Autodiscover error Outlook 2010 SBS 2011 third party certificate

Hi, I am having issues with Autodiscover: SBS 2011, Outlook 2010, internal domain, third-party cert, only some users.

I made simple changes to these users in Exchange Management Console, then they started getting cert errors in Exchange.

They were simple changes like adding a second alias email or sharing an email or deleting an alias, nothing that should cause an error. Attached is the cert error. When opening Outlook it seems to find an old cert that does not exist on the server. Press yes to cert error and Outlook works fine.

If I log on as the same user on another PC, no cert error, logs in fine. Seems only certain users on certain PCs.

OWA works fine

I'm thinking there might be an external DNS or SRV issue, or something is just messed up.

I went here
https://testconnectivity.microsoft.com/ and below is my autodiscovery results


 The Microsoft Connectivity Analyzer is attempting to test Autodiscover for emailaddress@ domain.com.
  Testing Autodiscover failed.
 
 Additional Details
 
Elapsed Time: 1149 ms.  

 
 
 Test Steps
 
 Attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
 
 Additional Details
 
Elapsed Time: 1149 ms.  

 
 
 Test Steps
 
 Attempting to test potential Autodiscover URL https://domain.com:443/Autodiscover/Autodiscover.xml 
  Testing of this potential Autodiscover URL failed.
 
 Additional Details
 
Elapsed Time: 311 ms.  

 
 
 Test Steps
 
 Attempting to resolve the host name domain.com in DNS.
  The host name resolved successfully.
 
 Additional Details
 
IP addresses returned: 50.62.135.66

Elapsed Time: 59 ms.  

 

 Testing TCP port 443 on host domain.com to ensure it's listening and open.
  The port was opened successfully.
 
 Additional Details
 
Elapsed Time: 65 ms.  

 

 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
 Additional Details
 
Elapsed Time: 186 ms.  

 
 
 Test Steps
 
 The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server domain.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
 Additional Details
 
Remote Certificate Subject: CN=www.jazmarketingsslmessage.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

Elapsed Time: 137 ms.  

 

 Validating the certificate name.
  Certificate name validation failed.
 
 Additional Details
 
Host name domain.com doesn't match any name found on the server certificate CN=www.jazmarketingsslmessage.com, OU=Domain Control Validated.

Elapsed Time: 1 ms.  

 
 
 
 
 

 Attempting to test potential Autodiscover URL https://autodiscover. domain.com:443/Autodiscover/Autodiscover.xml
  Testing of this potential Autodiscover URL failed.
 
 Additional Details
 
Elapsed Time: 460 ms.  

 
 
 Test Steps
 
 Attempting to resolve the host name autodiscover. domain.com in DNS.
  The host name resolved successfully.
 
 Additional Details
 
IP addresses returned: correct public Ip

Elapsed Time: 145 ms.  

 

 Testing TCP port 443 on host autodiscover. domain.com to ensure it's listening and open.
  The port was opened successfully.
 
 Additional Details
 
Elapsed Time: 98 ms.  

 

 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
 Additional Details
 
Elapsed Time: 217 ms.  

 
 
 Test Steps
 
 The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover. domain.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
 Additional Details
 
Remote Certificate Subject: CN=mail. domain.com, OU=Domain Control Validated - QuickSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)14, OU=GT29813719, Issuer: CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US.

Elapsed Time: 169 ms.  

 

 Validating the certificate name.
  Certificate name validation failed.
 
 Additional Details
 
Host name autodiscover. domain.com doesn't match any name found on the server certificate CN=mail. domain.com, OU=Domain Control Validated - QuickSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)14, OU=GT29813719.

Elapsed Time: 1 ms.  

 
 
 
 
 

 Attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
 
 Additional Details
 
Elapsed Time: 292 ms.  

 
 
 Test Steps
 
 Attempting to resolve the host name autodiscover. domain.com in DNS.
  The host name resolved successfully.
 
 Additional Details
 
IP addresses returned: correct public IP

Elapsed Time: 16 ms.  

 

 Testing TCP port 80 on host autodiscover. domain.com to ensure it's listening and open.
  The port was opened successfully.
 
 Additional Details
 
Elapsed Time: 107 ms.  

 

 The Microsoft Connectivity Analyzer is checking the host autodiscover. domain.com for an HTTP redirect to the Autodiscover service.
  The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
 
 Additional Details
 
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
HTTP Response Headers:
Connection: close
Content-Encoding: identity
Accept-Ranges: none
Content-Length: 0
Content-Type: text/plain
Date: Fri, 17 Jul 2015 04:56:49 GMT
Server: IST OIS


Elapsed Time: 168 ms.  

 
 
 

 Attempting to contact the Autodiscover service using the DNS SRV redirect method.
  The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
 
 Additional Details
 
Elapsed Time: 42 ms.  

 
 
 Test Steps
 
 Attempting to locate SRV record _autodiscover._tcp. domain.com in DNS.
  The Autodiscover SRV record wasn't found in DNS.
 
 Additional Details
 
Elapsed Time: 42 ms.  

 
 
 

 Checking if there is an autodiscover CNAME record in DNS for your domain ' domain.com' for Office 365.
  Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
 
 Additional Details
 
There is no Autodiscover CNAME record for your domain ' domain.com'.

Elapsed Time: 42 ms.  
 
any help would be greatly appreciated thanks.
jduczmanAsked:
Justin YeungSenior Systems EngineerCommented:
2 things you will need to fix

first
 Test Steps
     The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server domain.com on port 443.
   The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
     Additional Details
   
 Remote Certificate Subject: CN=www.jazmarketingsslmessage.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

Your cert doesn't have a SAN with autodiscover.yourdomain.com, or your cert is not a wildcard cert.

To resolve this issue:
1. Get a cert with the name above and apply it to your Exchange server.
2. Create an SRV record _autodiscover._tcp.yourdomain.com and target it to a name that the cert contains.

second

 Test Steps
     Attempting to test potential Autodiscover URL https://domain.com:443/Autodiscover/Autodiscover.xml 
   Testing of this potential Autodiscover URL failed.

The URL www.yourdomain.com/autodiscover/autodiscover.xml is not valid.

https://technet.microsoft.com/en-us/library/Bb201695(v=EXCHG.141).aspx

set your autodiscover URL to www.yourdomain.com/autodiscover/autodiscover.xml
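
An added example, not part of the original thread and not code from any Microsoft tool: the certificate name check that the analyzer output above reports, applied to each host an Autodiscover client reaches over HTTPS (the port 80 redirect step carries no certificate and is left out). The `example.com` names and the `SERVED` table are constructed to mirror the report.

```python
# Added example: hostname-vs-certificate-name check for Autodiscover hosts.
# All hostnames and certificate names below are constructed sample data.

def name_matches(host, pattern):
    """Compare a hostname with one certificate name (CN or SAN dNSName).
    A '*' is honoured only as the entire left-most label and covers exactly
    one label, so *.example.com matches a.example.com but not example.com."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    head, _, rest = pattern.partition(".")
    host_head, _, host_rest = host.partition(".")
    return head == "*" and rest.count(".") >= 1 and bool(host_head) and host_rest == rest


def candidate_hosts(email, srv_target=None):
    """HTTPS hosts tried for this address, in the order the report shows:
    the mail domain, autodiscover.<domain>, then an SRV target if published."""
    domain = email.rsplit("@", 1)[1].lower()
    hosts = [domain, "autodiscover." + domain]
    if srv_target:
        hosts.append(srv_target.lower())
    return hosts


def check(email, served_certs, srv_target=None):
    """Return {host: True/False/None}; None means no certificate was observed."""
    result = {}
    for host in candidate_hosts(email, srv_target):
        names = served_certs.get(host)
        result[host] = None if names is None else any(name_matches(host, n) for n in names)
    return result


# Constructed sample mirroring the report: the bare domain is a web host with
# an unrelated certificate, and the Exchange server presents CN=mail.<domain>.
SERVED = {
    "example.com": ["www.unrelated-webhost.example"],
    "autodiscover.example.com": ["mail.example.com"],
    "mail.example.com": ["mail.example.com"],
}

if __name__ == "__main__":
    print(check("user@example.com", SERVED))
    print(check("user@example.com", SERVED, srv_target="mail.example.com"))
```

Both default hosts fail the name check with this data, while an SRV target of `mail.example.com` passes because it equals a name on the certificate.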
jduczmanAuthor Commented:
Thanks Justin,

I will let you know once I have a chance to make some of these changes.
jduczmanAuthor Commented:
I solved the issue. What was causing it is that I removed old users and mailboxes from the SBS server.

When I share someone's email I do it from the EMC; their old I.T. guy shared emails through Outlook - More Settings - Advanced.

So the removed users were still added in Outlook even though they no longer existed on the SBS server.

As soon as I removed them from Outlook the Autodiscover mismatch cert error went away.

Thank you everyone for your time.

Justin YeungSenior Systems EngineerCommented:
So the issue is the old user mailbox, whose primary email address domain probably doesn't match your cert/autodiscover.

anyway glad that you found the issue.
jduczmanAuthor Commented:
Hey Justin,

The old user had the exact same email domain,

When I ran the Outlook - Test E-mail AutoConfiguration it said autodiscover was successful.

But the cert error was still popping up every time Outlook was opened.

But when I went here https://testconnectivity.microsoft.com/ test failed.

Soon as I removed the Outlook shared added user from Outlook that no longer existed on the SBS exchange server the cert error went away.

The cert error never popped up when the old user existed on the sbs exchange server and was added as shared user in Outlook.
Justin YeungSenior Systems EngineerCommented:
so what if you run test outlook connectivity again?
jduczmanAuthor Commented:
I will try that and let you know the results. I will have to do it remotely tonight or tomorrow when I am there, as I only go there once a week.
jduczmanAuthor Commented:
The Autodiscovery test in outlook passes and no certificate error pops up.

https://testconnectivity.microsoft.com/ this test still fails all autodiscover tests.

But everything is working fine, and there are no certificate errors.

The cert error did not start popping up until I deleted users from exchange.
 
and above is the reason why.
jduczmanAuthor Commented:
Because I was duped looking in the wrong direction, I spent many hours looking in the wrong direction even after speaking to experienced techs. And I am sure others will run into this situation also, and this might be the reason why.

Also, doesn't the solution that solved the problem have to be marked as the Accepted Solution? I am a green newbie.