lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/05/2012 : 12:59:33 PM
|
We have two sites, we have two autodiscover names, we have one wildcard certificate and we support many email addresses for *.ca and *.com. The wildcard certificate is *.nameofcompany.com. In the one site, the users are prompted for a certificate issue when starting Outlook. The users at the other site never see this certificate error.
What am I missing? I thought, longshot, it was the *.ca piece as their primary email address but I am not sure.
Interestingly, when the users signed onto another domain first, then signed to Outlook/Exchange on our domain, they didn't get this message.
|
Thomas Deimel Keeper of the Holy Potato |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/05/2012 : 1:25:33 PM
|
It's important to understand how Outlook locates the user's server with the help of Autodiscover. Short version:
- Outlook looks in AD for a SCP to locate a server for Autodiscover
- When that fails (disconnected from domain, no domain member, no SCP in AD) it creates a URL from the user's email address domain part: https://mydomain.ca/autodiscover/autodiscover.xml
- When that fails it goes to https://autodiscover.mydomain.ca/autodiscover/autodiscover.xml
- Next step: http://Autodiscover.domein.com/Autodiscover/Autodiscover.xml
- and a few other steps.
To understand how your clients behave, well how their Outlook behaves, you can run the Test Automatic Configuration wizard in Outlook. Press CTRL and right-click on the systray icon of Outlook. Deselect Guessmart and enter the user's primary email address and password. Next the test will show you what steps it takes, to what server it talks and what the result is. Maybe this helps you understand why you see the errors. |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
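Added example, not part of the original posts: the lookup steps listed in the reply above (after the SCP step), checked in Python against the wildcard name from the first post. The addresses user@nameofcompany.com and user@nameofcompany.ca are constructed, and the wildcard rule assumed is the usual one where `*` covers exactly one left-most label.

```python
# Added illustration; sample addresses are constructed, not from a real deployment.
from urllib.parse import urlsplit


def autodiscover_candidates(email):
    """URLs Outlook derives from the address once the SCP lookup in AD fails,
    in the order the reply lists them (the later fallback steps are omitted)."""
    domain = email.rsplit("@", 1)[1].lower()
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]


def name_matches(cert_name, host):
    """Wildcard match where '*' stands for exactly one left-most label."""
    cert_labels = cert_name.lower().split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check(email, cert_names):
    """Return (url, verdict) pairs: 'match', 'name mismatch' or 'no TLS'."""
    results = []
    for url in autodiscover_candidates(email):
        parts = urlsplit(url)
        if parts.scheme != "https":
            verdict = "no TLS"  # plain HTTP step, no certificate is presented
        elif any(name_matches(n, parts.hostname) for n in cert_names):
            verdict = "match"
        else:
            verdict = "name mismatch"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    cert = ["*.nameofcompany.com"]  # wildcard name from the first post
    for addr in ("user@nameofcompany.com", "user@nameofcompany.ca"):
        print(addr)
        for url, verdict in check(addr, cert):
            print(f"  {verdict:13}  {url}")
```

A "name mismatch" verdict only turns into a prompt if a server actually answers on that HTTPS URL with this certificate. The check covers the name only; an untrusted issuer is a separate validation failure.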
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/18/2012 : 2:43:31 PM
|
Ran the test, sorry away on vacation, and the connection is ok but the error I am getting is "The issuer of the certificate could not be found". The name on the security certificate is invalid or does not match the name of the site. Ok, I am confused. The certificate is a wildcard cert *.coverdell.com and works fine on one site but errors on the other.
Thanks.
|
Thomas Deimel Keeper of the Holy Potato |
 |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/21/2012 : 08:22:30 AM
|
| Yes, server names are different because of the site. MTLOUTLOOK for one site and CHIOUTLOOK for the other. The public folder is working ok. |
Thomas Deimel Keeper of the Holy Potato |
 |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/21/2012 : 11:00:23 AM
|
| Please give some more details. Can you please copy and paste the complete XML output from the test in the two sites? My guess is there are more server names than MTLOUTLOOK and CHIOUTLOOK. Amirite? |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/25/2012 : 3:27:38 PM
|
Thanks. Can you further explain this? "Interestingly, when the users signed onto another domain first, then signed to Outlook/Exchange on our domain, they didn't get this message. "
Are all users working on domain member workstations in the same domain as the Exchange servers? |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/26/2012 : 07:23:54 AM
|
We moved the workstations from one domain to our domain. The users used to sign into the other domain then start Outlook and sign into our domain to get their email. We moved them and then the cert. error started.
Now all users are on one domain, the same as the Exchange servers. |
Thomas Deimel Keeper of the Holy Potato |
 |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/26/2012 : 2:13:43 PM
|
| Okay, then the error is apparently in the Autodiscover process itself, not in the results Outlook gets from Exchange. Can you run the tests again and look at the second tab, Log. If they're not exactly the same, can you post screenshots of them? |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/26/2012 : 2:40:14 PM
|
Okay, I'm (almost) out of options. Now back to the certificate warning, what information is on the certificate? Maybe this gives away what server Outlook is trying to connect to.
Assuming that your certificates on Exchange are installed correctly. |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/26/2012 : 2:45:48 PM
|
The name on the security certificate is invalid or does not match the name of the site.
The certificate was originally installed on the CHIHUBCA server.
Certificate status: The issuer of this certificate could not be found.
|
Thomas Deimel Keeper of the Holy Potato |
 |
|
|
Jazzy
Administrator
    
Netherlands
1932 Posts
Status: offline |
Posted - 06/26/2012 : 2:54:02 PM
|
| Excellent, now we're getting somewhere. Apparently you still have the self-signed certificate assigned to IIS on the CHIHUBCA server. Can you compare the certificates on both servers with the Get-ExchangeCertificate cmdlet or in Exchange Management Console? I guess one of them has a certificate signed by a corporate CA or a public trusted CA, the other doesn't. |
Jetze Mellema
Exchange specialist Former MVP (2005-2012) My blog: http://jetzemellema.blogspot.com (Dutch) My company: http://www.imara-ict.nl/ |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 06/26/2012 : 3:01:59 PM
|
Only one for IIS, it's the wildcard cert.
Thumbprint                                Services  Subject
----------                                --------  -------
F3ED3DF956CA146D7759E5AB1B71031E108F3003  ......    CN=Federation
902C28D5DE4C35049E474A4C966230DB56DDBCC0  ...WS.    CN=*.coverdell.com, OU=Enterprise SSL Wildcard, OU=Provided by ...
A07A76C0BF4E10777ABB19208A4E15748B10D24F  IP..S.    CN=CHIHUBCA
C253C61E86084908966DA64EAD7DE33A13FF51E1  IP..S.    CN=CHIHUBCA
|
Thomas Deimel Keeper of the Holy Potato |
 |
|
|
lacrosseboy
Old Timer
  
550 Posts
Status: offline |
Posted - 07/13/2012 : 09:53:57 AM
|
Log Name: Application
Source: MSExchange OWA
Date: 7/13/2012 2:41:54 AM
Event ID: 40
Task Category: Proxy
Level: Error
Keywords: Classic
User: N/A
Computer: CHIHUBCA.xxxxxxxx.com
Description: Client Access server "https://webmail.xxxxxxxxx.com/owa" tried to proxy Outlook Web App traffic to Client Access server "https://xxxxxxx.com/owa". This failed because "https://xxxxxxxx.coverdell.com/owa" didn't respond.
I found this in the logs but the remote site doesn't have owa installed. Is this the error? |
Thomas Deimel Keeper of the Holy Potato |
 |
|