SBS 2011 autodiscover problem for Outlook Web Access users

  • Question

  • I have just completed a new SBS 2011 install.  There are three remote users that connect to Exchange using Outlook Web Access.  I am getting this autodiscover security alert popping up on the three computers.  The computers have Office 2007 and I installed the security certificate from the new SBS server on all three remote computers.

    Before the SBS 2011 server we had SBS 2003.  The remote users did not have any warning then.  On one computer I used the certificates MMC to delete the old mail.mydomain.com certificate before installing the new one but this did not make any difference.

    I thought the problem might be an Outlook 2007 problem but one of the remotes has Outlook 2010.  I am not sure at which end the problem is, considering it worked fine with the old SBS server.  The name of the self-assigned certificate is the same from the old server to the new server because it corresponds with our MX record.

    I would appreciate any suggestions.

    Thank you.

    Monday, April 30, 2012 9:35 PM

All replies

  • Maybe some help here...
     
     
    --
    Merv  Porter   [SBS-MVP]
    ============================
    Monday, April 30, 2012 10:28 PM
  • Merv,

    Thank you for the link.  Here's my concern with the article:  I have many, many SBS 2011 and SBS 2008 installs under my belt and a corresponding number of users in remote or satellite offices using RPC over HTTPS.  I have never created an SRV record and I have never run into this particular problem in the past.  The closest I have come to this was a similar security warning in Outlook on the LAN when you didn't install the Exchange rollups.

    What do you think?

    Monday, April 30, 2012 10:42 PM
  • r055wal,

    To address your issue, the first step is to run the Connect To Internet Wizard.  Next run the Setup your Internet Address Wizard.  Finally run The Add a Trusted Certificate wizard. 

    This does several things for you.  The CTIW sets up your server and verifies the proper IP and DNS settings. This is required to run the "Setup your Internet Address Wizard".

    The Internet Address Wizard fixes all the IIS and Exchange settings to properly reflect your domain name.

    Finally the Trusted Certificate wizard properly adds a Self Signed, or Public SSL cert to your IIS sites. 

    The final effect of these 3 wizards is a properly functioning Exchange 2010 environment on the Domain Controller that does not prompt you with pop-ups like you are seeing.  The pop-up you are getting is 99% of the time due to improper URLs in Exchange. 

    If you continue to have issues after running the wizard, then let me know and we can further troubleshoot the error. 

    Also, make sure that your Internet Address Wizard is mail.harcinc.ca to match the Self Signed Cert.  Make sure that your clients point to mail.harcinc.ca, NOT mail.harcinc.ca


    Jeremy

    Monday, April 30, 2012 11:25 PM
  •   Make sure that your clients point to mail.harcinc.ca, NOT mail.harcinc.ca


    I think I'm missing something, maybe :-)
    Monday, April 30, 2012 11:27 PM
  • Jeremy,

    Would you suggest I run the wizard a second time?  I ran it during the server installation where I replaced remote.harcinc.ca with mail.harcinc.ca because this is already defined at the DNS host.

    I just want to add that autodiscover works fine on the LAN and there is a DNS zone created for mail.harcinc.ca

    Thanks,


    • Edited by r055wal Monday, April 30, 2012 11:32 PM
    Monday, April 30, 2012 11:31 PM
  •   Make sure that your clients point to mail.harcinc.ca, NOT mail.harcinc.ca


    I think I'm missing something, maybe :-)

    Are the two of these not the same?
    Tuesday, May 1, 2012 12:30 AM
  • I think I was trying to say "Make sure that your clients point to mail.harcinc.ca, NOT remote.harcinc.ca",

    as his certificate is for Mail, and not remote....


    Jeremy

    Tuesday, May 1, 2012 1:11 AM
  • This is probably the issue: you had it all set up for Remote, you re-ran it as Mail.  All your clients are looking to remote, but your cert is for mail.  Instant fail. 

    Try it, I did, they both work.... 

    https://remote.harcinc.ca/owa

    and

    https://mail.harcinc.ca/owa


    Jeremy

    Tuesday, May 1, 2012 1:13 AM
  • Yes, they definitely point to mail.harcinc.ca and they make a successful connection to the Exchange server.  Shortly after, the security window pops up.  If you hit OK it seems to work after more popup notifications.

    Thanks

    Tuesday, May 1, 2012 1:14 AM
  • This is probably the issue: you had it all set up for Remote, you re-ran it as Mail.  All your clients are looking to remote, but your cert is for mail.  Instant fail. 

    Try it, I did, they both work.... 

    https://remote.harcinc.ca/owa

    and

    https://mail.harcinc.ca/owa


    Jeremy

    No, that is definitely not the case.  'Remote' was changed to 'mail' during the setup.  The cert that gets installed is mail.harcinc.ca. The security error is not even for this cert, it is for autodiscover.harcinc.ca as shown in my first post. I do not think this is related to the cert created by the install. It seems to be with the autodiscover cert.

    I would like to add that a couple of years ago on an SBS install I forgot to change 'remote' to 'mail' during the setup.  This was easy to correct by deleting the remote.mydomain.com lookup zone in DNS and running the CTIW wizard again.

    Tuesday, May 1, 2012 1:30 AM
  • C:\Windows\system32>nslookup autodiscover.harcinc.ca.
    Server:  sbs01.anderson.local
    Address:  172.16.32.5

    Non-authoritative answer:
    Name:    autodiscover.harcinc.ca
    Address:  216.110.234.173


    C:\Windows\system32>nslookup mail.harcinc.ca.
    Server:  sbs01.anderson.local
    Address:  172.16.32.5

    Non-authoritative answer:
    Name:    mail.harcinc.ca
    Address:  216.110.234.173

    It appears that you have an A record for Autodiscover in your external DNS.  Go ahead and remove that, and while you are in there set up the SRV record according to Merv Porter [SBS-MVP]'s post above.

    Thanks,


    Jeremy

    Tuesday, May 1, 2012 4:43 AM
  • Here is something interesting with our external DNS because I never created a record for 'autodiscover'.  No matter what name you stick in front of xxx.harcinc.ca it will resolve to 216.110.234.173.  There is no autodiscover, ftp, or www a-host records yet they all resolve to 216.110.234.173.
    Tuesday, May 1, 2012 1:37 PM
  • You have a wildcard DNS setting enabled. 

    http://en.wikipedia.org/wiki/Wildcard_DNS_record

    C:\>nslookup sdfjsdfhsd.harcinc.ca
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    sdfjsdfhsd.harcinc.ca
    Address:  216.110.234.173

    The support staff at domainpeople should be able to help you remove it. 

    You could also add a wildcard certificate to the SBS server, but they are more expensive. 
    http://support.godaddy.com/help/article/567


    Jeremy


    Tuesday, May 1, 2012 6:54 PM
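
The check discussed above (random names under the domain resolving, and autodiscover.harcinc.ca reaching a server whose certificate only names mail.harcinc.ca) can be scripted. This is an added example, not code from any poster in the thread; the function names and the stand-in resolver `wildcard_zone` are assumptions, and the sample zone is constructed from the nslookup output shown above.

```python
import secrets
import socket


def resolve(name):
    """Return the IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def cert_covers(host, cert_names):
    """True if host matches a certificate name (exact or single-label wildcard)."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        # "*.example.com" covers exactly one extra left-most label.
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False


def diagnose(domain, cert_names, resolver=resolve, probes=3):
    """Report wildcard DNS and whether autodiscover.<domain> hits a name mismatch."""
    # Random labels nobody created: if they all resolve, the zone has a wildcard.
    random_hits = {resolver(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)}
    wildcard = None not in random_hits
    auto_host = f"autodiscover.{domain}"
    auto_ip = resolver(auto_host)
    return {
        "wildcard_dns": wildcard,
        "autodiscover_ip": auto_ip,
        # The name resolves only because of the wildcard, not an explicit A record.
        "autodiscover_via_wildcard": wildcard and auto_ip in random_hits,
        # A TLS client warns when the host it reached is not named in the certificate.
        "cert_mismatch": auto_ip is not None and not cert_covers(auto_host, cert_names),
    }


# Constructed stand-in for the external zone described in the thread.
def wildcard_zone(name):
    return "216.110.234.173" if name.endswith(".harcinc.ca") else None


if __name__ == "__main__":
    print(diagnose("harcinc.ca", ["mail.harcinc.ca"], resolver=wildcard_zone))
```

Leaving out the `resolver` argument makes `diagnose` use live DNS from the machine it runs on, so run it from outside the LAN to see what remote Outlook clients see.
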
  • Thank you Jeremy.  I have a support ticket in with Domain People.  I have never had to create an SRV record to get this to work so I am thinking it has to be unique to this install.  I tested several of my other customers and none of them have a wildcard in their DNS that pointed them to the SBS server.

    Thanks

    Tuesday, May 1, 2012 8:08 PM
  • Hi,

    Regarding this warning, I think it’s normal if you are using the self-signed certificate. From Microsoft, a SAN-supported certificate is recommended. If you would like to use a single SSL certificate for Outlook Anywhere, I think you need to configure redirection for Outlook Anywhere with a Single SSL Certificate:

    Title: Understanding Redirection for Outlook Anywhere with a Single SSL Certificate
    URL: http://technet.microsoft.com/en-us/library/ee633470.aspx

    Regards,
    James


    James Xiong

    TechNet Community Support

    Wednesday, May 2, 2012 8:58 AM
  • Hi,

    Regarding this warning, I think it’s normal if you are using the self-signed certificate. From Microsoft, a SAN-supported certificate is recommended. If you would like to use a single SSL certificate for Outlook Anywhere, I think you need to configure redirection for Outlook Anywhere with a Single SSL Certificate:

    Title: Understanding Redirection for Outlook Anywhere with a Single SSL Certificate
    URL: http://technet.microsoft.com/en-us/library/ee633470.aspx

    Regards,
    James


    James Xiong

    TechNet Community Support

    This still does not address the reason why this particular network gets the error and over 35 installations of SBS 2008 and SBS 2011 that I have done over the years do not, using the self-signed certificate.

    I have installed the self-signed certificate using the installer supplied by SBS and I do not have any security warnings accessing SBS.

    Wednesday, May 2, 2012 11:49 AM
  • Update: I have removed the wildcard in the external DNS and installed the latest Exchange Server 2010 SP1 rollup but the problem still persists.  I have not created an SRV record because I have never had to create this on any other network using Exchange Server 2010 or Outlook 2007.
    If I was to create an SRV record would I do this on the external DNS or the SBS 2011 DNS server?

    Thanks,

    • Edited by r055wal Wednesday, May 2, 2012 7:57 PM
    Wednesday, May 2, 2012 7:54 PM
  • Maybe some help here...
    --
    Merv  Porter   [SBS-MVP]
    ============================

    Is it important that the underscore be in front of _autodiscover and _tcp?

    On the server with the security problems, the external DNS will not accept the underscore.  On the external DNS server for my company I have to use the underscore.

    Thanks

    Wednesday, May 2, 2012 9:23 PM