djaycee
asked on
Get stuck in a certificate issue
Hi all,
This is our setup:
- Sonic Firewall TZ300
- Barracuda Email security
- Server 2012 r2 with Exchange 2016
Latest updates are installed.
OWA works fine, outlook anywhere works fine.
Application Symprex for email signatures has an error trying to connect locally
MigrationWiz for migrating mailboxes doesn't work either.
Checking testconnectivity.microsoft.com results in error. Contacted above application providers: could be the problem with autodiscover.
Error is:
Attempting to test potential Autodiscover URL https://autodiscover.domain.nl:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1860 ms.
Test Steps
Attempting to resolve the host name autodiscover.domain.nl in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 123.123.123.123 (correct of course)
Elapsed Time: 730 ms.
Testing TCP port 443 on host autodiscover.domain.nl to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 510 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 619 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.nl on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 595 ms.
Checked the certificate and that's ok.
Am really stuck right now. Any help please!
Thanks in advance.
Regards,
Hans
So when you configure outlook from Internet client using autodiscover does it give any error?
Also verify with your certificate vendor if your certificate is revoked for some reason.
Ideal configuration is working as expected so don't think issue is there with your Exchange setup.
Check with both vendors further what their requirements are to access the Exchange setup.
If you have HTTPS/SSL inspection enabled on this firewall rule then disable it and check.
I mean check all unified inspections are enabled on this firewall rule.
Can you check if your certificate is revoked by your vendor?
Can you get the complete result of the testconnectivity portal and give it to me as an attachment in text, without changing anything, to check more on this?
Or a test account if possible for you, to test it by myself. You can share creds in private message.
Please provide a test account creds.
No, I just need a standard account with minimum privileges. Just enable mailbox and all mailbox features like ActiveSync, OWA and Outlook, that's all.
Ping that creds in private message.
Ok, so I think I found issue.
You have published your autodiscover SRV record with wrong DNS name
Non-authoritative answer:
_autodiscover._tcp.ttabv.nl SRV service location:
priority = 100
weight = 1
port = 443
svr hostname = webmail.ttabv.nl.ttabv.nl
webmail.ttabv.nl.ttabv.nl internet address = 193.172.165.145
Correct it and then we will have another test. DNS changes will take few hours.
it should be webmail.ttabv.nl
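The SRV check from the reply above, as an added example that is not part of the original thread: it parses nslookup SRV output in the shape quoted there and flags a target host name that carries the zone suffix twice. The function names are hypothetical and the sample text is constructed from the values in the post.

```python
import re

# Constructed sample, shaped like the nslookup answer quoted in the thread.
SAMPLE = """\
Non-authoritative answer:
_autodiscover._tcp.ttabv.nl SRV service location:
          priority       = 100
          weight         = 1
          port           = 443
          svr hostname   = webmail.ttabv.nl.ttabv.nl
webmail.ttabv.nl.ttabv.nl internet address = 193.172.165.145
"""

FIELD = re.compile(r"\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)")
OWNER = re.compile(r"\s*(_\S+)\s+SRV service location:")


def parse_srv(text):
    """Return one dict per SRV answer found in nslookup output."""
    records, current = [], None
    for line in text.splitlines():
        m = OWNER.match(line)
        if m:
            current = {"owner": m.group(1).rstrip(".").lower()}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            key, val = m.groups()
            current[key] = int(val) if val.isdigit() else val.rstrip(".").lower()
    return records


def zone_of(owner):
    """Drop the _service/_proto labels to get the domain the record serves."""
    return ".".join(label for label in owner.split(".") if not label.startswith("_"))


def check_target(record):
    """Return (ok, name). A doubled zone suffix usually means the target was
    entered without a trailing dot, so the DNS server appended the zone."""
    zone = zone_of(record["owner"])
    target = record["svr hostname"]
    if target.endswith("." + zone + "." + zone):
        return False, target[: -len(zone) - 1]  # suggested corrected name
    return True, target


if __name__ == "__main__":
    for rec in parse_srv(SAMPLE):
        print(rec["owner"], rec["port"], check_target(rec))
```
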
Yes I tested but result is same.
Few things to check now:
1. Please paste result of this powershell from all CAS servers:
Get-ExchangeCertificate | ft -AutoSize
2. Do you have any HLB ahead of CAS servers?
3. Monitor Firewall traffic while running test over https://testconnectivity.microsoft.com. When traffic hits so is there anything which is getting blocked/denied by firewall.
ASKER
Solved it ourselves.
try opening this URL: https://autodiscover.domain.nl:443/Autodiscover/Autodiscover.xml on Internet connected computer (Not in Corporate LAN) and copy results here.
Note: you need to change domain in URL.