Security warning - Exchange 2003

Discussion in 'Software' started by Danmurph, Feb 23, 2011.

  1. Danmurph

    Danmurph Byte Poster

    Hi Guys,

    I am getting this error when a user is trying to log into his Outlook 2003 account using a 2003 Exchange server.

    Security warning when you start Outlook and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"

    The problem is all of the resources I have found to resolve this issue are only if you are using a 2007/2010 exchange, with access to a management shell.

    Does anyone know how I can apply this fix without the shell as it is not included with exchange 2003?

    Thanks a lot

    Danny
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
  2. Danmurph

    Danmurph Byte Poster

    Anyone got any ideas on this?

    Thanks
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
  3. LukeP

    LukeP Gigabyte Poster

    Can you describe your configuration a little bit more?

    Do you have both Exchange 2003 and Exchange 2007/2010 in your organisation?
     
    WIP: Uhmm... not sure
  4. Danmurph

    Danmurph Byte Poster

    Just the one server running server/exchange 2003. We took over the support for the company a while ago and have created a new cert on the server mail.companydomain.co.uk but the security warning is looking for an old cert autodiscover.companydomain.co.uk.
    This is a well known issue with Exchange 2007/2010 with well documented resolutions, but none for Exchange 2003, as the fix requires the power management shell and of course this was not introduced with Exchange until the 2007 release. The commands are these, and I have performed this procedure successfully for a different client of ours with a 2007 Exchange. Here are the commands if it's any help:

    Start the Exchange Management Shell.
    Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

    Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

    Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

    Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
    Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
  5. greenbrucelee

    greenbrucelee Zettabyte Poster

    I am no expert and could be totally wrong, but don't you have to delete the old certificate?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  6. Sparky

    Sparky Zettabyte Poster Moderator

    The certificate you are using does not match the internal name of the exchange server.

    Do you have a proper certificate from a third party certificate authority?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  7. Shinigami

    Shinigami Megabyte Poster

    Autodiscover is a purely Exchange 2007/2010 feature (provides Outlook 2007/2010 clients automatic discovery of their mailbox servers) and would require a Client Access Server (CAS) for you to even be able to get the Powershell commands to execute properly (so it wouldn't be enough to just install the Exchange tools in order to have the EMC/EMS).

    Sounds like this company has done something fishy, like trying to introduce Exchange 2007/2010 to the environment and then removing it without proper ado.

    Can you find out if an Exchange 2007/2010 schema was introduced to their AD forest? You can do this by checking the Schema values on the Schema Master under the following entries:
    • rangeUpper attribute of ms-Exch-Schema-Version-Pt is 10,628 or higher
    • Setup /PrepareAD sets objectVersion attribute of Organization container in Configuration NC to 10,666 or higher
    • objectVersion attribute on Microsoft Exchange System Objects container in Domain NC is 10,628 or higher

    Then it means that an Exchange 2007 RTM or higher schema update was performed and your customer hasn't told you everything. Check to see if an autodiscover DNS entry exists in the user domain, if so, time to remove it as it isn't serving a purpose.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
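
An added example, not part of any post in this thread: a read-only PowerShell script for the three version checks and the autodiscover DNS lookup described in the post above, using the thresholds that post quotes. It assumes PowerShell 2.0 or later on a domain-joined machine; `companydomain.co.uk` is the thread's placeholder domain.

```powershell
# Added example: read-only check of the three version attributes quoted above.
# $mailDomain is the thread's placeholder; replace it with the real mail domain.
$mailDomain = "companydomain.co.uk"

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

function Get-AttrValue([string]$dn, [string]$attr) {
    # Returns $null when the object is missing or the attribute is not set.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { return $null }
    return ([ADSI]"LDAP://$dn").psbase.Properties[$attr].Value
}

# The Organization container is named after the Exchange organisation,
# so locate it by object class instead of by a fixed DN.
$orgVersion = $null
$exchRoot = "CN=Microsoft Exchange,CN=Services,$configNC"
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$exchRoot")) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$exchRoot"
    $searcher.Filter = "(objectClass=msExchOrganizationContainer)"
    $org = $searcher.FindOne()
    if ($org) { $orgVersion = $org.GetDirectoryEntry().psbase.Properties["objectVersion"].Value }
}

$checks = @(
    @{ Name = "Schema rangeUpper (ms-Exch-Schema-Version-Pt)"; Min = 10628;
       Value = (Get-AttrValue "CN=ms-Exch-Schema-Version-Pt,$schemaNC" "rangeUpper") },
    @{ Name = "Organization objectVersion (Configuration NC)"; Min = 10666; Value = $orgVersion },
    @{ Name = "Exchange System Objects objectVersion (Domain NC)"; Min = 10628;
       Value = (Get-AttrValue "CN=Microsoft Exchange System Objects,$domainNC" "objectVersion") }
)
foreach ($c in $checks) {
    if ($c.Value -eq $null) { $state = "not present" }
    elseif ([int]$c.Value -ge $c.Min) { $state = "Exchange 2007 RTM or later level" }
    else { $state = "below the Exchange 2007 level" }
    "{0}: {1} -> {2}" -f $c.Name, $c.Value, $state
}

# Does an autodiscover record resolve from this client (DNS or hosts file)?
try   { $ips = @([System.Net.Dns]::GetHostAddresses("autodiscover.$mailDomain")) }
catch { $ips = @() }
if ($ips.Count -gt 0) { "autodiscover.$mailDomain resolves to $($ips -join ', ')" }
else { "autodiscover.$mailDomain does not resolve" }
```

Because the lookup uses the local resolver, running it on the affected workstation also surfaces a stale hosts-file entry.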
  8. Sparky

    Sparky Zettabyte Poster Moderator

    Actually I misread your first post – didn’t realise it was an Exchange 2003 environment.

    Sure you don’t have an Exchange 2007 box lurking in the corner?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. Shinigami

    Shinigami Megabyte Poster

    I'm very curious about the fact that it is Outlook 2003 clients reporting autodiscover certificate issues... Outlook 2003 has no notion of Client Access Servers or the Autodiscover service.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
  10. Danmurph

    Danmurph Byte Poster

    I'll try this tomorrow as I am no longer at the office.

    Sparky, I will check to see if a 2007/2010 Exchange server was introduced into the forest and taken out (I have heard that the previous IT company had made a right mess of the mail setup, apparently there were connectors sending mail all over the place).

    Thanks for the advice guys, it did seem a bit strange that I couldn't find any information on this, something isn't quite right here I agree. :rolleyes:

    To be continued.....
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
  11. craigie

    craigie Terabyte Poster

    Has the client machine always been in your environment? Create a new Outlook profile, do they have any random DNS entries in the host files?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  12. Danmurph

    Danmurph Byte Poster

    Ok so I have run this dsquery:

    "dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper"

    and it reported the rangeUpper at 6870
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
  13. Danmurph

    Danmurph Byte Poster

    Hi Guys,

    Just to let you know for some very strange reason it stopped asking me for the auto discover cert but kept refusing me connection and asking for credentials.

    Had to change the RPC settings in IIS to allow integrated Windows authentication and wallop, all working correctly :D

    Thanks again for all your input, still learnt some useful stuff whilst diagnosing this issue so cheers! :)
     
    Certifications: MCDST, MCP, A+
    WIP: Everything!!
