Certificate renewal caused clients to be prompted for credentials in Domain-joined configuration
We updated our SSL certificate for our IIS, IMAP, SMTP services on our Exchange 2007 SP1 server. Since then all our customers get prompted for credentials when opening their Outlook 2007 client in a directly connected LAN and DOMAIN setting. Also, when setting up new clients, the "autodiscover" process that would take authenticated users and search for their email account and then populate the rest of the Outlook settings fails when supplying the server name in a FQDN setting (which is what it wants to fill in automatically and what worked before) but when supplying only the servername without domain suffix, it works and the setup completes without issue except for the constant request for credentials when opening the client. I believe it is related to the certificate and assigned services, the autodiscover settings in the global catalog and how the server was set up before the certificate renewal. Any help is appreciated and Thank You In Advance. JT
June 23rd, 2010 10:31pm

Jason, It looks like that for some kind of strange reason the authentication methods have changed. Could you verify them?
Johan
Exchange-blog: www.johanveldhuis.nl
June 24th, 2010 12:30am

Johan, My AD Authentication Methods or Exchange? Where can I review them?
UPDATE: AD Default Domain Policy set to LM & NTLM responses
Jason T.
June 24th, 2010 12:42am

Hi, how did you renew your cert? Built a new request or simply tried to renew it via IIS?
Best regards, Walter Steinsdorfer, MVP Exchange Server http://msmvps.org/blogs/wstein
June 24th, 2010 2:22am

I created a new request from within Exchange, not IIS:

New-ExchangeCertificate -GenerateRequest -Path D:\CertRequest\CertReq.csr -KeySize 1024 -SubjectName "o=Company Name, c=US, s=STATE, l=City, ou=Company Name, cn=servername.domain.com" -PrivateKeyExportable $True

But the connections that use this certificate (from outside) are all working. Only my local Outlook clients are having this problem. All our phones and OWA website are working perfectly.

P.S. I removed my account from my local Outlook client and recreated it and gave it the servername only and not the FQDN (that it automatically populated) and now I do not get prompted when I open my Outlook client. Everyone else is still getting it.
June 24th, 2010 2:36am

After you ran the Import-ExchangeCertificate command did you run the Enable-ExchangeCertificate command to apply it to the correct services? Have you opened the certificate from a web browser to verify that it is pulling the correct cert? Again to Walter's question, how did you request the new cert: as a renew or a new CSR?
Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
June 24th, 2010 2:58am

Hi, What is the exact message in the certificate warning? Does it indicate that your certificate is issued to a different website's address? This problem may happen if your certificate is only issued for the server's NetBIOS name. Please follow these steps to check the properties of your current certificate:

1. Open EMS, type:

Get-ExchangeCertificate | fl

Locate your current certificate. Please check if the "certificateDomains" contains both the NetBIOS name and the FQDN. For example, if your Exchange server's NetBIOS name is 'ex2007' and the FQDN is 'ex2007.domain.com', the 'certificateDomains' should have the value: {ex2007, ex2007.domain.com}. You can also compare the domainName value between your current certificate and the old one.

2. If there's only the FQDN, please specify a value for "DomainName" and request a new certificate by the following command:

New-ExchangeCertificate -GenerateRequest -Path D:\CertRequest\CertReq.csr -KeySize 1024 -SubjectName "o=Company Name, c=US, s=STATE, l=City, ou=Company Name, cn=servername.domain.com" -DomainName ex2007, ex2007.domain.com -PrivateKeyExportable $True

3. Enable this new certificate for the services.

4. Restart IIS.
June 24th, 2010 11:16am
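
The name check from steps 1 and 2 of the reply above, written as an Exchange Management Shell function. This is an added example, not part of the thread or any poster's code. The function name Test-CertNameCoverage, the thumbprint and the sample certificate object are constructed for illustration; ex2007 and ex2007.domain.com are the example names used in the reply. It assumes PowerShell 2.0 or later.

```powershell
# Added example: list the required host names that each IIS-enabled
# certificate does not carry in CertificateDomains.
function Test-CertNameCoverage {
    param(
        $Certificates,              # objects with Thumbprint, Services, CertificateDomains
        [string[]]$RequiredNames    # names clients actually connect to
    )
    foreach ($cert in $Certificates) {
        # Autodiscover and the other web services use the certificate bound to IIS,
        # so certificates enabled only for IMAP/POP/SMTP are skipped.
        if ("$($cert.Services)" -notmatch 'IIS') { continue }

        # Cast each entry to a string so live Exchange objects compare like text.
        # Matching is exact and case-insensitive; wildcard entries are not expanded.
        $have    = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $missing = @($RequiredNames | Where-Object { $have -notcontains $_ })

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Missing    = ($missing -join ', ')
            Covered    = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample: a certificate that carries only the FQDN.
$sample = New-Object PSObject -Property @{
    Thumbprint         = 'CONSTRUCTED-THUMBPRINT-0001'
    Services           = 'IMAP, IIS, SMTP'
    CertificateDomains = @('ex2007.domain.com')
}
Test-CertNameCoverage @($sample) @('ex2007', 'ex2007.domain.com') | Format-List

# On the Exchange server, pass the live certificates instead of the sample:
#   Test-CertNameCoverage (Get-ExchangeCertificate) 'ex2007', 'ex2007.domain.com'
```

A certificate reported with Covered set to False is a candidate for the new request described in step 2.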
