Solved

Microsoft Connectivity Analyzer reports wrong SSL cert on port 443

Posted on 2014-11-13
Last Modified: 2014-12-16
Small Business Server 2011
New SSL cert installed using the SBS Console wizard. SSL cert installed without errors. Verified that the 443 * binding in IIS 7 was using the correct cert. Verified in Exchange (via EMC) that the new cert had loaded.

Upgraded GFI software to current version of EmailEssentials and discovered that transfer from Email Essentials to Exchange was not working.  Review of the logs indicated a problem with Autodiscover.

Double checked DNS server; autodiscover resolves to the public IP address of the SBS.

Ran Microsoft Connectivity Analyzer / Autodiscover and Active Sync option; got this error:



The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server ____.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

  Additional Details
  Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
  Elapsed Time: 205 ms.

Validating the certificate name.
  Certificate name validation failed.


This is not the cert that I installed; could not find this certificate anywhere.  How do I fix this?
Question by:CocosDad

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40439838
This is part of how Microsoft's Remote Connectivity Analyzer tool works when you opt for the Use Autodiscover to detect my server settings option, as it is testing for a potential Autodiscover address.

You will most likely find that this certificate is the one that has been installed for your public-facing website (i.e. www.yourcompany.com) by your website hosting company. As the majority of website people request you configure the DNS A record for yourcompany.com to match the DNS A record for www.yourcompany.com to prevent errors when accessing your company's website via a web browser, the RCA tool will fail this check if your web hosting company has assigned an SSL certificate to your site (which is perfectly fine when required).

You should find that the test completes fine. If it doesn't, post up the result you got from the RCA test and we can help you further.

As for actually testing your new SSL certificate, I find it's just easier to load OWA or RWA on an external machine as you can then just check the SSL certificate through the browser itself. This is what I do whenever I renew an SSL certificate to verify if it has been applied properly.

Author Comment

by:CocosDad
ID: 40441118
Ran the RCA on 6 other SBS 2011 installations each with a GoDaddy cert.  In each case, the RCA located the SSL on port 443 and found that the certificate name matched the domain name.

With this particular problem child, the RCA reports that the SSL cert on port 443 name was =*.bluehost.com, that it is a wild card SSL and that the SSL appears to be for a company in Great Britain.
Unless I am reading the error message from the RCA incorrectly.  I posted a copy of the error with my domain name underlined out in my original question.

Another reason why I think the issue is on our server is that when the GFI anti-spam software goes to transfer the email to Exchange, it checks the http://MYDOMAIN.COM/autodiscover/autodiscover.hm file and gives an error of "invalid user name".

Is it possible to edit this file or have the system regenerate a new one?

I have no control over the website hosting company or the company that created the website.  Is there some way of determining whether or not either of them have installed an SSL cert?  The web site is informational only and collects requests for information.  No commerce.

Expert Comment

by:VB ITS
ID: 40441787
You can try going to https://www.yourcompany.com in a web browser to determine if an SSL certificate is installed. If there is one installed, you'll most likely run into the familiar "There is a problem with this website's security certificate" error message. Click "Continue to this website (not recommended)" > click on "Certificate error" at the top, then "View Certificate".

Did you purchase the SSL certificate for the company.com address? Only reason I ask is because I usually configure a prefix for the domain name (e.g. remote.company.com) within the Set up your Internet address wizard in the SBS Console to avoid the above issue.

Author Comment

by:CocosDad
ID: 40442357
Thanks for getting back to me.  You are correct, the hosting company (Bluenote) installed a wild card SSL cert on their web server so all their clients' web sites have this cert whether they need it or not.

I entered https://www.mycompany.com, selected Continue to web site.  A screen for Bluenote Web Hosting flashed by followed by my client's web site.

The ssl cert I purchased was named mail.mycompany.com with alternate names remote.mycompany.com and autodiscover.mycompany.com.  

The DNS zone file that I have control over has remote, mail and autodiscover pointing to public IP address of my SBS.  www and mycompany.com both point to the public IP address of the Bluenote web server.

They must have done this recently because this configuration has been working fine for the last 2 years.

There must be some solution to be had in either the DNS Zone File or rekeying the cert.

Expert Comment

by:VB ITS
ID: 40442613
In that case everything that you have done so far regarding the certificate sounds right.

As I stated previously, the Exchange ActiveSync and Exchange ActiveSync Autodiscover tests are only testing for a potential Autodiscover URL (being https://yourcompany.com:443/Autodiscover/Autodiscover.xml). This doesn't actually mean that they have detected that this is your Autodiscover URL; they're just covering their bases by checking yourcompany.com first.

All that really matters is whether the tests pass or not. Are the tests successful?
0
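
The name check discussed in this thread, as an added example that is not part of the original posts: it applies certificate name matching to the two HTTPS hosts an Autodiscover test probes in order (the bare domain first, then autodiscover.<domain>). The function names and the sample certificate names are constructed for illustration; `fetch_cert_names` is the live variant and assumes outbound access to port 443.

```python
import socket
import ssl

def autodiscover_candidates(smtp_domain):
    """HTTPS hosts probed in order: the bare domain first, then autodiscover.<domain>."""
    return [smtp_domain, "autodiscover." + smtp_domain]

def name_matches(pattern, host):
    """Certificate name match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def validate(names_by_host, smtp_domain):
    """For each candidate host, does the certificate served there cover that host?"""
    return {host: any(name_matches(n, host) for n in names_by_host.get(host, []))
            for host in autodiscover_candidates(smtp_domain)}

def fetch_cert_names(host, port=443, timeout=5):
    """Live lookup: DNS names on the certificate the server presents for `host`.
    The chain is still verified; only the hostname check is skipped so that a
    mismatched certificate can be inspected instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample mirroring the thread: the bare domain resolves to the web
# host, autodiscover.<domain> resolves to the SBS with the purchased certificate.
SAMPLE = {
    "mycompany.com": ["*.bluehost.com"],
    "autodiscover.mycompany.com": ["mail.mycompany.com", "remote.mycompany.com",
                                   "autodiscover.mycompany.com"],
}

if __name__ == "__main__":
    for host, ok in validate(SAMPLE, "mycompany.com").items():
        print(f"{host:30} {'name matches' if ok else 'name validation failed'}")
```

A failed name check on the bare domain alongside a match on autodiscover.<domain> is the pattern described in the thread: the first probe reaches the web host's certificate, the second reaches the Exchange server's.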
