Solved

Exchange Certificate Prompt

Posted on 2014-11-18
Last Modified: 2014-12-07
Hi!

We have a weird issue at one of our clients.

here is the scenario:

They have a local SBS2008 with Exchange 2007 but do not use the local Exchange. Instead, they use a hosted Exchange from a nearby company. The problem is that when we configure Outlook, we get a certificate error message that refers to the Outlook Anywhere of the local Exchange.

Here is what we have tried so far:

-Deleted/recreated the Outlook Profile
-Did the Outlook connectivity test and nowhere does it refer to the URL in the certificate error.
-Removed the computer from the domain and tried configuring the Profile in a workgroup (It worked)
Question by:Frederic Lalonde
33 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Remove the Autodiscover Virtual Directory on the SBS server and make sure there are no Exchange accounts for the local users on the SBS server.

Ensure that autodiscover.yourdomain.com resolves in internal DNS to the hosted Exchange domain and not your internal domain and the errors should go away.

You can use the following to find / remove the Autodiscover Virtual Directory:

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

Just curious though why you have SBS and then pay for Exchange hosted elsewhere?

Alan
 
LVL 4

Expert Comment

by:Sabi Goraya
The reason why this happens:
1) SBS created DNS entries for Exchange and they take priority over the external resolution.

Modify the DNS to resolve to the IP address of the hosting provider rather than the local server.

The ones that you need to look at are
SRV records and Autodiscover.

If not present, add a SRV record with the details of the hosting provider.

Also stop the relevant application directories within IIS instead of deleting them (just in case you need them for
 

Author Comment

by:Frederic Lalonde
Hi,

thanks for both your replies.

I did delete the autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the problem persists. As for the autodiscover, I am configuring the email settings manually, so there are no DNS records with autodiscover internally or externally.
 
LVL 76

Expert Comment

by:Alan Hardisty
If you use the following command in a command prompt on a local computer in your network:

nslookup autodiscover.yourdomain.com (obviously change the yourdomain.com part)

What is returned as the result?
 

Author Comment

by:Frederic Lalonde
Here are the results

C:\Users\terminal>nslookup autodiscover.********quebec.local
Serveur :   pension-srv.*********quebec.local
Address:  10.10.0.5

*** pension-srv.*********quebec.local ne parvient pas à trouver autodiscover.*********quebec.local : Non-existent domain
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - so it looks like you have an autodiscover DNS record locally which you need to delete.
 

Author Comment

by:Frederic Lalonde
I can't seem to find the record in the DNS manager of the server.

Also, if I run the same command on the server itself, here is the result I get.

C:\Users\terminal>nslookup autodiscover.*******quebec.local
Server:  UnKnown
Address:  fe80::****:****:****:****

*** UnKnown can't find autodiscover.******quebec.local: Non-existent domain

I did ipconfig /flushdns on the client machine and still get the same result
 
LVL 76

Expert Comment

by:Alan Hardisty
Are you using the 10.10.0.x IP range internally?
 

Author Comment

by:Frederic Lalonde
Yes
 
LVL 76

Expert Comment

by:Alan Hardisty
Then it must either be in the DNS settings or it's hard coded in the HOSTS file on the server or client(s) (or the LMHOSTS file).

Please check c:\windows\system32\drivers\etc for both files locally and on the server(s).
 

Author Comment

by:Frederic Lalonde
I just checked both HOSTS & LMHOSTS files on an affected machine and the server and they are both at the default state with no added lines.
 
LVL 76

Expert Comment

by:Alan Hardisty
It has to be somewhere in DNS then on your servers.  You need to find it and remove it, or if there is a * set that resolves anything that isn't specified, that needs removing.
 

Author Comment

by:Frederic Lalonde
Wouldn't the server give me the same result if that was the case? Also, I double checked and that station is using that server as its DNS.
 
LVL 76

Expert Comment

by:Alan Hardisty
Depends on how the network and DNS is configured.

Please post the IP configuration settings of the server and a workstation, showing the DNS servers used for each (and please specify which are the server IP settings and which are the workstation settings).

Thanks

Alan
 

Author Comment

by:Frederic Lalonde
Here is one client station:


Configuration IP de Windows

   Nom de l'hôte . . . . . . . . . . : t2013-02
   Suffixe DNS principal . . . . . . : ******quebec.local
   Type de noeud. . . . . . . . . .  : Hybride
   Routage IP activé . . . . . . . . : Non
   Proxy WINS activé . . . . . . . . : Non
   Liste de recherche du suffixe DNS.: ******quebec.local

Carte Ethernet Ethernet :

   Suffixe DNS propre à la connexion. . . : *******quebec.local
   Description. . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Adresse physique . . . . . . . . . . . : 74-D0-**-**-**-C7
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv6 de liaison locale. . . . .: fe80::****:****:****:f0b%3(préféré)

   Adresse IPv4. . . . . . . . . . . . . .: 10.10.0.102(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Bail obtenu. . . . . . . . . . . . . . : 24 novembre 2014 08:18:58
   Bail expirant. . . . . . . . . . . . . : 2 décembre 2014 08:19:18
   Passerelle par défaut. . . . . . . . . : 10.10.0.1
   Serveur DHCP . . . . . . . . . . . . . : 10.10.0.5
   IAID DHCPv6 . . . . . . . . . . . : 256919133
   DUID de client DHCPv6. . . . . . . . : 00-01-00-01-19-**-**-**-**-D0-2B-2B-03-C7
   Serveurs DNS. . .  . . . . . . . . . . : 10.10.0.5
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé

Carte Tunnel isatap.******quebec.local :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . :
   Description. . . . . . . . . . . . . . : Carte Microsoft ISATAP #2
   Adresse physique . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP activé. . . . . . . . . . . . . . : Non
   Configuration automatique activée. . . : Oui




Here is the Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PENSION-SRV
   Primary Dns Suffix  . . . . . . . : *******quebec.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ********quebec.local

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-10
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : A4-BA-**-**-8C-11
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3d2c:****:****:7e82%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8cce:****:****:717c%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 228899547
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-**-**-**-**-A4-BA-DB-53-8C-11

   DNS Servers . . . . . . . . . . . : fe80::3d2c:****:****:7e82%10
                                       10.10.0.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{D95D3C6E-1884-4D9C-9879-A50E78396588}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{64C8DA7C-8595-4B47-91F9-EE171D9489A3}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
LVL 76

Expert Comment

by:Alan Hardisty
Well that all looks normal (sadly).

So what have you got configured in DNS internally?

Can you post a screen shot of the DNS Zones (obscuring anything identifying but not so that the names can't be identified as internal / external ones).

Thanks

Alan

 

Author Comment

by:Frederic Lalonde
Thanks for your replies.

Here are the screenshots as asked.
dns1.jpg
dns2.jpg
 
LVL 76

Expert Comment

by:Alan Hardisty
Thanks for those.  Can you show me the .org DNS zone too.

Many thanks

Alan
 

Author Comment

by:Frederic Lalonde
Here it is
dns3.jpg
 
LVL 76

Expert Comment

by:Alan Hardisty
Sorry - just reviewed the earlier comments and I asked you to look up autodiscover.yourdomain.com and you posted the result as:

nslookup autodiscover.********quebec.local

This is not the correct domain - it needs to be your external (Public domain) not your internal domain.

Please re-run the command using autodiscover.yourdomain.org and post the result.

Thanks

Alan
 

Author Comment

by:Frederic Lalonde
Here is the result from the server

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\terminal>nslookup autodiscover.******.org
Server:  UnKnown
Address:  fe80::****:****:****:7e82

*** UnKnown can't find autodiscover.*******.org: Non-existent domain

C:\Users\terminal>
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - so is there an Autodiscover A record set up in your external DNS records (not locally on your server) that points to the public IP address of your hosting company, or, if they don't have autodiscover.yourdomain.org added to their SSL certificate, which they probably won't, do you have an SRV record that points to a name included in their SSL certificate?

Here is a guide in case you need help setting it up:
http://support.microsoft.com/kb/940881

This will normally be setup where you login to a Control Panel and may be where your domain is hosted / purchased.

Alan
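A way to check the two public-DNS entries discussed above (the autodiscover A record and the KB 940881 SRV record) and see which name the certificate on each target actually carries. This is an added example, not code from the thread; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and uses example.org as a placeholder for the public mail domain.

```powershell
# Added example, not from the thread: check the public-DNS Autodiscover entries
# Outlook falls back to after the AD lookup, and read the name on the TLS
# certificate each candidate presents. Assumes Resolve-DnsName (Windows 8 /
# Server 2012 or later); $Domain is a placeholder for the public mail domain.
param([string]$Domain = 'example.org')

function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate here: the goal is to read it, not to trust it
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl  = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = if ($san) { $san.Format($false) } else { '(none)' }
        [pscustomobject]@{ Subject = $cert.Subject; SANs = $sanText; Expires = $cert.NotAfter }
    } finally { $tcp.Dispose() }
}

$candidates = @()

# Step 1: the A record Outlook tries (https://autodiscover.<domain>/autodiscover/autodiscover.xml)
if (Resolve-DnsName -Name "autodiscover.$Domain" -Type A -ErrorAction SilentlyContinue) {
    $candidates += [pscustomobject]@{ Source = 'A record'; Host = "autodiscover.$Domain"; Port = 443 }
} else { Write-Host "No A record for autodiscover.$Domain" }

# Step 2: the SRV record from KB 940881, which can point at a name the provider's certificate does cover
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($rec in $srv) {
    $candidates += [pscustomobject]@{ Source = 'SRV record'; Host = $rec.NameTarget; Port = $rec.Port }
}
if (-not $srv) { Write-Host "No SRV record _autodiscover._tcp.$Domain" }

# Step 3: fetch each candidate's certificate and flag a name mismatch (the cause of Outlook's prompt)
foreach ($c in $candidates) {
    Write-Host "`n[$($c.Source)] $($c.Host):$($c.Port)"
    try {
        $info = Get-TlsCertificateInfo -HostName $c.Host -Port $c.Port
        $info | Format-List
        if ($info.Subject -notmatch "CN=$([regex]::Escape($c.Host))" -and $info.SANs -notmatch [regex]::Escape($c.Host)) {
            Write-Warning "Certificate on $($c.Host) does not carry that name: Outlook would show a certificate prompt"
        }
    } catch { Write-Warning "TLS connection to $($c.Host):$($c.Port) failed: $($_.Exception.Message)" }
}
```

The name check is a plain substring match, so a wildcard certificate (*.provider.com) is reported as a mismatch even though Outlook accepts it.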
 

Author Comment

by:Frederic Lalonde
Okay here is more information on this case:

We recently took over the IT for this company and it's a little messy, but we have to deal with it for now.
The hosted Exchange is actually on another SBS server with Exchange in the same LAN, but separated by VLANs.
We happen to also manage the other SBS, so if you need info there, I can supply it also. They put all the mailboxes on one server to save cost on backup licences (I think?).

That being said, if I create an SRV record that points to the other Exchange, it resolves just fine, but I also get the annoying dnsalias.org certificate. It seems to come from the local AD and comes before anything else.

Once again, thanks for your help.
 
LVL 76

Expert Comment

by:Alan Hardisty
Is the server hosting Exchange not on a Fixed IP Address?
 

Author Comment

by:Frederic Lalonde
It is yes, but it can also be reached locally with the local IP address 10.9.0.2 through a firewall rule within the VLANs.
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - if it is on a fixed public IP address, why is it using a dnsalias.org certificate?
 

Author Comment

by:Frederic Lalonde
The dnsalias.org certificate is the one from the local/decommissioned Exchange which they are not using anymore.
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - how decommissioned is the server as if it is throwing up cert prompts, it doesn't sound very decommissioned to me?
 

Author Comment

by:Frederic Lalonde
Well that's pretty much the root of my problem.

As stated previously, I did delete the local autodiscover virtual directory and there are currently no mailboxes on the local Exchange server, but the certificate prompt of the local Exchange persists. The next step could be to completely uninstall Exchange, but I am very hesitant to do that since it is a Windows Small Business Server and Exchange is so closely tied to the SBS Console.
 
LVL 76

Expert Comment

by:Alan Hardisty
Can you disable all the Exchange services and stop the default website without knowingly causing other issues?

Alan
 

Author Comment

by:Frederic Lalonde
I just did but I get the same results unfortunately.
 

Accepted Solution

by: Frederic Lalonde (earned 0 total points)
I just found the solution:

I had to delete the Autodiscover folder in Active Directory Sites and Services.

It was located in: Services, Microsoft Exchange, First Organization, Administrative Groups, Exchange Administrative Group, Servers, (Name of the Server), Protocols.
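The object deleted in the accepted solution is the Autodiscover Service Connection Point (SCP), which a domain-joined Outlook reads from Active Directory before it tries any DNS name; that is why the old server's certificate kept appearing even with the virtual directory gone and the services stopped. The script below is an added example, not from the thread, that lists the SCPs as Outlook sees them so a stale pointer can be confirmed before removal and verified gone afterwards; it assumes it runs on a domain-joined machine.

```powershell
# Added example, not from the thread: list the Autodiscover Service Connection
# Points (SCPs) that a domain-joined Outlook reads from Active Directory before
# any DNS lookup. Run from a domain-joined machine.
$AutodiscoverScpKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'   # well-known Autodiscover SCP keyword

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = "$($rootDse.configurationNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpKeyword))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'serviceBindingInformation', 'whenChanged'))

$scps = $searcher.FindAll()
if ($scps.Count -eq 0) {
    Write-Host 'No Autodiscover SCP in AD: Outlook will go straight to the DNS-based lookups.'
    return
}

foreach ($scp in $scps) {
    $dn      = $scp.Properties['distinguishedname'][0]
    $url     = $scp.Properties['servicebindinginformation'][0]
    $scpHost = ([uri]$url).Host
    Write-Host "SCP     : $dn"
    Write-Host "URL     : $url"
    Write-Host "Changed : $($scp.Properties['whenchanged'][0])"

    # A server that no longer hosts mailboxes but still owns an SCP is the stale
    # pointer this thread hit: Outlook reads this URL first and gets that server's
    # certificate. Check whether anything still listens on 443 at the target.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($scpHost, 443); Write-Host "Status  : $scpHost answers on 443; confirm it is the server that really holds the mailboxes" }
    catch   { Write-Warning "$scpHost does not answer on 443: this SCP is stale and should be removed" }
    finally { $tcp.Dispose() }
}

# Supported way to clear the SCP (rather than deleting the object in AD Sites and
# Services), from the Exchange Management Shell on the server that still owns it:
#   Set-ClientAccessServer -Identity <ServerName> -AutoDiscoverServiceInternalUri $null
```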
 

Author Closing Comment

by:Frederic Lalonde
It fixed the problem
