nigelbeatson
asked on
certificate errors in local outlook 2016 startup
I wonder if anyone can assist in improving my understanding of how certificates work with Exchange and Outlook 2016?
I have broached this before, but I have not managed to fully understand what is going wrong.
When we install Exchange 2016 and then Outlook 2016, just using the certificates generated by the system, we get a certificate warning on starting Outlook 2016, asking whether we trust the Exchange 2016 server. We can import the certificate, and all is well.
We also get a warning when accessing OWA externally, because we don't have a suitable SSL certificate installed, which I understand.
However, we have just purchased a suitable SAN for our Exchange server, and having installed it, we resolve the external certificate error, as that now works fine, but we now get a local error when opening Outlook, as follows:-
I have tried importing the certificate again, but this time, although it says it completed OK, each and every time we start up Outlook 2016, we get the same warning.
I presume that I am doing something fundamentally wrong here, as I can't believe it should be this difficult to get a local copy of Outlook to trust its own local server??
People have mentioned split DNS in the past, but is there a simpler way to make sure that we don't get this issue in the first place, particularly with new installations?
Have we got the correct type of SSL / SAN? Can we add an SSL certificate for the local connection, and can we just generate this from our server?
Can we rename our server to match the external SAN?
Can we get the local copy of Exchange to use the same URL as our external connection?
I know it's my lack of understanding that is causing this issue, so if anyone can assist in improving this, I would be extremely grateful, as I now have 2 networks displaying the same behaviour.
Many thanks.
ASKER
Thanks for your reply
I have checked through the list of things and can confirm that:-
I have created a new zone for domainname.co.uk and added both remote and autodiscover A host records.
I have reloaded the zone.
IIS is enabled for the SAN.
Both autodiscover.domainname.co.uk and remote.domainname.co.uk are covered by the SAN we have installed from GeoTrust.
I have checked that the internal and external URLs within the ECP are set to remote.domainname.co.uk, including the OAB, OWA and ECP. Others left as is.
I can also confirm that OOF is set to the local URL, i.e. OOF URL: https://exch2016.domainname.local/EWS/Exchange.asmx
We are using Outlook 2016 and I am unsure as to whether this needs changing, and whether this is the cause of our warning. If so, how is it done with Outlook / Exchange 2016?
Very confused about this.
Can anyone help further?
ASKER
I have just checked the document suggested and can see that :-
[PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
AutoDiscoverServiceInternalUri : https://exch2016.xxx.local/Autodiscover/Autodiscover.xml
I presume this is the problem, as we are finding the local name, not the name we are using with our SAN.
I have copied the command suggested to change this, changing the URL to ours but getting an error so far. Will continue to try this.
Can we not change this within the ECP instead?
ASKER
Sorry, our posts crossed. Will check out your new document.
Thanks
ASKER
Thanks MAS.
I went through the documents step by step. set all of the internal and external urls as suggested.
Ran all of the shell commands as suggested, which complete OK
I have restarted the workstation we are testing, but we still have the same problem.
I can see that the OOF described in the test email auto configuration is still showing the local name.
What can I do next?
Any help very much appreciated.
ASKER
We now get :-
[PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
AutoDiscoverServiceInternalUri : https://autodiscover.domainname.co.uk/Autodiscover/Autodiscover.xml
which looks OK to me, but we still get the warning on starting outlook.
Any help very much appreciated??
Please post the result of these commands
Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
Get-MapiVirtualDirectory -Identity "EX01\mapi (Default Web Site)" | fl server, internalurl, externalurl
Get-EcpVirtualDirectory "EXCH01\ECP (Default Web Site)" | FL InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory "EXCH01\EWS (Default Web Site)" | FL InternalUrl,ExternalUrl
Get-OabVirtualDirectory "EXCH01\OAB (Default Web Site)" | fl InternalUrl,ExternalUrl
Get-OutlookAnywhere -Server EXCH01
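The commands above check one URL at a time. The script below is an added example, not from this thread or from Microsoft, that runs the same checks in one pass: it gathers every client-facing URL Autodiscover hands to Outlook (the Autodiscover URI, the OAB, EWS, MAPI, ECP and OWA virtual directories, and the Outlook Anywhere hostnames), extracts each hostname and tests it against the names carried by the certificate that is enabled for IIS. It assumes it is run from the Exchange Management Shell on the Exchange server itself; Test-NameCovered is the example's own helper.

```powershell
# Added example (not from this thread or from Microsoft): audit the Exchange
# client-access URLs against the SAN names on the IIS-bound certificate.
# Assumes an Exchange Management Shell session on the Exchange server itself.
# Test-NameCovered is a helper written for this example.

$server = $env:COMPUTERNAME

# Pick the certificate that IIS actually serves (the one Outlook sees); if
# several are enabled for IIS, take the one that expires last.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for the IIS service on $server" }

# Every name the certificate covers: subject name plus SAN entries.
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry only covers a single label to its left.
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# Collect every URL Outlook can learn from Autodiscover. These are the values
# the thread checks by hand with Get-ClientAccessService and Get-*VirtualDirectory.
$urls = New-Object System.Collections.Generic.List[object]
$cas = Get-ClientAccessService -Identity $server
$urls.Add([pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri })

# The EWS virtual directory is also the OOF URL shown by Test E-mail AutoConfiguration.
$vdirs = @(Get-OabVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-MapiVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    $urls.Add([pscustomobject]@{ Source = "$($vd.Name) InternalUrl"; Url = $vd.InternalUrl })
    $urls.Add([pscustomobject]@{ Source = "$($vd.Name) ExternalUrl"; Url = $vd.ExternalUrl })
}

$oa = Get-OutlookAnywhere -Server $server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    $h = $oa.$prop
    $urls.Add([pscustomobject]@{ Source = "OutlookAnywhere $prop"; Url = $(if ($h) { "https://$h/" } else { $null }) })
}

# Report one row per URL. Any row with CoveredBySAN = False is a name the
# certificate does not carry, which is exactly what Outlook warns about.
$urls | ForEach-Object {
    if (-not $_.Url) {
        [pscustomobject]@{ Source = $_.Source; Host = '(empty)'; CoveredBySAN = $false }
        return
    }
    $hostName = ([uri]$_.Url).Host.ToLower()
    [pscustomobject]@{
        Source       = $_.Source
        Host         = $hostName
        CoveredBySAN = Test-NameCovered -Name $hostName -Domains $covered
    }
} | Format-Table -AutoSize
```

Run it once before and once after changing the URLs. An empty URL is reported as not covered on purpose: with no value set, clients fall back to the server's own FQDN, which a public SAN certificate does not include. Once every row shows True, remember the point Ivan makes later in this thread: the new URLs are not served until IIS has been restarted.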
ASKER
thanks mas
I will post them as soon as I get back to site in the morning. the office is now closed for the day.
ASKER
Here are the results of the commands requested, as follows :-
[PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
AutoDiscoverServiceInternalUri : https://autodiscover.DOMAINNAME.co.uk/Autodiscover/Autodiscover.xml
[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl Server,Name,internalurl,externalurl
Server : EXCH2016
Name : OAB (Default Web Site)
InternalUrl : https://remote.DOMAINNAME.co.uk/oab
ExternalUrl : https://remote.DOMAINNAME.co.uk/oab
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl name,internalurl,externalurl
Name : EWS (Default Web Site)
InternalUrl : https://remote.DOMAINNAME.co.uk/EWS/Exchange.asmx
ExternalUrl : https://remote.DOMAINNAME.co.uk/EWS/Exchange.asmx
[PS] C:\Windows\system32>Get-ClientAccessService | fl AutoDiscoverServiceInternalUri
Creating a new session for implicit remoting of "Get-ClientAccessService" command...
AutoDiscoverServiceInternalUri : https://autodiscover.DOMAINNAME.co.uk/Autodiscover/Autodiscover.xml
[PS] C:\Windows\system32>Get-MapiVirtualDirectory -Identity "EXch2016\mapi (Default Web Site)" | fl server, internalurl, externalurl
Server : EXCH2016
InternalUrl : https://remote.DOMAINNAME.co.uk/mapi
ExternalUrl : https://remote.DOMAINNAME.co.uk/mapi
[PS] C:\Windows\system32>Get-EcpVirtualDirectory "EXCH2016\ECP (Default Web Site)" | FL InternalUrl,ExternalUrl
InternalUrl : https://remote.DOMAINNAME.co.uk/ecp
ExternalUrl : https://remote.DOMAINNAME.co.uk/ecp
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory "EXCH2016\EWS (Default Web Site)" | FL InternalUrl,ExternalUrl
InternalUrl : https://remote.DOMAINNAME.co.uk/EWS/Exchange.asmx
ExternalUrl : https://remote.DOMAINNAME.co.uk/EWS/Exchange.asmx
[PS] C:\Windows\system32>Get-OabVirtualDirectory "EXCH2016\OAB (Default Web Site)" | fl InternalUrl,ExternalUrl
InternalUrl : https://remote.DOMAINNAME.co.uk/oab
ExternalUrl : https://remote.DOMAINNAME.co.uk/oab
[PS] C:\Windows\system32> Get-OutlookAnywhere -Server EXCH2016
RunspaceId : 7b9b268c-28d0-48cf-9396-b12e85b47cd6
ServerName : EXCH2016
SSLOffloading : True
ExternalHostname : remote.DOMAINNAME.co.uk
InternalHostname : remote.DOMAINNAME.co.uk
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
XropUrl :
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
MetabasePath : IIS://exch2016.domain.local/W3SVC/1/ROOT/Rpc
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.1 (Build 225.42)
Server : EXCH2016
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH2016,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : EXCH2016\Rpc (Default Web Site)
Guid : f1980f39-c81f-4350-bf78-8452e48c1bf1
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 24/05/2016 13:33:23
WhenCreated : 13/05/2016 15:20:28
WhenChangedUTC : 24/05/2016 12:33:23
WhenCreatedUTC : 13/05/2016 14:20:28
OrganizationId :
Id : EXCH2016\Rpc (Default Web Site)
OriginatingServer : 2012serv.domain.local
IsValid : True
ObjectState : Changed
Does this reveal anything?
Many thanks,
Hi,
Have you restarted IIS on Exchange after you made changes to those services?
From cmd> iisreset /noforce
Regards,
Ivan.
Thanks Ivan for pointing the missed part.
Please restart IIS using the command above.
ASKER
No, I had not, however, when I just did, we got :-
[PS] C:\Windows\system32>iisreset /noforce
Attempting stop...
Restart attempt failed.
The service did not respond to the start or control request in a timely fashion. (2147943453, 8007041d)
[PS] C:\Windows\system32>
Would a server restart be required?
Hi,
No, don't restart the server. Try again with iisreset, or go to Services and restart IIS from there.
Sometimes it takes a bit more time to restart IIS, and that is why you get a timeout. If you try a few times, or go to Admin Tools and restart IIS from there, it will work.
ASKER
Is that the IIS Admin service?
ASKER
I thought that had cured it, but the same warning popped up a couple of minutes after Outlook started and connected to the Exchange server.
How frustrating.
How can I pinpoint why this is occurring? Any suggestions?
Do I need to run flushdns on each workstation?
ASKER
Tried flushdns, but it has not helped.
Any advice VERY much appreciated.
Thanks
ASKER
So sorry for the delay in responding to this incident, but we have a rather strange situation where 20 of the 30 workstations have Outlook starting as it should and around 10 of them still get the dreaded security certificate warning.
any suggestions?
many thanks
Try to create a new profile for the problematic users.
ASKER
I'm not sure what happened to this incident. I am trying to locate the initial reply from MAS to award points to, and I can't see it anymore?
The first response detailed above from Seth refers to it, but it's just missing?
Can you re-post it?
many thanks
ASKER CERTIFIED SOLUTION
ASKER
Many thanks to all.
You need to change the Exchange URLs to match your external domain suffix.
See my comment in the second link MAS posted.