Exchange Server 2010 and Outlook Anywhere Cert warnings

  • Question

  • All,

    When users connect externally via Outlook Anywhere they receive a certificate warning stating that the certificate has expired.  When I view the certificate it has in fact expired.  If the users connect to OWA or internally to Exchange everything works fine and I notice the user is pulling the correct cert.  However, I cannot locate the cert that Outlook Anywhere is using in order to renew or replace it.  Does anyone know where this cert is located and how to replace it?



    • Edited by Brope30 Tuesday, May 8, 2012 2:33 PM
    Tuesday, May 8, 2012 2:33 PM

All replies

  • Run - Mmc

    File - Add or Remove Snap-in

    Certificates - Click OK - Computer Account

    You should see it in Trusted and Personal Containers


    Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

    Tuesday, May 8, 2012 4:57 PM
  • This would be on the Exchange 2010 CAS server...correct?  I see the correct cert that is not expired.  However, I do not see the cert that users are picking up when connecting externally via Outlook Anywhere.


    • Edited by Brope30 Tuesday, May 8, 2012 5:55 PM
    Tuesday, May 8, 2012 5:54 PM
  • See what Get-ExchangeCertificate | fl returns on your Exch server; do this on the CAS server.


    Sukh

    Tuesday, May 8, 2012 10:20 PM
  • Hi,

    Please try to run get-outlookprovider -expr |fl to check the certificate name.

    Then please run get-exchangecertificate |fl to try to find the certificate.

    Renew an Exchange Certificate

    http://technet.microsoft.com/en-us/library/ee332322.aspx

    Note: After you generate a certificate request, you must submit it to a certification authority, obtain a signed certificate and install the certificate on the same server. For details, see Obtain a Server Certificate from a Certification Authority and Install an SSL Certificate on a Client Access Server.


    Xiu Zhang

    TechNet Community Support

    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:43 AM
    Wednesday, May 9, 2012 7:50 AM
  • I have run both get-outlookprovider -expr |fl and get-exchangecertificate |fl.  Running these commands did not locate the expired cert that Outlook Anywhere is using.  It found the cert that OWA uses, which is not expired.

    • Edited by Brope30 Wednesday, May 9, 2012 1:45 PM
    Wednesday, May 9, 2012 1:44 PM
  • How long ago did you change the certificate?  Has the server been rebooted since then?

    And I assume this is for all external users?

    They haven't saved it on their PC?

    Can you test with a PC which hasn't been used before (A test PC)?

    Have you checked the OLK Profile config to check the certificate principal name?

    And the Outlook provider Cert principal name?

    http://technet.microsoft.com/en-us/library/bb123683.aspx


    Sukh


    • Edited by Sukh828 Wednesday, May 9, 2012 1:56 PM
    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:43 AM
    Wednesday, May 9, 2012 1:54 PM
  • The new certificate was put in place April 2012.  The server has been rebooted since.

    Yes, this is only for external users.  I have tried to save it on their PC with no luck. 

    I will try a test PC and check the OLK profile.

    It still will connect to their mailbox via Outlook Anywhere after the user clicks through the certificate warning.  It's more of an annoyance and somewhat baffling.



    • Edited by Brope30 Wednesday, May 9, 2012 3:10 PM
    Wednesday, May 9, 2012 3:10 PM
  • Can you post the results of Get-ExchangeCertificate?

    Sukh

    Wednesday, May 9, 2012 3:26 PM
  • [PS] C:\Windows\system32>Get-ExchangeCertificate | FL


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule}
    CertificateDomains : {HOU-EXC-CAS.vbar.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=Veber Enterprise Certificate Authority, DC=vber, DC=com
    NotAfter           : 2/2/2013 7:48:11 PM
    NotBefore          : 2/3/2012 7:48:11 PM
    PublicKeySize      : 1024
    RootCAType         : Enterprise
    SerialNumber       : 257C50A90001000021AC
    Services           : IMAP, POP
    Status             : Valid
    Subject            : CN=HOU-EXC-CAS.vbar.com
    Thumbprint         : 80E50C85B9BAD3B24E831CFDFC1D12F9F013967C

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule}
    CertificateDomains : {*.vber.com, vber.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                         com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    NotAfter           : 4/9/2014 4:20:43 PM
    NotBefore          : 4/11/2011 9:27:55 AM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 4B440CD73845C7
    Services           : IIS
    Status             : Valid
    Subject            : CN=*.vber.com, OU=IT, O=Veber Inc., L=Houston, S=TX, C=US
    Thumbprint         : 979141860672EB5AA209340148B7047256C9B106

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {HOU-EXC-CAS, HOU-EXC-CAS.vbar.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=HOU-EXC-CAS
    NotAfter           : 1/11/2015 11:17:11 AM
    NotBefore          : 1/11/2010 11:17:11 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 6A7DF00C09A14C9946FEE98EA8F63202
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=HOU-EXC-CAS
    Thumbprint         : 3349BDCA749BB99E5C78A4B47108ACEEDD255D62

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {HOU-EXC-CAS, HOU-EXC-CAS.vbar.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=HOU-EXC-CAS
    NotAfter           : 1/7/2015 9:26:57 PM
    NotBefore          : 1/7/2010 9:26:57 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 53D9ECD33145388F41C7FF664F249799
    Services           : IMAP, POP, SMTP
    Status             : Valid
    Subject            : CN=HOU-EXC-CAS
    Thumbprint         : ED1022D7CD0F02F89DB0BEE35F3004F28CF67C07

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-HOU-EXC-CAS}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-HOU-EXC-CAS
    NotAfter           : 1/5/2020 5:51:24 PM
    NotBefore          : 1/7/2010 5:51:24 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 112DCB5D5957DC8F43A9F411FF9FD5B8
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-HOU-EXC-CAS
    Thumbprint         : 4D706FA04563AE8FD76E04E97C0D0ED94FDBC8B0


    • Edited by Brope30 Wednesday, May 9, 2012 6:10 PM
    Wednesday, May 9, 2012 6:10 PM
  • And what's the external name? Is it covered by that wild card you're using?

    Sukh

    Wednesday, May 9, 2012 6:14 PM
  • Yes, it's covered by the wildcard cert.


    • Edited by Brope30 Wednesday, May 9, 2012 7:45 PM
    Wednesday, May 9, 2012 7:44 PM
  • Are you sure the certificate isn't coming from something else? Firewall, web browser somewhere else etc? If you only have one web site on the server then only one SSL certificate can be bound to the web site. If the correct certificate is shown internally then the problem has to be elsewhere.

    Simon.


    Simon Butler, Exchange MVP

    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:43 AM
    Wednesday, May 9, 2012 7:59 PM
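
Added example, not part of any post in this thread: one way to test whether the expired certificate comes from the CAS or from something in front of it is to read the certificate actually presented on the external name and look for its thumbprint in the Get-ExchangeCertificate output. `mail.example.com` and the function name `Get-RemoteSslCertificate` are placeholders introduced here.

```powershell
# Added example; mail.example.com is a placeholder for the Outlook Anywhere external host name.
param(
    [string]$ExternalHost = 'mail.example.com',
    [int]$Port = 443
)

function Get-RemoteSslCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the point is to read an expired
        # certificate, not to trust it. No data is sent over this session.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($origin, $cert, $chain, $policyErrors)
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Close()
        }
    } finally {
        $client.Close()
    }
}

# Certificate that a client connecting to the external name is actually handed.
$served = Get-RemoteSslCertificate -HostName $ExternalHost -Port $Port
$served | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
if ($served.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate served on ${ExternalHost}:$Port expired $($served.NotAfter)"
}

# Exchange Management Shell on the CAS: is that thumbprint one of this server's certificates?
$match = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if ($match) {
    Write-Output "Installed on this CAS with services: $($match.Services)"
} else {
    Write-Output "Not installed on this CAS: check the device that answers for $ExternalHost (firewall, reverse proxy, another CAS)."
}
```

If the CAS resolves the external name to itself, run the probe from a machine outside the network and compare the thumbprint it prints against the Get-ExchangeCertificate list by hand.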
  • Hi,

    Please try to View Certificates with the MMC Snap-in from your CAS server and Domain Controller. You can refer to the steps in the article below:

    How to: View Certificates with the MMC Snap-in

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

    By the way, how many CAS servers are in the network? How did you publish Outlook Anywhere?


    Xiu Zhang

    TechNet Community Support

    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:43 AM
    Thursday, May 10, 2012 2:16 AM