Solved

Re-keyed Exchange 2010 SSL cert now getting Security Alert on PC's

Posted on 2014-11-03
247 Views
Last Modified: 2014-11-05
I had to re-key my cert for my exchange server and once completed all pc's are getting a security alert pop-up about the certificate. I have attached the pop-up.
error.png
Question by:reindeerauto
57 Comments
 
LVL 4

Expert Comment

by:Vincent Bastianon
Hi,

Don't think it is a "proper" problem, as you had to reissue the certkey.
Simply install the certificate (View Certificate....Add...).

You just have to do this once for each client, and then everything should be ok!

V.
0
 
LVL 19

Expert Comment

by:Adam Farage
Reinstall the rekey'ed certificate and make sure the intermediate certificate is on there. Also make sure the Root CA exists :)
0
 
LVL 28

Expert Comment

by:becraig
This looks like a self signed certificate, is this a correct assumption ?

If so you have to ensure the root is trusted by all your clients.
You can do this via GPO for domain machines, or simply have the clients view and install the chain manually as Vincent indicated.
0
 

Author Comment

by:reindeerauto
I verified the "proper" name was correct, I verified the intermediate is there, and I am not sure how to check the Root CA.
0
 

Author Comment

by:reindeerauto
There is one in there that is self-signed (I did not put it there), and then we have the re-keyed one that is signed by GoDaddy.
0
 
LVL 28

Expert Comment

by:becraig
The alert you are getting indicates the certificate is not trusted.

The fact that it is a .local certificate tells me this one is most probably not a GoDaddy certificate.

You will need to distribute the root and CA (if applicable) to the Trusted root and intermediate store of the client computer.

Alternatively you can simply use split dns and have your .local mapped to your .com and bind the .com certificate.

You will then simply have to map your internal Exchange URLs (ECP/Autodiscover) to match your external ones, and this should go away.
0
 
LVL 19

Expert Comment

by:Adam Farage
Run the following and post it here:

Get-ExchangeCertificate | FL

Post it in a text file please.
0
 

Author Comment

by:reindeerauto
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                     .com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 11/3/2014 11:33:22 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04610F15142534
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated
Thumbprint         : 4594D9A2A4646BB42AC473C4CCFF27C0998E631A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988
0
 
LVL 19

Expert Comment

by:Adam Farage
You did run IISRESET /NOFORCE afterwards right? Are you sure the intermediate certificate is installed on the local computer in the correct location?
0
 

Author Comment

by:reindeerauto
I just did the IISRESET /NOFORCE, and the service did not restart.
0
 

Author Comment

by:reindeerauto
Ok, I reran the IIS command and it stopped and started correctly.
0
 

Author Comment

by:reindeerauto
Adam,

The local cert is in the Intermediate Certification Authorities.
0
 
LVL 19

Accepted Solution

by:Adam Farage (earned 375 total points)
God.. I am an idiot.. your autodiscover SCP object is not located at the correct location.

1) If not already in existence within internal DNS (most likely AD DS DNS) create a forward lookup zone for reindeerauto.com and create an A record for mail.reindeerauto.com and autodiscover.reindeerauto.com that points to the VIP of your load balancer (or in a single CAS environment point the A record to that IP)

2) Run the following command:

Set-ClientAccessServer -Identity <CASNAMEwithoutBRACKETS> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml

3) Wait for AD replication and reap the benefits of a problem solved.

What happened here is that your autodiscover SCP object (which internal clients use) is most likely the default, which is the servername. When a client (domain joined) uses AutoDiscover it queries Active Directory's Autodiscover Service Connection Point (SCP) for the AutoDiscover URL. Since .local is not a TLD (top level domain) it cannot be contained in the certificate, and you already have a UC that has autodiscover.company.com in there so all you have to do are the steps above.

The reason I know this is because the SSL error is for an internal .local domain, so that is what the Outlook client is pulling from the AutoDiscover SCP :) If I had read this more carefully I would have noticed that.

Sorry, I am half asleep today apparently.
0
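The three steps in the accepted answer, carried out and checked from the Exchange 2010 Management Shell. This is an added example, not code posted by anyone in the thread. It assumes the server name RAREXCHANGE and the SAN autodiscover.reindeerauto.com (both taken from output posted in this thread); the internal IP 192.0.2.10 is a constructed placeholder standing in for the CAS or load-balancer VIP.

```powershell
# Added example (not from the thread's authors): applies the accepted solution's
# three steps and verifies each one.
# Assumptions: CAS name and AutoDiscover SAN come from this thread; $expectedIp
# is a constructed placeholder for the CAS / load-balancer VIP.
$casName          = 'RAREXCHANGE'
$autodiscoverHost = 'autodiscover.reindeerauto.com'
$expectedIp       = '192.0.2.10'

# Step 1 check: does internal DNS resolve the AutoDiscover name to the CAS?
# [System.Net.Dns] is used because Resolve-DnsName does not exist on Server 2008 R2.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($autodiscoverHost) |
                 ForEach-Object { $_.IPAddressToString }
} catch {
    $addresses = @()
}
if ($addresses -notcontains $expectedIp) {
    Write-Warning ("Internal DNS resolves {0} to [{1}], expected {2}. Create or fix the A record " +
                   "in the internal forward lookup zone before changing the SCP.") -f
                   $autodiscoverHost, ($addresses -join ', '), $expectedIp
}

# Step 2: point the AutoDiscover SCP (stored in AD and used by domain-joined Outlook)
# at a name that is on the certificate. The old value is captured so it can be reverted.
$oldUri = (Get-ClientAccessServer -Identity $casName).AutoDiscoverServiceInternalUri
$newUri = "https://$autodiscoverHost/autodiscover/autodiscover.xml"
Write-Host "SCP before: $oldUri"
Set-ClientAccessServer -Identity $casName -AutoDiscoverServiceInternalUri $newUri

# Step 3 check: confirm the SCP host is one of the names on the CA-issued certificate
# bound to IIS, so Outlook's name check passes once AD replication has completed.
$scpHost = ([Uri](Get-ClientAccessServer -Identity $casName).AutoDiscoverServiceInternalUri).Host
$iisCert = Get-ExchangeCertificate -Server $casName |
           Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned } |
           Select-Object -First 1
$sans    = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })
$covered = $sans -contains $scpHost      # -contains is case-insensitive in PowerShell
Write-Host ("SCP after : {0}  (host on IIS certificate: {1})" -f $newUri, $covered)
```

The DNS check runs before the SCP change on purpose: pointing the SCP at a name that internal clients cannot resolve trades a certificate warning for a failed AutoDiscover lookup.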
 
LVL 28

Expert Comment

by:becraig
I think I pretty much started on that path 7 posts ago, lol.

I guess like me you needed to look at the actual error a second time :~)
0
 
LVL 19

Expert Comment

by:Adam Farage
lol @becraig, it's been a while since I have been on, and I looked at the error today on the ferry into work :) Next time I think I should just pop open my laptop, lol.
0
 

Author Comment

by:reindeerauto
I already have an A record in there for "mail" that points to the Exchange server IP, plus "mail.reindeerauto.com".
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee), earned 125 total points
Have you changed all of the host names within Exchange to use the public name on the SSL certificate?
If you rekeyed the certificate from one issued a while ago, internal names would have been removed.
Also ensure that you have the latest GoDaddy intermediate certificates in place, as they changed earlier this year.

http://semb.ee/hostnames2010

It is important that all URLs are changed.

Simon.
0
 

Author Comment

by:reindeerauto
I had to re-key my SSL cert for Exchange due to going from SHA-1 to SHA-2; once completed, I noticed this morning that it was no good. I re-keyed it again and now am having all these problems. This is not a new cert, so I'm not sure why it is not working correctly.
0
 

Author Comment

by:reindeerauto
Could the issue be that there is a "self-signed" certificate on the Exchange server along with my signed cert from GoDaddy? Will deleting the "self-signed" cert solve the problem that I am having?
0
 

Author Comment

by:reindeerauto
Also, when I go to OWA it is showing a red X saying "Mismatched address", but if I view the cert it is showing the GoDaddy cert.
0
 
LVL 28

Expert Comment

by:becraig
The issue is just your internal URIs not matching the certificate; you need to update them to match, since .local domains are no longer secured by major certificate providers (proof of ownership and such).

Run the commands below and share the output (obscure personally identifiable information)
get-AutodiscoverVirtualDirectory  | fl
get-ClientAccessServer  | fl
get-webservicesvirtualdirectory  | fl
get-oabvirtualdirectory  | fl
get-owavirtualdirectory  | fl
get-ecpvirtualdirectory  | fl
get-ActiveSyncVirtualDirectory | fl

This should help to pinpoint the changes needed.

Simon's link is also super helpful as this has been handled on here a lot of times.
0
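A script that does what becraig's command list and Simon's link ask for in one pass: it reads every Client Access virtual directory's InternalUrl and ExternalUrl plus the AutoDiscover SCP, checks each host against the names on the CA-issued certificate bound to IIS, and prints the Set-* command that would fix each mismatch. In the output posted below this comment, every InternalUrl except OAB's still points at rarexchange.domain.local, which is exactly what such an audit flags. This is an added example, not code from anyone in the thread; it assumes the Exchange 2010 Management Shell, the server name RAREXCHANGE and the certificate name mail.reindeerauto.com from this thread, and the hypothetical helper name Test-HostOnCert.

```powershell
# Added example (not from the thread's authors): audit CAS URLs against the IIS
# certificate's names and print corrective commands without running them.
# Assumptions: Exchange 2010 Management Shell; $server and $targetHost come from
# the thread; Test-HostOnCert is a hypothetical helper defined here.
$server     = 'RAREXCHANGE'
$targetHost = 'mail.reindeerauto.com'   # a name that IS on the GoDaddy certificate

# Names the CA-issued, IIS-bound certificate actually covers.
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned } |
        Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-HostOnCert([string]$hostName, [string[]]$names) {
    # True when the host is a SAN, or matched by a wildcard SAN (one label only).
    if (-not $hostName) { return $false }
    $h = $hostName.ToLower()
    foreach ($n in $names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and ($h -like $n) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# The Get-/Set- pairs behind becraig's list; each Get- cmdlet accepts -Server.
$vdirs = @(
    @{ Get = 'Get-AutodiscoverVirtualDirectory'; Set = 'Set-AutodiscoverVirtualDirectory' },
    @{ Get = 'Get-WebServicesVirtualDirectory';  Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';          Set = 'Set-OabVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';          Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';          Set = 'Set-EcpVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';   Set = 'Set-ActiveSyncVirtualDirectory' }
)

# One row per directory per URL property, so nothing is overlooked.
$report = @(foreach ($v in $vdirs) {
    foreach ($d in (& $v.Get -Server $server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $d.$prop
            $hostName = if ($url) { ([Uri]$url).Host } else { $null }
            $ok = Test-HostOnCert $hostName $sans
            $fix = ''
            if ($url -and -not $ok) {
                $fix = "{0} -Identity '{1}' -{2} 'https://{3}{4}'" -f `
                       $v.Set, $d.Identity, $prop, $targetHost, ([Uri]$url).AbsolutePath
            }
            New-Object PSObject -Property @{
                Directory = "$($d.Identity)"; Property = $prop; Url = "$url"
                Scheme = if ($url) { ([Uri]$url).Scheme } else { '' }
                OnCert = $ok; Fix = $fix
            }
        }
    }
})

# The SCP is not a virtual directory but is checked the same way (fix shown in the
# accepted answer: Set-ClientAccessServer -AutoDiscoverServiceInternalUri).
$scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$report += New-Object PSObject -Property @{
    Directory = "$server (SCP)"; Property = 'AutoDiscoverServiceInternalUri'; Url = "$scp"
    Scheme = ([Uri]$scp).Scheme; OnCert = (Test-HostOnCert ([Uri]$scp).Host $sans); Fix = ''
}

# Mismatches first; an http scheme is also worth a look (OAB InternalUrl here is http).
$report | Sort-Object OnCert | Format-Table Directory, Property, Url, Scheme, OnCert -AutoSize

# Corrective commands are printed, not executed: review them, then run one at a time
# (every Set-*VirtualDirectory cmdlet supports -WhatIf), and finish with IISRESET /NOFORCE.
$report | Where-Object { $_.Fix } | ForEach-Object { $_.Fix }
```

Nothing is changed by this script. Printing the Set-* lines rather than running them keeps the audit read-only, which matters on a production CAS where a wrong InternalUrl breaks Outlook for every internal user until AD replication catches up.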
 

Author Comment

by:reindeerauto
While viewing the details of the cert, I noticed that "basic constraints and Key Usage" both have a yellow triangle with an exclamation point.
0
 
LVL 19

Expert Comment

by:Adam Farage
I wouldn't be concerned about that, since the screenshot you posted in the original question speaks for itself. Your AutoDiscover SCP object is going to a .local, which is not a valid TLD. I would recommend following the direction of becraig, Simon and myself in checking the InternalURL for your CAS services, along with changing the AutoDiscover internal URI, which is actually the SCP in Active Directory.
0
 

Author Comment

by:reindeerauto
[PS] C:\Windows\system32>get-AutodiscoverVirtualDirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/Autodiscover
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=
                                  Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerA
                                  uto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\Autodiscover (Default Web Site)
Guid                            : 58f2b2fe-f3a5-4bf5-9a53-9bdad5660d6d
ObjectCategory                  : domain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 3/4/2011 2:02:59 PM
WhenCreated                     : 3/4/2011 2:02:44 PM
WhenChangedUTC                  : 3/4/2011 7:02:59 PM
WhenCreatedUTC                  : 3/4/2011 7:02:44 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-ClientAccessServer  | fl


RunspaceId                           : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                                 : RAREXCHANGE
Fqdn                                 : RAREXCHANGE.domain.local
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : RAREXCHANGE
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.domain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : E:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=RAREXCHANGE,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                       Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Confi
                                       guration,DC=reindeerauto,DC=local
Identity                             : RAREXCHANGE
Guid                                 : 9d4a4fb0-e2b7-491b-b751-d1b57b9b6a9f
ObjectCategory                       : reindeerauto.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 11/3/2014 11:40:18 AM
WhenCreated                          : 1/13/2011 2:19:12 PM
WhenChangedUTC                       : 11/3/2014 4:40:18 PM
WhenCreatedUTC                       : 1/13/2011 7:19:12 PM
OrganizationId                       :
OriginatingServer                    : RARDC2.domain.local


[PS] C:\Windows\system32>get-webservicesvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
CertificateAuthentication       :
InternalNLBBypassUrl            : https://rarexchange.domain.local/ews/exchange.asmx
GzipLevel                       : High
Name                            : EWS (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/EWS
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : https://rarexchange.domain.local/EWS/Exchange.asmx
ExternalUrl                     : https://mail.domain.com/ews/exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=reindeerauto,DC=local
Identity                        : RAREXCHANGE\EWS (Default Web Site)
Guid                            : 1ab2a69b-8a6b-435a-9293-921cf0e17b89
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 1/13/2011 2:23:43 PM
WhenCreated                     : 1/13/2011 2:23:34 PM
WhenChangedUTC                  : 1/13/2011 7:23:43 PM
WhenCreatedUTC                  : 1/13/2011 7:23:34 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-oabvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : OAB (Default Web Site)
PollInterval                    : 480
OfflineAddressBooks             : {\Default Offline Address Book}
RequireSSL                      : False
BasicAuthentication             : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/OAB
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : http://mail.domain.com/oab
InternalAuthenticationMethods   : {WindowsIntegrated}
ExternalUrl                     : https://mail.domain.com/OAB
ExternalAuthenticationMethods   : {WindowsIntegrated}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerAuto,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\OAB (Default Web Site)
Guid                            : 672a2aee-c717-47cf-9ce4-0ab169b29349
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
WhenChanged                     : 3/29/2011 12:26:12 PM
WhenCreated                     : 1/13/2011 2:23:08 PM
WhenChangedUTC                  : 3/29/2011 4:26:12 PM
WhenCreatedUTC                  : 1/13/2011 7:23:08 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True


[PS] C:\Windows\system32>get-owavirtualdirectory  | fl


RunspaceId                                          : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
DirectFileAccessOnPublicComputersEnabled            : True
DirectFileAccessOnPrivateComputersEnabled           : True
WebReadyDocumentViewingOnPublicComputersEnabled     : True
WebReadyDocumentViewingOnPrivateComputersEnabled    : True
ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers              : Block
ActionForUnknownFileAndMIMETypes                    : ForceSave
WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                      sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                      essingml.document, application/vnd.openxmlformats-officedocument.
                                                      spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
                                                      -mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
                                                      pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes         : True
WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/vnd.ms-excel, application/x-msex
                                                      cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
                                                      pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                      dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                      ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
                                                      cument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm,
                                                      .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                      px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                      tion/futuresplash, Application/x-director}
BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                      t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
                                                      }
BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                      access, x-internet-signup, text/javascript, application/xml, appl
                                                      ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers                       : {}
RemoteDocumentsBlockedServers                       : {}
RemoteDocumentsInternalDomainSuffixList             : {}
FolderPathname                                      :
Url                                                 : {}
LogonFormat                                         : FullDomain
ClientAuthCleanupLevel                              : High
FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
NotificationInterval                                : 120
DefaultTheme                                        :
UserContextTimeout                                  : 60
ExchwebProxyDestination                             :
VirtualDirectoryType                                :
OwaVersion                                          : Exchange2010
ServerName                                          : RAREXCHANGE
InstantMessagingCertificateThumbprint               :
InstantMessagingServerName                          :
RedirectToOptimalOWAServer                          : True
DefaultClientLanguage                               : 0
LogonAndErrorLanguage                               : 0
UseGB18030                                          : False
UseISO885915                                        : False
OutboundCharset                                     : AutoDetect
GlobalAddressListEnabled                            : True
OrganizationEnabled                                 : True
ExplicitLogonEnabled                                : True
OWALightEnabled                                     : True
DelegateAccessEnabled                               : True
IRMEnabled                                          : True
CalendarEnabled                                     : True
ContactsEnabled                                     : True
TasksEnabled                                        : True
JournalEnabled                                      : True
NotesEnabled                                        : True
RemindersAndNotificationsEnabled                    : True
PremiumClientEnabled                                : True
SpellCheckerEnabled                                 : True
SearchFoldersEnabled                                : True
SignaturesEnabled                                   : True
ThemeSelectionEnabled                               : True
JunkEmailEnabled                                    : True
UMIntegrationEnabled                                : True
WSSAccessOnPublicComputersEnabled                   : True
WSSAccessOnPrivateComputersEnabled                  : True
ChangePasswordEnabled                               : True
UNCAccessOnPublicComputersEnabled                   : True
UNCAccessOnPrivateComputersEnabled                  : True
ActiveSyncIntegrationEnabled                        : True
AllAddressListsEnabled                              : True
RulesEnabled                                        : True
PublicFoldersEnabled                                : True
SMimeEnabled                                        : True
RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
CalendarPublishingEnabled                           : True
InstantMessagingType                                : None
Exchange2003Url                                     :
FailbackUrl                                         :
LegacyRedirectType                                  : Silent
Name                                                : owa (Default Web Site)
InternalAuthenticationMethods                       : {Basic, Fba}
MetabasePath                                        : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/owa
BasicAuthentication                                 : True
WindowsAuthentication                               : False
DigestAuthentication                                : False
FormsAuthentication                                 : True
LiveIdAuthentication                                : False
DefaultDomain                                       :
GzipLevel                                           : High
WebSite                                             : Default Web Site
DisplayName                                         : owa
Path                                                : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking                     : None
ExtendedProtectionFlags                             : {}
ExtendedProtectionSPNList                           : {}
Server                                              : RAREXCHANGE
InternalUrl                                         : https://rarexchange.domain.local/owa
ExternalUrl                                         : https://mail.domain.com/owa
ExternalAuthenticationMethods                       : {Fba}
AdminDisplayName                                    :
ExchangeVersion                                     : 0.10 (14.0.100.0)
DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=
                                                      Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Adm
                                                      inistrative Groups,CN=domain,CN=Microsoft Exchange,CN=Servi
                                                      ces,CN=Configuration,DC=reindeerauto,DC=local
Identity                                            : RAREXCHANGE\owa (Default Web Site)
Guid                                                : 53cabee1-4091-41dc-8de0-2d6e2fc68fcd
ObjectCategory                                      : reindeerauto.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direc
                                                      tory
ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged                                         : 1/13/2011 2:23:16 PM
WhenCreated                                         : 1/13/2011 2:23:06 PM
WhenChangedUTC                                      : 1/13/2011 7:23:16 PM
WhenCreatedUTC                                      : 1/13/2011 7:23:06 PM
OrganizationId                                      :
OriginatingServer                                   : RARDC2.domain.local
IsValid                                             : True



[PS] C:\Windows\system32>get-ecpvirtualdirectory  | fl


RunspaceId                      : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
Name                            : ecp (Default Web Site)
InternalAuthenticationMethods   : {Basic, Fba}
MetabasePath                    : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/ecp
BasicAuthentication             : True
WindowsAuthentication           : False
DigestAuthentication            : False
FormsAuthentication             : True
LiveIdAuthentication            : False
DefaultDomain                   :
GzipLevel                       : High
WebSite                         : Default Web Site
DisplayName                     : ecp
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     : https://rarexchange.domain.local/ecp
ExternalUrl                     : https://mail.domain.com/ecp
ExternalAuthenticationMethods   : {Fba}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=ecp (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerAuto,CN=Mi
                                  crosoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : RAREXCHANGE\ecp (Default Web Site)
Guid                            : 53a97647-05f9-43ed-8275-9cfdad35b81a
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-ECP-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchECPVirtualDirectory}
WhenChanged                     : 1/13/2011 2:23:16 PM
WhenCreated                     : 1/13/2011 2:23:10 PM
WhenChangedUTC                  : 1/13/2011 7:23:16 PM
WhenCreatedUTC                  : 1/13/2011 7:23:10 PM
OrganizationId                  :
OriginatingServer               : RARDC2.domain.local
IsValid                         : True



[PS] C:\Windows\system32>get-ActiveSyncVirtualDirectory | fl


RunspaceId                                 : dd2a2dd7-2971-47d1-8aac-86f9c3ef880b
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : https://mail.reindeerauto.com/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://RAREXCHANGE.domain.local/W3SVC/1/ROOT/Microsoft-Server-ActiveS
                                             ync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : True
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : True
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
ProxyVdirExtendedProtectionTokenChecking   : None
ProxyVdirExtendedProtectionFlags           : {}
ProxyVdirExtendedProtectionSPNList         : {}
Path                                       :
Server                                     : RAREXCHANGE
InternalUrl                                : https://rarexchange.domain.local/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (14.0.100.0)
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                             RAREXCHANGE,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),
                                             CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services
                                             ,CN=Configuration,DC=reindeerauto,DC=local
Identity                                   : RAREXCHANGE\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : 5f3004fd-3026-429e-bb12-0b2735a83450
ObjectCategory                             : reindeerauto.local/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 1/27/2011 12:00:52 PM
WhenCreated                                : 1/13/2011 2:23:31 PM
WhenChangedUTC                             : 1/27/2011 5:00:52 PM
WhenCreatedUTC                             : 1/13/2011 7:23:31 PM
OrganizationId                             :
OriginatingServer                          : RARDC2.domain.local
IsValid                                    : True
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
I don't know why people insist on saying about checking the settings of the Autodiscover virtual directory, because that isn't used internally. The URLs on the virtual directory do not matter one bit.

This is a very common problem, and the fact that you have rekeyed means it is a NEW certificate. It might have the same names on it, but it is subject to the new rules and if issued with the new intermediate certificates those need to be installed as well.

The link I have provided above resolves the problem. It is the same configuration I use on all of my builds.

Simon.
0
 

Author Comment

by:reindeerauto
Comment Utility
Ok so I understand this is only affecting me internally, my OWA from external link is working correctly. My issue is my OWA link internally and issues with my autodiscover I believe. I think I am lost a bit on what the actual issue is, I am reading the link you posted Simon and to be honest I am not sure what changes to make.
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
@Simon, I said check the CAS services virtual directories + the AutoDiscoverServiceInternalUri (e.g: AD SCP object). It could be (not saying it is) EWS trying to pull the InternalURL and hitting an SSL error.

He should be fixing all of his InternalURLs to match his external ones, fix the AutoDiscover SCP and set up an internal forward lookup zone (internal meaning DNS).

:) I haven't lost my touch yet.
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Here are the three internal urls that would probably error based on the new cert:
InternalUrl : https://rarexchange.domain.local/owa
InternalUrl : https://rarexchange.domain.local/ecp
InternalUrl : https://rarexchange.domain.local/Microsoft-Server-ActiveSync
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Esp EWS, since that would be used the most from the Outlook client side (availability service).
0
 

Author Comment

by:reindeerauto
Comment Utility
So you are saying I need to change all my internal URL's to match the external URL's (e.g: https://mail.reindeerauto.com/owa)? Also I have a forward lookup zone for "domain.com" and "domain.local", both have A records that point to the external URL. If I change the internal URL's won't that screw everything up internally for my users?
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
You're semi-correct. You need to change the InternalUrl to match the ExternalUrl, and then set up a forward lookup zone for domain.com. Within there you point mail and autodiscover to the CAS (if it's a single CAS deployment) or the load balancer VIP (for a HA CAS deployment). This won't screw anything up. Do NOT point this externally from the internal forward lookup zone.

Once that is done remove the old A records for mail and autodiscover if they exist in the .local lookup zone.
0
 

Author Comment

by:reindeerauto
Comment Utility
Would it just be easier for me to Re-key the cert using "Rarexchange.domain.local" as the common name? Would that solve all my problems with the least amount of changes?
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Nope. The .local domain is not a public *TLD* so you cannot get a publicly trusted certificate for it. I would recommend following the guidance here as once you have this setup properly you are set.

*edit*

Sorry - I did not mean TLDR (iPhone auto correct, gotta love it), I meant TLD (for top level domain). If the domain is not available to the public for verification of ownership, then it cannot be on a public SSL certificate.
0
 

Author Comment

by:reindeerauto
Comment Utility
Adam & Simon,

Ok I understand all the changes that need to be made to the URL's, not sure what changed with the new cert but whatever. My question is about the A records and what needs to be added/deleted or changed.

Now in DNS forward lookup zone, "domain.com" I have an A record for "mail" which points to my exchange server IP with FQDN "mail.domain.com".

Forward lookup zone, "domain.local" I have an A record for "autodiscover"  that points to my exchange server IP with FQDN "autodiscover.domain.local".
0
 
LVL 11

Expert Comment

by:hecgomrec
Comment Utility
Please match your external and internal URL to the Certificate.

On your DNS server create a forward lookup zone to match the URL and create an A record to point to your exchange server's internal IP.

Reset your IIS.
0
 
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 375 total points
Comment Utility
Ok I understand all the changes that need to be made to the URL's, not sure what changed with the new cert but whatever

.local cannot be verified as it is not a public TLD, so it cannot be on a public SSL certificate. You are applying a public SSL certificate to Exchange's IIS service, thus why you received these errors as your FQDN on the CAS services was set to .local TLD.

Forward lookup zone, "domain.local" I have an A record for "autodiscover"  that points to my exchange server IP with FQDN "autodiscover.domain.local".

No. Set the autodiscover endpoint internally (the AD SCP object) to https://autodiscover.domain.com/autodiscover/autodiscover.xml. Afterwards in the forward lookup zone for domain.com add an A record going to autodiscover.domain.com and remove the old record in the forward lookup zone for domain.local.

To change the autodiscover endpoint it is Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Let DNS replicate (as it's most likely AD DS DNS) and then flush the client's DNS cache (ipconfig /flushdns, ipconfig /registerdns). Afterwards restart Outlook and see if this error continues.
0
 

Author Comment

by:reindeerauto
Comment Utility
Thank you all for your help, here are the changes I am going to make. Sorry for being a pain, this is live and I do not want downtime. Here are the steps I am going to follow, if I am missing something please let me know.

1. I am changing InternalURL of OWA, ECP, Active Sync, OAB and Client Receiver Connector to "https://mail.domain.com/".

2. Changing autodiscover to "To change the autodiscover endpoint it is Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml"

3. and Webservices URL to "Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.domain.com/ews/exchange.asmx"

4. Then "Afterwards in the forward lookup zone for domain.com add an A record going to autodiscover.domain.com and remove the old record in the forward lookup zone for domain.local."
0
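The four steps above, as one Exchange Management Shell script. This is an added example written for this thread, not the poster's commands or anything from Microsoft's documentation; the server name RAREXCHANGE, the DNS server RARDC2, the public names mail.domain.com and autodiscover.domain.com and the internal address 192.0.2.10 are placeholders to change for your own environment. It sets every client-facing URL to the name that is on the certificate, repoints the Autodiscover SCP, adds the split-DNS records, and reads the settings back.

```powershell
# Added example for this thread, not the poster's or Microsoft's own script.
# Run in the Exchange Management Shell on the CAS. Placeholders (assumptions):
# server RAREXCHANGE, internal DNS server RARDC2, certificate names
# mail.domain.com / autodiscover.domain.com, CAS address 192.0.2.10
# (a documentation address, not a real one).
$Server    = 'RAREXCHANGE'
$MailHost  = 'mail.domain.com'
$AutoHost  = 'autodiscover.domain.com'
$CasIp     = '192.0.2.10'
$DnsServer = 'RARDC2'

# One name for every client-facing service, inside and outside, so whatever
# name Autodiscover hands Outlook is always a name on the public certificate.
$urls = @{
    Owa         = "https://$MailHost/owa"
    Ecp         = "https://$MailHost/ecp"
    ActiveSync  = "https://$MailHost/Microsoft-Server-ActiveSync"
    Oab         = "https://$MailHost/OAB"
    WebServices = "https://$MailHost/ews/exchange.asmx"
}

# Step 1 and 3: virtual directory URLs (EWS is the one the availability
# service uses, so it is the one Outlook complains about most).
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl $urls.Owa         -ExternalUrl $urls.Owa
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl $urls.Ecp         -ExternalUrl $urls.Ecp
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl $urls.ActiveSync  -ExternalUrl $urls.ActiveSync
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl $urls.Oab         -ExternalUrl $urls.Oab
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl $urls.WebServices -ExternalUrl $urls.WebServices

# Step 2: the Autodiscover SCP is an AD object; domain-joined Outlook reads it
# before anything else, so it too must carry a name that is on the certificate.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoHost/autodiscover/autodiscover.xml"

# Step 4: split DNS. The internal copy of the domain.com zone answers with the
# private address, so the public names never leave the LAN. dnscmd is present
# on Windows Server 2008 R2 and later DNS servers; uncomment /ZoneAdd if the
# internal domain.com zone does not exist yet.
# dnscmd $DnsServer /ZoneAdd 'domain.com' /DsPrimary
dnscmd $DnsServer /RecordAdd 'domain.com' 'mail'         A $CasIp
dnscmd $DnsServer /RecordAdd 'domain.com' 'autodiscover' A $CasIp

# Recycle IIS without dropping connections, then read the settings back
# before asking anyone to restart Outlook.
iisreset /noforce
Get-ClientAccessServer -Identity $Server | Select-Object Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Select-Object Identity, InternalUrl, ExternalUrl
```

The old autodiscover A record in the .local zone is removed by hand (or with dnscmd /RecordDelete) once the new one resolves; the SCP change is stored in Active Directory, so clients on a different site see it only after AD replication.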
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Looks right.
0
 
LVL 11

Expert Comment

by:hecgomrec
Comment Utility
No!!!

if your external name is mail.domain.com

autodiscover-->autodiscovery.mail.domain.com
OWA,ECP, etc.-->mail.domain.com
webservices-->mail.domain.com

You mentioned a .net

You should have in your DNS a forward zone called domain.com with the following domains:

mail                     with an A record to your server
autodiscover     with an A record to your server
owa                     with an A record to your server

Or you can create a forward zone for each one like:

mail.domain.com      with an A record to your server
owa.domain.com      with an A record to your server
autodiscover.domain.com     with an A record to your server
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
He isn't using OWA as a namespace, and I think the .net was a typo right?
0
 

Author Comment

by:reindeerauto
Comment Utility
We do use OWA, and yes the .net was a typo.  When I make the DNS entry I want the FQDN to be "mail.domain.com" and the IP points to the exchange server? correct?
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Yea. The endpoints within the DNS A record should point to the same location.
0
 

Author Comment

by:reindeerauto
Comment Utility
Ok I followed this link, http://exchange.sembee.info/2010/install/clientaccesshostnames.asp and then created the A records to point to the exchange server. I reset the IIS and flushed the DNS, but we are still getting the certificate pop-up when we open Outlook.
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
run the following:

Get-ExchangeCertificate | FL

Post the output here.

Also pull the autodiscover SCP again as I am curious to see what it is:

Get-ClientAccessServer | Select AutoDiscoverServiceInternalUri
0
 

Author Comment

by:reindeerauto
Comment Utility
Here is the Output.

[PS] C:\Windows\system32>Get-ExchangeCertificate | FL


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy
                     .com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 11/3/2014 11:33:22 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 04610F15142534
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated
Thumbprint         : 4594D9A2A4646BB42AC473C4CCFF27C0998E631A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988


[PS] C:\Windows\system32> Get-ClientAccessServer | Select AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri
------------------------------
https://autodiscover.mail.reindeerauto.com/autodiscover/autodiscover.xml
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
SSL is right, autodiscover is not..

Run this command just like I have it written below:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.reindeerauto.com/autodiscover/autodiscover.xml

That will fix it! :)
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
NOTE: The AutoDiscoverServiceInternalUri is actually within AD, so it might not update immediately but when AD replicates. Just keep that in mind.
0
 

Author Comment

by:reindeerauto
Comment Utility
Ok I ran the command, anything I need to do now or just wait for AD to replicate?
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
that's it basically. I would restart Outlook now and see if it clears up.
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Update? I am curious now :)
0
 

Author Comment

by:reindeerauto
Comment Utility
Still getting the pop-up
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
Post the pop up here.. and then run the Outlook Test E-mail AutoConfiguration also...

Ctrl - Right Click the Outlook icon in the system tray
Select Test E-mail AutoConfiguration
Run the test and screen shot it for us here

I refuse to throw in the towel, as I know this should work as we all described.
0
 

Author Comment

by:reindeerauto
Comment Utility
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC2.reindeerauto.local</AD>
        <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://rarexchange.reindeerauto.local/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>http://mail.reindeerauto.com/oab/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
Untitled.jpg
0
 
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 375 total points
Comment Utility
Your EWS InternalURL (EXCH Outlook provider record entry) is showing <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>... when it should be https://mail.reindeerauto.com/ews/exchange.asmx

Change the EWS InternalURL but first verify that it is that:

Get-ClientAccessServer | Get-WebServicesVirtualDirectory | Select *URL*

Post the output here, but if it is that then change it:

Get-ClientAccessServer | Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.reindeerauto.com/ews/exchange.asmx

When you are done on the CAS restart IIS (IISRESET /NOFORCE) and try again by restarting Outlook once AD replication has completed, along with rerunning this test above.

*edit*

To explain a bit further, Outlook (for internal, domain joined clients) will query the Active Directory AutoDiscover Service Connection Point which is AutoDiscoverServiceInternalUri. When that is found it is returned to the client and the client then (using DNS) looks it up and connects. When Outlook connects it requests the Internal URL's (EXPR Outlook provider records) for core services along with the RPC Client Access RPC Ports. The EXPR is mainly stuff like availability service (which does free / busy) and the Oab URL. Your EWS url (at least from the screen shot and the test ran above you posted) still points to the .local address which is not on the SSL certificate, thus the error.
0
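The explanation above (SCP, then the EXCH/EXPR URLs, any of which triggers the prompt when its host is not on the certificate) can be turned into a check that finds the mismatch before Outlook does. This is an added audit script for this thread, not the poster's or Microsoft's code; it assumes a single CAS with one third-party certificate bound to IIS, and it is run in the Exchange Management Shell. It lists every host name Outlook can be handed, says whether that name is on the IIS certificate, and whether it resolves in internal DNS, which catches both the .local URL problem and a missing split-DNS record.

```powershell
# Added audit example for this thread, not the poster's or Microsoft's own code.
# Run in the Exchange Management Shell. Assumptions: one CAS and one
# non-self-signed certificate with the IIS service enabled.

# The certificate Outlook actually sees on IIS (the self-signed one is SMTP-only).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' -and -not $_.IsSelfSigned } |
    Select-Object -First 1
if (-not $cert) { throw 'No third-party certificate is bound to IIS.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameOnCertificate([string]$HostName) {
    # Exact SAN match, or a one-label wildcard match (*.example.com covers
    # mail.example.com but not a.b.example.com, as browsers and Outlook apply it).
    foreach ($n in $certNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

function Test-NameResolves([string]$HostName) {
    # A name on the certificate is still useless internally without an A record
    # in the internal zone (the split-DNS part of the fix).
    try { [System.Net.Dns]::GetHostAddresses($HostName) | Out-Null; return $true }
    catch { return $false }
}

# Every URL a client can receive, tagged with where it came from.
$entries = @()
$vdirs = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory; Get-ActiveSyncVirtualDirectory;
           Get-OabVirtualDirectory; Get-WebServicesVirtualDirectory)
foreach ($vd in $vdirs) {
    $entries += New-Object PSObject -Property @{ Source = $vd.Identity; Kind = 'InternalUrl'; Url = $vd.InternalUrl }
    $entries += New-Object PSObject -Property @{ Source = $vd.Identity; Kind = 'ExternalUrl'; Url = $vd.ExternalUrl }
}
foreach ($cas in Get-ClientAccessServer) {
    $entries += New-Object PSObject -Property @{ Source = $cas.Name; Kind = 'AutodiscoverSCP'; Url = $cas.AutoDiscoverServiceInternalUri }
}

$report = foreach ($e in $entries) {
    if (-not $e.Url) { continue }                       # unset URL: nothing is handed out
    $hostName = ([System.Uri]$e.Url).Host.ToLower()
    $onCert   = Test-NameOnCertificate $hostName
    $resolves = Test-NameResolves $hostName
    if (-not $onCert)        { $verdict = 'CERT MISMATCH (Outlook will prompt)' }
    elseif (-not $resolves)  { $verdict = 'NO INTERNAL DNS RECORD' }
    else                     { $verdict = 'OK' }
    New-Object PSObject -Property @{
        Source = $e.Source; Kind = $e.Kind; Host = $hostName
        OnCert = $onCert; Resolves = $resolves; Verdict = $verdict
    }
}

# Mismatches sort to the top; in this thread's case the EWS InternalUrl
# (rarexchange.reindeerauto.local) would be the line flagged.
$report | Sort-Object Verdict | Format-Table Source, Kind, Host, OnCert, Resolves, Verdict -AutoSize
```

Run it after every certificate renewal or re-key: a new certificate with different names is exactly the change that silently turns a working InternalUrl into the prompt the thread started with.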
 

Author Comment

by:reindeerauto
Comment Utility
Ok no more pop-up and here are the results from the test again.

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC1.reindeerauto.local</AD>
        <ASUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>http://mail.reindeerauto.com/oab/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://mail.reindeerauto.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
0
 
LVL 19

Expert Comment

by:Adam Farage
Comment Utility
that looks correct. congratulations, you now know certificate and namespace for the CAS role (something a lot of people mess up). Cheers pal and let us know if it comes back in the future.
0
 

Author Comment

by:reindeerauto
Comment Utility
Thanks everyone, you were a huge help.
0