Server Fault Asked by Clay Powell on December 24, 2020
Recently replaced the SSL cert on our Exchange 2010 box with a new wildcard cert. Assigned services, reconfigured all URL’s for external and internal access to be identical (previous cert was a SAN cert with .local domain names and since they are no longer available we are having to change this), setup split DNS so internal and external clients all use the same DNS name for access.
Everything works as expected, with the exception of Outlook clients receiving a mismatch certificate error… it appears the server is presenting the server.domain.local FQDN to the client and with the SSL being *.domain.com it doesn’t match…
I have followed all guides/articles I found ensuring that all URL’s are setup properly and all point to the same external DNS name. Autodiscover internally also works and passes (we do not have it setup to autodiscover externally but Outlook anywhere does function as it should when manually configured, this has been tested)
What has me perplexed with this issue is that newly created profiles/accounts do not have this issue so it seems to be more of an Outlook profile issue rather than a server issue. I can open Outlook and use my previously configured profile and I get the SSL mismatch error.. If I create a new Outlook profile and setup my account within it, there are no SSL errors at all.
Not certain if anyone has come across this before or not but any advice/help would be greatly appreciated… while rebuilding the Outlook profile does fix the issue, with 25 – 30 users that isn’t exactly something I want to have to do…. It isn’t something that should have to be done…. Thanks in advance for any response/assistance.
Clay
Edit –
My issue isn’t quite like the referenced Outlook Security Alert question… but more so Like this one – Outlook/Exchange certificate errors after setting clientaccessserver, etc… properties… this one seems to be almost identical to my problem… sadly it has no answer though
I have come across same issue while doing migration to Exchange 2013 requiring to replace SSL cert on Exchange 2010 and configure OA to enable proxying through Exchange 2013. Solution to avoid cert pop ups on desktops was to import Outlook 2013 GPO template and enable GPO for Autodiscover to ExcludeLastKnownGoodUrl.
Outlook 2013's new feature to store last known good urls and order of processing connectivity when launched is the culprit :)
Correct answer by Azhar Pasha Syed on December 24, 2020
I know this is old but still relevant in 2020 with office 2016 and 2019, Exchange 2016 and 2019
After spending days on this issue, (re)setting internal and external URLs of exchange, SSL certificate rebuilds and complete workstation rebuilds I came across this post. Azhar Pasha Syed answered the question above (https://serverfault.com/a/721380/235674) witch pointed me in the right direction so I felt the need to comment and help others
My issue in the end was that the autodiscover server is cached in the users Outlook profile.
Here is a Microsoft link to the issue https://support.microsoft.com/en-gb/help/3073002/after-migration-to-office-365-outlook-doesn-t-connect-or-web-services
Fix with reg key on the local machine(s) for Outlook 2016, 2019 and 365
HKEY_CURRENT_USERSoftwareMicrosoftOffice16.0OutlookAutodiscover
DWORD: ExcludeLastKnownGoodUrl
Value: 1
Or download and configure the Office Group Policy template for office 2016, 2019 and 365 from your server https://www.microsoft.com/en-us/download/details.aspx?id=49030
Answered by Sparki on December 24, 2020
We had the same issue after removing our local domain from our Exchange certs and went down the same troubleshooting path, Clay.
We found that the 'last known good' cache in Outlook 2013 was the culprit by turning this feature off via the registry for a couple affected PCs.
Then we realized the root cause was because we had left the old "local" record in dns. Outlook 2013 was looking to cache for the old autodiscover, and because it still existed despite not matching the cert, it was never going out to get the new address.
I know this is old but thought it may help someone else.
Answered by Leah on December 24, 2020
So I had the exact same issue after installing an SSL certificate into our local Exchange server for mail.company.com.
All Outlook clients on LAN started receiving "The name on the security certificate is invalid or does not match the name of the site", followed by a "Allow this website to configure [email protected] server settings? https://autodiscover.company.com/autodiscover/autodiscover.xml" prompt.
I ran through the DigiCert Exchange utility, generated a script, checked it, retrieved and backed up all existing configuration by using "Get-" and then executed the script in the Exchange Management Shell:
Set-ClientAccessServer -Identity "LocalServer" -AutodiscoverServiceInternalUri "https://mail.company.com/Autodiscover/Autodiscover.xml"
Set-OABVirtualDirectory -Identity "LocalServerOAB (Default Web Site)" -InternalUrl "http://mail.company.com/OAB"
Set-WebServicesVirtualDirectory -Identity "LocalServerEWS (Default Web Site)" -InternalUrl "https://mail.company.com/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "LocalServerMicrosoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync"
Set-OWAVirtualDirectory -Identity "LocalServerowa (Default Web Site)" -InternalUrl "https://mail.company.com/owa"
Set-ECPVirtualDirectory -Identity "LocalServerecp (Default Web Site)" -InternalUrl "https://mail.company.com/ecp"
This didn't solve the warning prompts on the clients after a ipconfig /flushdns, gpupdate /force, and a restart, so I then double checked some other items:
mail.company.com was registered in the SSL certificate - okay.
Local DNS server Alias entry mail.company.com to LocalServer.company.com - okay
Found a duplicate local DNS server Host LocalServer.company.com to 192.168.1.11 and to 192.168.1.60 - Deleted incorrect 2nd entry.
Found local DNS server Alias autodiscover.company.com to LocalServer.company.com - Deleted this entry, ipconfig /flushdns and close and open Outlook on clients and everything seemed to work!
What the Microsoft KB article https://support.microsoft.com/en-gb/kb/940726, and the DigiCert Exchange tool eluded to, is another setting which I have discovered subsequently which most likely would have addressed the AutoDiscover prompt correctly:
Set-AutodiscoverVirtualDirectory -Identity "LocalServerAutodiscover (Default Web Site)" -InternalUrl "https://mail.company.com/autodiscover/autodiscover.xml"
Set-AutodiscoverVirtualDirectory -Identity "LocalServerAutodiscover (Default Web Site)" -ExternalUrl "https://mail.company.com/autodiscover/autodiscover.xml"
Both of these entries are blank on my Exchange server, so will test populating them and feed back again.
EDIT: So I put in the InternalUrl for mail.company.com/autodiscover/autodiscover.xml, and when I checked the Outlook clients by CTRL+Right-click on Outlook tray icon, Test E-mail AutoConfiguration..., Test, Log, scroll down and find the line Autodiscover to, it has the new address in there and has a success status!
I have seen another article where they have added autodiscover.company.com into the SSL certificate as a solution, which would also solve the problem in this scenario, this however is a wasted resource in my circumstance as we have limited SSL certificates.
All working, now just to figure out connections from the outside, and routing through the firewall :)
Answered by Edward on December 24, 2020
I just had the exact same issue as you are describing, down to the T.
Resolution was to disable Cached mode on the affected profiles. Open Outlook, close outlook. Re-enable cached mode and the issue went away.
I hope this saves others time :)
Answered by Jeff W. on December 24, 2020
Based on a comment you made above, I would like to provide you a clear picture as to what you need to validate in order to make the environment work properly. I'm going to cover all the aspects, so some things you probably already have working. 1. Make sure you have "RPC over HTTP" installed on the Exchange server and properly operating (corresponding event logs can be seen when server boots, for example.
Since you have replaced your SSL cert with wildcard one, you would need to decide how are you going to reference the Exchange server inside your internal network, for a sake of the example, let's make it mail.domain.com for the fqdn and mail for the netbios name.
Run the following CMD-lets to find and SET the correct information as for the virtual directories perspective:
Exchange Control Panel: Get-ecpVirtualDirectory -Server mail | Set-ecpVirtualDirectory -InternalURL https://mail.domain.com/ecp -ExternalURL https://mail.domain.com/ecp
Get-ECPVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
Outlook Web App: Get-OwaVirtualDirectory -Server mail | Set-OwaVirtualDirectory -InternalURL https://mail.domain.com/owa -ExternalURL https://mail.domain.com/owa
Get-OWAVirtualDirectory -Server mail | Fl internalUrl,ExternalURL
EWS (Exchange Web Services): Get-WebservicesVirtualDirectory -Server mail | Set-WebservicesVirtualDirectory -InternalURL https://mail.domain.com/EWS/Exchange.asmx -ExternalURL https://mail.domain.com/EWS/Exchange.asmx
Get-WebservicesVirtualDirectory -Server mail |Fl internalURL,ExternalURL
Autodiscover: Set-ClientAccessServer mail -AutodiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml
Get-ClientAccessServer mail | Fl AutodiscoverServiceInternalUri
ActiveSync: Get-ActiveSyncVirtualDirectory -Server mail | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domain.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domain.com/Microsoft-Server-ActiveSync
Get-ActiveSyncVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
Offline Address Book: Get-OABVirtualDirectory -Server mail | Set-OABVirtualDirectory -InternalUrl https://mail.domain.com/OAB -ExternalURL https://mail.domain.com/OAB
Get-OABVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
OutlookAnywhere: Set-OutlookAnywhere -Identity mailRpc (Default Web Site)" -InternalHostname mail.domain.com -ExternalHostName mail.domain.com -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True
Get-OutlookAnywhere -Identity mailrpc (Default Web Site)" |fl InternalHostName,InternalClientAuthenticationMethod,InternalClientsRequiressl, ExternalHostName,ExternalClientAuthenticationMethod,ExternalClientsRequiressl
Perform iisreset /restart
after the script above, remember to replace mail with the actual netbios name of the server and mail.domain.com with the actual fqdn of your Exchange server.
In regards to the Outlook provider see here: http://blogs.technet.com/b/exchange/archive/2008/09/29/3406352.aspx
Let me know if you have any questions.
Answered by Vick Vega on December 24, 2020
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP