SooHow Cheng

Why cert error for this ms outlook?

This is using MS Exchange Server 2016. This Exchange server is hosting a few email domains, such as abc.com, def.com, and ghi.com. A user who has her MS Outlook set up with shirley@abc.com, shirleym@def.com, and shirley.mun@ghi.com was greeted with the following cert warning:



Note: the autodiscover is autodiscover.def.com

We pressed "View Certificate..."; both the CA and Exchange certs are valid, with no exclamation mark. As for the "mx" and "autodiscover" hosts, these are all already listed in the certificate.

In MS Outlook, we found that when highlighting "shirleym@def.com", a "disconnect from exchange" was shown on the task bar. The other 2 are without problem.


What is missing from the settings, and how do we solve the problem?


Thanks,

Outlook, Exchange

Last Comment
David Favor

8/22/2022 - Mon
DEMAN-BARCELO (MVP) Thierry

The "full" name used for the access is not in the certificate.

Note that the name Autodiscover is only used for configuration. Another name has been configured in Exchange to access the data.

Have you configured a CNAME for Autodiscover in all domains (abc.com, def.com, ghi.com and Proseware.com) defined in the local DNS?
Pete Long

ASKER CERTIFIED SOLUTION
David Favor

David Favor

What you'll get, from the above command, is output like this...

# echo QUIT | openssl s_client -connect davidfavor.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Dec 18 20:06:44 2021 GMT
                DNS:*.davidfavor.com, DNS:davidfavor.com



So you'll see the expiration date, along with each property covered... which in this specific case is a wildcard cert covering all hosts for this domain, along with the bare domain.
SooHow Cheng

ASKER
Hi all,

Please give me some time to go through your suggested steps.
SooHow Cheng

ASKER
Hi Pete Long,

Thanks for sharing the various URL settings for internal and external. However, I think the server side is working fine. The problem should be only on this user's desktop.
David Favor

There's still a server side problem...

# This is correct, although best avoid CloudFlare at all costs, if stable tech is your goal...
net15 # echo QUIT | openssl s_client -connect def.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Nov 15 23:59:59 2022 GMT
                DNS:sni.cloudflaressl.com, DNS:*.def.com, DNS:def.com

# This is incorrect, so no lookup for the autodiscover host will ever work...
net15 # echo QUIT | openssl s_client -connect autodiscover.def.com:443 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
unable to load certificate
140332014576960:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE



So, what appears to be happening:

1) Your wildcard cert covering *.def.com (all hosts) is correct.

2) Your HTTPS config for autodiscover.def.com is incorrect.

Fix: Add an HTTPS stanza to cover the autodiscover host.
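
The name check behind the openssl output in this thread, as an added example that is not part of any poster's answer: it takes the `DNS:` line of a certificate and reports which hostnames it covers, using the usual rule that a wildcard stands for exactly one left-most label. The function names and the host list are hypothetical; the SAN line is the one shown above for def.com.

```sh
#!/bin/sh
# Added example (not from the thread): which names does a SAN list cover?

# san_covers HOST SAN_LINE -> exit 0 if HOST matches an entry of SAN_LINE,
# the "DNS:a, DNS:b" line printed by `openssl x509 -noout -text`.
# A wildcard stands for exactly one left-most label: *.def.com covers
# autodiscover.def.com, but not def.com and not a.b.def.com.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(printf '%s\n' "$2" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p' | tr '[:upper:]' '[:lower:]')
    while IFS= read -r san; do
        case "$san" in
            \*.*)
                base=${san#\*.}
                label=${host%".$base"}
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    case "$label" in *.*) ;; *) return 0 ;; esac
                fi ;;
            *)  if [ "$san" = "$host" ]; then return 0; fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# fetch_san HOST -> SAN line of the certificate served for HOST (needs network,
# so it is defined but not called below). Prints nothing when no certificate
# comes back, which san_covers then treats as "not covered".
fetch_san() {
    echo QUIT | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null | grep 'DNS:'
}

# report SAN_LINE HOST... -> one line per host; exit status = uncovered count.
report() {
    line=$1; shift; missing=0
    for h in "$@"; do
        if san_covers "$h" "$line"; then echo "covered      $h"
        else echo "NOT covered  $h"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# SAN line as shown in the thread for def.com; the host list is constructed.
SAN_DEF='DNS:sni.cloudflaressl.com, DNS:*.def.com, DNS:def.com'
report "$SAN_DEF" autodiscover.def.com def.com \
    autodiscover.abc.com autodiscover.ghi.com || true
```

For a live check, pass `"$(fetch_san HOST)"` as the first argument to `report`, once per hostname the Outlook profile connects to.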