Solved

exchange certificate issues, there is a problem with the proxy server's security certificate.

Posted on 2015-01-09
Last Modified: 2015-01-09
we have moved from exchange 2003 -> 2007 -> 2013 on windows 2012 r2

all went well until the SSL was played with!

i have never done this before so had a third party do this and that's where the problems start, the first SSL was to the wrong domain, i have fixed the SSL certificate itself now, but unsure if i missed anything.

so the problem i am having is on some not all computers the outlook is reporting

there is a problem with the proxy server's security certificate.
outlook is unable to connect to the proxy server

i did find a blog that told me to go to the owa site on the computer and install the certificate this did fix 3 of the computers but not the rest.

and computers are XP, Vista, windows 7 and windows 8

also outlook 2007 and outlook 2013.
0
Question by:Damon Repton
22 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
Do you have multiple CAS servers in your environment using a hardware load balancer? When you are getting the certificate error launching Outlook, what cert is it using? You need to ensure that, once the cert has been installed on the corresponding CAS server, you enable the certificate services.

Run the following commands directly from the EMS on the CAS server in question.
Get-ExchangeCertificate | ft

You will see all of the certs that are installed on this server. When you have found the one you are looking for you need to enable the service for this cert.

Enable-ExchangeCertificate -Thumbprint <thumbprinthere> -Services "pop,imap,smtp,iis"

If you have multiple CAS servers you will need to do these steps on all of them.

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
no this is a single server build

[screenshot]
0
 
LVL 5

Author Comment

by:Damon Repton
the new SSL is the top one of course :)
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Does it have the proper SAN names in the cert?
mail.domain.com
autodiscover.domain.com

Also have you setup all of your external URL accordingly to reflect the new cert?

Will.
0
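The SAN and URL questions above can be answered in one pass on the server. This is an added example, not code posted by anyone in the thread; it assumes the Exchange Management Shell on the Exchange 2013 server, and `Test-SanMatch` is a hypothetical helper defined in the block.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
# Test-SanMatch is a hypothetical helper defined here, not an Exchange cmdlet.
function Test-SanMatch([string]$HostName, [string[]]$Sans) {
    $h = $HostName.ToLower()
    foreach ($s in $Sans) {
        if ($s -eq $h) { return $true }
        # A wildcard SAN covers exactly one left-most label (*.domain.com -> mail.domain.com)
        if ($s.StartsWith('*.') -and $h.EndsWith($s.Substring(1)) -and
            $h.Substring(0, $h.Length - $s.Length + 1) -match '^[^.]+$') { return $true }
    }
    return $false
}

# The valid, non-self-signed certificate enabled for IIS (assumption: there is one;
# confirm the thumbprint printed below is the new certificate).
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and $_.Status -eq 'Valid' -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid third-party certificate is enabled for IIS.' }
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"Checking certificate $($cert.Thumbprint), expires $($cert.NotAfter)"
"SANs: $($sans -join ', ')"

# Every URL the server hands out to clients
$urls = 'Owa', 'Ecp', 'WebServices', 'Oab', 'ActiveSync' | ForEach-Object {
    & "Get-${_}VirtualDirectory" | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
}
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })

# Outlook Anywhere (the "proxy server" named in the Outlook error) uses host names, not URLs
$hosts += Get-OutlookAnywhere | ForEach-Object { $_.InternalHostname; $_.ExternalHostname }

$hosts | Where-Object { $_ } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique |
    ForEach-Object {
        [pscustomobject]@{ HostName = $_; CoveredBySan = (Test-SanMatch $_ $sans) }
    } | Format-Table HostName, CoveredBySan -AutoSize
```

Any row with `CoveredBySan` set to `False` is a name clients are directed to that the certificate does not cover.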
 
LVL 5

Author Comment

by:Damon Repton
this is the part i am not sure about, as never done it before, so here is what i have.

Certificate SANs are:

[screenshot: ssl]

URLs are:

[screenshots: url, ecp, ews, oab, owa]
0
 
LVL 53

Expert Comment

by:Will Szymkowski
All looks correct, from an Exchange 2013 perspective. Do you still have Exchange 2007 in your environment? If you do you need to have legacy.domain.com added as a DNS SAN name, export the cert from Exchange 2013 import the cert into your Exchange 2007 servers and update the URL's on Exchange 2007 to point to legacy.domain.com/owa/ews/etc.

Where are the mailboxes located for the users that are running into the cert issue with Outlook? You need to check that, click on the warning and open the cert and go to Certification Path and see what cert it is pointing to.

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
all other exchanges are now removed, all mailboxes are on exchange 2013, all users are working via OWA at the moment with no problems, and about 20 users (40 users total) are using outlook without any problems.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
So the users using the Outlook client that are having issues, if you right click on the Outlook icon in the system tray and select autoconfig test what URL's are they connecting to? Also check the Connection status and see if they are connecting to all of the appropriate servers?

Are you still using Public Folders in Exchange 2007?

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
i see the following

[screenshot: connection]
no public folders in use at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Ok what about when you run the Auto Config test? This will ensure that you are pointing to the correct URL's to get the services? Also you have not specified which cert the Outlook clients having the issue are pointing to. Is this one of the self-signed certs?

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
here you go

[screenshots]
and the error is

[screenshot: e]
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Have you checked in the users certificate store to ensure that the cert is in there? Have you tried to start Outlook in safemode "Outlook.exe /safe"? Does this work if Outlook is not in cached mode?

On the machines where this is not working can you go to https://mail.domain.com/rpc and login successfully?

Also check this link for additional details
Certificate Troubleshooting

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
tried outlook.exe /safe, same issue.

can go to the RPC site and log on ok.

that link i have already tried, but one thing i did notice, on the certificate when i view it i don't have an install button, is that cause it's already installed??

[screenshot: n]
0
 
LVL 53

Expert Comment

by:Will Szymkowski
If you go to the Certification Path is it correct? Have you checked the cert thumbprint to ensure that the certs are the same?

Go into the Details tab and look for thumbprint and reference it to the one that is on the server make sure they are the same.

Also use the MMC on the local machine and open certs, look in the personal store and also look in the Trusted Root Certificate Authorities store as well, and ensure that the cert paths are correct and that the hierarchies are correct.

Will.
0
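The thumbprint and certification-path checks described above can also be scripted on an affected client. This is an added example, not code from the thread: `Get-PresentedCertificate` is a hypothetical helper, `mail.domain.com` stands in for the real proxy name, and `<thumbprinthere>` is the value copied from `Get-ExchangeCertificate` on the server. Run it while logged on as the affected user so the chain is built against that user's trust stores.

```powershell
# Added example: shows which certificate the proxy host actually presents to this
# client and whether this user/machine trusts its chain. Host and thumbprint are placeholders.
param([string]$MailHost = 'mail.domain.com', [string]$ServerThumbprint = '<thumbprinthere>')

function Get-PresentedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so a bad certificate can still be inspected.
        # Diagnostic use only: no credentials or data are sent over this stream.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$cert  = Get-PresentedCertificate $MailHost
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$ok    = $chain.Build($cert)   # validated against the stores visible to the current user

"Presented  : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"
"Same as server thumbprint : " + ($cert.Thumbprint -eq ($ServerThumbprint -replace '\s', ''))

# Subject Alternative Name extension (OID 2.5.29.17), as shown on the Details tab
$cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
    ForEach-Object { "SANs:`n" + $_.Format($true) }

"Chain trusted for this user : $ok"
"Certification path:"
$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }

# Empty when the chain is fine; otherwise names the failing check (untrusted root, expired, ...)
$chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
```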
 
LVL 5

Author Comment

by:Damon Repton
should the certificate be in personal?? as it's not....

[screenshot: personal]
0
 
LVL 53

Expert Comment

by:Will Szymkowski
It should not be required, in the personal store. Have you checked the Trusted Root Certification Authorities?

Have you cross referenced some of the things we have gone over with a client that is working correctly?

Seems very odd that your URL's are correct when you do AutoConfig but you are still getting the security error.

The machine that is having issues, can you have someone else login to this machine where their account is working elsewhere and see if it still fails? This would be a good test to see if it is machine related or possibly profile/caching of some sort.

Have you also checked the event log on the machines that are not working?

Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Another thing, on the client that is getting this error message can you do the following...
- open Outlook
- Account Settings
- Change, More Settings
- Connection Tab
- Exchange Proxy Settings
- Do you have the correct data in this field

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
results of first test, if i log on as me, on the same machine it works fine, log on as user 1 it does not.

exchange proxy settings are the same on both

XXXmail.XXXXXX.com

msstd:XXXmail.XXXXXX.com

everything ticked, and NTLM Authentication.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Weird, could this be a corrupt Outlook profile? Create a new Outlook profile and see if this corrects this issue for the user. If that does not work try deleting/renaming the windows profile for the user and recreate a new windows profile.

Seems to be some sort of caching or corruption in the profiles. If that works it is weird that it happened to that many users.

Will.
0
 
LVL 5

Author Comment

by:Damon Repton
odd very odd, removing the outlook account and re-adding seems to have fixed it, going to be a pain to do it to the rest.

any idea what could have happen to it?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
No idea at all. Probably some cached setting in the Outlook profile itself. As stated before, weird that it happened to this many people. I have done several migrations and I never had this issue that you have had.

Will.
0
 
LVL 5

Author Closing Comment

by:Damon Repton
Thanks for the help
0
