Exchange 2007 certificate problem
I have a third-party certificate on my Exchange 2007 configuration. OA and OWA work fine from outside the LAN. Internally, however, I get a "certificate has expired" and "name on the certificate is invalid or does not match the name of the site". When I
click on view certificate, the certificate listed is issued to "localhost.localdomain" and issued by "localhost.localdomain". Please help. I have changed all references on Exchange from the NetBIOS name to the public name of the server, e.g. mail.mydomain.com,
which is also the name on the certificate.
July 6th, 2010 2:46pm
Hi
Can you run Get-ExchangeCertificate | fl and post the result in here?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
July 6th, 2010 3:48pm
Hi Jonas,
Thanks for the swift response. Here's the output. I have replaced my domain with
mydomain.co.za.
[PS] C:\Documents and Settings\Administrator>get-exchangecertificate | fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex, winserv2-ex.mydomain.co.za}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=winserv2-ex
NotAfter : 2011/05/04 11:13:49 AM
NotBefore : 2010/05/04 11:13:49 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 83E9F452CCF20C8345C2E9F034A66303
Services : SMTP
Status : Valid
Subject : CN=winserv2-ex
Thumbprint : 8E6FAF90453CF82670E8F45C520B162DB864BE91
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex.mydomain.co.za}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
NotAfter : 2011/04/19 05:54:01 PM
NotBefore : 2010/04/19 05:54:01 PM
PublicKeySize : 1024
RootCAType : Registry
SerialNumber : 3A662E66000000000007
Services : None
Status : Valid
Subject : CN=winserv2-ex.mydomain.co.za
Thumbprint : 7EA1873B05194B07F6BD9A85C5C6331525EFE66C
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.mydomain.co.za, mydomain.co.za}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=StartCom Class 1 Primary Intermediate Server CA, OU=Sec
ure Digital Certificate Signing, O=StartCom Ltd., C=IL
NotAfter : 2011/02/11 10:53:42 PM
NotBefore : 2010/02/11 07:47:41 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 013148
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject :
E=webmaster@mydomain.co.za, CN=webmail.mydomain.co.za, OU=StartCom F
ree Certificate Member, O=Persona Not Validated, C=ZA, Des
cription=145793-a2dpA6k689Q06H8Z
Thumbprint : 51D10ACE9FC5E59472FAFFAB481FC29B2F54B1AC
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.mydomain.co.za}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
NotAfter : 2014/02/11 04:25:19 PM
NotBefore : 2009/02/11 04:17:27 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 188475C758A283B4407DDEB802170D20
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
Thumbprint : 1F54DE25C7B8D7F2E1CA259868E0D5C17D1EC9C9
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex.mydomain.co.za}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=winserv2-ex.mydomain.co.za, O="", L=Gauteng, S=Gauteng, C=ZA
NotAfter : 2009/08/04 05:04:40 PM
NotBefore : 2008/08/04 11:04:40 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 9BF0F06BA38014984DFBD8121901ACBF
Services : None
Status : Invalid
Subject : CN=winserv2-ex.mydomain.co.za, O="", L=Gauteng, S=Gauteng, C=ZA
Thumbprint : 151FD5A3AA9055E2E8B4C2EB3E1F03AA995350FD
[PS] C:\Documents and Settings\Administrator>
July 6th, 2010 4:46pm
I'm guessing that you want to use mail.mydomain.com internally as well? Have you also set the AutoDiscoverServiceInternalUri?
You can check this by running the following command and look for the value of the AutoDiscoverServiceInternalUri parameter:
Get-ClientAccessServer | fl
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 |
http://msundis.wordpress.com
July 6th, 2010 5:00pm
Hi Martin,
I ran the Set-ClientAccessServer commands on a previous occasion. This is the output of the Get command:
[PS] C:\Documents and Settings\Administrator>Get-ClientAccessServer | fl
Name : WINSERV2-EX
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : winserv2-ex
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri :
https://webmail.mydomain.co.za/autodiscover/autodis
cover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
IsValid : True
OriginatingServer : winserv2-ex.mydomain.co.za
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=WINSERV2-EX,CN=Servers,CN=Exchange Administ
rative Group (FYDIBOHF23SPDLT),CN=Administrati
ve Groups,CN=First Organization,CN=Microsoft E
xchange,CN=Services,CN=Configuration,DC=mydomain,DC
=co,DC=za
Identity : WINSERV2-EX
Guid : e5edc133-a6fa-4468-804a-46b9def26fa9
ObjectCategory : d-v.co.za/Configuration/Schema/ms-Exch-Exchang
e-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 2010/05/17 11:51:13 AM
WhenCreated : 2007/08/03 03:37:38 PM
July 6th, 2010 5:12pm
Hi
In your DNS internally, do you have one zone called: mydomain.co.za ?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
July 6th, 2010 5:27pm
Hi Jonas,
Yes I do, and have an entry for webmail.
July 6th, 2010 5:31pm
Pointing directly to your CAS server/CAS Array?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
July 6th, 2010 5:38pm
Great, please check the InternalUrl parameter that you get when running the following commands and make sure that they are set to mail.mydomain.co.za:
Get-AutodiscoverVirtualDirectory | fl
Get-WebServicesVirtualDirectory | fl
Get-OABVirtualDirectory | fl
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 |
http://msundis.wordpress.com
July 6th, 2010 5:40pm
Hi,
Yes, it's pointing directly at the CAS server. We have a single-server deployment. All the roles are on this server.
July 6th, 2010 5:51pm
Hi,
Here's the output:
[PS] C:\Documents and Settings\Administrator>Get-AutodiscoverVirtualDirectory |
fl
Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/Autodi
scover
Path : C:\Program Files\Microsoft\Exchange Server\Clie
ntAccess\Autodiscover
Server : WINSERV2-EX
InternalUrl :
ExternalUrl :
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (Default Web Site),CN=HTTP,CN=P
rotocols,CN=WINSERV2-EX,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Admin
istrative Groups,CN=First Organization,CN=Micro
soft Exchange,CN=Services,CN=Configuration,DC=d
-v,DC=co,DC=za
Identity : WINSERV2-EX\Autodiscover (Default Web Site)
Guid : 74ee0dec-9507-4d3e-a130-7f3e13ed1ee2
ObjectCategory : mydomain.co.za/Configuration/Schema/ms-Exch-Auto-Dis
cover-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscove
rVirtualDirectory}
WhenChanged : 2007/08/03 03:52:40 PM
WhenCreated : 2007/08/03 03:52:40 PM
OriginatingServer : winserv2-ex.mydomain.co.za
IsValid : True
[PS] C:\Documents and Settings\Administrator>Get-WebServicesVirtualDirectory | f
l
InternalNLBBypassUrl :
https://winserv2-ex.mydomain.co.za/ews/exchange.asmx
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\Clie
ntAccess\exchweb\EWS
Server : WINSERV2-EX
InternalUrl :
https://webmail.mydomain.co.za/ews/exchange.asmx
ExternalUrl :
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,
CN=WINSERV2-EX,CN=Servers,CN=Exchange Administr
ative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=First Organization,CN=Microsoft Exch
ange,CN=Services,CN=Configuration,DC=mydomain,DC=co,
DC=za
Identity : WINSERV2-EX\EWS (Default Web Site)
Guid : f85203ad-7080-4102-8378-f34a4ef525f5
ObjectCategory : mydomain.co.za/Configuration/Schema/ms-Exch-Web-Serv
ices-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServices
VirtualDirectory}
WhenChanged : 2010/05/17 12:01:40 PM
WhenCreated : 2007/08/03 03:53:35 PM
OriginatingServer : winserv2-ex.mydomain.co.za
IsValid : True
[PS] C:\Documents and Settings\Administrator>
[PS] C:\Documents and Settings\Administrator>Get-OABVirtualDirectory | fl
Name : OAB (Default Web Site)
PollInterval : 480
OfflineAddressBooks : {Default Offline Address Book}
RequireSSL : True
BasicAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/OAB
Path : C:\Program Files\Microsoft\Exchange Server\Clie
ntAccess\OAB
Server : WINSERV2-EX
InternalUrl :
https://webmail.mydomain.co.za/oab
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl :
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,
CN=WINSERV2-EX,CN=Servers,CN=Exchange Administr
ative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=First Organization,CN=Microsoft Exch
ange,CN=Services,CN=Configuration,DC=mydomain,DC=co,
DC=za
Identity : WINSERV2-EX\OAB (Default Web Site)
Guid : a7e41738-f822-4c04-a089-589225e02306
ObjectCategory : mydomain.co.za/Configuration/Schema/ms-Exch-OAB-Virt
ual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualD
irectory}
WhenChanged : 2010/02/11 11:11:55 AM
WhenCreated : 2007/08/03 03:52:19 PM
OriginatingServer : winserv2-ex.mydomain.co.za
IsValid : True
[PS] C:\Documents and Settings\Administrator>
July 6th, 2010 5:57pm
OK, you should set the ExternalUrl with the following commands:
Set-WebServicesVirtualDirectory -ExternalUrl "https://webmail.mydomain.co.za/ews/exchange.asmx"
Set-OABVirtualDirectory -ExternalUrl "https://webmail.mydomain.co.za/oab"
Also, have you set autodiscover SRV records for mydomain.co.za in both internal and external DNS?
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 |
http://msundis.wordpress.com
July 7th, 2010 9:47am
I do not have autodiscover SRV records. I have never had to do anything around autodiscover. I'm a consultant and deal with several clients. This implementation works at all my other sites except this particular one.
I will try the set-external urls. But remember, this issue only affects Outlook and Office Web Access within the LAN.
July 7th, 2010 6:06pm
Is there anything in this implementation that differs from the other ones you have done? Since the other implementations are working...
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 |
http://msundis.wordpress.com
July 8th, 2010 9:25am
Hi,
Please try Ctrl+right-clicking the Outlook icon in the system tray, select Test E-mail AutoConfiguration, click the Test button, then post the information from the Results tab here.
Additionally, what OWA URL did you use?
Thanks
Allen
July 8th, 2010 10:05am
As far as I can tell, the difference could be in deleting the original self-signed certificate. But I have regenerated a new one since then.
July 12th, 2010 2:17pm
What really beats me is that the certificate is issued to localhost.localdomain by localhost.localdomain. It's the first such error I've come across.
July 12th, 2010 3:07pm
OWA: https://webmail.mydomain.co.za/owa
July 12th, 2010 3:08pm
Autodiscover fails with the following errors:
autodiscover to
https://webmail.mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x0800c8203)
autodiscover request completed with http status code 404
autodiscover to
https://mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x080004005)
autodiscover to
https://autodiscover.mydomain.co.za/autodiscover/autodiscover.xml FAILED
(0x80004005)
Local autodiscover for mydomain.co.za FAILED (0x8004010F)
SRV Record lookup for d-v.co.za FAILED (0x8004010F)
July 12th, 2010 3:17pm
404 means webmail.mydomain.co.za is not found. Start with DNS.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
July 12th, 2010 5:37pm
Hi,
Please check whether the webmail.mydomain.co.za record is existing in the internal DNS.
Thanks
Allen
July 13th, 2010 11:08am
Oh, sorry. Sorted. What led me to the solution was that the returned certificate was localhost.localdomain, which happens to be the default Linux certificate, which happens to be our firewall, which runs the proxy server. Set GPOs to bypass the proxy for
local IP addresses and that solved the problem.
Thanks.
August 25th, 2010 7:29pm
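The diagnosis in this thread rests on inspecting the certificate the client actually receives on the LAN, not the one Exchange has bound. Added example in Go (not from this thread, Microsoft or the posters): Diagnose reports the three conditions behind the two warnings Outlook showed (expired, self-signed, name mismatch), PeerCert fetches the leaf certificate exactly as a LAN client sees it through whatever proxy sits in the path, and ConstructedProxyCert is a constructed stand-in for the firewall's default localhost.localdomain certificate; all three names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Diagnose names why a client warns about the certificate it actually received: expired, self-signed, or not issued for the host it asked for.
func Diagnose(cert *x509.Certificate, host string, now time.Time) (f []string) {
	if now.After(cert.NotAfter) || now.Before(cert.NotBefore) {
		f = append(f, "expired")
	}
	if cert.Subject.String() == cert.Issuer.String() {
		f = append(f, "self-signed")
	}
	if cert.VerifyHostname(host) != nil {
		f = append(f, "name-mismatch: "+cert.Subject.CommonName)
	}
	return f
}

// PeerCert fetches the leaf certificate served on host:443 as seen from this client (through any proxy in the path); verification is off so a bad cert is still returned for inspection.
func PeerCert(host string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// ConstructedProxyCert is constructed sample input: a self-signed, already expired certificate for localhost.localdomain, like the firewall's default one in the thread.
func ConstructedProxyCert() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost.localdomain"},
		DNSNames:  []string{"localhost.localdomain"},
		NotBefore: time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { fmt.Println(Diagnose(ConstructedProxyCert(), "webmail.mydomain.co.za", time.Now())) }
```

Comparing the thumbprint of PeerCert("webmail.mydomain.co.za") taken from a LAN workstation with the Thumbprint values in Get-ExchangeCertificate shows at once whether a proxy is substituting its own certificate.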