aangerson
asked on
Exchange Server 2016 certificate error
Please read all details before posting a solution as I have seen many that do not fix the issue.
I am in the process of migrating from Exchange 2010 to 2016.
I have 2 Exchange 2016 servers up and running and have migrated some test mailboxes. Mail flow works no problem, and webmail works with no certificate errors, but when the client opens Outlook 2010 they receive this error both internally and externally. I have the proper patches applied to Outlook, as this error happens with other versions of Office/Outlook.
"There is a problem with the proxy server's security certificate. Error code 10."
I am aware that this error seems to be coming from the proxy settings in Outlook, which is currently resolving to the internal server name, Server.XXXX.com.
I currently have a valid third-party certificate installed on the 2016 server for Webmail.XXXX.com and have all of the virtual directories pointing to this address.
I do have the settings for Outlook Anywhere set to internal - Server.XXXX.com and external to the webmail address, as I have read this is how it should be configured.
Also, I have tested changing the external to Webmail.XXX.com and still receive the error.
I believe the issue is with the check box in Outlook that says "Only connect to proxy servers that have this principal name in the certificate", which is the internal server name.
Do I need to add the internal servers to the published certificate?
Any help is appreciated.
Hi,
Just to add to @Tom Cieslik's reply:
If you choose to go that way, make sure to create ALL DNS records in that zone, as you have them on the public DNS server. If you forget to add a record for some website or something that you have in public DNS, then computers in your LAN will never be able to get to it, since they will ask only your private DNS server.
Regards,
Ivan.
@Ivan
Yes, but that's only if you're using the same certificate to get to your website. If not, then there is no point adding ALL of them to the certificate, since it is going to be used only for Exchange.
Hi,
@Tom Cieslik
Maybe I was not clear :) I don't mean to add names to the certificate, but to add names to the internal DNS zone that you have created.
If you don't add names to the internal zone, and you have some additional names in the public DNS zone, then your internal users won't be able to get to those resources, sites...
Regards,
Ivan.
ASKER
Tom and others,
Thanks for your reply. I am a bit confused though, so I'll provide more details as this may help. I have a split DNS, internal/external.
I am running 2016 (2 servers with DAG) and 2010 in coexistence, as I am going to start moving mailboxes to the 2016 servers once the error is resolved. As it stands, the DNS records are set as the following.
Webmail.XXX.com points to the 2016 server - both internal and external records; mobile devices use this address to connect.
Autodiscover.XXX.com points to the 2016 server - both internal and external records.
I have set ALL of the virtual directories' internal and external configuration to Webmail.XXX.com (per Viral's comment above). I currently own a third-party certificate for webmail which has been configured on both 2016 Exchange servers.
The only virtual directory that has the internal setting set to Server.XXX.com is Outlook Anywhere. Due to the error that I am receiving, I have tested changing this to webmail.xxx.com, as the message I am receiving states that it is looking for webmail. This did not resolve the issue.
According to Symantec support, who we buy our certificates from, you can add Server.XXX.com to the existing certificate; it's called a replacement.
I don't understand how creating a reverse DNS is going to solve the issue, and I also already have the webmail record configured. If you can, please explain in more detail.
Don't worry, there is no need to add domain.xxxx.com to the certificate; the certificate warning is expected.
See, in our case we don't have autodiscover.xxxxx.com in our certificate; we have webmail.xxxx.com in our certificate.
So now when you are starting Outlook, Autodiscover is not getting the name in the certificate, so we are getting the certificate warning.
While creating SRV records, the host offering the service should be webmail.domain.com.
Externally also you have to create SRV records.
The following records must be there in external DNS.

Previously:

FQDN                      DNS record type   Value
domain.com                MX                Mail.domain.com
mail.domain.com           A                 172.16.10.11
autodiscover.domain.com   A                 172.16.10.11 (deleted)

After creating SRV records:

FQDN                      DNS record type   Value
domain.com                MX                Mail.contoso.com
mail.domain.com           A                 172.16.10.11
mail.domain.com           SRV               _autodiscover
Since you need a detailed explanation, please refer to the following article, which shows how Autodiscover works and why you need to create SRV records, with information to fix this issue:
https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/
ASKER
So as it turns out, I was able to add Webmail.xxx.com to the Outlook Anywhere internal setting and that seemed to resolve the issue. Thanks for your assistance.
ASKER
Thanks Viral. Both internal and external Outlook Anywhere servers need to be the same.
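The resolution the asker arrived at, as an added example for the Exchange Management Shell (this is not code from the thread): list the names the IIS-bound certificate actually covers, compare them with the Outlook Anywhere host names, and set both host names to the certificate name. webmail.xxx.com follows the thread; the server name EX2016-01 is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# an Exchange 2016 server. 'EX2016-01' is a placeholder server name.

# 1. Which DNS names does the certificate bound to IIS (OWA / Outlook Anywhere) cover?
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
$iisCert | Select-Object Thumbprint, Subject, CertificateDomains, NotAfter
$certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# 2. Which principal names are Outlook Anywhere clients told to expect?
#    Error code 10 is the client refusing a proxy whose certificate lacks that name.
Get-OutlookAnywhere |
    Select-Object Server, InternalHostname, ExternalHostname,
                  InternalClientsRequireSsl, ExternalClientsRequireSsl

# 3. Report every Outlook Anywhere host name that the certificate does not contain.
Get-OutlookAnywhere | ForEach-Object {
    foreach ($name in @($_.InternalHostname, $_.ExternalHostname)) {
        if ($name -and ($certNames -notcontains "$name".ToLower())) {
            Write-Warning "$($_.Server): '$name' is not in the IIS certificate"
        }
    }
}

# 4. The fix from the thread: make both host names match the certificate name.
Get-OutlookAnywhere -Server 'EX2016-01' |
    Set-OutlookAnywhere -InternalHostname 'webmail.xxx.com' `
                        -InternalClientsRequireSsl $true `
                        -ExternalHostname 'webmail.xxx.com' `
                        -ExternalClientsRequireSsl $true `
                        -ExternalClientAuthenticationMethod Negotiate
```

Step 3 does a literal name comparison, so a wildcard certificate will be reported as a mismatch even though Outlook accepts it; recycle the MSExchangeRpcProxyAppPool or wait for the configuration to refresh before retesting an Outlook profile after step 4.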
Name it like your external email server (same as in the certificate), for example exchange.mydomain.com.
Inside, create an A record and point it to your local Exchange IP address.
Create a second forward lookup zone autodiscover.yourlocaldoma
Inside leave only your DNS (or more if you have more),
like
(same as parent folder) Name Server (NS) dnsserver.yourdomain.local
This will allow you to ping your local Exchange using the external name from inside and ask your local DNS server(s) about the connection.
Try to go to local OWA from inside using the external address and check if there is a certificate error.
Then create a new profile in Outlook. In the proxy setting use (external name) https://exchange.yourdomain.com and in the SSL connector use the same address msstd:exchange.yourdomain.
This is my setup and it is working with no problem.
I hope that inside your certificate you have all your names registered:
exchange.yourdomain.com
autodiscover.yourdomain.com
and you have an A record in external DNS for autodiscover and the Exchange server pointing to your external IP, and also you have an SPF record pointed to your Exchange name, i.e. the MX IP address.
It should work now.