Torrey Bates asked:
Exchange email setup on mobile devices pulling wrong cert and failing to setup account

I cannot get Exchange email accounts set up on any mobile device like Android or iOS devices.

OWA internal/external and internal Outlook clients work flawlessly - zero issues.

The mobile devices keep saying "The name of the site does not match the name on the certificate". When I view the details, it says the RapidSSL SHA256 CA-G3 cert is from wpengine. That's coming from where our web site is hosted, and it doesn't even have an SSL cert; going to https://ourdomain.com says not secure.

Our Exchange Cert is a GoDaddy Secure Certificate Authority - G2.

Here is how we are set up:

Our email is hosted at web.com
Our web site is hosted at a 3rd party who uses wordpress
Our DNS is managed at Network Solutions

We have an internal 2016 Exchange Server that has:

- our router port 443 forwarding to our internal 2016 Exchange Server static IP
- the GoDaddy cert installed
- we use a product called POPCON to pull down mail from our mail host web.com and deliver it to Exchange user mailboxes
- OWA and Outlook working internal and external, zero issues

Here is our DNS setup at Network Solutions:

A records:
www                        - points to static IP address where our web site is hosted
@ (none)                   - points to static IP address where our web site is hosted
* (all others)             - points to static IP address where our web site is hosted
autodiscover.ourdomain.com - points to our building's static IP
remote.ourdomain.com       - points to our building's static IP (this is how we get to OWA)

MX Record:
points to "inbound.registeredsite.com" - this works, we get mail.

SRV Record:
points to service: "_autodiscover", protocol: "_tcp", port: "443", target: "remote.ourdomain.com."

CNAME records:
we have them for ftp, imap, pop and smtp - not affecting this.

If I go to https://ourdomain.com/autodiscover/autodiscover.xml it takes me to that wordpress cert.

If I go to https://autodiscover.ourdomain.com it takes me right to our OWA and works. Our users actually use https://remote.ourdomain.com/owa and that works great.

I did the https://testconnectivity.microsoft.com test and get no errors. It even shows our correct internal static IP where our Exchange Server 2016 is and where our GoDaddy SSL cert is installed.

Why are all mobile devices failing? Why do they try to go to our web site cert that we don't even have, and not see the autodiscover, SRV and remote.ourdomain.com records correctly to resolve?

I can't point the all-other-traffic DNS record to our Exchange Server because then our web site is only accessible by typing the full www.ourdomain.com. Just typing domain.com breaks - it tries to go to our Exchange Server. Very few people type www. in front of a web site when they go to it.

Any help would be greatly appreciated in resolving this issue, thank you!

Regards,
Torrey
Kumar K
Hello Torrey,

This is a common issue with Autodiscover root domain lookup.
Note: basically, the ActiveSync Autodiscover client lookup process is as follows:

1) The client sends an Autodiscover request to https://domain.com/autodiscover/autodiscover.xml

2) Then the client will look up https://Autodiscover.domain.com/autodiscover/autodiscover.xml

3) GET http://Autodiscover.domain.com/autodiscover/autodiscover.xml; it will redirect to the https:// URL set on IIS (note that this is a non-SSL endpoint)

4) The client performs a DNS query for an SRV record for _autodiscover._tcp.domain.com. The query might return multiple records. The client selects only records that point to an SSL endpoint and that have the highest priority and weight.

Most clients will handle an Autodiscover lookup failure gracefully (like the Remote Connectivity Analyzer) and move on to the next Autodiscover method.

But, for a random assortment of devices and applications, the root domain failure is interpreted as a complete Autodiscover failure, and the user is prompted to manually configure server details. This can occur when the root domain resolves to a web server (which is normally where it resolves to) that has HTTPS enabled and listening, but has an SSL certificate installed that doesn’t match the root domain name that the device is trying to connect to. This is very common when shared hosting is used to host multiple websites for different domains.

Regards,
Kumar
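The lookup order Kumar describes, as an added example that is not part of this thread: a Python model that walks the four Autodiscover candidates against a constructed table standing in for the asker's DNS and certificate layout (the ENDPOINTS and SRV tables and the wpengine.example names are assumptions, not real hosts or certificates), and shows how a client that treats the root-domain name mismatch as fatal never reaches the autodiscover record that works.

```python
# Constructed stand-in for the asker's layout (assumption, not real hosts or certs):
# the root name points at shared web hosting presenting the host's own names, while
# autodiscover.<domain> and the SRV target present the Exchange certificate's names.
ENDPOINTS = {
    "ourdomain.com": ["*.wpengine.example", "wpengine.example"],
    "autodiscover.ourdomain.com": ["remote.ourdomain.com", "autodiscover.ourdomain.com"],
    "remote.ourdomain.com": ["remote.ourdomain.com", "autodiscover.ourdomain.com"],
}
SRV = {"_autodiscover._tcp.ourdomain.com": "remote.ourdomain.com"}

def candidates(domain):
    """Order from the answer: root HTTPS, autodiscover HTTPS, HTTP redirect, SRV."""
    return [("https", domain), ("https", "autodiscover." + domain),
            ("http-redirect", "autodiscover." + domain),
            ("srv", "_autodiscover._tcp." + domain)]

def cert_matches(hostname, sans):
    """Hostname check a client performs: exact SAN, or a wildcard covering one label."""
    host = hostname.lower().split(".")
    for san in sans:
        labels = san.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False

def walk(domain, endpoints=ENDPOINTS, srv=SRV, strict=False):
    """Return (log, host): host is the first accepted endpoint, or None.
    strict=True models devices that treat the root-domain cert mismatch as fatal."""
    log = []
    for kind, target in candidates(domain):
        host = srv.get(target) if kind == "srv" else target
        if host is None or host not in endpoints:
            log.append((kind, target, "no record"))
            continue
        if kind == "http-redirect":  # plain-HTTP redirect not served in this layout
            log.append((kind, host, "no redirect configured"))
            continue
        if not cert_matches(host, endpoints[host]):
            log.append((kind, host, "certificate name mismatch"))
            if strict:
                return log, None
            continue
        log.append((kind, host, "ok"))
        return log, host
    return log, None
```

Running `walk("ourdomain.com")` reaches autodiscover.ourdomain.com on the second step, while `walk("ourdomain.com", strict=True)` stops at the root-domain mismatch, which is the behaviour the mobile devices in the question show.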
Jackie Man
You can try to ignore the warning of a wrong cert.

The easy answer is to go into the Advanced settings of the email account and make sure Accept All Certificates is checked. If that isn't checked, check it and try again. If it is checked and it's still not working, try the following:
Make sure your Android platform is fully up to date. If it isn't, update and try again.
Once you get to the point where the setup has connected to the server (but giving you the warning), you should be able to uncheck the Verify Certificate section in your incoming and outgoing settings.

Source: http://www.techrepublic.com/blog/tr-dojo/solutions-to-an-android-email-and-untrusted-server-certificate-problem/
Torrey Bates (asker):
Thank you!