Solved

Outlook Anywhere Certificate Warnings

Posted on 2015-02-14
Last Modified: 2015-10-28
We have an Exchange 2010 server. We have a public SAN SSL certificate covering mail.domain.com, exchange.domain.com and autodiscover.domain.com. We have one internal AD domain, domain.com. The Exchange server is called Exchange, so the certificate covers internal and external usage. No problems using it for ActiveSync or OWA. The problem is Outlook Anywhere. We have a dozen email domains. So if a user's email address is user1@domain2.com, when running Outlook Anywhere they use the SAN SSL certificate but get a warning because autodiscover.domain2.com is not listed in the certificate. I do not want to buy certificates for every email domain. Is there any way around this? When we set up Outlook Anywhere, the server name is Exchange and the proxy server is exchange.domain.com. Nowhere in the setup do we put anything about domain2.com, other than that it's the user's email address.
Question by:pcservne
15 Comments
 

Expert Comment

by:Will Szymkowski
We have a dozen email domains.  So if a user's email address is user1@domain2.com, when running Outlook Anywhere they use the SAN SSL Certificate, but get a warning because autodiscover.domain2.com is not listed in the Certificate

Not sure how you are getting a cert issue. Typically what you would do is have autodiscover.domain.com and mail.domain.com (being the external-facing SMTP domain). You said that you have multiple domains within Exchange, like accepted domains? You would then have multiple email address policies to accommodate all of the accepted domains and to control which users inherit which domains.

If this is correct so far, this should not create a certificate issue. Cert issues happen when the virtual directory URL domain names are different from what is presented on the cert.

For example:
if you have a cert for mail.domain.com and SAN DNS names for autodiscover.domain.com and mail.domain.com, your virtual directories' External URLs should be like https://mail.domain.com/owa, https://mail.domain.com/autodiscover/ews/exchange.asmx, etc.

Also, if you have a split DNS configuration, you can use the external domain name on the internal URL once you have configured your DNS zones properly.

So, all of that said, I am not sure how you are getting a cert error.

What servers are you connecting to for Outlook Anywhere and what are the external virtual directories configured as?

Will.

Author Comment

by:pcservne
I'm not sure why I'm getting the error either - hence the question.

We only have one Exchange server hosting all the roles. We have a SAN certificate with mail.domain.com, exchange.domain.com and autodiscover.domain.com. The virtual directories are correct - https://exchange.domain.com. OWA works fine. When setting up a user whose email is user@domain2.com, every time Outlook is opened it gives a certificate warning saying autodiscover.domain2.com isn't valid, because the certificate it is looking at only contains autodiscover.domain.com.

Expert Comment

by:Will Szymkowski
Where is autodiscover.domain2.com coming from? The URL is not correctly configured. Do you have multiple CAS servers in your environment? If so, you need to configure the same URLs on all CAS servers and ensure that you have them properly load balanced.

When you open Outlook using Outlook Anywhere, can you hold Ctrl and right-click the Outlook icon, run Test Email AutoConfiguration, and ensure that your autodiscover is autodiscover.domain.com rather than autodiscover.domain2.com? Using the same method you can also check the connection status to see what servers your clients are connecting to.

You may also want to check the Outlook Anywhere setting within the Outlook client itself.

Will.

Author Comment

by:pcservne
It has to be getting autodiscover.domain2.com from the email address of the user being set up, user@domain2.com. Nowhere else is there any reference to domain2.com. Which URL is not correctly configured? As I said in the previous post, there is only one server running all the roles. https://exchange.domain.com is what I enter for the proxy server in Outlook. The server name is just Exchange. The autodiscover auto config works fine. Here is the XML log. The only reference to domain2.com is towards the top, stating that the AutoDiscoverSMTPAddress is support@domain2.com. I couldn't copy and paste it, but the log tab is all about trying to find the autodiscover.domain2.com DNS entries, until the end when the SRV record for autodiscover at domain2.com refers to exchange.domain.com. (Autodiscover to https://domain2.com/autodiscover FAILED. Autodiscover to autodiscover.domain2.com FAILED. Local Autodiscover for domain2.com FAILED, etc.)

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Test Tester</DisplayName>
      <LegacyDN>/o=TMC/ou=First Administrative Group/cn=Recipients/cn=testt</LegacyDN>
      <AutoDiscoverSMTPAddress>support@domain2.com</AutoDiscoverSMTPAddress>
      <DeploymentId>d2f1243e-b6e9-4ae0-bb78-d36aedb4c8c5</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHANGE.domain.com</Server>
        <ServerDN>/o=ABC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE</ServerDN>
        <ServerVersion>7383807B</ServerVersion>
        <MdbDN>/o=ABC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>EXCHANGE.domain.com</PublicFolderServer>
        <AD>SERVER.domain.com</AD>
        <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://exchange.domain.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://exchange.ddomain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://exchange.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://exchange.domain.com/OAB/3da1a7b5-c3ee-4f8b-be05-693148d156c9/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>exchange.domain.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://exchange.domain.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://exchange.domain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://exchange.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://exchange.domain.com/OAB/3da1a7b5-c3ee-4f8b-be05-693148d156c9/</OABUrl>
        <CertPrincipalName>msstd:exchange.domain.com</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Ntlm, Fba, WindowsIntegrated">https://exchange.domain.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://exchange.domain.com/OWA/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
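Will's point above is that a certificate warning comes from a mismatch between a name the client connects to and the names on the certificate. The following Python script is an added example, not code from the thread: it parses an Autodiscover response like the one just posted and lists every host name Outlook will end up validating a certificate against (the host of each https URL, the EXPR proxy server, and the msstd: certificate principal name), then checks each against the SAN list described in the question. The sample response is a trimmed, constructed copy of the posted log; the OOFUrl host exchange.ddomain.com is kept exactly as it appears in the log, so the check flags it, whatever its origin. Note that autodiscover.domain2.com appears nowhere in the response: the name that produces the warning is not one of the response's URLs but the name Outlook used to fetch the response in the first place.

```python
"""Added example: which names does Outlook validate a TLS certificate against?

Parses an Exchange Autodiscover response (a trimmed, constructed copy of the
log posted in this thread) and checks every host name Outlook will see in a
TLS handshake against the subject alternative names of the server certificate.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Outlook response schema namespace, as in the posted log.
NS = "{http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a}"

# The SAN list described in the question.
CERT_SANS = ["mail.domain.com", "exchange.domain.com", "autodiscover.domain.com"]

# Constructed sample: a trimmed copy of the posted response. The OOFUrl host
# "exchange.ddomain.com" is kept exactly as it appears in the posted log.
SAMPLE_RESPONSE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><AutoDiscoverSMTPAddress>support@domain2.com</AutoDiscoverSMTPAddress></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHANGE.domain.com</Server>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://exchange.ddomain.com/EWS/Exchange.asmx</OOFUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>exchange.domain.com</Server>
        <SSL>On</SSL>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <CertPrincipalName>msstd:exchange.domain.com</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External><OWAUrl AuthenticationMethod="Fba">https://exchange.domain.com/OWA/</OWAUrl></External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""


def matches_san(host, san):
    """Name matching as TLS clients do it: an exact match, or a SAN whose
    leftmost label is '*' matching exactly one label of the host."""
    host, san = host.lower(), san.lower()
    if host == san:
        return True
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return False


def names_to_validate(xml_text):
    """Every host name this response makes Outlook connect to over TLS: the
    host of each https URL, the EXPR (Outlook Anywhere) proxy server, and the
    msstd: certificate principal name that Outlook compares to the cert."""
    root = ET.fromstring(xml_text)
    names = set()
    for el in root.iter():
        text = (el.text or "").strip()
        if text.lower().startswith("https://"):
            names.add(urlsplit(text).hostname)
        elif text.lower().startswith("msstd:"):
            names.add(text[len("msstd:"):].lower())
    for proto in root.iter(NS + "Protocol"):
        if proto.findtext(NS + "Type") == "EXPR":
            server = proto.findtext(NS + "Server")
            if server:
                names.add(server.strip().lower())
    return names


def check_response(xml_text, sans=CERT_SANS):
    """Map each name Outlook will validate to whether the certificate covers it."""
    return {name: any(matches_san(name, san) for san in sans)
            for name in sorted(names_to_validate(xml_text))}


if __name__ == "__main__":
    for name, ok in check_response(SAMPLE_RESPONSE).items():
        print(f"{'ok      ' if ok else 'MISMATCH'} {name}")
```

Run it against a response captured with Test Email AutoConfiguration (the XML tab) and a SAN list read from the certificate; any name reported as a mismatch is a URL or principal name to fix on the virtual directories or to add to the certificate. A name that warns but is absent from this list is, as in this thread, a name the client chose before it ever got the response.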

Expert Comment

by:Will Szymkowski
How does the user get the SMTP address of domain2.com? Do you have multiple accepted domains on your Exchange server, and are you then associating them with email address policies?

Will.

Author Comment

by:pcservne
Yes - just like you said. When I configure Outlook I put support in as the username and it changes it to support@domain2.com, which is that user's reply-to address. As I said, we have 12 email domains and they all do the same thing.

Expert Comment

by:Will Szymkowski
I have actually just tested this out with a different SMTP domain which is not the default, using Outlook Anywhere, and I did not have any cert issues like you are experiencing. I guess what you could ultimately do is add the domain names you have internally to your SAN cert DNS names. That should resolve the cert error. However, this should not happen.

Will.

Author Comment

by:pcservne
Did you test Outlook Anywhere on a PC that was a domain member or not? It seems I only get the certificate warnings on non-domain PCs. I know this should not happen, which is the point of asking the question.

Expert Comment

by:Will Szymkowski
I did this on my home PC which is not on the domain.

I know this should not happen, which is the point of asking the question
I can really only go from the info you have provided. I can provide assistance on where to look, i.e. URLs, certs, etc., but ultimately you know how your environment is set up.

Have you tried the Outlook/Autodiscover tests using the Microsoft Connectivity Analyzer?
https://testconnectivity.microsoft.com/

This should show if you in fact have a cert error with the account you are using.

Will.

Author Comment

by:pcservne
No errors on the Microsoft Connectivity Analyzer. Why does Outlook Anywhere even rely on Autodiscover when you manually configure it? Wouldn't Outlook Anywhere work even if you didn't have Autodiscover set up?

Accepted Solution

by:Will Szymkowski (earned 500 total points)
That is correct. You can use Autodiscover or strictly the Outlook Anywhere URL.

Will.

Author Comment

by:pcservne
I guess I solved it by removing the autodiscover CNAME DNS records for the domains. Autodiscover still seems to be working because I left the SRV DNS records for autodiscover, which all point to exchange.domain.com, and I no longer get the certificate warnings. It seems like there should be some other way to fix it, but unless anyone has a better idea, it'll have to do.

Author Comment

by:pcservne
I also had to remove the wildcard (* or 'any') DNS A records, or autodiscover.domain#.com would still resolve.
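The two follow-ups above, together with the earlier observation that only non-domain PCs see the warning, fit Outlook's documented Autodiscover order. A domain-joined Outlook finds Autodiscover through the SCP object in Active Directory, which hands it https://exchange.domain.com directly. A client off the domain has to derive candidates from the SMTP domain of the mailbox: https://domain2.com/autodiscover/autodiscover.xml, then https://autodiscover.domain2.com/autodiscover/autodiscover.xml, then a plain-HTTP redirect check on autodiscover.domain2.com, then the _autodiscover._tcp.domain2.com SRV record. The certificate is validated against the host name Outlook queried, so a CNAME or a wildcard A record that makes autodiscover.domain2.com resolve to the Exchange server yields a handshake whose server name is not on the certificate, whereas the SRV record hands Outlook the name exchange.domain.com, which is. The Python script below is an added example, not code from the thread, that models this walk against constructed zone data; the 203.0.113.10 address, the zone contents and the simplification of not following the HTTP-redirect step are assumptions of the example.

```python
"""Added example: Outlook's Autodiscover lookup order against a DNS zone.

Models the candidate sequence a non-domain-joined Outlook walks for an SMTP
domain and shows which host name the client ends up validating a certificate
against. The zone data and the address below are constructed for the example.
"""
from urllib.parse import urlsplit

# SANs on the server certificate, as described in the question.
CERT_SANS = {"mail.domain.com", "exchange.domain.com", "autodiscover.domain.com"}

# Constructed zones, keyed by (owner name, record type).
# Before: CNAME plus a wildcard A record for domain2.com, as in the thread.
ZONE_BEFORE = {
    ("autodiscover.domain2.com", "CNAME"): "exchange.domain.com",
    ("*.domain2.com", "A"): "203.0.113.10",
    ("_autodiscover._tcp.domain2.com", "SRV"): "exchange.domain.com",
    ("exchange.domain.com", "A"): "203.0.113.10",
}
# After: only the SRV record is left, as in the fix reached in the thread.
ZONE_AFTER = {
    ("_autodiscover._tcp.domain2.com", "SRV"): "exchange.domain.com",
    ("exchange.domain.com", "A"): "203.0.113.10",
}


def resolves(zone, name):
    """True if name has an address: directly, via a CNAME chain, or via a
    wildcard record at any enclosing level (simplified DNS wildcard rules)."""
    if (name, "A") in zone:
        return True
    if (name, "CNAME") in zone:
        return resolves(zone, zone[(name, "CNAME")])
    labels = name.split(".")
    return any(("*." + ".".join(labels[i:]), "A") in zone
               for i in range(1, len(labels)))


def walk_autodiscover(zone, smtp_domain, cert_sans=CERT_SANS):
    """Outlook's order for a client that cannot query AD for an SCP:
    1. https://<domain>/autodiscover/autodiscover.xml
    2. https://autodiscover.<domain>/autodiscover/autodiscover.xml
    3. http://autodiscover.<domain>/... (plain HTTP, expects a redirect;
       following the redirect is not modelled here)
    4. SRV _autodiscover._tcp.<domain>, then HTTPS to the SRV target
    Stops at the first candidate whose host resolves and records whether the
    name Outlook validates the certificate against is on the certificate.
    A CNAME target is irrelevant to that check: TLS validates the name that
    was queried, not the name it was aliased to."""
    candidates = [
        ("https root", f"https://{smtp_domain}/autodiscover/autodiscover.xml"),
        ("https autodiscover", f"https://autodiscover.{smtp_domain}/autodiscover/autodiscover.xml"),
        ("http redirect", f"http://autodiscover.{smtp_domain}/autodiscover/autodiscover.xml"),
    ]
    trace = []
    for step, url in candidates:
        host = urlsplit(url).hostname
        entry = {"step": step, "host": host, "resolved": resolves(zone, host)}
        if entry["resolved"] and url.startswith("https://"):
            entry["cert_ok"] = host in cert_sans
        trace.append(entry)
        if entry["resolved"]:
            return trace
    target = zone.get((f"_autodiscover._tcp.{smtp_domain}", "SRV"))
    entry = {"step": "srv", "host": target,
             "resolved": target is not None and resolves(zone, target)}
    if entry["resolved"]:
        entry["cert_ok"] = target in cert_sans
    trace.append(entry)
    return trace


def certificate_warning(zone, smtp_domain, cert_sans=CERT_SANS):
    """True if the step Outlook settles on would present a certificate that
    does not carry the name the client connected to."""
    return walk_autodiscover(zone, smtp_domain, cert_sans)[-1].get("cert_ok") is False


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        last = walk_autodiscover(zone, "domain2.com")[-1]
        print(f"{label}: step={last['step']} host={last['host']} "
              f"warning={certificate_warning(zone, 'domain2.com')}")
```

Removing only the CNAME leaves the wildcard answering for autodiscover.domain2.com, which is exactly the second follow-up in the thread; removing both leaves the SRV record as the first candidate that resolves, and its target name is on the certificate. The name-mismatch warning is the client's only defence against a spoofed Autodiscover endpoint, and the response it protects carries the Outlook Anywhere proxy host and the Basic authentication setting, so the right fix is the one reached here, making the queried name and the certificate agree, rather than teaching users to click through. Adding the autodiscover.domainN.com names to the SAN certificate, as suggested earlier in the thread, is the other way to make them agree.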

Expert Comment

by:Will Szymkowski
Perfect, glad that it is resolved.

Will.

Expert Comment

by:hecgomrec
Please note that any computer will need an address where it can find yourdomain#.com.

If you have DNS records for all your domains pointing to the same device (internal and external), you should not have problems.