New Autodiscover/Certificate/DNS Problem

    Question

  •  Hi

    I have no split dns config

    on my test environment i have 3 physical devices

    one of them is the first forest root dc addc1.domain.com

    and the other two are hypervisors running 2008r2 ENT

    one virtual addc2.domain.com

    one virtual rodc1.domain.com this one is a read only domain controller published out by

    tmg1.domain.com threat management gateway 2010

    one exc1.domain.com is the exchange server

    tmg1 also consolidates with exchange edge transport role and also installed forefront protection for exchange

    on device addc1.domain.com i installed the role ad certificate services

    generated a web server certificate request on the exc1.domain.com including the subject alternative names as below

    DNS name=exc1.domain.com

    DNS name=domain.com

    DNS name=mail.domain.com

    DNS name=autodiscover.domain.com

    the srv record for the autodiscovery is pointed to mail.domain.com assigned to a global ip address of mine given by my isp with an (A) record in my dns records.  (mail  Host (A)    xx.xx.xx.xx     static)

    there is no conflict about the OWA while accessing from the address https://mail.domain.com/owa, and also the ecp path is working fine (about the clients settings tab in owa).

    while testing the connectivity with the https://www.testexchangeconnectivity.com/ i have no problems with in and outbound smtp, no problems with the ActiveSync and ActiveSync Autodiscovery, no problems with the Outlook Autodiscovery but having the issue with the Outlook Anywhere (RPC over HTTP) as below

    Testing RPC/HTTP connectivity.
    The RPC/HTTP test failed.

    Test Steps

    ExRCA is attempting to test Autodiscover for test01@yuksel.tk.
    Testing Autodiscover failed.

    Test Steps

    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.

    Test Steps

    Attempting to test potential Autodiscover URL https://yuksel.tk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name yuksel.tk in DNS.
    The host name resolved successfully.

    Additional Details
    IP addresses returned: 192.168.1.1, 78.188.37.174, 192.168.1.2

    Testing TCP port 443 on host yuksel.tk to ensure it's listening and open.
    The port was opened successfully.

    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server yuksel.tk on port 443.
    ExRCA successfully obtained the remote SSL certificate.

    Additional Details
    Remote Certificate Subject: CN=yuksel.tk, OU=exchange, O=yuksel.tk, L=Gaziosmanpaşa, S=İstanbul, C=TR, Issuer: CN=YUKSEL ITS CA, DC=yuksel, DC=tk.

    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name yuksel.tk was found in the Certificate Subject Common name.

    Certificate trust is being validated.
    Certificate trust validation failed.

    Test Steps

    ExRCA is attempting to build certificate chains for certificate CN=yuksel.tk, OU=exchange, O=yuksel.tk, L=Gaziosmanpaşa, S=İstanbul, C=TR.
    A certificate chain couldn't be constructed for the certificate.

    Additional Details
    The certificate chain couldn't be built. You may be missing required intermediate certificates.

    Attempting to test potential Autodiscover URL https://autodiscover.yuksel.tk/AutoDiscover/AutoDiscover.xml
    Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name autodiscover.yuksel.tk in DNS.
    The host name couldn't be resolved.

    Additional Details
    Host autodiscover.yuksel.tk couldn't be resolved in DNS InfoDomainNonexistent.

    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The attempt to contact Autodiscover using the HTTP Redirect method failed.

    Test Steps

    Attempting to resolve the host name autodiscover.yuksel.tk in DNS.
    The host name couldn't be resolved.

    Additional Details
    Host autodiscover.yuksel.tk couldn't be resolved in DNS InfoDomainNonexistent.

    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
    ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.

    Test Steps

    Attempting to locate SRV record _autodiscover._tcp.yuksel.tk in DNS.
    The Autodiscover SRV record was successfully retrieved from DNS.

    Additional Details
    The Service Location (SRV) record lookup returned host mail.yuksel.tk.

    Attempting to test potential Autodiscover URL https://mail.yuksel.tk/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name mail.yuksel.tk in DNS.
    The host name resolved successfully.

    Additional Details
    IP addresses returned: 78.188.37.174

    Testing TCP port 443 on host mail.yuksel.tk to ensure it's listening and open.
    The port was opened successfully.

    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server mail.yuksel.tk on port 443.
    ExRCA successfully obtained the remote SSL certificate.

    Additional Details
    Remote Certificate Subject: CN=yuksel.tk, OU=exchange, O=yuksel.tk, L=Gaziosmanpaşa, S=İstanbul, C=TR, Issuer: CN=YUKSEL ITS CA, DC=yuksel, DC=tk.

    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name mail.yuksel.tk was found in the Certificate Subject Alternative Name entry.

    Certificate trust is being validated.
    Certificate trust validation failed.

    Test Steps

    ExRCA is attempting to build certificate chains for certificate CN=yuksel.tk, OU=exchange, O=yuksel.tk, L=Gaziosmanpaşa, S=İstanbul, C=TR.
    A certificate chain couldn't be constructed for the certificate.

    Additional Details
    The certificate chain couldn't be built. You may be missing required intermediate certificates.

    i am really confused

    if i had created these certificates from a trusted CA what should be different?

    Sunday, June 17, 2012 8:38 PM

Answers

All replies

  • Hi,

    What is the error? Can't you connect via Outlook Anywhere?


    Marking the replies that have answered the question may help others who have got the same or a similar question.

    Monday, June 18, 2012 9:55 AM
  • i have done the method at the address http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-to-connect-to-your-exchange-server-without-a-vpn-HP010355551.aspx?CTT=1 as described but outlook is asking for the password of the account and couldn't log on to server. Maybe i have a problem about the authentication method but i couldn't figure it out.
    Monday, June 18, 2012 5:00 PM
  • Hi there,

    I tested your external url and found that the certificate is issued by your company. The certificate is a self-signed certificate which is NOT supported by Outlook Anywhere.

    To troubleshoot this issue, you may add the certificate into the client computer's trust domain, or purchase a trusted third party certificate.


    Fiona Liao

    TechNet Community Support

    Tuesday, June 19, 2012 1:47 AM
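The ExRCA report in the question passes the certificate name check and fails only at chain building, and the reply above names the two ways out: trust the issuing CA on the client, or use a certificate from a CA the validator already trusts. The script below is an added example, not part of the thread, that reproduces both outcomes offline with OpenSSL; the two root CAs ("private" standing in for the internal CA, "public" for a root an outside validator ships with), all keys, and the host name `owa.domain.com` are constructed, and the leaf carries the SAN list from the question.

```shell
#!/bin/sh
# Added example: every key, certificate and CA name here is constructed lab data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <prefix> <common-name>: create a self-signed root CA certificate.
make_root() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf: web-server certificate signed by the private root, carrying the
# subject alternative names listed in the question.
issue_leaf() {
    cat > "$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = domain.com
EOF
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:exc1.domain.com,DNS:domain.com,DNS:mail.domain.com,DNS:autodiscover.domain.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -days 30 \
        -CA "$WORK/private.crt" -CAkey "$WORK/private.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_as <trusted-root-prefix> <hostname>: validate the leaf the way a
# client holding only that root would, including the host name check.
# Exit status 0 means both the chain and the name validated.
verify_as() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

report() {
    if verify_as "$1" "$2"; then echo "$3: OK"; else echo "$3: FAILED"; fi
}

make_root private "Example Private Lab CA"   # internal CA that issued the leaf
make_root public  "Example Public Root"      # unrelated root the outsider trusts
issue_leaf

# Outside validator: name is in the SAN list, but the issuer is unknown to it.
report public  mail.domain.com "outside validator, private root not trusted"
# Client with the private root in its trusted roots: chain builds.
report private mail.domain.com "client with private root installed"
# Same client, host name absent from the SAN list: name check fails instead.
report private owa.domain.com  "client with private root, name not in SAN"
```

The first case is the failure ExRCA reports: nothing is wrong with the names on the certificate, the validator simply has no trust anchor for the issuer.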
  • i have already added the certificate to the client computer's personal certificates location.

    also added the issuer CA's certificate to the trusted root certification authorities location


    • Edited by abuscrx Tuesday, June 19, 2012 9:30 PM
    Tuesday, June 19, 2012 7:57 PM
  • Hi,

    Thanks for your update.

    I am not very sure how to make a certificate be trusted. You may post this question in Server forum for more professional suggestion. Or just change to a trusted certificate. Your understanding would be appreciated.


    Fiona Liao

    TechNet Community Support

    Wednesday, June 20, 2012 2:44 AM
  • Correct me if this is wrong, but it looks like you requested the cert from Windows certificate services running on your internal DC?   You used the web server template? 

    Can you also state what OS the external test device is please?


    Cheers, Rhoderick NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, June 20, 2012 4:00 AM
  • yes, as I wrote before, I requested the certificate from my CA and I used the web server template

    the external test device's OS is Windows 7 Professional

    Wednesday, June 20, 2012 4:12 AM
  • Ok - and what is going on with TMG for publishing this out?  Are you doing SSL tunneling or SSL bridging?

    I would ask what happens if you try outlook anywhere inside the TMG, and do it on the local network.  use a hosts file to go direct to CAS to test. 


    Cheers, Rhoderick

    Wednesday, June 20, 2012 4:18 AM
  • it was all about the authentication method

    problem solved

    thanks to all

    best regards

    Wednesday, June 20, 2012 4:47 AM
  • soon i am going to add the full description of the solution to the problem but i need to sleep now no sleep more than 1 day

    ;)

    Wednesday, June 20, 2012 4:48 AM
  • Good to hear it's working!

    Cheers, Rhoderick

    Wednesday, June 20, 2012 1:27 PM