Exchange Server Forums
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Outlook certificate warning
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Outlook certificate warning - 25.Jan.2010 10:50:04 AM
|
|
|
garyrm
Posts: 3
Joined: 17.Aug.2007
Status: offline
|
Interesting error after upgrading to Exchange 2010.
Outside our network, Outlook 2007 starts, reports a certificate error from the domain, asks for permission to proceed, loads and works ok if Yes is selected.
I notice the error comes from our domain name, which resolves to our website/webserver, hosted at an entirely different IP address from our mail server. When I view the certificate, it's coming from www.ourdomainname.com and from an expired certificate on our web site (that cert's no longer in use).
From what I learned, that action is consitent with the search order of autodiscover;
https://domainname.tld/autodiscover/autodiscover.xml
https://host.domainname.tld/autodiscover/autodiscover.xml
http://host.domainname.tld/autodiscover/autodiscover.xml
DNS SRV lookup for _autodiscover._tcp.domain.com
Since the first item cheked is our domain name, which resolves to an IP address different from our mail server, the certificate which produces an error is 'exposed'. The cert is from a trusted source, but expired a few days ago. Worse, even if renewed, will still have the wrong host name - www instead of mail. In process of cert renewal, but leary this will fully resolve the problem.
Ran the Outlook Autodiscover test at https://www.testexchangeconnectivity.com, which completes sucessfully but drilling into the details of the test I see the certificate from our website which fails, then the test moves on.
This did not happen with Exchange 2007, only began to appear after upgrading to 2010.
Am I'm right in thinking the autodiscover search order is set (hard coded) in Outlook and can not be changed?
Since this is seemingly only a cosmetic error, we're not incurring any productivity loss, but still I'd like to eliminate this. Any thoughts will be appreciated!
|
|
|
|
|
RE: Outlook certificate warning - 26.Jan.2010 3:43:53 AM
|
|
|
neilho
Posts: 793
Joined: 25.Oct.2004
From: UK
Status: offline
|
How do you publish your autodiscover service? By ISA, etc?
Autodiscover uses the right-hand portion of the user's SMTP address, i.e. if a user has an SMTP address of user@domain.com, then the first hard-coded URL that Outlook will try is https://domain.com/autodiscover/autodiscover.xml. This URL should ultimately resolve to the CAS server. Specifically, this should now resolve to your CAS 2010 server since you've transitioned to Exchange 2010.
Of course, I'm assuming here that you're using the first URL from the list you've posted as your autodiscover URL.
_____________________________
Neil Hobson
http://www.msexchange.org/Neil_Hobson
http://www.simple-talk.com/author/neil-hobson/
|
|
|
|
|
RE: Outlook certificate warning - 28.Jan.2010 12:18:19 PM
|
|
|
garyrm
Posts: 3
Joined: 17.Aug.2007
Status: offline
|
quote:
ORIGINAL: neilho
How do you publish your autodiscover service? By ISA, etc?
Autodiscover uses the right-hand portion of the user's SMTP address, i.e. if a user has an SMTP address of user@domain.com, then the first hard-coded URL that Outlook will try is https://domain.com/autodiscover/autodiscover.xml. This URL should ultimately resolve to the CAS server. Specifically, this should now resolve to your CAS 2010 server since you've transitioned to Exchange 2010.
Of course, I'm assuming here that you're using the first URL from the list you've posted as your autodiscover URL.
Thanks for your input!!!
DNS, no ISA Server.
The external DNS records works fine, other than the fact that https://domain.com/autodiscover/autodiscover.xml does not exist. There's a certificate there for our website, and that certificate has a different host name - www - our Exchange server's host name is mail.
When the autodiscover service connects to https://domain.com it gripes about the certificate, then moves on down the list to https://hostname.domain.com/autodiscover/autodiscover.xml. When it gripes, users (including me!) get a warning message about that certificate not matching the host name in Outlook's Exchange configuration. Even though the warning message is displayed, the service seems to continue to the next item on the list, which does resolve, has a proper certificate and works. My goal is to eliminate the warning message.
I just noticed the certificate at https://domain.com has expired. I'll either remove it or replace with a valid one and see if that changes things and post the results.
Gary
|
|
|
|
|
RE: Outlook certificate warning - 10.Feb.2010 1:46:25 PM
|
|
|
garyrm
Posts: 3
Joined: 17.Aug.2007
Status: offline
|
Sorry for the delay in updating this thread!
Replaced the expired certificate on our web server - Outlook error vanished. Thanks for your input!
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
