Exchange Certificate - Outlook clients prompted for login/cert install
It looks like the certificate that you are using for the web server (CAS) does not contain the vmexc01 name nor the autodiscover name. You really need a certificate that has all of the names for exchange referenced in it and apply it to all services required with those names.
You can use Get-ExchangeCertificate to see what certs are installed and what services they apply to, then review the certs installed to make sure they have the appropriate names in them.
June 14th, 2012 10:48am
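As an added example (not part of the thread, and not Russ's code), the review Russ describes as a script: run in the Exchange Management Shell on the Client Access Server, it lists every certificate Exchange knows about, the services it is bound to, and which of the names clients will connect with are not covered by it. The required names are derived from the local machine (NetBIOS name, FQDN, autodiscover.<DNS domain>); any external names such as mail.contoso.com are an assumption you would add yourself. It also handles wildcard names, which the thread does not mention: *.contoso.com covers autodiscover.contoso.com but never the bare NetBIOS name.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the CAS. Prints, per certificate, the services it serves and which
# of the names clients use are missing from it.

$Server    = $env:COMPUTERNAME                                 # NetBIOS name, e.g. VMEXC01
$Fqdn      = [System.Net.Dns]::GetHostEntry($Server).HostName  # e.g. VMEXC01.contoso.com
$DnsDomain = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)           # e.g. contoso.com

# Names Outlook 2010 ends up talking TLS to: the Autodiscover name it tries
# first, the FQDN used in the internal virtual-directory URLs, and the NetBIOS
# name in case any URL still uses it. Add external names here if clients use them.
$RequiredNames = @("autodiscover.$DnsDomain", $Fqdn, $Server)

# True when the certificate name $certName covers $name. A wildcard such as
# *.contoso.com matches exactly one extra label, so it covers
# autodiscover.contoso.com but not VMEXC01 and not a.b.contoso.com.
function Test-CertNameCovers([string]$certName, [string]$name) {
    if ($certName -ieq $name) { return $true }
    if ($certName.StartsWith('*.')) {
        $suffix = $certName.Substring(1)                      # ".contoso.com"
        if (-not $name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $name.Substring(0, $name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0)
    }
    return $false
}

foreach ($cert in Get-ExchangeCertificate -Server $Server) {
    # CertificateDomains holds the Subject CN plus every SAN dNSName entry.
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing   = @()
    foreach ($required in $RequiredNames) {
        $covered = $false
        foreach ($n in $certNames) {
            if (Test-CertNameCovers $n $required) { $covered = $true; break }
        }
        if (-not $covered) { $missing += $required }
    }
    $missingText = if ($missing.Count -eq 0) { '(none)' } else { $missing -join ', ' }

    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Services     = "$($cert.Services)"        # e.g. IMAP, POP, IIS, SMTP
        IsSelfSigned = $cert.IsSelfSigned
        NotAfter     = $cert.NotAfter
        Names        = ($certNames -join ', ')
        MissingNames = $missingText
    } | Select-Object Thumbprint, Subject, Services, IsSelfSigned, NotAfter, Names, MissingNames
}
```

Run against the certificate posted later in this thread (names VMEXC01 and VMEXC01.contoso.com, bound to IIS) the script would report autodiscover.contoso.com as missing, which is the prompt Outlook shows when its first Autodiscover attempt hits a name the certificate does not carry.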
Hi, I'm by no means an Exchange 2010 expert so please bear with me. I am experiencing some frustration with the client certificate requirements for Exchange 2010 SP1 (no rollups installed). All my clients use Outlook 2010. I've recently completed a transition from Exchange 2003; all mailboxes are now located on the Exc2010 server. Exc2003 still exists in the organisation, not sure how relevant this is - but there you go.
During UAT I never saw this happen but now many of my clients are seeing certificate prompts. Some are also being prompted for login credentials. Initially I worked around the login prompt issue by deleting or renaming the c:\users\USERNAME\AppData\Roaming\Microsoft\Protect\<GUID> folder and changing the logon network security setting in Outlook from "Negotiate Authentication" to "Password Authentication (NTLM)". This seemed to work but users are reporting a week or 10 days later that this is happening again.
As mentioned, I'm also seeing various certificate security alerts, 3 in fact, although all three certificate alerts seem to be for the same certificate:
IIS configuration is all default. Get-WebServicesVirtualDirectory returns the following:
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
Get-RpcClientAccess returns the following:
RunspaceId : f130bbc8-e421-473a-bcca-569fe5ea770d
Server : VMEXC01
MaximumConnections : 65536
EncryptionRequired : False
BlockedClientVersions :
Responsibility : Mailboxes, PublicFolders
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : RpcClientAccess
DistinguishedName : CN=RpcClientAccess,CN=Protocols,CN=VMEXC01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=contoso plc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Identity : RpcClientAccess
Guid : 26399e86-7352-412b-b194-2a175451b1ad
ObjectCategory : contoso.com/Configuration/Schema/ms-Exch-Protocol-Cfg-Exchange-RPC-Service
ObjectClass : {top, msExchProtocolCfgExchangeRPCService}
WhenChanged : 18/03/2012 10:42:17
WhenCreated : 18/03/2012 10:42:17
WhenChangedUTC : 18/03/2012 10:42:17
WhenCreatedUTC : 18/03/2012 10:42:17
OrganizationId :
OriginatingServer : VMDC1.contoso.com
IsValid : True
I'm guessing that there is a DNS issue somewhere and I'm slowly starting to accept that I would have to deploy a Trusted Publisher policy via GPO to get rid of the prompts. Can someone point me in the right direction to get this rolled out?
Also, I'm out of ideas as to what is causing the password prompts, but I'm guessing it's got something to do with the untrusted certificate publisher?
Thanks for your time!
Chris
June 14th, 2012 10:48am
Thanks Russ, the certificate contains both FQDN and NETBIOS names for the CAS (VMEXC01):
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {VMEXC01, VMEXC01.contoso.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=VMEXC01
NotAfter : 18/03/2017 10:39:41
NotBefore : 18/03/2012 10:39:41
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1E7F4C803442B6AE4C83DEC80FA3406A
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=VMEXC01
Thumbprint : 379CB084ED6620960CF49F5E91B574D25CC79CFB
June 14th, 2012 11:17am
This is a self-signed certificate, so it will need to be imported to the client machine(s). Here is a blog article about this:
http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx
But you also need to include autodiscover, so I would generate a new self-signed certificate and include autodiscover and assign it to the server
New-ExchangeCertificate -IncludeAutoDiscover
June 14th, 2012 11:32am
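As an added example (not from the thread, and not Russ's or Chris's code), a script for the two steps Russ describes: create a new self-signed certificate that carries the autodiscover name alongside the server names, bind it to the services the old one served, and get its public half into each client's Trusted Root Certification Authorities store, which is the store that makes a self-signed server certificate chain-valid (Trusted Publishers governs code signing). Part 1 runs in the Exchange Management Shell on the CAS; part 2 runs on each client, for example as a GPO computer startup script, or the same .cer can be published by GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. The server name, DNS domain, share path and file names are assumptions; the names are given explicitly with -DomainName rather than through the -IncludeAutoDiscover switch from the reply above, so the result does not depend on how that switch derives names, and the script verifies them afterwards with Get-ExchangeCertificate.

```powershell
# Added example, not from the original thread. Part 1: Exchange Management Shell
# on the CAS. Part 2: each client. Names, paths and the share are assumptions.
$Server    = 'VMEXC01'
$DnsDomain = 'contoso.com'
$Fqdn      = "$Server.$DnsDomain"
$CerFile   = "$Server-selfsigned.cer"
$CerShare  = "\\$Server\Certs"          # assumed read-only share exposing C:\Certs

# --- Part 1: server side -----------------------------------------------------
# Self-signed certificate (no -GenerateRequest) with every name clients use:
# FQDN for the virtual-directory URLs, NetBIOS name, and the Autodiscover name.
$newCert = New-ExchangeCertificate -SubjectName "CN=$Fqdn" `
    -DomainName $Fqdn, $Server, "autodiscover.$DnsDomain" `
    -PrivateKeyExportable $true -FriendlyName "Exchange self-signed $Fqdn"

# Confirm the names before binding anything to the certificate.
$names = (Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint).CertificateDomains |
    ForEach-Object { "$_" }
if (-not ($names -contains "autodiscover.$DnsDomain")) {
    throw "Certificate $($newCert.Thumbprint) does not carry autodiscover.$DnsDomain"
}

# Bind it to the services the old certificate served. -Force suppresses the
# prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS, SMTP, POP, IMAP -Force

# Export the public certificate only (DER .cer, no private key) from the machine
# store. The private key stays on the server; clients never need it.
$x509 = Get-Item "Cert:\LocalMachine\My\$($newCert.Thumbprint)"
$der  = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Path 'C:\Certs' -Force | Out-Null
[System.IO.File]::WriteAllBytes("C:\Certs\$CerFile", $der)

# --- Part 2: client side -----------------------------------------------------
# Adds the .cer to LocalMachine\Root so Outlook builds a trusted chain for the
# self-signed certificate. Uses .NET directly, so it works on Windows 7 where the
# Import-Certificate cmdlet is not available. Returns the thumbprint installed.
function Install-TrustedRootCert([string]$CerPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Contains() uses certificate equality, so re-running does not add a duplicate.
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

Install-TrustedRootCert "$CerShare\$CerFile"
```

Part 2 writes to the machine store, so it needs to run elevated (a computer startup script runs as SYSTEM, which is enough). Once the new certificate is bound to IIS, re-run Get-ExchangeCertificate and check that the old certificate no longer lists IIS under Services; if it does, Outlook is still being presented the certificate without the autodiscover name.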