asked on
Echange security certificate issues
Exchange 2010 / Outlook 2010 environment. We applied updates to Exchange over the weekend, and now clients seem to be getting security certificate errors because of it. it my only be coincidental with an expiration date as well - can't be sure. But what we are seeing is a similar issue both with Outlook clients, as well as iPhone Exchange Active Sync devices. The Outlook client shows an error saying "The security certificate has expired or is not yet valid". The Iphones give 2 different messages, depending on the person. One message is "Server is not trusted due to invalid certificate" and then allows the user to select "Continue" or "Trust" and they work fine after that. Others, however, do not get that option and say something to the affect of "Certificate has expired" and they aren't presented an option to continue or trust the server, and they're stuck. So - is this an issue on the client side, on the server side, where I need to recreate the expired certificate? And if I do that, I assume it will upset the 90% of the users that are working. Thanks for your help.
ExchangeOutlookSecurity
Last Comment
Damian Gardner
PS. If you need help analyzing the resulting list, copy and paste it into this thread and we can help you. You may want to be sure to change or erase any text that would expose potentially sensitive info, like your domain name, server names, etc.
You have to read this article :
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
What kind of update you applied during the weekend. Also, check, if your Exchange certificates expired or not. As error indicates certificate expired and you need to renew it again.
If certificate not expired on your Exchange server, do you have any HLB between client and server, where certificate might expired and need to be updated.
If certificate not expired on your Exchange server, do you have any HLB between client and server, where certificate might expired and need to be updated.
as a start open exchange management console and click on server configuration, scroll down through each server listed and check the certs are valid (have a blue tick on the icon next to the name)
ASKER
Sorry for the delay everybody. here's what I See listed for certs on Exchange:
AccessRules : {System.Security.AccessCon
ule, System.Security.AccessCont
CertificateDomains : {AERPClient}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
NotAfter : 11/30/2015 1:04:36 AM
NotBefore : 9/1/2015 2:04:36 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 694C1744
Services : None
Status : Invalid
Subject : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
Thumbprint : CC93058334A0E3ABBEBDF*****
AccessRules : {System.Security.AccessCon
ule, System.Security.AccessCont
essRule}
CertificateDomains : {exchange, exchange.XXXXXX.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=exchange
NotAfter : 10/6/2018 1:12:09 PM
NotBefore : 10/6/2013 1:12:09 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 7A071381E466C08D4C51E6F3EC
Services : IMAP, POP, IIS, SMTP
Status : Invalid
Subject : CN=exchange
Thumbprint : 42118DA7BBA73F1881B3AEC522
Looks like there are TWO that are "invalid" . I"m not sure what each one is for or what's the difference.
AccessRules : {System.Security.AccessCon
ule, System.Security.AccessCont
CertificateDomains : {AERPClient}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
NotAfter : 11/30/2015 1:04:36 AM
NotBefore : 9/1/2015 2:04:36 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 694C1744
Services : None
Status : Invalid
Subject : CN=AERPClient, OU=AERP, O=ARCSERVE, L=Hyderabad, S=TS, C=IN
Thumbprint : CC93058334A0E3ABBEBDF*****
AccessRules : {System.Security.AccessCon
ule, System.Security.AccessCont
essRule}
CertificateDomains : {exchange, exchange.XXXXXX.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=exchange
NotAfter : 10/6/2018 1:12:09 PM
NotBefore : 10/6/2013 1:12:09 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 7A071381E466C08D4C51E6F3EC
Services : IMAP, POP, IIS, SMTP
Status : Invalid
Subject : CN=exchange
Thumbprint : 42118DA7BBA73F1881B3AEC522
Looks like there are TWO that are "invalid" . I"m not sure what each one is for or what's the difference.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
And I checked the server config, as suggested by Daryl, and I do see some expired certs. I took a screenshot and attached it.
Exchange.rtf
Exchange.rtf
right click on the cert that is assigned to the services and renew it and make sure the new one is assigned to the services IMAP, POP, IIS, SMTP , then both the invalid ones can be removed
ASKER
ok. so I understand what will happen, will there be any effect on the users who do not seem to be having a problem with their Outlooks/Iphones?
Thanks Daryl.
Thanks Daryl.
ASKER
When I right-click it, the options are Remove / Open / Help. Now - I see that there is a 3rd cert in there that is valid until 2023 - but no services are assigned to it. Do I simply need to assign services to it, and then remove the other two? you can see the valid one in the screenshot.
yes assign the services to the valid one, how many servers do you have? check the others to make sure they have valid certs , Transport servers need smtp and cas need IMAP, POP, IIS but you might have the same server doing all roles?
i cant see the screenshot for some reason
i cant see the screenshot for some reason
ASKER
oh - yeah its just 1 server. sorry you can't see the screenshot. what the valid one says is "this certificate is valid for Exchange Server usage". but under services, it shows "none". let me try assigning the ones in the expired one over to the valid one. then I should be able to safely remove the invalid two others right?
yes thats right
ASKER
I assigned them over. do I need to reboot Exchange or anything to take effect?
should be fine without reboot
ASKER
ok. looks like it works ok on mine, once I tell Outlook to install the cert. we'll see what happens with the network tomorrow. I'm the admin here. thanks for your help and I'll update the thread tomorrow.
Thanks!
Thanks!
ASKER
Morning. So its much better - I have 2/3 green check marks on the security certificate screen that pops up. only thing now is "The name on the certificate does not match the name of the site"
think that is because the cert will be called Microsoft exchange
do you have an internal PKI ? if so you could generate a cert with all subject alternate names (SAN) for all servers or addresses like smtp.domain.org and install it and then assign the services etc to it and you shoulndt have the problem
do you have an internal PKI ? if so you could generate a cert with all subject alternate names (SAN) for all servers or addresses like smtp.domain.org and install it and then assign the services etc to it and you shoulndt have the problem
You have to read this article :
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
ASKER
sorry for delay. ok let me read the article and see what I need to do. thanks guys
ASKER
sorry for the delay guys - I'm buried with other "fires" here this week. will be getting back to this issue soon. standby!
ASKER
sorry for the long delay. I read the article Hani suggested, and I believe I need to add the FQDN to our internal site's certificate - I am not sure how to do this, however. (I assume this is an internal IIS "site" it is referring to, and not our company's public website for customers). So the name that is causing the error in Outlook is specifying the FQDN of our Exchange server, which is "exchange.lacoinc1.local" - that's what is named at the top of the certificate error. So where is the certificate that I need to add this FQDN to?
Here's the fix from the article:
"•Add the domain.com to your Public Facing Website’s certificate. That way, Outlook makes a successful connection to https://domain.com, determines it’s not Exchange, and will fallback to attempting autodiscover via https://autodiscover.domain.com. (Preferred Option for obvious secure reason)
thanks guys
Here's the fix from the article:
"•Add the domain.com to your Public Facing Website’s certificate. That way, Outlook makes a successful connection to https://domain.com, determines it’s not Exchange, and will fallback to attempting autodiscover via https://autodiscover.domain.com. (Preferred Option for obvious secure reason)
thanks guys
ASKER
update - we will be moving to Exchange Online momentarily. will this security certificate most likely vanish after that?
You can find this out easily from the Exchange management shell with the following command: get-exchangecertificate |FL. The result will be a list of all of the Exchange certificates that are installed and will show details about their application to various services, whether they're self-signed or not and if they are expired or valid. Once you find that out, you'll know which certificate is causing the problem and can go on to renewal steps from there.