Autodiscover popoup message error
Hifew of the users are getting below pop message daily. Autodiscover.domain.com Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. x The security certifiacte is from a trusted certifying authority x The security certificate has expired or is not yet vaild x The name on the security certificate is invalid or does not match the name of the site. Do you want to proceedThis is the output of Get-ClientAccessServer -Identity CASServer | FL [PS] C:\Documents and Settings\username\Desktop>Get-ClientAccessServer -IdentityCASserver | FL Name : CASservernameOutlookAnywhereEnabled : TrueAutoDiscoverServiceCN : CASservernameAutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-ServiceAutoDiscoverServiceInternalUri : https://webmail.domain.com/autodiscover/au todiscover.xmlAutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596AutoDiscoverSiteScope : {Default-First-Site-Name}IsValid : TrueOriginatingServer : CASsever.domain.localExchangeVersion : 0.1 (8.0.535.0)DistinguishedName : CN=CASsever,CN=Servers,CN=Exchange Adminis trative Group (FYDIBOHF23SPDLT),CN=Administrat ive Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=localIdentity : CASseverGuid : 8d83560d-d311-4373-8274-a247c36503c5ObjectCategory : domain.local/Configuration/Schema/ms-Exch- Exchange-ServerObjectClass : {top, server, msExchExchangeServer}WhenChanged : 1/27/2010 9:03:19 AMWhenCreated : 9/17/2008 1:25:33 PMThis pop is only getting few of the users. I press ctrl button on outllok and test email configuration and found below errorAuto configuration was unable to determine your settingsAny would help appreciated.RegardsAkther
February 7th, 2010 8:49am

Akther,Please have a look at Elan's blog http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/ this post discusses simillar issue.Milind Naphade | MCTS:M (Exchange 2007 and 2010) | http://www.msexchangegeek.com
Free Windows Admin Tool Kit Click here and download it now
February 7th, 2010 1:40pm

Hi MilindI followed this Elan's link already but after that also i am getting this error.RegardsAkther
February 7th, 2010 4:18pm

Please post:Get-WebServicesVirtualDirectory |fl *url*Get-UMVirtualDirectory | fl *url*Get-oabVirtualDirectory | fl *url*Active Directory, 4th Edition - www.briandesmond.com/ad4/
Free Windows Admin Tool Kit Click here and download it now
February 8th, 2010 3:55am

Hi [PS] C:\Documents and Settings\username\Desktop>Get-WebServicesVirtualDirectory |fl *url* InternalNLBBypassUrl : https://CASservername.domain.local/ews/exchange.asmxInternalUrl : https://webmail.domain.com/EWS/Exchange.asmxExternalUrl : [PS] C:\Documents and Settings\username\Desktop>Get-UMVirtualDirectory |fl *url* InternalUrl : https://CASservername.domain.local/UnifiedMessaging/Service.as mxExternalUrl : [PS] C:\Documents and Settings\username\Desktop>Get-OabVirtualDirectory |fl *url* InternalUrl : https://webmail.domain.com/OABExternalUrl :
February 8th, 2010 11:50am

Ah this is yourproblem.Do a:Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://webmail.domain.com/EWS/Exchange.asmx Get-UMVirtualDirectory | Set-UMVirtualDirectory -ExternalURL https://webmail.domain.com/UnifiedMessaging/Service.asmxGet-OabVirtualDirectoy | Set-OabVirtualDirectory -ExternalURL https://webmail.domain.com/oabIt may take half an hour to an hour for this to take effect unless you do an IISReset on the CAS box (which would kick out your users temporarily).Active Directory, 4th Edition - www.briandesmond.com/ad4/
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2010 7:24am

Hi BrianThanks for the post. Let me monitor the issue is coming or not after setting externel URL in CAS server. Will update you..RegardsAkther
February 9th, 2010 8:23am

Hi No luck. It throws the same error again. :(regardsAkther
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2010 1:57pm

Well here is something I can suggest you to check:1. Check the certificate validity by running Get-ExchangeCertificate |FL NotAfter, CertificateDomains - See if the NotAfter value is not the date in past.2. See if you have your exchange server FQDN, FQDN that you used for your internal and external URLs for OWA, Autodiscover, and Web Services directory.More to this it would be really great if you can paste the output of Get-ExchangeCertificate |FL here. Make sure you change the thumbprint and other sensitive information before pasting. Milind Naphade | MCTS:M (Exchange 2007 and 2010) | http://www.msexchangegeek.com
February 9th, 2010 3:01pm

Hi Milind1. [PS] C:\Documents and Settings\username\Desktop>Get-ExchangeCertificate |FL NotAfter, CertificateDomains NotAfter : 9/30/2010 10:12:04 PMCertificateDomains : {CASservername, CASserver.domain.local} NotAfter : 11/25/2011 2:59:59 AMCertificateDomains : {webmail.domain.com}2. [PS] C:\Documents and Settings\username\Desktop>Get-WebServicesVirtualDirectory |fl *url*InternalNLBBypassUrl : https://CASservername.domain.local/ews/exchange.asmxInternalUrl : https://webmail.domain.com/EWS/Exchange.asmxExternalUrl : https://webmail.domain.com/EWS/Exchange.asmx [PS] C:\Documents and Settings\username\Desktop>Get-WebServicesVirtualDirectory |fl *url*InternalNLBBypassUrl : https://CASservername.domain.local/ews/exchange.asmxInternalUrl : https://webmail.domain.com/EWS/Exchange.asmxExternalUrl : https://webmail.domain.com/EWS/Exchange.asmx [PS] C:\Documents and Settings\username\Desktop>get-UMVirtualDirectory | fl *url*InternalUrl : https://CASservername.domain.local/UnifiedMessaging/Service.as mxExternalUrl : https://webmail.domain.com/UnifiedMessaging/Service.asmx3. [PS] C:\Documents and Settings\exadmin\Desktop>Get-ExchangeCertificate |FL AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce ssControl.CryptoKeyAccessRule}CertificateDomains : {CASServername, CASserver.domain.local}HasPrivateKey : TrueIsSelfSigned : TrueIssuer : CN=CASServernameNotAfter : 9/30/2010 10:12:04 PMNotBefore : 9/30/2009 10:12:04 PMPublicKeySize : 2048RootCAType : NoneSerialNumber : 70F31067254D31B2473103966F6F51ADServices : IMAP, POP, SMTPStatus : ValidSubject : CN=CASservernameThumbprint : 81DE66B652F6014B95EF8A387074AD95A38A9493 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule}CertificateDomains : {webmail.domain.com}HasPrivateKey : TrueIsSelfSigned : FalseIssuer : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust NetworkNotAfter : 11/25/2011 2:59:59 AMNotBefore : 11/24/2008 3:00:00 AMPublicKeySize : 1024RootCAType : ThirdPartySerialNumber : 02A9B0F1791C9D87A4A50D8B611AF590Services : IISStatus : ValidSubject : CN=webmail.domain.com, OU="Member, VeriSign Trust Netw ork", OU=Authenticated by VeriSign, OU=Terms of use at www .verisign.ch/rpa (c)05, OU=domain, O=Company name L=Location, S= "Eastern ", C=SAThumbprint : 706DC83E5F2193FCD599B81DC5E5DA6E39B923EF
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2010 4:08pm

It's kind of a shot in the dark, but I had similar symtoms on some of my client computers that was caused by a software installation that modified their default proxy setting. Running proxycfg -u on the affected machines corrected the problem.
February 9th, 2010 4:49pm

Hi Akhter, Certificate configuration seems pretty good. Can you run the https://testexchangeconnectivity.com against your exchange org once? May be that will give some idea?Milind Naphade | MCTS:M (Exchange 2007 and 2010) | http://www.msexchangegeek.com
Free Windows Admin Tool Kit Click here and download it now
February 10th, 2010 9:54am

Hi MilindThanks for the post. I ran the outlook auto discovery test in https://testexchangeconnectivity.com. These are the below resultsAttempting to test Autodiscover for babuts@domain.com Testing Autodiscover failed Test Steps Attempting each method of contacting the AutoDiscover Service Failed to contact the AutoDiscover service successfully by any method Test Steps Attempting to test potential AutoDiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml Failed testing this potential AutoDiscover URL Test Steps Attempting to resolve the host name domain.com in DNS. Host successfully resolved Additional Details IP(s) returned: 212.76.68.106 Testing TCP Port 443 on host domain.com to ensure it is listening and open. The port was opened successfully. Testing SSL Certificate for validity. The SSL Certificate failed one or more certificate validation checks. Test Steps Validating certificate name Certificate name validation failed Tell me more about this issue and how to resolve it Additional Details Host name domain.com does not match any name found on the server certificate E=someone@defaultsite.com, CN=Default Web Site, OU=IT, O=Default Web Site, L=SunnyVale, S=CA, C=En Attempting to test potential AutoDiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml Failed testing this potential AutoDiscover URL Test Steps Attempting to resolve the host name autodiscover.domain.com in DNS. Host successfully resolved Additional Details IP(s) returned: 212.76.68.106 Testing TCP Port 443 on host autodiscover.domain.com to ensure it is listening and open. The port was opened successfully. Testing SSL Certificate for validity. The SSL Certificate failed one or more certificate validation checks. Test Steps Validating certificate name Certificate name validation failed Tell me more about this issue and how to resolve it Additional Details Host name autodiscover.domain.com does not match any name found on the server certificate E=someone@defaultsite.com, CN=Default Web Site, OU=IT, O=Default Web Site, L=SunnyVale, S=CA, C=En Attempting to contact the AutoDiscover service using the HTTP redirect method. Failed to contact AutoDiscover using the HTTP Redirect method Test Steps Attempting to resolve the host name autodiscover.domain.com in DNS. Host successfully resolved Additional Details IP(s) returned: 212.76.68.106 Testing TCP Port 80 on host autodiscover.domain.com to ensure it is listening and open. The port was opened successfully. Checking Host autodiscover. domain.com for an HTTP redirect to AutoDiscover Failed to get an HTTP redirect response for AutoDiscover Additional Details A Web Exception occurred because an HTTP 404 - NotFound response was received from IIS6 Attempting to contact the AutoDiscover service using the DNS SRV redirect method. Failed to contact AutoDiscover using the DNS SRV redirect method. Test Steps Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS. Failed to find AutoDiscover SRV record in DNS. Tell me more about this issue and how to resolve it
February 10th, 2010 11:23am

Hi,Does your Outlook client connect Exchange server by using Outlook Anywhere?If it is, that seems the certificate name doesn't match the Autodiscover URL. For the Outlook Anywhere, the client uses the two predefined URL: https://domain.com or https://autodiscover.domain.com to contact the Autodiscover service.Thus, you need to ensure the domain.com or autodiscover.domain.com is included in the certificate name.ThanksAllen
Free Windows Admin Tool Kit Click here and download it now
February 12th, 2010 12:40pm

HiOutlook anywhere is working fine. Can you please clarify domain.com or autodiscover.domain.com is included in which certificate? Thanks
February 13th, 2010 11:23am

Hi,You need to include the domain.com or autodiscover.com in the certificate which is applied for the IIS. From your previous information, that is the second certificate.White Paper: Exchange 2007 Autodiscover Servicehttp://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspxThanksAllen
Free Windows Admin Tool Kit Click here and download it now
February 15th, 2010 8:44am

Hi AllenMay i know how to add domain.com or autodiscover.com in the certificate ( 2nd certificate).Thanks
March 2nd, 2010 12:19pm

It depends on your certificate authority. If it's internal, it's probably easiest to just issue another certificate.-- Ed Crowley MVP"There are seldom good technological solutions to behavioral problems.". "akther_mohd" wrote in message news:8e2f848b-07ba-4a3b-8e07-9b1b4e32e55e...Hi AllenMay i know how to add domain.com or autodiscover.com in the certificate ( 2nd certificate).Thanks Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2010 10:07pm

Hi,If it's third party certificate, you need to request a new certificate which includes the name.http://msexchangeteam.com/archive/2007/07/02/445698.aspxThanksAllen
March 3rd, 2010 5:08am

Hi it's a internal certificate. and i tired the below commands Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://webmail.domain.loca/Autodiscover/Autodiscover.xml Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://webmail.domain.local/EWS/Exchange.asmx -ExternalURL https://webmail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$trueSet-OABVirtualDirectory -Identity “CASServer\OAB (Default Web Site)” -InternalURL https://webmail.domain.local/OAB -ExternalURL webmail.domain.com/OAB -RequireSSL:$trueSet-UMVirtualDirectory -Identity “CASServer\UnifiedMessaging (Default Web Site)” -InternalURL https://webmail.domain.local/UnifiedMessaging/Service.asmx -ExternalURL https://webmail.domain.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$true I restarted IIS after applying these commands but it's appearing again. correct me if i put any thing wrong.Thanks
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2010 5:54pm

Hi, You should request a new certificate not set the URL for the virtual directory. As I said, non-domain connected clients use two predefine URL to connect the Autodiscover service. That are: https://domain.com/autodiscover/Autodiscover.xml or https://autodiscover.domain.com/autodiscover/autodiscover.xml. From your previous testing information, the Outlook client uses https://autodiscover.domain.com/autodiscover/autodiscover.xml to do this connection. And the autodiscover.domain.com can be resolved without issue except for the certificate name validation failed. Thus, you need to ensure the certificate name to be validated successful. Two methods are for your reference: a,Request a new certificate which includes the autodiscover.domain.com in SAN. b, Use SRV record to workaround this (http://support.microsoft.com/?kbid=940881)Thanks Allen
March 4th, 2010 5:41am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics