
I've just installed Outlook 2013 and have all the clients connecting to it; however, whenever a client connects via Outlook they are prompted with an invalid SSL message for myserver.mydomain.local. I have a wildcard certificate set up and assigned in IIS for *.example.com, so I understand why the message appears, but I am not exactly sure what to do about it and where to start looking without poking random things.

From the research I've done, I can see that this can be caused by the autodiscover service, so I have changed the domain DNS records to not use an A record but instead use an SRV record in line with this Microsoft article. Should this be sorting the issue and I am just being impatient with propagation, or am I barking up the wrong tree?

This post fixed the issue with an SRV record: Exchange 2013 SSL Warning in Outlook

Edit: Interestingly, running `Get-ClientAccessServer | ft identity,AutodiscoverServiceInternalUri` shows my internal FQDN and not my external one, which I assume is the issue. I am going to try changing this now.

webnoob

1 Answer


Make sure the URLs fit the certificate.

Issue these commands via PowerShell to validate:

```powershell
Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
Get-ECPVirtualDirectory | fl internalurl,externalurl
Get-OabVirtualDirectory | fl internalurl,externalurl
Get-WebServicesVirtualDirectory | fl internalurl,externalurl
```

Change them to make them match the certificate:

```powershell
Get-ActiveSyncVirtualDirectory -server EXCHANGE | Set-ActiveSyncVirtualDirectory -ExternalUrl 'https://mail.example.com/Microsoft-Server-ActiveSync' -InternalUrl 'https://mail.example.com/Microsoft-Server-ActiveSync'
Get-AutodiscoverVirtualDirectory -server EXCHANGE | Set-AutodiscoverVirtualDirectory -ExternalUrl 'https://mail.example.com/Autodiscover/Autodiscover.xml' -InternalUrl 'https://mail.example.com/Autodiscover/Autodiscover.xml'
Get-ECPVirtualDirectory -server EXCHANGE | Set-ECPVirtualDirectory -ExternalUrl 'https://mail.example.com/ECP' -InternalUrl 'https://mail.example.com/ECP'
Get-OabVirtualDirectory -server EXCHANGE | Set-OabVirtualDirectory -ExternalUrl 'https://mail.example.com/OAB' -InternalUrl 'https://mail.example.com/OAB'
Get-WebServicesVirtualDirectory -server EXCHANGE | Set-WebServicesVirtualDirectory -ExternalUrl 'https://mail.example.com/EWS/Exchange.asmx' -InternalUrl 'https://mail.example.com/EWS/Exchange.asmx'
```

An example using the GUI is there

yagmoth555
  • I'll take a look at this now, many thanks. I'll report back. – webnoob Jan 09 '15 at 14:13
  • Two things: 1 - The autodiscover one has nothing set in it already, why would this be? 2 - Just to confirm, I'm even changing the internal ones to do an external lookup? – webnoob Jan 09 '15 at 14:15
  • I would do a split DNS setup, so internally mail.example.com will resolve to the internal IP, while users on the road will still get the public IP – yagmoth555 Jan 09 '15 at 14:17
  • Set it with the PowerShell listed above (for internalurl and external), as it will modify the IIS correctly. Do an iisreset too after – yagmoth555 Jan 09 '15 at 14:24
  • Ok, I've done as stated above and restarted IIS but I still get the SSL warning on Outlook startup. Any ideas? – webnoob Jan 09 '15 at 14:34
  • Ah, interestingly now though, I only get one SSL prompt. Not 2. I guess something else needs changing? – webnoob Jan 09 '15 at 14:35
  • Did you assign the certificate to all services? Try `Get-ExchangeCertificate` and validate; you can assign it afterwards with a command like `Enable-ExchangeCertificate -Server 'SERVERNAME' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'EDF57B5F9D81F1EC329BFB77ADD4465B426A40FB'` (thumbprint obtained with `Get-ExchangeCertificate`) – yagmoth555 Jan 09 '15 at 14:39
  • Ok, from what I can see everything has a certificate assigned properly. The error is still showing that it's looking for `server.localdomain.local` so I assume something else is pointing to the wrong place. Is there any way to get a list of all the requests it makes? – webnoob Jan 09 '15 at 15:00
  • Check how it writes the server name in Outlook, but check that link for some steps you can do in Outlook to enable more logging: http://www.theemailadmin.com/2010/08/troubleshooting-outlook-2010-connections/ The last step, to hold Ctrl over the tray icon, is the test I use the most. – yagmoth555 Jan 09 '15 at 15:12
  • I was doing that as you wrote the comment. I've now sorted the initial open SSL issue with `Set-ClientAccessServer -AutodiscoverServiceInternalURI` but I get another prompt come up instead about 30 seconds after opening Outlook. I'm still diagnosing this one. – webnoob Jan 09 '15 at 15:15
  • If it is 30 seconds after opening Outlook, it can be the OAB URL. Click to not receive it in Outlook and test Outlook again. If the error does not show, validate the OAB URL again; maybe the cmdlet did not work as expected. – yagmoth555 Jan 09 '15 at 15:34
  • I think it might have been a cache issue or something. It's working properly now. I really appreciate your help on this, if you're ever in Gratham, Lincs, UK send me a mail and I'll buy you a beer ;) – webnoob Jan 09 '15 at 15:37
  • Any chance you could comment on this post: http://serverfault.com/questions/659694/constant-login-prompts-since-changing-exchange-2013-virtual-directory-urls I'm having issues since making the above changes – webnoob Jan 15 '15 at 13:06
  • @webnoob Hi! Too late, I think, as I saw you resolved your other trouble. I'm happy you found the answer fast :) – yagmoth555 Jan 15 '15 at 20:55
  • Yes, thanks very much. Basically just missing some more damned URLs :) Thanks for responding nonetheless. – webnoob Jan 15 '15 at 21:15
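
The check this thread converges on, as an added example (not code from the original posts or from Microsoft): compare the host in every configured URL against the names on the certificate, applying the rule that a wildcard covers exactly one leftmost label, and flag URLs that are unset. `Test-NameCoversHost` and `Find-UrlNotCovered` are hypothetical helper names, and the URL values are constructed from the names used in the thread.

```powershell
# Added example: list configured URLs whose host the certificate does not cover.
# Test-NameCoversHost and Find-UrlNotCovered are hypothetical helper names.
function Test-NameCoversHost {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard stands for exactly one leftmost label: *.example.com covers
        # mail.example.com, but not example.com or a.b.example.com.
        $suffix = $c.Substring(1)                       # ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return (($label.Length -gt 0) -and (-not $label.Contains('.')))
    }
    return ($c -eq $h)
}

function Find-UrlNotCovered {
    param([string[]]$CertNames, [hashtable]$Urls)
    foreach ($key in ($Urls.Keys | Sort-Object)) {
        $value = $Urls[$key]
        if (-not $value) {                              # URL never set
            [pscustomobject]@{ Setting = $key; Host = $null; Problem = 'not set' }
            continue
        }
        $urlHost = ([uri]$value).Host
        $covered = $false
        foreach ($n in $CertNames) {
            if (Test-NameCoversHost -CertName $n -HostName $urlHost) { $covered = $true }
        }
        if (-not $covered) {
            [pscustomobject]@{ Setting = $key; Host = $urlHost; Problem = 'name not on certificate' }
        }
    }
}

# Constructed sample values modelled on the thread; on a real server, take them from
# the Get-*VirtualDirectory cmdlets and Get-ClientAccessServer used above.
$certNames = @('*.example.com')
$urls = @{
    'EWS InternalUrl'                = 'https://mail.example.com/EWS/Exchange.asmx'
    'OAB InternalUrl'                = 'https://myserver.mydomain.local/OAB'
    'AutodiscoverServiceInternalUri' = 'https://myserver.mydomain.local/Autodiscover/Autodiscover.xml'
    'Autodiscover ExternalUrl'       = ''
}
Find-UrlNotCovered -CertNames $certNames -Urls $urls | Format-Table -AutoSize
```

With the sample values, the OAB internal URL and `AutodiscoverServiceInternalUri` are reported as not covered by `*.example.com`, and the Autodiscover external URL is reported as not set.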