security alert from an old certificate keeps popping up in Outlook

  • Question

  • I am getting a Security Alert from a security certificate while opening Outlook.  The name of the certificate is from my old Exchange 2010 server.  That Exchange server crashed back at Sept. and was never recovered.  Instead, we moved to the Exchange Cloud.  Our Outlook 2010 are configured using Outlook Anywhere to point to the cloud but for some reason some Outlook users are getting that Security Alert trying to get the user to accept or deny the old Exchange Server certificate.  First I thought it had something to do with the users' old Outlook profile before the crash, but we have one new user getting that Security Alert even though he has a new computer and Outlook was freshly installed and configured.

    This issue started happening about three days ago.  Only a couple people reported it but now it’s spreading.  I tell the users to click “No” to the alert but the alert keeps popping up every time they reopen Outlook.

    What changed you ask about three days ago?  Well, we have a Lync 2010 server we are trying to implement and it requires a certificate.  We think the Lync Certificate control panel pushed that old Exchange certificate somehow.

    I read a post where someone had this same Security Alert issue because they didn’t decommission their old Exchange server correctly.  They had to go back to their old Exchange server to prevent the old certificate from popping up.  Unfortunately I can’t go back to my old Exchange Server.

    Recap Environment:

    Windows Server 2008 Domain

    Exchange 2010 Server (old server which crashed)

    Exchange 2010 Cloud (current server)

    Lync 2010

    Outlook 2010

    How can I get rid of that old Exchange certificate alert from popping up without my old Exchange server?

    Thanks.


    Rogie O



    • Edited by Rogie O Thursday, February 7, 2013 5:03 PM
    Thursday, February 7, 2013 5:01 PM

All replies

  • On Thu, 7 Feb 2013 17:01:03 +0000, Rogie O wrote:
     
    >I am getting a Security Alert from a security certificate while opening Outlook. The name of the certificate is from my old Exchange 2010 server. That Exchange server crashed back at Sept. and was never recovered. Instead, we moved to the Exchange Cloud. Our Outlook 2010 are configured using Outlook Anywhere to point to the cloud but for some reason some Outlook users are getting that Security Alert trying to get the user to accept or deny the old Exchange Server certificate. First I thought it had something to do with the users' old Outlook profile before the crash, but we have one new user getting that Security Alert even though he has a new computer and Outlook was freshly installed and configured.
    >
    >This issue started happening about three days ago. Only a couple people reported it but now it’s spreading. I tell the users to click “No” to the alert but the alert keeps popping up every time they reopen Outlook.
    >
    >What changed you ask about three days ago? Well, we have a Lync 2010 server we are trying to implement and it requires a certificate. We think the Lync Certificate control panel pushed that old Exchange certificate somehow.
    >
    >I read a post where someone had this same Security Alert issue because they didn’t decommission their old Exchange server correctly. They had to go back to their old Exchange server to prevent the old certificate from popping up. Unfortunately I can’t go back to my old Exchange Server.
    >
    >Recap Environment:
    >
    >Windows Server 2008 Domain
    >
    >Exchange 2010 Server (old server which crashed)
    >
    >Exchange 2010 Cloud (current server)
    >
    >Lync 2010
    >
    >Outlook 2010
    >
    >How can I get rid of that old Exchange certificate alert from popping up without my old Exchange server?
     
    I think I'd start by creating a new Outlook profile.
     
    Does this happen if you exit Outlook AND exit the Lync client and then
    start Outlook?
     
    Lync is going to use your Outlook client's profile to get at your
    calendar for presence information and for contacts. If there's some
    crud left over in the profile that may be the source of the problem.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Zi FengModerator Monday, February 18, 2013 2:20 AM
    • Unmarked as answer by Rogie O Monday, February 18, 2013 8:59 PM
    Friday, February 8, 2013 2:25 AM
  • Rich,

    I uninstalled Lync client to take it out of the equation but it didn't help.  I also created a new Outlook profile but I still get that security pop-up.

    Rogie


    Rogie O

    Thursday, February 14, 2013 4:46 PM
  • On Thu, 14 Feb 2013 16:46:48 +0000, Rogie O wrote:
     
    >I uninstalled Lync client to take it out of the equation but it didn't help. I also created a new Outlook profile but I still get that security pop-up.
     
    For the people that get that credential dialog, have you tried using
    https://testexchangeconnectivity.com/ to see what might be going on?
     
    Do you have a DNS "A" record for autodiscover.compucom.com? Do the
    people that have problems have anything in their HOSTS file?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Zi FengModerator Monday, February 18, 2013 2:20 AM
    • Unmarked as answer by Rogie O Monday, February 18, 2013 8:59 PM
    Thursday, February 14, 2013 11:24 PM
  • Rich,

    I ran the ExRCA for ActiveSync and got failures on the following:

    Validating the certificate name
    Testing TCP port 443 on autodiscover.domain.com


    Before I opened this thread, I had a DNS "A" record "mail.domain.com",  mail.domain.com is the same name of the certificate that is popping up that I'm trying to get rid of.  I did remove that "A" record before posting this thread.

    HOSTS file is empty.

    Do you think it's validating the certificate?  Thanks for your help.


    Rogie O

    Monday, February 18, 2013 5:18 PM
  • On Mon, 18 Feb 2013 17:18:01 +0000, Rogie O wrote:
     
    >I ran the ExRCA for ActiveSync and got failures on the following:
    >
    >Validating the certificate name Testing TCP port 443 on autodiscover.domain.com
     
    Do you have an "A" record for autodiscover.domain.com? Does the test
    succeed when it uses just domain.com? Is port 443 open on your
    firewall? Do the IIS log files on the server show any activity for IP
    addresses outside your LAN?
     
    >Before I opened this thread, I had a DNS "A" record "mail.domain.com", mail.domain.com is the same name of the certificate that is popping up that I'm trying to get rid of. I did remove that "A" record before posting this thread. HOSTS file is empty. Do you think it's validating the certificate? Thanks for your help.
     
    Autodiscover isn't going to try mail.domain.com. It's going to try
    https://domain.com/... and https://autodiscover.domain.com/... If your
    certificate has only mail.domain.com in it then you'll always get a
    certificate failure. If that's your situation you can try using a
    service (SRV) record for autodiscover.
     
    http://support.microsoft.com/kb/940881
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by IT SPFCU Monday, May 16, 2016 5:48 PM
    • Unproposed as answer by IT SPFCU Monday, May 16, 2016 5:49 PM
    Tuesday, February 19, 2013 3:55 AM
  • Rich,

    I do have another "A" record called "domain.com".  I also have a "CNAME" called "autodiscovered_________.com"

    Yes, we have port 443 open.

    I don't have access to the IIS log files, we have a vendor that hosts our Exchange on the cloud.

    Yes, autodiscover isn't going to try mail.domain.com.  mail.domain.com was for our old Exchange server that was inhouse and local to me.  But the inhouse Exchange server crashed and we moved to the cloud.

    Here is a piece of the ExRCA report that failed:

    ------------------------

    Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml

    Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name domain.com in DNS.

    The host name resolved successfully.

    Additional Details

    IP addresses returned: xxx.xxx.xxx.xxx

    Testing TCP port 443 on host domain.com to ensure it's listening and open.

    The port was opened successfully.

    Testing the SSL certificate to make sure it's valid.

    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    ExRCA is attempting to obtain the SSL certificate from remote server domain.com on port 443.

    ExRCA successfully obtained the remote SSL certificate.

    Additional Details

    Remote Certificate Subject: CN=*.sites.myregisteredsite.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=GT37193146, O=*.sites.myregisteredsite.com, C=US, SERIALNUMBER=_______________________, Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US.

    Validating the certificate name.

    Certificate name validation failed.

    Tell me more about this issue and how to resolve it

    Additional Details

    Host name domain.com doesn't match any name found on the server certificate CN=*.sites.myregisteredsite.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=GT37193146, O=*.sites.myregisteredsite.com, C=US, SERIALNUMBER=___________________________________.

    Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml

    Testing of this potential Autodiscover URL failed.

    Test Steps

    Attempting to resolve the host name autodiscover.domain.com in DNS.

    The host name resolved successfully.

    Additional Details

    IP addresses returned: xxx.xxx.xxx.xxx

    Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.

    The specified port is either blocked, not listening, or not producing the expected response.

     Tell me more about this issue and how to resolve it

    -----------------------

    Thanks again for your advice.


    Rogie O

    Tuesday, February 19, 2013 3:35 PM
  • On Tue, 19 Feb 2013 15:35:49 +0000, Rogie O wrote:
     
    >Rich, I do have another "A" record called "domain.com".
     
    Okay. And there's a web site there that allows the use of port 443 but
    it doesn't contain the name "domain.com". So take the "A" record out
    of your external DNS, or use a certificate on that web site that has
    the correct name in the certificate. That's pretty easy to fix.
     
    >I also have a "CNAME" called "autodiscovered_________.com" Yes, we have port 443 open. I don't have access to the IIS log files, we have a vendor that hosts our Exchange on the cloud.
     
    Why a CNAME and not an "A" resource record?
     
    >Yes, autodiscover isn't going to try mail.domain.com. mail.domain.com was for our old Exchange server that was inhouse and local to me. But the inhouse Exchange server crashed and we moved to the cloud. Here is a piece of the ExRCA report that failed: ------------------------
    >
    >Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
     
    [ snip ]
     
    >Host name domain.com doesn't match any name found on the server certificate CN=*.sites.myregisteredsite.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=GT37193146, O=*.sites.myregisteredsite.com, C=US, SERIALNUMBER=___________________________________.
     
    As I said, the "A" record points to a working web site with a
    certificate that doesn't have the name in it. So remove the "A" record
    if the site doesn't belong to you. If it does belong to you then use a
    correct certificate on the site.
     
     
    >Attempting to resolve the host name autodiscover.domain.com in DNS.
    >
    >The host name resolved successfully.
    >
    >Additional Details
    >
    >IP addresses returned: xxx.xxx.xxx.xxx
    >Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
    >The specified port is either blocked, not listening, or not producing the expected response.
     
    Either the CNAME is taking you to an incorrect IP address or port 443
    is blocked. Which of these is the problem I can't tell, but you can.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, February 20, 2013 3:02 AM
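
The two failures diagnosed in the replies above (a certificate whose names do not cover the host Autodiscover connects to, and a host with nothing listening on 443) can be checked per candidate host. The following is an added example, not part of any post in this thread; the certificate name lists and the SRV target `autodiscover.hoster.example` are constructed placeholders.

```python
# Added example: host names and certificate name lists are constructed
# placeholders shaped like the ExRCA output quoted in the thread.

def name_matches(host, pattern):
    """True if a certificate name covers host. A '*' is honoured only as the
    whole left-most label and stands for exactly one label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def candidate_hosts(smtp_domain, srv_target=None):
    """HTTPS hosts named in the thread: the bare domain, autodiscover.<domain>,
    then the target of an SRV record if one is published (KB 940881)."""
    hosts = [smtp_domain, "autodiscover." + smtp_domain]
    if srv_target:
        hosts.append(srv_target)
    return hosts

def audit(smtp_domain, presented, srv_target=None):
    """presented maps host -> names on the certificate served on port 443,
    or None when nothing answers there. Returns host -> finding."""
    findings = {}
    for host in candidate_hosts(smtp_domain, srv_target):
        names = presented.get(host)
        if names is None:
            findings[host] = "no-listener"
        elif any(name_matches(host, n) for n in names):
            findings[host] = "ok"
        else:
            findings[host] = "name-mismatch"  # the condition behind the alert
    return findings

# Constructed input: a shared-hosting wildcard on the bare domain, nothing on
# autodiscover.<domain>, and a hypothetical SRV target with a matching name.
SAMPLE = {
    "domain.com": ["*.sites.myregisteredsite.com"],
    "autodiscover.domain.com": None,
    "autodiscover.hoster.example": ["autodiscover.hoster.example"],
}

if __name__ == "__main__":
    result = audit("domain.com", SAMPLE, "autodiscover.hoster.example")
    for host, finding in result.items():
        print(f"{host:30} {finding}")
```
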
  • Rich,

    Thanks for your input.  I've been out sick for a few days and am now catching up at work.  I will look into this and get back to you.  Thanks again.


    Rogie O

    Tuesday, February 26, 2013 8:16 PM
  • We have a similar issue, and are also running a 2008 domain.  We moved email to the cloud and are receiving the security warning from what appears to be our old server.  The funny thing is that if we use a computer not on our network we do not get the warning and so it leads us to believe there is something lingering in AD.

    When I say that it appears to be the old server, the name on the security alert is mail.ourdomainname.com, but the certificate belongs to our cloud provider.  We still have our 2007 Exchange server installed, and may just need to decommission it and ensure that the AD gets cleaned up properly.

    Oh, one thing that suppresses the alert is to add a record to our hosts file pointing mail.ourdomain.com to an address that will not resolve.  The reason that I tried that was to test our SRV record which points mail.ourdomain.com to our cloud provider.  The DNS for ourdomainname.com is not a zone in our DNS, and from our network things are resolving properly.  Anyhow, we would like to keep our mail server online in case we need to restore anything, and so figuring out what is causing this alert would help.

    Thanks,

    Jon


    • Edited by JonHarder Thursday, July 18, 2013 3:50 PM Added info about our DNS not being hosted internally
    Thursday, July 18, 2013 3:41 PM