Outlook Clients continue to ask for Cert to be installed Exchange 2016

Exchange 2016 CU9 DAG 2 Node
Windows 2016 DataCenter
Outlook 2012/2016 clients.

After installing my DigiCert cert for Exchange my clients still keep asking to install the certificate

I continue to install the cert but every time we restart outlook i asks the same question  

any ideas
certissue1.PNG
certissue2.PNG
LVL 23
Thomas GrassiSystems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

timgreen7077Exchange EngineerCommented:
the first error just select the check box not to ask you again.
the second error I would suggest getting instructions from digicert site on installing the cert correctly to exchange.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim
It is installed on the exchange server correctly the helped me on the phone as I created the cert.

If client gets a different message

Some get the red x on the top message others get that as a green check

The second line all have green check

The third line some have a green check and other have a red check


Thoughts

Tom
0
timgreen7077Exchange EngineerCommented:
oh ok. if this was done during business hours just allow time for outlook to pick up the new cert.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Thomas GrassiSystems AdministratorAuthor Commented:
Tim

This have been going on for several weeks now

How long does it take outlook to pick up the cert?

I even tried manually added the cert to the desktop using MMC

It shows cert is installed

I am thinking it is something else?

Thanks

Tom
0
timgreen7077Exchange EngineerCommented:
have you assigned the services to the certs. it doesnt take that long.
0
timgreen7077Exchange EngineerCommented:
also do you have multiple exchange servers did you add the cert to all of the servers, and did you delete the old expired cert?
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Yes two Exchanges Servers this is a DAG with two Nodes.

Only have one cert and that is installed on both servers

Both servers have 4 other certs but the are all self signed certs  the same on both and the are still al valid

I think this might be the issue.

On Node 2 the Cert is not assigned to any services and it is the primary Node at the moment.

Am i on the right track ?

If so is there a command line to assign the same roles as node 1?

Thanks
Tom
certissue3.PNG
certissue4.PNG
0
timgreen7077Exchange EngineerCommented:
You need to assign the services to on all the exchange servers. Just go into the EAC and assign the services to the cert. The self-signed certs are fine, but you need to assign the services to the digicert cert. That will fix your issue.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Added the same services as Node1 on Node 2  

I went to a workstation running outlook 2016 close it started it I got both messages so on message 1 I clicked on do not show this again and hit allow.

The second one I installed the cert again.

I closed outlook and started again and this time no cert messages  

I will continue to test over the weekend with the other client.

Stand by for my results.

Thanks for you help
0
timgreen7077Exchange EngineerCommented:
you should be good now.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

My clients are all getting this now

At least they are getting the same error now.

Any ideas?

Thank you,

Tom
certissue5.PNG
0
timgreen7077Exchange EngineerCommented:
That is because your outlook clients are connecting to a name space that is not on your cert. Run the below and let me know the results. you will need to run this on both servers.

$Server = "exchange server name"
Get-OutlookAnywhere –Server $Server | ft Internalhostname, Externalhostname
Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ClientAccessServer | select identity,autodiscoverserviceinternaluri

Looking specifically at the results from outlook anywhere, MAPI, and client access server, does your SSL cert have the names space listed that these virtual directories show?
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Node 1
[[PS] C:\Windows\system32>$Server = "TGCS021-N1"
[PS] C:\Windows\system32>Get-OutlookAnywhere -Server $Server | ft Internalhostname, Externalhostname

InternalHostname    ExternalHostname
----------------    ----------------
webmail.tgcsnet.com webmail.tgcsnet.com


[PS] C:\Windows\system32>Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/owa https://webmail.tgcsnet.com/owa


[PS] C:\Windows\system32> Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/ecp https://webmail.tgcsnet.com/ecp


[PS] C:\Windows\system32>Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/oab https://webmail.tgcsnet.com/oab


[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                             ExternalUrl
-----------                                             -----------
https://webmail.tgcsnet.com/Microsoft-Server-ActiveSync https://webmail.tgcsnet.com/Microsoft-Server-ActiveSync


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                   ExternalUrl
-----------                                   -----------
https://webmail.tgcsnet.com/EWS/Exchange.asmx https://webmail.tgcsnet.com/EWS/Exchange.asmx


[PS] C:\Windows\system32>Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                      ExternalUrl
-----------                      -----------
https://webmail.tgcsnet.com/mapi https://webmail.tgcsnet.com/mapi


[PS] C:\Windows\system32>Get-ClientAccessServer | select identity,autodiscoverserviceinternaluri
WARNING:  The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
 to use the Get-ClientAccessService cmdlet.  For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.

Identity   AutoDiscoverServiceInternalUri
--------   ------------------------------
TGCS021-N1 https://autodiscover.tgcsnet.com/autodiscover/autodiscover.xml
TGCS021-N2 https://autodiscover.tgcsnet.com/autodiscover/autodiscover.xml


[PS] C:\Windows\system32>/code]


Node 2

[code][PS] C:\Windows\system32>$Server = "TGCS021-N2"
[PS] C:\Windows\system32>Get-OutlookAnywhere -Server $Server | ft Internalhostname, Externalhostname
Creating a new session for implicit remoting of "Get-OutlookAnywhere" command...

InternalHostname    ExternalHostname
----------------    ----------------
webmail.tgcsnet.com webmail.tgcsnet.com


[PS] C:\Windows\system32>Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/owa https://webmail.tgcsnet.com/owa


[PS] C:\Windows\system32>Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/ecp https://webmail.tgcsnet.com/ecp


[PS] C:\Windows\system32>Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                     ExternalUrl
-----------                     -----------
https://webmail.tgcsnet.com/oab https://webmail.tgcsnet.com/oab


[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                             ExternalUrl
-----------                                             -----------
https://webmail.tgcsnet.com/Microsoft-Server-ActiveSync https://webmail.tgcsnet.com/Microsoft-Server-ActiveSync


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                   ExternalUrl
-----------                                   -----------
https://webmail.tgcsnet.com/EWS/Exchange.asmx https://webmail.tgcsnet.com/EWS/Exchange.asmx


[PS] C:\Windows\system32>Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                      ExternalUrl
-----------                      -----------
https://webmail.tgcsnet.com/mapi https://webmail.tgcsnet.com/mapi


[PS] C:\Windows\system32>Get-ClientAccessServer | select identity,autodiscoverserviceinternaluri
WARNING:  The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
 to use the Get-ClientAccessService cmdlet.  For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.

Identity   AutoDiscoverServiceInternalUri
--------   ------------------------------
TGCS021-N1 https://autodiscover.tgcsnet.com/autodiscover/autodiscover.xml
TGCS021-N2 https://autodiscover.tgcsnet.com/autodiscover/autodiscover.xml


[PS] C:\Windows\system32>

Open in new window


My SANs from DigiCert

Certificate Type  Multi-Domain SSL  
Common Name  tgcsnet.com ( Check Installation)  
 SANs   tgcsnet.com
webmail.tgcsnet.com
mail.tgcsnet.com
autodiscover.tgcsnet.com
tgcs021-n1.our.network.tgcsnet.com 

Open in new window



Thoughts?     DNS? maybe?
0
timgreen7077Exchange EngineerCommented:
That looks good. Maybe DNS. Do you have 2 internal DNS records for autodiscover pointing to both of your exchange servers? If not, create 2 internal DNS autodiscover A records and point them to the servers.

autodiscover.tgcsnet.com point to internal IP of first server
autodiscover.tgcsnet.com point to internal IP of second server

allow for AD DNS replication.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

I have two Windows 2012 R2 Servers as DC's both running internal DNS servers

Here is my DNS records for this

They are SRV records
dns3.PNG
0
timgreen7077Exchange EngineerCommented:
I believe that is the issue. I have never used a srv for autodiscover. your clientaccessseever name space doesnt match so outlook is giving that error. I would have used a normal A record because you can match that name space. since you are using the srv record and I have never used that method, I'm completely sure on how to tell you to fix it, but I'm pretty sure that is the issue.
0
timgreen7077Exchange EngineerCommented:
you can test by removing the SCP since you have a srv autodiscover record. run the following and remove the SCP since outlook looks at the srv record instead.

Set-ClientAccessServer –Identity ServerName -AutoDiscoverServiceInternalUri $null

you will need to remove it from both servers. that may fix your issue because outlook will not look at SCP record, yours look at srv.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

would it be better to create the A Records and then remove the SRV records?
dns4.PNG
0
timgreen7077Exchange EngineerCommented:
I would first try to clear the SCP first because you can always change it back. leave the srv. you will need to restart IIS
0
timgreen7077Exchange EngineerCommented:
If you still get the error then you can remove the SRV and create the A records for the SCP, but still restart IIS even if you remove the srv record and use the SCP.
0
timgreen7077Exchange EngineerCommented:
Also looking at your screen shot, don't use the underscord (_) just use autodiscover, and create 2 of them with each pointing to one of the exchange servers.
If you choose to go this route anyway.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Created two A records on my internal DNS servers and I am still getting the popup message about the server

The third line has the error. red X on it

Thoughts.
0
timgreen7077Exchange EngineerCommented:
did you remove the SRV records?
also the 2 DNS autodiscover records is that exact name on your cert, like autodiscover.domain.com
you are not using local host files are you?
0
timgreen7077Exchange EngineerCommented:
Can you show me the A record you created?
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Yes in my cert the name matches  hope it is not case sensitive? My SANs in the certs was posted in this thread.

image attached of the A Records.

I did not delete the srv records  

What is the difference with _autodiscover and just autodiscover?
dns5.PNG
0
timgreen7077Exchange EngineerCommented:
you need to delete those srv records, or try my recommendation of clearing the SCP with the cmdlets I sent.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Just deleted the SRV records and checked on both DNS Servers they are now gone.

How long before I can check my outlook clients?
0
timgreen7077Exchange EngineerCommented:
wait for AD replication and also restart IIS.
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

I will wait  for awhile to restart IIS
0
timgreen7077Exchange EngineerCommented:
that's fine
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

Just restarted IIS on my of my clients I closed out look and started it up again

Same results 'security Alert'  The name of the security certificate is invalid or does not match the name of the site RED X

Any ideas?

Maybe I did not wait long enough?
0
timgreen7077Exchange EngineerCommented:
you have to restart IIS on both exchange servers, not the client computers. if it still error try to recreate the profile on one account or create a test account and mailbox and see if the same result.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
timgreen7077Exchange EngineerCommented:
After you try that let me know and there is something else I would like you to check.
0
timgreen7077Exchange EngineerCommented:
If it's still failing test the configuration settings, so open outlook and on the outlook icon in the lower right corner do the following:

Hold the ctrl key and right click the outlook icon, and select Test email auto-configuration and test with the options I have selected and he know the results of the log. See my screenshot:

SCREENSHOT
0
Thomas GrassiSystems AdministratorAuthor Commented:
Tim

After all the changes to DNS and recreating all users profile in outlook the problem seems to have bee corrected


Thank you

Tom
0
timgreen7077Exchange EngineerCommented:
Good deal.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.