Mark Minasi's Reader Forum
 Wildcard Certificates for Exchange 2010
TOPIC REVIEW
lacrosseboy Posted - 06/05/2012 : 12:59:33 PM
We have two sites, we have two autodiscover names, we have one wildcard certificate and we support many email addresses for *.ca and *.com. The wildcard certificate is *.nameofcompany.com. At one site, the users are prompted about a certificate issue when starting Outlook. The users at the other site never see this certificate error.

What am I missing? I thought, longshot, it was the *.ca piece as their primary email address but I am not sure.

Interestingly, when the users signed onto another domain first, then signed into Outlook/Exchange on our domain, they didn't get this message.
15 LATEST REPLIES (Newest First)
lacrosseboy Posted - 07/13/2012 : 09:53:57 AM
Log Name: Application
Source: MSExchange OWA
Date: 7/13/2012 2:41:54 AM
Event ID: 40
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: CHIHUBCA.xxxxxxxx.com
Description:
Client Access server "https://webmail.xxxxxxxxx.com/owa" tried to proxy Outlook Web App traffic to Client Access server "https://xxxxxxx.com/owa". This failed because "https://xxxxxxxx.coverdell.com/owa" didn't respond.

I found this in the logs but the remote site doesn't have OWA installed. Is this the error?
lacrosseboy Posted - 06/26/2012 : 3:01:59 PM

Only one for IIS, it's the wildcard cert.

Thumbprint Services Subject
---------- -------- -------
F3ED3DF956CA146D7759E5AB1B71031E108F3003 ...... CN=Federation
902C28D5DE4C35049E474A4C966230DB56DDBCC0 ...WS. CN=*.coverdell.com, OU=Enterprise SSL Wildcard, OU=Provided by ...
A07A76C0BF4E10777ABB19208A4E15748B10D24F IP..S. CN=CHIHUBCA
C253C61E86084908966DA64EAD7DE33A13FF51E1 IP..S. CN=CHIHUBCA

Jazzy Posted - 06/26/2012 : 2:54:02 PM
Excellent, now we're getting somewhere. Apparently you still have the self-signed certificate assigned to IIS on the CHIHUBCA server. Can you compare the certificates on both servers with the Get-ExchangeCertificate cmdlet or in Exchange Management Console? I guess one of them has a certificate signed by a corporate CA or a public trusted CA, the other doesn't.
lacrosseboy Posted - 06/26/2012 : 2:45:48 PM
The name on the security certificate is invalid or does not match the name of the site.

The certificate was originally installed on the CHIHUBCA server.

Certificate status: The issuer of this certificate could not be found.
Jazzy Posted - 06/26/2012 : 2:40:14 PM
Okay, I'm (almost) out of options. Now back to the certificate warning, what information is on the certificate? Maybe this gives away which server Outlook is trying to connect to.

Assuming that your certificates on Exchange are installed correctly.
lacrosseboy Posted - 06/26/2012 : 2:24:59 PM
SMTP=thomas.deimel@coverdell.com
Attempting URL https://CHIHUBCA.coverdell.com/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://CHIHUBCA.coverdell.com/Autodiscover/Autodiscover.xml starting
GetLastError=0; httpStatus=200
Autodiscover to https://CHIHUBCA.coverdell.com/Autodiscover/Autodiscover.xml Succeeded (0x00000000)

SMTP=thomasdeimeltest@coverdell.com
Attempting URL https://MTLHUBCA.coverdell.com/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://MTLHUBCA.coverdell.com/Autodiscover/Autodiscover.xml starting
GetLastError=0; httpStatus=200
Autodiscover to https://MTLHUBCA.coverdell.com/Autodiscover/Autodiscover.xml Succeeded (0x00000000)

The same except for the servers at the site.
Jazzy Posted - 06/26/2012 : 2:13:43 PM
Okay, then the error is apparently in the Autodiscover process itself, not in the results Outlook gets from Exchange. Can you run the tests again and look at the second tab, Log? If they're not exactly the same, can you post screenshots of them?
lacrosseboy Posted - 06/26/2012 : 07:23:54 AM
We moved the workstations from one domain to our domain. The users used to sign into the other domain, then start Outlook and sign into our domain to get their email. We moved them and then the cert. error started.

Now all users are on one domain, the same as the Exchange servers.
Jazzy Posted - 06/25/2012 : 3:27:38 PM
Thanks. Can you further explain this? "Interestingly, when the users signed onto another domain first, then signed to Outlook/Exchange on our domain, they didn't get this message. "

Are all users working on domain member workstations in the same domain as the Exchange servers?
lacrosseboy Posted - 06/25/2012 : 09:44:36 AM
Site1
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Thomas Deimel</DisplayName>
<LegacyDN>/O=Coverdell & Company/OU=COVERDELL/cn=Recipients/cn=tdeimel</LegacyDN>
<AutoDiscoverSMTPAddress>thomas.deimel@coverdell.com</AutoDiscoverSMTPAddress>
<DeploymentId>803a66ac-79c0-49fc-b3a1-ce682f4d92d0</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>CHIOutlook.coverdell.com</Server>
<ServerDN>/o=Coverdell & Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CHIOutlook.coverdell.com</ServerDN>
<ServerVersion>738280F7</ServerVersion>
<MdbDN>/o=Coverdell & Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CHIOutlook.coverdell.com/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>CHIMAILSTORE.coverdell.com</PublicFolderServer>
<AD>CHIDC1.coverdell.com</AD>
<ASUrl>https://chihubca.coverdell.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://chihubca.coverdell.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://webmail.coverdell.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<OOFUrl>https://chihubca.coverdell.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://chihubca.coverdell.com/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>http://chihubca.coverdell.com/OAB/acf50cd9-fe03-492a-ae15-21fca45db057/</OABUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.coverdell.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://mtlhubca/ews/exchange.asmx</ASUrl>
<EwsUrl>https://mtlhubca/ews/exchange.asmx</EwsUrl>
<OOFUrl>https://mtlhubca/ews/exchange.asmx</OOFUrl>
<UMUrl>https://mtlhubca/ews/UM2007Legacy.asmx</UMUrl>
<CertPrincipalName>msstd:*.coverdell.com</CertPrincipalName>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">https://webmail.coverdell.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://chihubca.coverdell.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
<AlternativeMailbox>
<Type>Delegate</Type>
<DisplayName>Thomas Deimel</DisplayName>
<LegacyDN>/O=Coverdell & Company/OU=COVERDELL/cn=Recipients/cn=tdeimel</LegacyDN>
<Server>CHIOutlook.coverdell.com</Server>
</AlternativeMailbox>
</Account>
</Response>
</Autodiscover>

Site2

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Thomas Deimel - CSR</DisplayName>
<LegacyDN>/o=Coverdell & Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Thomas Deimel2be</LegacyDN>
<AutoDiscoverSMTPAddress>ThomasDeimelTest@COVERDELL.com</AutoDiscoverSMTPAddress>
<DeploymentId>803a66ac-79c0-49fc-b3a1-ce682f4d92d0</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>MTLOutlook.coverdell.com</Server>
<ServerDN>/o=Coverdell & Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MTLOutlook.coverdell.com</ServerDN>
<ServerVersion>738280F7</ServerVersion>
<MdbDN>/o=Coverdell & Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MTLOutlook.coverdell.com/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>CHIMAILSTORE.coverdell.com</PublicFolderServer>
<AD>MTLDCVM.coverdell.com</AD>
<ASUrl>https://mtlhubca/ews/Exchange.asmx</ASUrl>
<EwsUrl>https://mtlhubca/ews/Exchange.asmx</EwsUrl>
<EcpUrl>https://mtlhubca.coverdell.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&exsvurl=1</EcpUrl-sms>
<OOFUrl>https://mtlhubca/ews/Exchange.asmx</OOFUrl>
<UMUrl>https://mtlhubca/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>http://chihubca.coverdell.com/OAB/acf50cd9-fe03-492a-ae15-21fca45db057/</OABUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.coverdell.com</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://mtlhubca/ews/exchange.asmx</ASUrl>
<EwsUrl>https://mtlhubca/ews/exchange.asmx</EwsUrl>
<OOFUrl>https://mtlhubca/ews/exchange.asmx</OOFUrl>
<UMUrl>https://mtlhubca/ews/UM2007Legacy.asmx</UMUrl>
<CertPrincipalName>msstd:*.coverdell.com</CertPrincipalName>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">https://mtlhubca.coverdell.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://mtlhubca/ews/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
Jazzy Posted - 06/21/2012 : 11:00:23 AM
Please give some more details. Can you please copy and paste the complete XML output from the test in the two sites? My guess is there are more server names than MTLOUTLOOK and CHIOUTLOOK. Amirite?
lacrosseboy Posted - 06/21/2012 : 08:22:30 AM
Yes, server names are different because of the site. MTLOUTLOOK for one site and CHIOUTLOOK for the other. The public folder is working ok.
Jazzy Posted - 06/18/2012 : 4:16:44 PM
Ran the test and the connection is ok? Did you see the same steps on both sides? Same server names?
lacrosseboy Posted - 06/18/2012 : 2:43:31 PM
Ran the test, sorry away on vacation, and the connection is ok but the error I am getting is "The issuer of the certificate could not be found". The name on the security certificate is invalid or does not match the name of the site. Ok, I am confused. The certificate is a wildcard cert *.coverdell.com and works fine on one site but errors on the other.

Thanks.

Jazzy Posted - 06/05/2012 : 1:25:33 PM
It's important to understand how Outlook locates the user's server with the help of Autodiscover. Short version:
- Outlook looks in AD for a SCP to locate a server for Autodiscover
- When that fails (disconnected from domain, no domain member, no SCP in AD) it creates a URL from the user's email address domain part: https://mydomain.ca/autodiscover/autodiscover.xml
- When that fails it goes to https://autodiscover.mydomain.ca/autodiscover/autodiscover.xml
- Next step: http://Autodiscover.domein.com/Autodiscover/Autodiscover.xml
- and a few other steps.

To understand how your clients behave, well, how their Outlook behaves, you can run the Test Automatic Configuration wizard in Outlook. Press CTRL and right-click on the systray icon of Outlook. Deselect Guessmart and enter the user's primary email address and password. Next the test will show you what steps it takes, to what server it talks and what the result is. Maybe this helps you understand why you see the errors.
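As an added example (not code from the thread, from Outlook or from Exchange), the fallback order above and the certificate-name question in Python: it derives the non-SCP Autodiscover URLs from an address and flags https:// hostnames in an Autodiscover response that a wildcard name such as *.coverdell.com cannot cover, since a TLS wildcard matches exactly one label and never a bare short name. The XML is a constructed, trimmed sample modelled on the Site2 response posted earlier in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def autodiscover_candidates(smtp_address):
    """Fallback URL order Outlook tries after the AD SCP lookup fails (per the post above)."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
            f"http://autodiscover.{domain}/autodiscover/autodiscover.xml"]

def cert_name_matches(cert_name, hostname):
    """TLS wildcard rule: '*' covers exactly one left-most DNS label, nothing more."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]  # e.g. ".coverdell.com"
    label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(label) and "." not in label

def expected_cert_name(autodiscover_xml):
    """Name Outlook expects on the certificate: the EXPR CertPrincipalName minus 'msstd:'."""
    for elem in ET.fromstring(autodiscover_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "CertPrincipalName":
            return elem.text.strip().split(":", 1)[-1]
    return None

def uncovered_https_hosts(autodiscover_xml, cert_name):
    """Hostnames of https:// URLs in the response that the certificate name does not cover."""
    hosts = set()
    for elem in ET.fromstring(autodiscover_xml).iter():
        text = (elem.text or "").strip()
        if text.lower().startswith("https://"):
            hosts.add(urlparse(text).hostname)
    return sorted(h for h in hosts if not cert_name_matches(cert_name, h))

# Constructed, trimmed sample modelled on the Site2 response quoted earlier in the thread.
SAMPLE_XML = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Account>
<Protocol><Type>EXCH</Type>
<EwsUrl>https://mtlhubca/ews/Exchange.asmx</EwsUrl>
<EcpUrl>https://mtlhubca.coverdell.com/ecp/</EcpUrl></Protocol>
<Protocol><Type>EXPR</Type>
<EwsUrl>https://mtlhubca/ews/exchange.asmx</EwsUrl>
<CertPrincipalName>msstd:*.coverdell.com</CertPrincipalName></Protocol>
</Account></Response></Autodiscover>"""

if __name__ == "__main__":
    name = expected_cert_name(SAMPLE_XML)  # '*.coverdell.com'
    print(autodiscover_candidates("user@coverdell.com"))
    print(uncovered_https_hosts(SAMPLE_XML, name))  # ['mtlhubca']
```

The same check can be pointed at the full XML from the Test Automatic Configuration wizard (with any literal & escaped as &amp;) to list every URL whose host name the installed certificate will not satisfy.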

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi