SooHow Cheng asked:

Why cert error for this ms outlook?

This is using MS Exchange Server 2016. This Exchange server is hosting a few email domains, such as abc.com, def.com, and ghi.com. A user who has her MS Outlook set up with shirley@abc.com, shirleym@def.com, and shirley.mun@ghi.com was greeted with the following cert warning:


User generated image


Note: the autodiscover is autodiscover.def.com

We pressed "View Certificate..."; both the CA and Exchange certs are valid, with no exclamation mark. As for the "mx" and "autodiscover" hosts, all of these are already listed in the certificate.

In MS Outlook, we found that when highlighting "shirleym@def.com", a "disconnect from exchange" was found on the task bar. The other 2 are without problem.


What is missing from the settings, and how do we solve the problem?


Thanks,

DEMAN-BARCELO (MVP) Thierry

The "full" name used for the access is not in the certificate.

Note that the name Autodiscover is only used for configuration. Another name has been configured in Exchange to access the data.

Have you configured a CNAME for Autodiscover in all domains (abc.com, def.com, ghi.com and Proseware.com) defined in the local DNS?
ASKER CERTIFIED SOLUTION
David Favor

What you'll get, from the above command, is output like this...

# echo QUIT | openssl s_client -connect davidfavor.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Dec 18 20:06:44 2021 GMT
                DNS:*.davidfavor.com, DNS:davidfavor.com


So you'll see the expiration date, along with each property covered... which in this specific case is a wildcard cert covering all hosts for this domain, along with the bare domain.

SooHow Cheng (ASKER)

Hi all,

Please give me some time to go through your suggested steps.
Hi Pete Long,

Thanks for sharing the various URL settings for internal and external. However, I think the server side is working fine. The problem should be only on this user's desktop.
There's still a server side problem...

# This is correct, although best avoid CloudFlare at all costs, if stable tech is your goal...
net15 # echo QUIT | openssl s_client -connect def.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Nov 15 23:59:59 2022 GMT
                DNS:sni.cloudflaressl.com, DNS:*.def.com, DNS:def.com

# This is incorrect, so no lookup for the autodiscover host will ever work...
net15 # echo QUIT | openssl s_client -connect autodiscover.def.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
unable to load certificate
140332014576960:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE


So what appears to be happening.

1) Your wildcard cert covering *.def.com (all hosts) is correct.

2) Your HTTPS config for autodiscover.def.com is incorrect.

Fix: Is to add an HTTPS stanza to cover the autodiscover host.
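
The check used in the answers above can be turned into a per-host verdict. The script below is an added example, not part of the original thread: it takes the text printed by `openssl x509 -noout -text` and tells apart "name covered", "name not in the certificate" and "no certificate came back at all". The sample inputs are copied from the outputs quoted above; the host `mail.eu.def.com` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the output of the thread's
# `openssl x509 -noout -text` check for one host name.

# Print one DNS subjectAltName per line from the openssl text output.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Return 0 if certificate name $2 covers host $1.
# A wildcard stands for exactly one left-most label.
name_matches() {
    h=$1; p=$2
    case $p in
        '*.'*)
            rest=${h#*.}      # host without its first label
            base=${p#\*.}     # pattern without the "*."
            [ "$h" != "$rest" ] && [ "$rest" = "$base" ] ;;
        *)  [ "$h" = "$p" ] ;;
    esac
}

# check_host HOST TEXT: 0 = covered, 1 = name mismatch, 2 = no certificate.
check_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    names=$(san_names "$2" | tr 'A-Z' 'a-z')
    if [ -z "$names" ]; then
        echo "$host: no certificate in the output, check the HTTPS listener"
        return 2
    fi
    while IFS= read -r n; do
        if name_matches "$host" "$n"; then
            echo "$host: covered by $n"
            return 0
        fi
    done <<EOF
$names
EOF
    echo "$host: not covered by any SAN (client shows a name warning)"
    return 1
}

# Sample inputs copied from the outputs quoted in this thread.
GOOD_CERT='            Not After : Nov 15 23:59:59 2022 GMT
                DNS:sni.cloudflaressl.com, DNS:*.def.com, DNS:def.com'
NO_CERT='unable to load certificate'

check_host autodiscover.def.com "$GOOD_CERT" || echo "  exit $?"
check_host mail.eu.def.com "$GOOD_CERT" || echo "  exit $?"  # constructed host
check_host autodiscover.def.com "$NO_CERT" || echo "  exit $?"
```

Exit status 2 corresponds to the "unable to load certificate" case above, where the name is listed in a certificate but nothing serves that certificate for the host being queried.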