Still stuck with autodiscover and certificates
I'm still struggling to understand why my Outlook 2007 clients are being bugged by my SBS 2008 server. I've never read so much material that didn't seem to apply to me. I may sound really stupid being on this forum not even knowing what a CAS is in relation to my setup, but hey, I would have thought I was the more common case. I have ONE server. It has SBS 2008 on it and it is connected to the same LAN as all the workstations in question. All clients connect locally, I do not require SSL, OWA, EWS, UMC, or ANYTHING other than Outlook to work with Exchange IN THE SAME BUILDING.

[sarcasm]This is a massively complex task for the 12th version mail client/server, and hardly one which it was designed for.[/sarcasm]

I've done NOTHING to IIS or Exchange except try to apply the autodiscover service location fixes recommended by Microsoft. These were ambiguous - what is autodiscover.contoso.com supposed to read in my setup? That did get rid of the message, but didn't seem to stick.

So having been through all the hoops now I just want at least one unambiguous answer to ANY of the following.

1 - Why is this happening, i.e. why can't I accept the certificate at the client end?
2 - Where did my server get the certificate which claims the name of my router?
3 - Having set up my server to generate certificates and made one, what do I do with it?
3a - How does one generate a certificate for autodiscover.contoso.com when the certificate generator accepts no arguments?
4 - I don't have any certificates for my FQDN and I'm certainly not paying for TWO. How many people honestly do?
February 18th, 2009 8:16am

Hi,

1, For the domain-connected user, the certificate is trusted by the Outlook clients by default. Thus, there is no need to accept the certificate at the client end.

2, After installing SBS 2008, a self-certificate will be generated. By default, the internal communication and services are using the self-certificate.

To generate a certificate for autodiscover.contoso.com, you need to install a CA on the Exchange server or buy one from a third party CA.

Thanks
Allen
February 19th, 2009 12:17pm

Hi Allen,

Thanks for the reply, I've covered each of your points in order below.

Sorry for the confusion but these *are* domain connected clients. They are getting certificate warnings and are unable to access Out Of Office settings.

As for your second point I would have assumed this is the case, however what I *think* is happening is that the clients are looking for autodiscover.contoso.com, which fails internally and goes out onto the 'net and back to my router, hence the certificate from 192.168.0.1.

Finally, when I used the certificate generator it didn't ask me for any arguments AT ALL. No name, address, nothing. Do I need to do some other step?

TIA for any further advice.

Aaron Oxford - Innovative Computer Solutions - VioLet Composer (sourceforge.net/projects/buzz-like)
February 20th, 2009 1:17am

Hi,

What exact warning information was received?

For the internal users who connect to the Exchange server, the default autodiscover URL is https://FQDN/autodiscover/autodiscover.xml, which the clients will connect to.

autodiscover.contoso.com is the predefined URL of the autodiscover service for external access (non-domain-connected users).

Of course, we can also make the internal clients connect to autodiscover by using autodiscover.contoso.com, as long as we change the autodiscover URL in the SCP object.

Did you add the A record for autodiscover.contoso.com in DNS?

Now please run the get-clientaccessserver |fl and get-exchangecertificate |fl commands respectively in EMS, then post the information on the forum.

Additionally, to understand the relationship between autodiscover and the certificate, please view the below article:
http://technet.microsoft.com/en-us/library/bb332063.aspx

Thanks
Allen
February 20th, 2009 5:56am

Hi Allen and thanks again.

The exact warning I receive is that the name on the certificate is incorrect. [Sigh] This 'new' console is a joke... Couldn't find time to make Ctrl+C and Ctrl+V work, guys?

OK, so the autodiscover URL I have played with this morning, as per the instructions at http://support.microsoft.com/?kbid=940726. I have tried setting it to

https://myserver/autodiscover/autodiscover.xml
https://myserver.contoso.local/autodiscover/autodiscover.xml
https://autodiscover.contoso.com/autodiscover/autodiscover.xml
https://mail.contoso.com/autodiscover/autodiscover.xml

But it has very little effect on the outcome of Test-OutlookWebServices.

I'm unsure about adding a record to the DNS - that should only be necessary for external connections shouldn't it? In any case I don't think it is resolving the IP that is the problem at this time. Anyway, here are the results of running the commands you suggested:

    Name : WINSERVER
    OutlookAnywhereEnabled : True
    AutoDiscoverServiceCN : WINSERVER
    AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri : https://mail.lakegroupstrata.com/autodiscover/autodiscover.xml
    AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
    AutoDiscoverSiteScope : {Default-First-Site-Name}
    IsValid : True
    OriginatingServer : WINSERVER.lakegroup.local
    ExchangeVersion : 0.1 (8.0.535.0)
    DistinguishedName : CN=WINSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=lakegroup,DC=local
    Identity : WINSERVER
    Guid : affa49f3-be3e-4077-b744-f899619325ba
    ObjectCategory : lakegroup.local/Configuration/Schema/ms-Exch-Exchange-Server
    ObjectClass : {top, server, msExchExchangeServer}
    WhenChanged : 16/01/2009 11:35:57 PM
    WhenCreated : 16/01/2009 11:19:00 PM

----------------------------------------

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.lakegroupstrata.com, lakegroupstrata.com, WINSERVER.lakegroup.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=lakegroup-WINSERVER-CA
    NotAfter : 16/01/2011 11:25:36 PM
    NotBefore : 16/01/2009 11:25:36 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 6106F1F4000000000004
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    Subject : CN=mail.lakegroupstrata.com
    Thumbprint : 1B6C071D4AA669F51F8519D91EDDEDC7A0B189CB

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WINSERVER.lakegroup.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=lakegroup-WINSERVER-CA
    NotAfter : 16/01/2010 11:10:36 PM
    NotBefore : 16/01/2009 11:10:36 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 61075AA1000000000003
    Services : IMAP, POP
    Status : Valid
    Subject : CN=WINSERVER.lakegroup.local
    Thumbprint : 904F99DB27DF2B94180786B722F2A69CCC96ACFB

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {Sites, WINSERVER.lakegroup.local}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=lakegroup-WINSERVER-CA
    NotAfter : 16/01/2011 11:06:34 PM
    NotBefore : 16/01/2009 11:06:34 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 6103ABA2000000000002
    Services : IMAP, POP, SMTP
    Status : Valid
    Subject : CN=Sites
    Thumbprint : 56C5CBCDC4CE81A146FF91577C9C0F7E49B8333E

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {lakegroup-WINSERVER-CA}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=lakegroup-WINSERVER-CA
    NotAfter : 16/01/2014 11:16:18 PM
    NotBefore : 16/01/2009 11:06:19 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 542B9B0BF78F58B54F4D0EC1E41EC9EC
    Services : None
    Status : Valid
    Subject : CN=lakegroup-WINSERVER-CA
    Thumbprint : 6E97BD62FBC25258DAC5B99DF04C89EBA2CB845A

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-WIN-ZM6OXM4DCW4}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=WMSvc-WIN-ZM6OXM4DCW4
    NotAfter : 14/01/2019 10:52:56 PM
    NotBefore : 16/01/2009 10:52:56 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 4E882F9DE2F9D2A94627B2228886BC6D
    Services : None
    Status : Valid
    Subject : CN=WMSvc-WIN-ZM6OXM4DCW4
    Thumbprint : FF723DBF11F933B621934A3826DEA5B8CB813726

----------------------------------------

Right now I think maybe my server needs a reboot, because when I run Test-OutlookWebServices I get the following:

    Id : 1003
    Message : About to test AutoDiscover with the e-mail address icsolutions@lakegroupstrata.com.

    Id : 1007
    Message : Testing server WINSERVER.lakegroup.local with the published name https://winserver.lakegroup.local/ews/exchange.asmx & https://mail.lakegroupstrata.com/EWS/Exchange.asmx.

    Id : 1019
    Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://mail.lakegroupstrata.com/autodiscover/autodiscover.xml.

    Id : 1013
    Message : When contacting https://mail.lakegroupstrata.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

    Id : 1006
    Message : The Autodiscover service could not be contacted.

This is different to what I was getting before today. Before it used to list some more addresses and fail contacting those. I can't remember the reasons listed.

I'm unsure if this is any help. I hope you can understand it all. I will reboot the server this weekend and let you know if I get any different results.

Aaron.

Aaron Oxford - Innovative Computer Solutions - VioLet Composer (sourceforge.net/projects/buzz-like)
February 20th, 2009 6:21am

Hi,

Outlook 2007 uses two possible methods to find out how to connect to Autodiscover to make a request: SCP and DNS.

For an internal user, when Outlook connects to the Exchange server, it first contacts the Autodiscover service by obtaining a URL from the SCP object based on your settings, such as https://netbios/autodiscover/autodiscover.xml or https://fqdn/autodiscover/autodiscover.xml. Then, if that fails, Outlook must take a different approach. Outlook uses DNS to locate Autodiscover. Outlook takes the E-mail Address it requested from you (or automatically found for you in Active Directory) and parses out the domain (SMTP suffix). Then, using that suffix, Outlook starts making connection attempts using a predetermined order of URLs. For example, if your e-mail address is User@fourthcoffee.com, Outlook tries POST commands to the following order of URLs:

https://fourthcoffee.com/autodiscover/autodiscover.xml
https://autodiscover.fourthcoffee.com/autodiscover/autodiscover.xml

For the external user, since you are not logged into the domain, the SCP object cannot be found, or all retrieved URLs from all SCP objects fail. Thus, the DNS is used directly. The two predefined URLs are

https://fourthcoffee.com/autodiscover/autodiscover.xml
and
https://autodiscover.fourthcoffee.com/autodiscover/autodiscover.xml

From the error message that you tested, please try method 1 on the below link to fix your issue:
http://support.microsoft.com/kb/896861

Thanks
Allen
February 23rd, 2009 9:03am
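
An added illustration, not part of any post in this thread: it builds the lookup order Allen describes (SCP URL first, then the two DNS-derived URLs) and checks each host against the CertificateDomains of the IIS-enabled certificate posted above. The function names are hypothetical, and it assumes the client compares the host in the URL with the names on the certificate; the wildcard rule is general TLS practice, not something stated in the thread.

```python
from urllib.parse import urlsplit

# Values copied from the command output posted earlier in the thread.
SCP_URL = "https://mail.lakegroupstrata.com/autodiscover/autodiscover.xml"
EMAIL = "icsolutions@lakegroupstrata.com"
IIS_CERT_DOMAINS = ["mail.lakegroupstrata.com", "lakegroupstrata.com",
                    "WINSERVER.lakegroup.local"]


def candidate_urls(scp_urls, email):
    """Autodiscover URLs in the order described above: SCP first, then DNS."""
    domain = email.rsplit("@", 1)[1].lower()
    dns = [f"https://{domain}/autodiscover/autodiscover.xml",
           f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"]
    ordered = []
    for url in list(scp_urls) + dns:
        if url not in ordered:          # keep the first occurrence only
            ordered.append(url)
    return ordered


def name_matches(host, cert_name):
    """Case-insensitive match; '*' counts only as the whole left-most label
    (assumption: general TLS name matching, not taken from the thread)."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if host == cert_name:
        return True
    if cert_name.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == cert_name[2:]
    return False


def audit(scp_urls, email, cert_domains):
    """Return [(url, host, covered)] for every URL a client may try."""
    rows = []
    for url in candidate_urls(scp_urls, email):
        host = urlsplit(url).hostname
        covered = any(name_matches(host, name) for name in cert_domains)
        rows.append((url, host, covered))
    return rows


if __name__ == "__main__":
    for url, host, ok in audit([SCP_URL], EMAIL, IIS_CERT_DOMAINS):
        print(f"{'ok      ' if ok else 'MISMATCH'}  {host}")
```

With the values from this thread, only autodiscover.lakegroupstrata.com is reported as not covered, so a client that falls through to that URL would be presented with a certificate that does not carry that name.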

Hi Allen and thanks for your ongoing help.

I believe I have managed to solve this issue after finally figuring out how to change the certificate on the server.

For anyone's reference, the threads are:
(further info) http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/34b0a337-fbf4-4095-ab08-bdedbad1d5d9
(solution) http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/7f9b2c81-4eff-4996-af8f-6e501e95fde8

Aaron Oxford - Innovative Computer Solutions - VioLet Composer (sourceforge.net/projects/buzz-like)
February 23rd, 2009 9:19am

Hi,

I am glad to hear that the issue was resolved by your positive action on this issue.

Thanks for your devoted time on this issue. I believe that anyone who has a similar issue will benefit from your case.

Allen
February 23rd, 2009 9:52am

This topic is archived. No further replies will be accepted.
