                       :
OriginatingServer                    : RARDC2.domain.local


[PS] C:\Windows\system32>get-webservicesvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
CertificateAuthentication       :
InternalNLBBypassUrl            : https://rarexchange.domain.local/ews/exchange.asmx
GzipLevel                       : High
Name                            : EWS (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/EWS
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : https://rarexchange.domain.local/EWS/Exchange.asmx
ExternalUrl                     : https://mail.domain.com/ews/exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=reindeerauto,DC=local
Identity                        : RAREXCHANGE\EWS (Default Web Site)
Guid                            : 1ab2a69b-8a6b-435a-9293-921cf0e17b89
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 1/13/2011 2:23:43 PM
WhenCreated                     : 1/13/2011 2:23:34 PM
WhenChangedUTC                  : 1/13/2011 7:23:43 PM
WhenCreatedUTC                  : 1/13/2011 7:23:34 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-oabvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             : {\Default Offline Address Book}
RequireSSL                      : False
BasicAuthentication             : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/OAB
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : http://mail.domain.com/oab
InternalAuthenticationMethods   : {WindowsIntegrated}
ExternalUrl                     : https://mail.domain.com/OAB
ExternalAuthenticationMethods   : {WindowsIntegrated}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerAuto,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\OAB (Default Web Site)
Guid                            : 672a2aee-c717-47cf-9ce4-0ab169b29349
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
WhenChanged                     : 3/29/2011 12:26:12 PM
WhenCreated                     : 1/13/2011 2:23:08 PM
WhenChangedUTC                  : 3/29/2011 4:26:12 PM
WhenCreatedUTC                  : 1/13/2011 7:23:08 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-owavirtualdirectory  | fl


RunspaceId                                          : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
DirectFileAccessOnPublicComputersEnabled            : True
DirectFileAccessOnPrivateComputersEnabled           : True
WebReadyDocumentViewingOnPublicComputersEnabled     : True
WebReadyDocumentViewingOnPrivateComputersEnabled    : True
ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers              : Block
ActionForUnknownFileAndMIMETypes                    : ForceSave
WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                      sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                      essingml.document, application/vnd.openxmlformats-officedocument.
                                                      spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
                                                      -mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
                                                      pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes         : True
WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/vnd.ms-excel, application/x-msex
                                                      cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
                                                      pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                      dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                      ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
                                                      cument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm,
                                                      .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                      px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                      tion/futuresplash, Application/x-director}
BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                      t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
                                                      }
BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                      access, x-internet-signup, text/javascript, application/xml, appl
                                                      ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers                       : {}
RemoteDocumentsBlockedServers                       : {}
RemoteDocumentsInternalDomainSuffixList             : {}
FolderPathname                                      :
Url                                                 : {}
LogonFormat                                         : FullDomain
ClientAuthCleanupLevel                              : High
FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
NotificationInterval                                : 120
DefaultTheme                                        :
UserContextTimeout                                  : 60
ExchwebProxyDestination                             :
VirtualDirectoryType                                :
OwaVersion                                          : Exchange2010
ServerName                                          : RAREXCHANGE
InstantMessagingCertificateThumbprint               :
InstantMessagingServerName                          :
RedirectToOptimalOWAServer                          : True
DefaultClientLanguage                               : 0
LogonAndErrorLanguage                               : 0
UseGB18030                                          : False
UseISO885915                                        : False
OutboundCharset                                     : AutoDetect
GlobalAddressListEnabled                            : True
OrganizationEnabled                                 : True
ExplicitLogonEnabled                                : True
OWALightEnabled                                     : True
DelegateAccessEnabled                               : True
IRMEnabled                                          : True
CalendarEnabled                                     : True
ContactsEnabled                                     : True
TasksEnabled                                        : True
JournalEnabled                                      : True
NotesEnabled                                        : True
RemindersAndNotificationsEnabled                    : True
PremiumClientEnabled                                : True
SpellCheckerEnabled                                 : True
SearchFoldersEnabled                                : True
SignaturesEnabled                                   : True
ThemeSelectionEnabled                               : True
JunkEmailEnabled                                    : True
UMIntegrationEnabled                                : True
WSSAccessOnPublicComputersEnabled                   : True
WSSAccessOnPrivateComputersEnabled                  : True
ChangePasswordEnabled                               : True
UNCAccessOnPublicComputersEnabled                   : True
UNCAccessOnPrivateComputersEnabled                  : True
ActiveSyncIntegrationEnabled                        : True
AllAddressListsEnabled                              : True
RulesEnabled                                        : True
PublicFoldersEnabled                                : True
SMimeEnabled                                        : True
RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
CalendarPublishingEnabled                           : True
InstantMessagingType                                : None
Exchange2003Url                                     :
FailbackUrl                                         :
LegacyRedirectType                                  : Silent
Name                                                : owa (Default Web Site)
InternalAuthenticationMethods                       : {Basic, Fba}
MetabasePath                                        : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/owa
BasicAuthentication                                 : True
WindowsAuthentication                               : False
DigestAuthentication                                : False
FormsAuthentication                                 : True
LiveIdAuthentication                                : False
DefaultDomain                                       :
GzipLevel                                           : High
WebSite                                             : Default Web Site
DisplayName                                         : owa
Path                                                : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking                     : None
ExtendedProtectionFlags                             : {}
ExtendedProtectionSPNList                           : {}
Server                                              : RAREXCHANGE
InternalUrl                                         : https://rarexchange.domain.local/owa
ExternalUrl                                         : https://mail.domain.com/owa
ExternalAuthenticationMethods                       : {Fba}
AdminDisplayName                                    :
ExchangeVersion                                     : 0.10 (14.0.100.0)
DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=
                                                      Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Adm
                                                      inistrative Groups,CN=domain,CN=Microsoft Exchange,CN=Servi
                                                      ces,CN=Configuration,DC=reindeerauto,DC=local
Identity                                            : RAREXCHANGE\owa (Default Web Site)
Guid                                                : 53cabee1-4091-41dc-8de0-2d6e2fc68fcd
ObjectCategory                                      : reindeerauto.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direc
                                                      tory
ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged                                         : 1/13/2011 2:23:16 PM
WhenCreated                                         : 1/13/2011 2:23:06 PM
WhenChangedUTC                                      : 1/13/2011 7:23:16 PM
WhenCreatedUTC                                      : 1/13/2011 7:23:06 PM
OrganizationId                                      :
OriginatingServer                                   : RARDC2.domain.local
IsValid                                             : True



[PS] C:\Windows\system32>get-ecpvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : ecp (Default Web Site)
InternalAuthenticationMethods   : {Basic, Fba}
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/ecp
BasicAuthentication             : True
WindowsAuthentication           : False
DigestAuthentication            : False
FormsAuthentication             : True
LiveIdAuthentication            : False
DefaultDomain                   :
GzipLevel                       : High
WebSite                         : Default Web Site
DisplayName                     : ecp
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : https://rarexchange.domain.local/ecp
ExternalUrl                     : https://mail.domain.com/ecp
ExternalAuthenticationMethods   : {Fba}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=ecp (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerAuto,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\ecp (Default Web Site)
Guid                            : 53a97647-05f9-43ed-8275-9cfdad35b81a
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-ECP-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchECPVirtualDirectory}
WhenChanged                     : 1/13/2011 2:23:16 PM
WhenCreated                     : 1/13/2011 2:23:10 PM
WhenChangedUTC                  : 1/13/2011 7:23:16 PM
WhenCreatedUTC                  : 1/13/2011 7:23:10 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True



[PS] C:\Windows\system32>get-ActiveSyncVirtualDirectory | fl


RunspaceId                                 : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : https://mail.reindeerauto.com/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/Microsoft-Server-ActiveS
                                             ync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : True
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : True
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
ProxyVdirExtendedProtectionTokenChecking   : None
ProxyVdirExtendedProtectionFlags           : {}
ProxyVdirExtendedProtectionSPNList         : {}
Path                                       :
Server                                     : RAREXCHANGE
InternalUrl                                : https://rarexchange.domain.local/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (14.0.100.0)
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                             RAREXCHANGE,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
                                             CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services
                                             ,CN=Configuration,DC=reindeerauto,DC=local
Identity                                   : RAREXCHANGE\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : 5f3004fd-3026-429e-bb12-0b2735a83450
ObjectCategory                             : reindeerauto.local/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 1/27/2011 12:00:52 PM
WhenCreated                                : 1/13/2011 2:23:31 PM
WhenChangedUTC                             : 1/27/2011 5:00:52 PM
WhenCreatedUTC                             : 1/13/2011 7:23:31 PM
OrganizationId                             :
OriginatingServer                          : RARDC2.domain.local
IsValid                                    : True
I don't know why people insist on saying about checking the settings of the Autodiscover virtual directory, because that isn't used internally. The URLs on the virtual directory do not matter one bit.

This is a very common problem, and the fact that you have rekeyed means it is a NEW certificate. It might have the same names on it, but it is subject to the new rules and if issued with the new intermediate certificates those need to be installed as well.

The link I have provided above resolves the problem. It is the same configuration I use on all of my builds.

Simon.
Ok so I understand this is only affecting me internally, my OWA from external link is working correctly. My issue is my OWA link internally and issues with my autodiscover I believe. I think I am lost a bit on what the actual issue is, I am reading the link you posted Simon and to be honest I am not sure what changes to make.
@Simon, I said check the CAS services virtual directories + the AutoDiscoverServiceInternalUri (e.g: AD SCP object). It could be (not saying it is) EWS trying to pull the InternalURL and hitting an SSL error.

He should be fixing all of his internalURLs to match his external ones, fix the AutoDiscover SCP and set up an internal forward lookup zone (internal meaning DNS)

:) I haven't lost my touch yet.
Here are the three internal urls that would probably error based on the new cert:
InternalUrl : https://rarexchange.domain.local/owa
InternalUrl : https://rarexchange.domain.local/ecp
InternalUrl : https://rarexchange.domain.local/Microsoft-Server-ActiveSync
Esp EWS, since that would be used the most from the Outlook client side (availability service).
So you are saying I need to change all my internal URL's to match the external URL's (e.g: https://mail.reindeerauto.com/owa)? Also I have a forward lookup zone for "domain.com" and "domain.local", both have A records that point to the external URL. If I change the internal URL's won't that screw everything up internally for my users?
You're semi-correct. You need to change the internalurl to match the externalurl, and then set up a forward lookup zone for domain.com. Within there you point mail and autodiscover to the CAS (if it's a single CAS deployment) or the load balancer VIP (for an HA CAS deployment). This won't screw anything up. Do NOT point this externally from the internal forward lookup zone.

Once that is done remove the old A records for mail and autodiscover if they exist in the .local lookup zone.
Would it just be easier for me to Re-key the cert using "Rarexchange.domain.local" as the common name? Would that solve all my problems with the least amount of changes?
Nope. The .local domain is not a public *TLD* so you cannot get a publicly trusted certificate for it. I would recommend following the guidance here as once you have this setup properly you are set.

*edit*

Sorry - I did not mean TLDR (iPhone auto correct, gotta love it), I meant TLD (for top level domain). If the domain is not available to the public for verification of ownership, then it cannot be on a public SSL certificate.
Adam & Simon,

Ok I understand all the changes that need to be made to the URL's, not sure what changed with the new cert but whatever. My question is about the A records and what needs to be added/deleted or changed.

Now in DNS forward lookup zone, "domain.com" I have an A record for "mail" which points to my exchange server IP with FQDN "mail.domain.com".

Forward lookup zone, "domain.local" I have an A record for "autodiscover"  that points to my exchange server IP with FQDN "autodiscover.domain.local".
Please match your external and internal URL to the Certificate.

On your DNS server create a forward lookup zone to match the URL and create an A record to point to your exchange server's internal IP.

Reset your IIS.
Thank you all for your help, here are the changes I am going to make. Sorry for being a pain, this is live and I do not want downtime. Here are the steps I am going to follow, if I am missing something please let me know.

1. I am changing InternalURL of OWA, ECP, Active Sync, OAB and Client Receiver Connector to "https://mail.domain.com/".

2. Changing autodiscover to "To change the autodiscover endpoint it is Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml"

3. and Webservices URL to "Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.domain.com/ews/exchange.asmx"

4. Then "Afterwards in the forward lookup zone for domain.com add an A record going to autodiscover.domain.com and remove the old record in the forward lookup zone for domain.local."
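The four steps above as one Exchange Management Shell script. This is an added example, not a command block from the original thread. It assumes a single CAS named RAREXCHANGE, that the GoDaddy certificate covers mail.reindeerauto.com and autodiscover.reindeerauto.com (the SANs shown later in the thread), that RARDC2 (a DC named in the thread) is the internal DNS server, and that 192.0.2.10 is a placeholder for the CAS's internal address. The script refuses to touch anything if the certificate bound to IIS does not actually contain both names, which is the check that would have caught the original problem before clients started complaining.

```powershell
# Added example, not from the thread: the steps above as one Exchange Management Shell script.
# Assumptions: a single CAS named RAREXCHANGE; the GoDaddy certificate covers mail.reindeerauto.com
# and autodiscover.reindeerauto.com (the SANs shown later in the thread); RARDC2 is the internal DNS
# server (a DC named in the thread); 192.0.2.10 is a placeholder for the CAS's internal IP.
# Run it on the CAS as an Exchange organization admin who is also a DNS admin.

$Server  = 'RAREXCHANGE'
$Mail    = 'mail.reindeerauto.com'
$AutoD   = 'autodiscover.reindeerauto.com'
$Zone    = 'reindeerauto.com'
$OldZone = 'reindeerauto.local'
$DnsSrv  = 'RARDC2'        # assumption: internal DNS server
$CasIp   = '192.0.2.10'    # assumption: replace with the CAS's internal address

# 1. Stop unless the CA-issued certificate bound to IIS actually covers both names.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned } |
    Select-Object -First 1
if (-not $cert) { throw 'No CA-issued certificate is bound to IIS on this server.' }
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
foreach ($name in $Mail, $AutoD) {
    if ($sans -notcontains $name) { throw "Certificate $($cert.Thumbprint) does not cover $name." }
}

# 2. Internal and external URLs both get the certificate name. EWS matters most for Outlook on the
#    LAN (availability service, OOF), so do not stop at OWA/ECP.
Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' } |
    Set-OwaVirtualDirectory -InternalUrl "https://$Mail/owa" -ExternalUrl "https://$Mail/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "https://$Mail/ecp" -ExternalUrl "https://$Mail/ecp"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$Mail/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "https://$Mail/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$Mail/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$Mail/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "https://$Mail/OAB" -ExternalUrl "https://$Mail/OAB"

# 3. The Autodiscover SCP is an AD object that domain-joined Outlook reads before any DNS lookup;
#    it must carry a name on the certificate. AD replication delay applies.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoD/autodiscover/autodiscover.xml"

# 4. Split DNS: the public names resolve to the internal CAS address on the LAN. dnscmd ships with
#    the DNS Server role / RSAT. Delete before add so a stale record is replaced, not duplicated.
if (-not (dnscmd $DnsSrv /EnumZones | Select-String "^\s*$([regex]::Escape($Zone))\s")) {
    dnscmd $DnsSrv /ZoneAdd $Zone /DsPrimary
}
foreach ($label in 'mail', 'autodiscover') {
    dnscmd $DnsSrv /RecordDelete $Zone $label A /f
    dnscmd $DnsSrv /RecordAdd    $Zone $label A $CasIp
}
dnscmd $DnsSrv /RecordDelete $OldZone autodiscover A /f   # stale record in the .local zone

# 5. Verify, then recycle IIS so clients get the new URLs immediately.
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
iisreset /noforce
```

The records are created only in the internal zone; nothing here touches public DNS. Because the SCP change lives in Active Directory, an Outlook client that still shows the warning right after the script runs may simply be talking to a DC that has not replicated yet.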
Looks right.
No!!!

if your external name is mail.domain.com

autodiscover-->autodiscovery.mail.domain.com
OWA,ECP, etc.-->mail.domain.com
webservices-->mail.domain.com

You mentioned a .net

You should have in your DNS a forward zone called domain.com with the following domains:

mail                     with an A record to your server
autodiscover     with an A record to your server
owa                     with an A record to your server

Or you can create a forward zone for each one, like:

mail.domain.com      with an A record to your server
owa.domain.com      with an A record to your server
autodiscover.domain.com     with an A record to your server
He isn't using OWA as a namespace, and I think the .net was a typo right?
We do use OWA, and yes the .net was a typo.  When I make the DNS entry I want the FQDN to be "mail.domain.com" and the IP points to the exchange server? Correct?
Yea. The endpoints within the DNS A record should point to the same location.
Ok I followed this link, http://exchange.sembee.info/2010/install/clientaccesshostnames.asp and then created the A records to point to the exchange server. I reset the IIS and flushed the DNS, but we are still getting the certificate pop-up when we open Outlook.
run the following:

Get-ExchangeCertificate | FL

Post the output here.

Also pull the autodiscover SCP again as I am curious to see what it is:

Get-ClientAccessServer | Select AutoDiscoverServiceInternalUri
Here is the Output.

[PS] C:\Windows\system32>Get-ExchangeCertificate | FL


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                     .com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 11/3/2014 11:33:22 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04610F15142534
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated
Thumbprint         : 4594D9A2A4646BB42AC473C4CCFF27C0998E631A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988


[PS] C:\Windows\system32> Get-ClientAccessServer | Select AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri
------------------------------
https://autodiscover.mail.reindeerauto.com/autodiscover/autodiscover.xml
SSL is right, autodiscover is not..

Run this command just like I have it written below:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.reindeerauto.com/autodiscover/autodiscover.xml



That will fix it! :)
NOTE: The AutoDiscoverServiceInternalUri is actually within AD, so it might not update immediately but when AD replicates. Just keep that in mind.
Ok I ran the command, anything I need to do now or just wait for AD to replicate?
That's it, basically. I would restart Outlook now and see if it clears up.
Update? I am curious now :)
Still getting the pop-up
Post the pop-up here, and then run the Outlook Test E-mail AutoConfiguration also...

Ctrl + right-click the Outlook icon in the system tray
Select Test E-mail AutoConfiguration
Run the test and screen shot it for us here

I refuse to throw in the towel, as I know this should work as we all described.
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC2.reindeerauto.local</AD>
        <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://rarexchange.reindeerauto.local/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>http://mail.reindeerauto.com/oab/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
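Reading the XML above by eye is how the remaining problem gets found: the EXCH (internal) protocol block still has ASUrl, EwsUrl and OOFUrl on rarexchange.reindeerauto.local, a name that is not on the GoDaddy certificate, while OWA and ECP already use mail.reindeerauto.com. The script below does that comparison mechanically. It is an added example and not code from the thread; the certificate names are the CertificateDomains that Get-ExchangeCertificate returned earlier in the thread, and the embedded XML is a trimmed, constructed copy of the Test E-mail AutoConfiguration output, kept only to make the example run offline. It also handles wildcard SANs, which this certificate does not have.

```powershell
# Added example (not from the thread): flag Autodiscover URLs whose host is not on the certificate.
# Outlook on the LAN follows the EXCH (internal) protocol block, so a .local host in ASUrl/EwsUrl/OOFUrl
# triggers the certificate warning even after OWA and ECP already use the public name.
# $certNames are the CertificateDomains Get-ExchangeCertificate returned earlier in the thread;
# $sampleXml is a trimmed, constructed copy of the XML tab from Outlook's Test E-mail AutoConfiguration.
# To check a live response, save that tab to a file and use: (Get-Content C:\autod.xml) -join "`n"

function Test-AutodiscoverUrls {
    param(
        [Parameter(Mandatory = $true)][string]$XmlText,
        [Parameter(Mandatory = $true)][string[]]$CertNames
    )
    $names = @($CertNames | ForEach-Object { $_.ToLower() })
    [xml]$doc = $XmlText

    foreach ($node in $doc.SelectNodes('//*')) {
        # Only leaf elements with text content can carry a URL.
        if (-not ($node.HasChildNodes -and $node.FirstChild.NodeType -eq 'Text')) { continue }
        $uri = $node.InnerText.Trim() -as [Uri]
        if (-not $uri -or -not $uri.IsAbsoluteUri) { continue }
        if ('http', 'https' -notcontains $uri.Scheme) { continue }

        # Exact SAN match, or a wildcard SAN covering exactly one extra label (*.example.com -> a.example.com).
        $hostName = $uri.Host.ToLower()
        $onCert = $false
        foreach ($n in $names) {
            if ($n -eq $hostName) { $onCert = $true; break }
            if ($n.StartsWith('*.') -and $hostName -like $n -and
                $hostName.Split('.').Count -eq $n.Split('.').Count) { $onCert = $true; break }
        }

        $verdict = if ($uri.Scheme -eq 'http') { 'plain HTTP: no certificate check, and no encryption' }
                   elseif ($onCert) { 'ok' }
                   else { 'host NOT on certificate: expect the warning' }

        # The <Type> sibling (EXCH, EXPR, WEB) tells you which client path uses this URL.
        $type = $node.ParentNode.SelectSingleNode('*[local-name()="Type"]')
        New-Object PSObject -Property @{
            Protocol = $(if ($type) { $type.InnerText } else { '' })
            Element  = $node.LocalName
            Scheme   = $uri.Scheme
            Host     = $hostName
            OnCert   = $onCert
            Verdict  = $verdict
        }
    }
}

$certNames = 'mail.reindeerauto.com', 'www.mail.reindeerauto.com', 'autodiscover.reindeerauto.com'
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <OOFUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>http://mail.reindeerauto.com/oab/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

$results = @(Test-AutodiscoverUrls -XmlText $sampleXml -CertNames $certNames)
$results | Format-Table Protocol, Element, Scheme, Host, Verdict -AutoSize
$bad = @($results | Where-Object { $_.Scheme -eq 'https' -and -not $_.OnCert })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) HTTPS endpoint(s) point at a host the certificate does not cover."
}
```

Against the constructed sample this reports the three EXCH endpoints (ASUrl, EwsUrl, OOFUrl) as not on the certificate and marks the OABUrl as plain HTTP. Any row with a .local host in the EXCH block is one more Set-*VirtualDirectory -InternalUrl that still needs to run, and after the change the same check against a fresh Test E-mail AutoConfiguration export should come back clean, as the final XML in this thread does.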
Ok no more pop-up and here are the results from the test again.

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC1.reindeerauto.local</AD>
        <ASUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>http://mail.reindeerauto.com/oab/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
That looks correct. Congratulations, you now know certificates and namespaces for the CAS role (something a lot of people mess up). Cheers pal and let us know if it comes back in the future.
Thanks everyone, you were a huge help.