Problem with security certificate connecting Outlook to Exchange server.

    Question

  • Last week, my Outlook clients started getting persistent pop-up messages when connecting to my Exchange server on an SBS 2010 server.  When installing SBS, I followed the recommendation of having SBS create a set of DNS records for remote.domain.name.  My ISP's DNS points to my server's public address, and my local DNS points to the same server's internal address.

    The pop-up security alert says my security certificate is trusted, my security date is valid, but my security certificate does not match the name of the site.  Further diagnostics show the "security certificate is trusted" check is using the remote.domain.name certificate (which I bought from my ISP).  The "security certificate date is valid" message is also using the remote.domain.name certificate.  However, the error stating the security certificate does not match the name of the site is looking at a different certificate, servername.domain.local.  I couldn't figure out how to get that 3rd check to look at the remote.domain.name certificate I bought.  To rid myself of these pop-up security alerts, I had to change Outlook's server authentication to Negotiate authentication (actually I tried so many combinations, I can't guarantee that was the vital revision).  Now, instead of my local Outlook clients immediately connecting to the server, it takes about 3 minutes to connect, and then only after it prompts me for my userid/password.

    I have no idea why I started to get these security alert pop-ups last week when I had no problems earlier.  Something unknown to me changed.  I also have no idea (after much research) how to correct the problem so that Outlook uses the correct certificate and connects immediately to the server.  Would someone please give me some guidance here?

    By the way, Outlook running on the server has no problem connecting.  I don't usually run Outlook from the server, but I did so just to isolate this problem connecting from my other machines.


    - Michael Faklis
    • Changed type Gavin-Zhang Monday, July 11, 2011 9:56 AM
    Sunday, July 10, 2011 6:06 PM

All replies

  • I now recall that before last week, all of my remote access was via HTTPS over RPC.  I created a VPN service on the server as an alternative method to connect.  I haven't tested the VPN yet, and I don't know if that created the problem.  The timing is suspicious.
    - Michael Faklis
    Sunday, July 10, 2011 6:14 PM
  • Hi Michael,

    Per your description, you are using SBS, so I would suggest that you post it on the forum below:
    http://social.technet.microsoft.com/Forums/en-us/category/sbsserver
    Do you mean you have configured the VPN on the SBS server? I would not do that; I would use another server for that.
    Regarding the issue you described, it seems to be a certificate issue.
    Could you please run get-exchangecertificate |fl and post the information here?
    And run get-owavirtualdirectory |fl and post the information here.
    What record was created on your ISP's DNS server?
    Some information for you:
    http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

    Regards!
    Gavin
    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, July 11, 2011 10:06 AM
  • Thank you, Gavin.  Yes, I'm on Small Business Server 2011 and I have no problem moving the issue there.  I see your point of using a different server for VPN.  I'm realizing now why I shouldn't put too many services on a single Windows server.

    SBS server install creates a remote.domain.name pointer at the ISP's (GoDaddy) DNS pointing to the public address of my SBS server, and another remote.domain.name pointer on the SBS DNS which points to the private LAN address.

    Below are the results of the two shell commands you requested.  I will read the reference you gave me.

    I've been using FreeBSD servers for the last year and finally getting back to Windows Server.  I'm on long-term disability and use TechNet to test the limits of not only the software, but my mind.  Long-term disability can turn your mind to applesauce.

    [PS] C:\Windows\system32>get-exchangecertificate

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    DC80322A2713F2D9D89C92DD24CEE539E11F9DC1  ...WS.     CN=remote.EvolSwSys.net, OU=Domain Control Validated, O=remote....
    379EAB969457EE253F9BB2FC4E0E9535891AEBD1  IP....
    97F01438930BBFFAEED1EE82F72CC997DB2C1852  IP....
    0F04D223F060CC49D9DC4180D74BB7EF626D2CB9  IP..S.     CN=remote.EvolSwSys.net
    EE77CCA4264C456DA918DC76463FB9E5BC9E0C02  IP..S.     CN=Sites
    893437588178881569288B27C143683CD5A673C0  ......     CN=evolswsys-ESSSBS2011-CA
    A4EC719E6059A85D0A1E63BEBBF4353337162703  ......     CN=WMSvc-WIN-J3UNG0JG44T


    [PS] C:\Windows\system32>

    [PS] C:\Windows\system32>get-owavirtualdirectory

    Name                                    Server                                  OwaVersion
    ----                                    ------                                  ----------
    owa (Default Web Site)                  ESSSBS2011                              Exchange2010


    [PS] C:\Windows\system32>


    - Michael Faklis
    Tuesday, July 12, 2011 2:51 AM
  • Hi Michael,

    As far as I know, for an Exchange application server it is not recommended to install other web servers on the Exchange server role. I am not familiar with SBS, so it is better to post the issue on the correct forum; you will get more help there.
    The commands are as below; what you posted is only general information.
    get-exchangecertificate |fl
    get-owavirtualdirectory |fl
    Those will give you more detailed information, and then you could refer to the link. The issue seems to be a certificate issue, which means the certificate should preferably be a SAN certificate containing the needed names, such as domain.com and autodiscover.domain.com.
    If you use the sbs 2011, you also could refer to below information:
    http://technet.microsoft.com/en-us/library/dd351044.aspx

    Regards!
    Gavin
    TechNet Subscriber Support in forum

    Tuesday, July 12, 2011 9:37 AM
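Both of Gavin's replies are driving at one check: does every host name Outlook is handed (the Autodiscover SCP and the internal and external URLs of the Exchange web services) appear on the certificate Exchange has bound to IIS? The script below, added here as an example and not posted by either participant, automates that comparison in the Exchange Management Shell. It assumes an Exchange 2010 / SBS 2011 server; the server name ESSSBS2011 is taken from the Get-OwaVirtualDirectory output above, the helper Test-NameCovered is defined in the block, and everything else is read from the live server.

```powershell
# Added example, not code from the thread. Assumes Exchange 2010 / SBS 2011 and an
# Exchange Management Shell session. $server is taken from the thread's output;
# every URL and certificate is read from the server, nothing else is hard-coded.
$server = "ESSSBS2011"

# 1. The certificate that serves HTTPS is the one with IIS enabled (the "W" in the
#    Services column of Get-ExchangeCertificate's table view).
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services.ToString() -match "IIS" } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate has the IIS service enabled on $server" }

$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host "IIS certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"

# 2. Every host name Outlook can be told to use: the Autodiscover SCP that
#    domain-joined clients find first, the internal/external URL of each web
#    service, and the Outlook Anywhere (RPC over HTTPS) external host name.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
foreach ($cmd in "Get-WebServicesVirtualDirectory", "Get-OabVirtualDirectory",
                 "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory",
                 "Get-ActiveSyncVirtualDirectory") {
    & $cmd -Server $server | ForEach-Object {
        $urls += $_.InternalUrl
        $urls += $_.ExternalUrl
    }
}
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })
$oa = Get-OutlookAnywhere -Server $server
if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }
$hosts = $hosts | Sort-Object -Unique

# 3. A host name is covered if it is on the certificate exactly, or if a
#    one-level wildcard entry (*.domain.tld) matches it.
function Test-NameCovered([string]$hostName, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1))) {
            # Wildcards match exactly one label: "a.b.c" vs "*.b.c" leaves "a".
            $leftmost = $hostName.Substring(0, $hostName.Length - $n.Length + 1)
            if ($leftmost -notmatch "\.") { return $true }
        }
    }
    return $false
}

# 4. Report each name; MISMATCH is what the pop-up's third check complains about.
foreach ($h in $hosts) {
    $status = if (Test-NameCovered $h $certNames) { "OK      " } else { "MISMATCH" }
    Write-Host "$status $h"
}
```

A MISMATCH line is a name Outlook will be handed that the bound certificate does not carry, which is exactly the condition the poster's third check reports. The usual remedy is either to set that URL to a name the certificate already carries, or, as Gavin suggests, to use a SAN certificate that includes the name.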