Outlook Anywhere Certificate Warnings

We have an Exchange 2010 server.  We have a public SAN SSL Certificate covering mail.domain.com, exchange.domain.com, autodiscover.domain.com.  We have 1 internal AD domain - domain.com.  The Exchange server is called Exchange, so the Certificate covers internal and external usage.  No problems using it for ActiveSync or OWA.  The problem is Outlook Anywhere.  We have a dozen email domains.  So if a user's email address is user1@domain2.com, when running Outlook Anywhere they use the SAN SSL Certificate, but get a warning because autodiscover.domain2.com is not listed in the Certificate.  I do not want to buy certificates for every email domain.  Is there any way around this?  When we set up Outlook Anywhere, the server name is Exchange and the proxy server is exchange.domain.com.  Nowhere in the setup do we put anything about domain2.com, other than that it is the user's email address.
pcservne asked:
Will Szymkowski (Senior Solution Architect) commented:
That is correct. You can use Autodiscover or strictly the Outlook Anywhere URL.

Will.

Will Szymkowski (Senior Solution Architect) commented:
We have a dozen email domains.  So if a user's email address is user1@domain2.com, when running Outlook Anywhere they use the SAN SSL Certificate, but get a warning because autodiscover.domain2.com is not listed in the Certificate

Not sure how you are getting a cert issue? Typically what you would do is you have autodiscover.domain.com and mail.domain.com (being the external facing SMTP domain). You said that you have multiple domains within Exchange, like accepted domains? You would then have multiple email address policies to accommodate all of the accepted domains and which users inherit which domains.

If this is correct so far, this should not create a certificate issue. Cert issues happen when the virtual directory URL domain names are different than what is presented on the cert.

For example
if you have a cert for mail.domain.com and SAN DNS names for autodiscover.domain.com and mail.domain.com, your virtual directories' External URL should be like https://mail.domain.com/owa, https://mail.domain.com/autodiscover/ews/exchange.asmx, etc...

Also, if you have a split DNS configuration you can also use the external domain name on the internal URL once you have configured your DNS zones properly.

So all of that said I am not sure how you are getting a cert error.

What servers are you connecting to for Outlook Anywhere and what are the external virtual directories configured as?

Will.

pcservne (author) commented:
I'm not sure why I'm getting the error either - hence the question.

We only have 1 Exchange server hosting all the roles.  We have a SANS Certificate with mail.domain.com, exchange.domain.com, and autodiscover.domain.com.  The virtual directories are correct - https://exchange.domain.com.  OWA works fine.  When setting up a user whose email is user@domain2.com, every time Outlook is opened it gives a Certificate warning saying autodiscover.domain2.com isn't valid because the certificate it is looking at only contains autodiscover.domain.com.

Will Szymkowski (Senior Solution Architect) commented:
Where is autodiscover.domain2.com coming from? The URL is not correctly configured. Do you have multiple CAS servers in your environment? If so, you need to configure the same URLs on all CAS servers and ensure that you have them properly load balanced.

When you open Outlook using Outlook Anywhere, can you hold Ctrl and right-click the Outlook icon, run the Test E-mail AutoConfiguration, and ensure that your autodiscover is autodiscover.domain.com rather than autodiscover.domain2.com? Also, using the same method, you can check the connection status to see what servers your clients are connecting to.

You may also want to check the Outlook Anywhere setting within the Outlook client itself.

Will.

pcservne (author) commented:
It has to be getting autodiscover.domain2.com from the email address of the user being set up - user@domain2.com.  Nowhere else is there any reference to domain2.com.  Which URL is not correctly configured?  As I said in the previous post, only 1 server running all the roles.  https://exchange.domain.com is what I enter for the proxy server in Outlook.  The server name is just Exchange.  The autodiscover auto config works fine.  Here is the XML log.  The only reference to domain2.com is towards the top stating the AutoDiscoverSMTPAddress is support@domain2.com.  I couldn't copy & paste it, but the log tab is all trying to find the autodiscover.domain2.com DNS entries until the end, when the SRV record for autodiscover at domain2.com refers to exchange.domain.com.  (Autodiscover to https://domain2.com/autodiscover FAILED.  Autodiscover to autodiscover.domain2.com FAILED.  Local Autodiscover for domain2.com FAILED, etc.)

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Test Tester</DisplayName>
      <LegacyDN>/o=TMC/ou=First Administrative Group/cn=Recipients/cn=testt</LegacyDN>
      <AutoDiscoverSMTPAddress>support@domain2.com</AutoDiscoverSMTPAddress>
      <DeploymentId>d2f1243e-b6e9-4ae0-bb78-d36aedb4c8c5</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHANGE.domain.com</Server>
        <ServerDN>/o=ABC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE</ServerDN>
        <ServerVersion>7383807B</ServerVersion>
        <MdbDN>/o=ABC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>EXCHANGE.domain.com</PublicFolderServer>
        <AD>SERVER.domain.com</AD>
        <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://exchange.domain.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://exchange.domain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://exchange.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://exchange.domain.com/OAB/3da1a7b5-c3ee-4f8b-be05-693148d156c9/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>exchange.domain.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://exchange.domain.com/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://exchange.domain.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://exchange.domain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://exchange.domain.com/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://exchange.domain.com/OAB/3da1a7b5-c3ee-4f8b-be05-693148d156c9/</OABUrl>
        <CertPrincipalName>msstd:exchange.domain.com</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Ntlm, Fba, WindowsIntegrated">https://exchange.domain.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://exchange.domain.com/OWA/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://exchange.domain.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

Will Szymkowski (Senior Solution Architect) commented:
How do you have the user getting the smtp address of domain2.com? Do you have multiple accepted domains on your Exchange Server? Then associating them with Email address policies?

Will.

pcservne (author) commented:
Yes - just like you said. When I configure Outlook I put support in as the username and it changes it to support@domain2.com, which is that user's reply-to address. As I said, we have 12 email domains and they all do the same thing.

Will Szymkowski (Senior Solution Architect) commented:
I have actually just tested this out with a different SMTP domain which is not the default, using Outlook Anywhere, and I did not have any cert issues like you are experiencing. I guess what you could do ultimately is add the domain names you have internally to your SAN cert DNS names. That should resolve the cert error. However, this should not happen.

Will.

pcservne (author) commented:
Did you test Outlook Anywhere on a PC that was a domain member or not?  It seems I only get the Certificate Warnings on non-domain PCs.  I know this should not happen, which is the point of asking the question.

Will Szymkowski (Senior Solution Architect) commented:
I did this on my home PC which is not on the domain.

"I know this should not happen, which is the point of asking the question"
I really can only go from what you have provided in regards to info. I can provide assistance with regards to where to look, i.e. URLs, certs, etc., but ultimately you know how your environment is set up.

Have you tried the Outlook/autodiscover tests using the Microsoft Connectivity Analyzer?
https://testconnectivity.microsoft.com/

This should show if you in fact have a cert error with the account you are using.

Will.

pcservne (author) commented:
No errors on the Microsoft Connectivity Analyzer.  Why does Outlook Anywhere even rely on Autodiscover when you manually configure it?  Wouldn't Outlook Anywhere work even if you didn't have Autodiscover setup?

pcservne (author) commented:
I guess I solved it by removing the autodiscover CNAME DNS records for the domains. Autodiscover still seems to be working because I left the SRV DNS records for autodiscover that all point to exchange.domain.com, and I no longer get the certificate warnings. Seems like there should be some other way to fix it, but unless anyone has a better idea, it'll have to do.

pcservne (author) commented:
I also had to remove the * (or "any") DNS A records, or autodiscover.domain#.com would still resolve.
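The behaviour behind the author's fix, as an added example (Python written for this edit; not code from the thread, from Microsoft, or from either participant): a non-domain-joined Outlook client walks the lookup order the Test E-mail AutoConfiguration log above shows (https://<smtpdomain>/autodiscover/autodiscover.xml, then https://autodiscover.<smtpdomain>/..., then the SRV record; the AD SCP lookup and the port-80 redirect probe are left out). If autodiscover.domain2.com resolves at all, whether through a CNAME or a wildcard A record, the server answers with a certificate that does not carry that name and the client raises the warning; if the name does not resolve, that step is skipped silently and the SRV record hands the client exchange.domain.com, which the certificate does cover. The DNS tables, the 203.0.113.10 address, the SAN list and the domain3.com zone are constructed for the example.

```python
"""Model of Outlook's Autodiscover host discovery and the TLS name check that
produces the certificate warning in this thread.  Added example; the DNS data,
addresses and certificate names below are constructed, not from the thread."""

from dataclasses import dataclass, field


@dataclass
class DnsZone:
    """Minimal DNS view: A records, CNAMEs, SRV targets and wildcard A records."""
    a: dict = field(default_factory=dict)           # name -> IPv4
    cname: dict = field(default_factory=dict)       # alias -> canonical name
    srv: dict = field(default_factory=dict)         # "_autodiscover._tcp.<domain>" -> target host
    wildcard_a: dict = field(default_factory=dict)  # zone -> IPv4 answering for *.<zone>

    def resolve(self, name):
        """Return the IPv4 a client would get for name, or None (NXDOMAIN)."""
        name = name.lower().rstrip(".")
        seen = set()
        while name in self.cname and name not in seen:  # follow the CNAME chain
            seen.add(name)
            name = self.cname[name].lower()
        if name in self.a:
            return self.a[name]
        # Simplified RFC 4592 wildcard: '*.zone' answers for any name below the
        # zone that has no explicit record of its own (the "any" record the
        # author had to remove).
        for zone, ip in self.wildcard_a.items():
            if name != zone and name.endswith("." + zone):
                return ip
        return None


def name_matches_cert(host, san_names):
    """Hostname check a TLS client applies to the certificate's SAN list.
    A '*.example.com' entry matches exactly one label, as Outlook and browsers do."""
    host = host.lower()
    for san in san_names:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count("."):
            if host.endswith(san[1:]):
                return True
    return False


def autodiscover_lookup(smtp_domain, dns, servers):
    """Walk the lookup order the thread's AutoConfiguration log shows.
    `servers` maps an IPv4 to the SAN list of the certificate that host presents
    on 443.  Returns (url_that_worked_or_None, list_of_certificate_warnings)."""
    warnings = []
    path = "/autodiscover/autodiscover.xml"
    # Steps 1 and 2: direct HTTPS to <domain> and to autodiscover.<domain>.
    for host in (smtp_domain, "autodiscover." + smtp_domain):
        ip = dns.resolve(host)
        if ip is None:
            continue  # no record at all: Outlook moves on without any prompt
        if not name_matches_cert(host, servers.get(ip, [])):
            # The server answered, but its certificate does not carry this name:
            # this is the warning the thread is about.  Recorded as a failed
            # step, which is how the author's log reports it.
            warnings.append(f"{host}: certificate lists {servers.get(ip, [])}")
            continue
        return f"https://{host}{path}", warnings
    # Step 3: the SRV record hands the client a host the certificate covers.
    target = dns.srv.get("_autodiscover._tcp." + smtp_domain)
    if target:
        ip = dns.resolve(target)
        if ip is not None and name_matches_cert(target, servers.get(ip, [])):
            return f"https://{target}{path}", warnings
    return None, warnings


# Constructed environment: one all-roles server and a SAN cert for domain.com names only.
SERVERS = {"203.0.113.10": ["mail.domain.com", "exchange.domain.com", "autodiscover.domain.com"]}


def before_fix():
    """DNS as the thread describes it before the change: an autodiscover CNAME
    for domain2.com, a wildcard A record for domain3.com, SRV records for both."""
    return DnsZone(
        a={"exchange.domain.com": "203.0.113.10", "autodiscover.domain.com": "203.0.113.10"},
        cname={"autodiscover.domain2.com": "exchange.domain.com"},
        wildcard_a={"domain3.com": "203.0.113.10"},
        srv={"_autodiscover._tcp.domain2.com": "exchange.domain.com",
             "_autodiscover._tcp.domain3.com": "exchange.domain.com"},
    )


def after_fix():
    """The same zones with the CNAME and wildcard A removed; only SRV remains."""
    dns = before_fix()
    dns.cname.clear()
    dns.wildcard_a.clear()
    return dns


if __name__ == "__main__":
    for label, dns in (("before", before_fix()), ("after", after_fix())):
        for dom in ("domain.com", "domain2.com", "domain3.com"):
            url, warns = autodiscover_lookup(dom, dns, SERVERS)
            print(f"{label:6} {dom:12} -> {url}  warnings={warns}")
```

Two caveats for anyone reproducing this outside the model. First, the SRV-only path is not prompt-free: because the SRV target is in a different domain from the mailbox address, Outlook asks once whether to allow that website to configure the account; that is a redirect consent prompt, not a certificate error, and it is not what the thread describes. Second, check the real zone from a client's point of view rather than from the server (nslookup -type=SRV _autodiscover._tcp.domain2.com and nslookup autodiscover.domain2.com against the public resolver), since a wildcard A record will make the second query succeed even with every explicit autodiscover record deleted.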
 
Will Szymkowski (Senior Solution Architect) commented:
Perfect, glad that it is resolved.

Will.

hecgomrec commented:
Please note that any computer will need an address where to find yourdomain#.com.

If you have DNS records for all your domains pointing to the same device (internal and external) you should not have problems.