
Certificate Issue 1

Status
Not open for further replies.

TekSolutions (IS-IT--Management), Jul 15, 2011
I recently had to renew my SSL certificate.

Now every time I open Outlook I get a security alert. The alert reads:

autodiscover.mydomain.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

[green check mark] The security certificate is from a trusted certifying authority

[green check mark] The security certificate date is valid

[RED X] The name of the security certificate is invalid or does not match the name of the site

Do you want to proceed?

Viewing the certificate verifies that it was issued to mail.mydomain.com which is correct.

I do have autodiscover set up. I did not have this problem until I renewed the certificate.

I have rekeyed the certificate so many times that it is getting old. When I open the Outlook Web App everything is fine, I get no errors. I also get no errors on my phone or tablet. When I issued a new certificate within Exchange, mail and autodiscover were in the list of Certificate Domains.

Any assistance would be greatly appreciated
 
Do you still have the old certificate on the server? What SANs are on it?

Sounds to me that one of your URLs isn't on the cert. Check your autodiscover, webservices, activesync, OWA URL configs.

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.
 
It may be that the new cert doesn't have a private key.

Download the Digicert Cert Utility and test that cert. It may find that it's missing the private key and fix it for you, if you haven't deleted the expired cert yet.
Did you change anything when you renewed the cert? Did you make the common-name one of the alternative names and use a new common-name? If the old cert used "Autodiscover.domainname.com" as the common-name and you changed that, then Outlook clients may get that error if they have the "Only connect to proxy servers that have this principal name in their certificate check box" checked and it has "msstd:Autodiscover.domainname.com" in that field. Can you go to that setting on a problematic Outlook client and see what it's set to?

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Thanks guys for the replies.

58sniper
I removed the certificates from within Exchange when I renewed it. Upon trying to fix the issue I created new ones several times and removed the one I was replacing to avoid confusion. As far as I can remember, when I first created the certificate last year I selected the same options as I did this time around.

Shackdaddy
I downloaded the app as you suggested; there were a couple of the certs that I had created over the past couple of days. I removed all of them except the current one in use.

The issue still remains

On one of my systems I viewed the certificate; anything that has a URL has mail.mydomain.com. I do not see autodiscover.mydomain.com anywhere.
 
So when you view the cert from a workstation, there is no autodiscover.mydomain.com in the SubjectAlternativeNames list?

Can you do a "get-exchangecertificates" command from Powershell and paste the results after changing the names?

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
The output from the following commands will show URLs. Those domain names need to be in your certificate:
Get-OABVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ECPVirtualDirectory
Get-OWAVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-ClientAccessServer

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.
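The checks 58sniper lists above (every client-facing URL must be a name on the certificate) and Shackdaddy's private-key point can be done in one pass. The following script is an added example written for this thread, not code posted by either of them; it assumes an Exchange 2010 Management Shell on the Client Access server, and "mydomain.com" is the thread's placeholder for the real SMTP domain.

```powershell
# Added example (not from the thread): collect every host name Exchange hands to clients,
# then check each one against the certificate bound to IIS and confirm that certificate
# still carries its private key. Run inside the Exchange Management Shell.
# Assumption: the user's SMTP domain is mydomain.com (placeholder used in the thread).

function Test-NameCovered([string]$h, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.mydomain.com never covers a.b.mydomain.com
        if ($n.StartsWith('*.') -and $h -like $n -and
            $h.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

# Every URL a client can be handed by Autodiscover: EWS, OAB, ECP, OWA, ActiveSync,
# plus the Autodiscover SCP URI used by domain-joined Outlook clients.
$urls = @()
$urls += @(Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-WebServicesVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-OABVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-ECPVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-OWAVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-ActiveSyncVirtualDirectory   | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
$urls += @(Get-ClientAccessServer           | ForEach-Object { $_.AutoDiscoverServiceInternalUri })

$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

# Outlook derives this name from the user's SMTP domain; it is not stored in any vdir,
# which is exactly why it is easy to leave off a renewed certificate.
$hosts += 'autodiscover.mydomain.com'

# Outlook Anywhere host name (what RPC-over-HTTP clients validate), if it is enabled
$oa = Get-OutlookAnywhere -ErrorAction SilentlyContinue
if ($oa) { $hosts += @($oa | ForEach-Object { "$($_.ExternalHostname)".ToLower() }) }

# The certificate bound to IIS shows "W" in the Services column of Get-ExchangeCertificate
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service' }

# Read the same certificate from the machine store to check for the private key;
# a certificate without it cannot complete a TLS handshake at all.
$x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
"Certificate   : $($cert.Subject)"
"HasPrivateKey : $($x509.HasPrivateKey)"
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"Names on cert : $($names -join ', ')"
''

foreach ($h in ($hosts | Sort-Object -Unique)) {
    if (Test-NameCovered $h $names) { "OK       $h" }
    else { "MISSING  $h   <- clients using this name get the name-mismatch prompt" }
}
```

A MISSING line for autodiscover.mydomain.com with only mail.mydomain.com in "Names on cert" is the situation this thread ends up diagnosing; a HasPrivateKey of False is the separate failure Shackdaddy's DigiCert utility would repair.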
 
When running the suggested commands on the server in a powershell I get the following error:

PS C:\Users\administrator> get-exchangecertificates
The term 'get-exchangecertificates' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:25
+ get-exchangecertificates <<<<
+ CategoryInfo : ObjectNotFound: (get-exchangecertificates:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


I also get errors for the commands suggested by 58sniper. I am logged in as administrator with domain admin and all Exchange rights.
 
Either you've only got a PowerShell window open (and not Exchange Management Shell), or you don't have a connection to any exchange server, including the local server.

Do you have your Tek-Tips.com Swag? I've got mine!

Stop by the new Tek-Tips group at LinkedIn.
 
58sniper, yes, you were correct. I was in PowerShell, not the EMC shell. Here is the output with only the domain name changed. Everything points to mail.


Welcome to the Exchange Management Shell!

Full list of cmdlets: get-command
Only Exchange cmdlets: get-excommand
Cmdlets for a specific role: get-help -role *UM* or *Mailbox*
Get general help: help
Get help for a cmdlet: help <cmdlet-name> or <cmdlet-name> -?
Show quick reference guide: quickref
Exchange team blog: get-exblog
Show full output for a cmd: <cmd> | format-list

Tip of the day #3:

The Exchange Management Shell is a calculator too! Try it directly at a command prompt:

1.2343+3123 or (23/435)*2

VERBOSE: Connecting to mail.mydomain.com
VERBOSE: Connected to mail.mydomain.com
[PS] C:\Windows\system32>get-OABVirtualDirectory

Server Name Internal Url External Url
------ ---- ------------ ------------
MAIL OAB (Default Web Site)

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory

Name Server InternalUrl
---- ------ -----------
EWS (Default Web Site) MAIL

[PS] C:\Windows\system32>Get-ECPVirtualDirectory

Name Server
---- ------
ecp (Default Web Site) MAIL


[PS] C:\Windows\system32>Get-OWAVirtualDirectory

Name Server OwaVersion
---- ------ ----------
owa (Default Web Site) MAIL Exchange2010


[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory

Name Server InternalUrl
---- ------ -----------
Microsoft-Server-ActiveSync (Default... MAIL

[PS] C:\Windows\system32>Get-ClientAccessServer

Name
----
MAIL
 
Shackdaddy
I was also running get-exchangecertificates from a PowerShell prompt. When I ran get-exchangecertificate -no S from the EMC shell I got:
[PS] C:\Windows\system32>get-exchangecertificate -no S
A positional parameter cannot be found that accepts argument 'S'.
+ CategoryInfo : InvalidArgument: (:) [Get-ExchangeCertificate], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Get-ExchangeCertificate

However, when I ran just get-exchangecertificate I got the following. I substituted x's for the actual thumbprint.

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint Services Subject
---------- -------- -------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx IP.WS. CN=mail.mydomain.com, OU=Domain Control Validated
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx IP..S. CN=mail
 
Can you try these:

get-autodiscovervirtualdirectory | fl internalurl,externalurl
get-ecpvirtualdirectory | fl internalurl,externalurl
get-webservicesvirtualdirectory | fl internalurl,externalurl
get-clientaccessserver | fl autodiscoverserviceinternaluri

That should give us the exact things we are wondering about in an untruncated form.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Here is the output

[PS] C:\Users\administrator\Desktop>get-autodiscovervirtualdirectory | fl internalurl,externalurl


InternalUrl :
ExternalUrl :



[PS] C:\Users\administrator\Desktop>get-ecpvirtualdirectory | fl internalurl,externalurl


InternalUrl :
ExternalUrl :


[PS] C:\Users\administrator\Desktop>get-webservicesvirtualdirectory | fl internalurl,externalurl


InternalUrl :
ExternalUrl :


[PS] C:\Users\administrator\Desktop>get-clientaccessserver | fl autodiscoverserviceinternaluri


AutoDiscoverServiceInternalUri :


[PS] C:\Users\administrator\Desktop>
 
Ok, so do you have a single-name cert? From the results, it seems like you have an SBS 2011 server with a single-name cert.

Assuming that this is an SBS 2011 server with a single name cert, I think the problem may be that you have an internal DNS record for "autodiscover.yourdomain.com" or "autodiscover.yourdomain.local" that's causing some of your Outlook clients to query, find the Autodiscover record, and attempt to connect to your server with that name when they shouldn't be. There should be no "autodiscover" records in your internal DNS.

Externally there should be an SRV record that points to the name that's on your cert.

All this assumes you have a single-name cert.

Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Shackdaddy
I am running Exchange 2010 on Enterprise Server 2008 R2 with all updates except IE 10 installed

I have a Standard Multiple Domain SSL. I was told by the CA (GoDaddy) that a single domain SSL for Exchange would not work.

I have a CNAME for autodiscover pointing to mail.mydomain.com in my public and private DNS. No A records for autodiscover; the A record is mail. Of course I also have the MX records.

This issue occurs whether on my local LAN or not.

When I downloaded the certificate I selected Exchange 2010
 
Hmmm... I would try getting rid of the CNAME records for both autodiscover records, and create new A-records instead that use the same IP as mail.mydomain.com, internal IP and external IPs respectively.

I think you should use A-records. I have set up more than 30 Exchange 2010 servers and have only used the CNAME records when asked to do so for 3rd-party hosting. For on-premise it's always been A-records.


Dave Shackelford
ThirdTier.net
TrainSignal.com
 
Thanks for the advice, but I do not understand how changing the DNS can fix the current issue.

I did change it locally, but it did not work.
 
[PS] C:\Users\administrator\Desktop>get-exchangecertificate | fl certificatedomains,subject


CertificateDomains : {mail.mydomain.com,
Subject : CN=mail.mydomain.com, OU=Domain Control Validated

CertificateDomains : {mail, mail.mydomain.com}
Subject : CN=mail
 
So the problem is that you don't have "Autodiscover.mydomain.com" on your certificate. Plain and simple.

If you did purchase that cert, it's not showing up here. The "certificatedomains" property should contain all the names that the cert covers. This looks to me like a single-name cert, not a multi-name cert. GoDaddy automatically puts "www" into every cert, so it's not technically a multi-name cert, even though it has two names.

If you want to keep this cert, you can tweak some internal vdir URLs and set up an SRV record like I described earlier and here:
The article was written for SBS, but it applies in the same way to the type of SRV record you'd need to create if you don't want to redo your cert.

Dave Shackelford
ThirdTier.net
TrainSignal.com
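Shackdaddy's last three posts turn on how a client finds Autodiscover (the autodiscover.<domain> name, then an SRV record) and on A versus CNAME records. The script below is an added example for this thread, not code from Shackdaddy or the thread's author: it reproduces the client's side of that lookup from any workstation and reports which names the TLS endpoints actually present. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later), skips the Active Directory SCP step that domain-joined Outlook tries first, and uses mydomain.com as the thread's placeholder domain.

```powershell
# Added example (not from the thread): walk the non-SCP part of Outlook's Autodiscover
# lookup for a user in $SmtpDomain and, for each endpoint, show how the name resolves
# (CNAME vs A) and whether the certificate the server presents covers that name.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+). Run from a client, not the server.
param([string]$SmtpDomain = 'mydomain.com')

function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return @() }
    # Format($false) renders "DNS Name=a, DNS Name=b" on an English system; pull the entries out
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-NameCovered([string]$h, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # one wildcard label only: *.mydomain.com does not cover a.b.mydomain.com
        if ($n.StartsWith('*.') -and $h -like $n -and
            $h.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Test-TlsName([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, $Port) }
    catch { return "NO CONNECT $HostName ($($_.Exception.Message))" }
    # Accept any certificate in the callback: we want to inspect it, not trust it
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)    # also sends $HostName as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }

    $names = @(Get-SanNames $cert)
    # With no SAN extension the CN is the only name that counts
    if (-not $names) { $names = @($cert.GetNameInfo('SimpleName', $false).ToLower()) }
    $verdict = if (Test-NameCovered $HostName.ToLower() $names) { 'MATCH   ' } else { 'MISMATCH' }
    "$verdict $HostName -> cert names: $($names -join ', ')"
}

# Outlook's candidates after SCP: https://<domain>/autodiscover/..., then
# https://autodiscover.<domain>/autodiscover/..., then the SRV record target.
$candidates = @($SmtpDomain, "autodiscover.$SmtpDomain")
$srv = Resolve-DnsName "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($r in $srv) {
    "SRV  _autodiscover._tcp.$SmtpDomain -> $($r.NameTarget):$($r.Port)"
    $candidates += $r.NameTarget
}

foreach ($h in ($candidates | Sort-Object -Unique)) {
    $dns = Resolve-DnsName $h -ErrorAction SilentlyContinue
    $kinds = ($dns | ForEach-Object { $_.Type }) -join '/'   # "CNAME/A" for a CNAME, "A" for an A record
    "DNS  $h = $kinds"
    Test-TlsName $h
}
```

Whether autodiscover.mydomain.com is a CNAME or an A record, the client still validates the presented certificate against the name it connected to, so a MISMATCH line for that host is the thread's prompt reproduced on the command line. The SRV path is different: the client is redirected to the SRV target (mail.mydomain.com here), and it is that name the certificate has to cover, which is why the SRV record is the way to keep a certificate that lacks the autodiscover name.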
 