Certificate error on Windows 7 machine
Hi, The clients with Windows 7 machine reported that they are receiving the following message when they start Outlook: http://img19.imageshack.us/img19/434/screenshot1dj.png WinXP and Vista clients are working fine. Any help would be greatly appreciated
December 5th, 2009 12:04pm
Hi, The clients with Windows 7 machine reported that they are receiving the following message when they start Microsoft Outlook: http://img19.imageshack.us/img19/434/screenshot1dj.png WinXP and Vista clients are not experiencing this. How do i get rid of it? Any help would be greatly appreciated
Free Windows Admin Tool Kit Click here and download it now
December 5th, 2009 12:07pm
Are you using self signed certificate or any SAN certificate?Are you using OL 2003 or 2007?http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/http://forums.msexchange.org/m_1800461983/tm.htmRaj
December 5th, 2009 1:17pm
thanks for the reply i'm using SAN certificate. and this is happening with outlook 2007 and only on windows 7 machines. already checked those articles. what else can i do
Free Windows Admin Tool Kit Click here and download it now
December 5th, 2009 1:27pm
the error states:1. you dont have tthe root certificate that issue the certificate on the client computer..so check that Windows 7 clients are receiveing the root certificate by the gpo (if is an enterprise certification authority) or just put the root certificate on the trusted certificats on the locla machine2. check if your san certificate contains autodiscover.yourdomain.com3. looks like your EWS internal url is pointing to autodiscover.yourdomain.com instead of the local machine uriCapecolMCSA - MCTS Exchange Server 2007
December 5th, 2009 5:33pm
Is it a self signed certificate? To me the Win 7 box doesn't trust the Root CA. Maybe some companies were removed in Win 7?Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:ES, SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
Free Windows Admin Tool Kit Click here and download it now
December 5th, 2009 7:05pm
it's a SAN certificate
December 6th, 2009 7:32am
Hi,Whether the Windows 7 is a domain-connected client? How does the Outlook connect Exchange server? RPC Over HTTPS or RPC?Whether the connection type is same for the client on the Windows XP (Windows Vista)and Windows 7?Please press Ctrl+ right click the Outlook icon in the system tray, select Connection Status.What's the result?ThanksAllen
Free Windows Admin Tool Kit Click here and download it now
December 8th, 2009 10:24am
Well for this issue it is not important if is a SAN certificate...your problem relates to a not trusted certificate..so try to upload a picture of the certificate properties, when the windows 7 client tries to connect to owa...CapecolMCSA - MCTS Exchange Server 2007
December 9th, 2009 6:29am
Hi,
I've just installed Windows 7 Home Premium, and now i'm getting a similar problem.
This is the closest reference to my problem google could find.
Since this newinstallation, only IEaccesses the internet. No other program I install can access. They all say that there's noconnection.
Outlook and Office Comunicator both give meerrorsabout the proxy's security certificate. Outlook give me the error, and then gives me a no connection warning.
The weird part, that i can put in my info so that outlook seeks the auto configure, it evenasksfor my Exchange password, but then, gives me the certificate error and them the no connection warning.
Does any one got anidea?
Thanks ahead!
Free Windows Admin Tool Kit Click here and download it now
December 11th, 2009 5:21am
hi, One clarification I would like to make is that it's happening on some not all of the machines. But on those machines, it happens regardless they're joined to the domain or not. please help
January 13th, 2010 3:57pm
http://img19.imageshack.us/img19/434/screenshot1dj.png http://img684.imageshack.us/img684/3530/cert2req.jpg http://img99.imageshack.us/img99/1668/cert4req.jpg any help would be extremely appreciated p.s. i, myself am facing this when i am outside the network connecting through outlook anywhere
Free Windows Admin Tool Kit Click here and download it now
January 15th, 2010 5:48pm
Well as i said before, that error means that you are using an incorrect certificate, i can see:1. you don´t have the trusted root certificate2. that certificate does not work bcause is issue to a name that is not correct3. the certificate does not have any SANso you need to issue a certificate that have the following SAN:autodiscover.domain.comfqdn exchange servernetbios exchange serveraddress that you will use to connect using OWA, Active Sync and/or Outlook anywherefinally let us know how exchange certificate are configure at the exchange side, so upload pictures of certificates mmc at computer level with the certificate details and the output of the next cmdlet using EMS get-exchangecertificate |flCapecolMCSA - MCTS Exchange Server 2007 - 2010
January 15th, 2010 8:55pm
we are using a certificate from digicert bought a year ago. everything was running fine until recently we started receiving cert. warning in the outlook http://img682.imageshack.us/img682/8726/cert1b.jpg http://img682.imageshack.us/img682/223/cert2b.jpg http://img23.imageshack.us/img23/874/cert3a.jpg http://img138.imageshack.us/img138/6489/certdetails2.jpg
Free Windows Admin Tool Kit Click here and download it now
January 16th, 2010 1:00am
is there a way to suppress this warning message? after i press "Yes" on the warning dialogue box everything starts to function normally..
January 16th, 2010 3:13pm
On Fri, 15-Jan-10 22:00:48 GMT, Undying Lament wrote:>we are using a certificate from digicert bought a year ago. everything was running fine until recently we started receiving cert. warning in the outlook http://img682.imageshack.us/img682/8726/cert1b.jpg http://img682.imageshack.us/img682/223/cert2b.jpg http://img23.imageshack.us/img23/874/cert3a.jpg http://img138.imageshack.us/img138/6489/certdetails2.jpg Have you visited this web page?http://www.digicert.com/help/---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 16th, 2010 7:31pm
i did check the website. http://img33.imageshack.us/img33/8808/digicer.jpg everything appears to be normal...
January 17th, 2010 10:39am
On Sun, 17-Jan-10 07:39:47 GMT, Undying Lament wrote:>i did check the website. http://img33.imageshack.us/img33/8808/digicer.jpg everything appears to be normal... The error you note in the original post says there are two problems.1. The client doesn't trust the CA or one of the subordinate CAs.2. The name in the cert doesn't match the name of the site.For #1, verify that you have the correct certificates in your client'scertificate store. "Entrust", "DigiCert High Assurance EV Root CA",and "DigiCert High Assurance CA-3" are all needed. While the DigiCertsite has troubleshooting steps on its wevb site they're mostly aboutmaking sure you server is confogured correctly. Client, however, stillneed to trust the certificate issuer.For #2, well, you've obfuscated every name in the SAN list and the CN,and you haven't said what the domain name, etc. So, without thatinformation there's not going to be much help forthcoming from anyonebeyond guesses.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 17th, 2010 8:21pm
thanks for the reply, Rich I personally am receiving the msg only when i connect through outlook anywhere externally. here's the snap of cert store on my xp machine: http://img40.imageshack.us/img40/2714/clientcer.jpg As to your second point, we have internal domain domain.local and our external is domain.com owa web address is owa.domain.com we have two cas namely cas01 and cas02 the SAN on our cert: Subject = mail.domain.com autodiscover.domain.local autodiscover.domain.com cas01.domain.local cas02.domain.local cas01 cas02 owa.domain.com thanks for the help!
January 18th, 2010 11:12am
On Mon, 18-Jan-10 08:12:32 GMT, Undying Lament wrote:>thanks for the reply, Rich I personally am receiving the msg only when i connect through outlook anywhere externally. here's the snap of cert store on my xp machine: http://img40.imageshack.us/img40/2714/clientcer.jpg As to your second point, we have internal domain domain.local and our external is domain.com owa web address is owa.domain.com we have two cas namely cas01 and cas02 the SAN on our cert: Subject = mail.domain.com autodiscover.domain.local autodiscover.domain.com cas01.domain.local cas02.domain.local cas01 cas02 owa.domain.com thanks for the help! This all works without error?https://www.digicert.com/digicert-root-certificates.htmIf you need them, there's a link to the intermediate cert at thebottom of the page. You can probably download the entire cert chainfrom your account.The DigiCert support folks would probably be the best place for you tocontinue this. Your server, according to the test results fromDigiCert, say the server cert is installed properly, so what's left isthe certs at the client(s) and the names in the certificate.The one thing that's not clear is the "Subject" of your cert (not theSANs, which, I think, is what you've listed -- the Subject is a singlevalue, not a list). Outlook, when it connects, wants to connect to thename in that property of the cert. Is that the name you have in theExchange Proxy Setting on the Outlook Client?---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 18th, 2010 5:01pm
thanks again for the reply. as you can see in the snap that i already posted http://img40.imageshack.us/img40/2714/clientcer.jpg i have all the cert. already on my machines store. also, the subject on my cert is mail.domain.com the san list is as follows: mail.domain.com autodiscover.domain.local autodiscover.domain.com cas01.domain.local cas02.domain.local cas01 cas02 owa.domain.com we are using owa.domain.com (our owa web address) in the Exchange Proxy. and as i mentioned before, everything was working smoothly until recently we started receiving the aforementioned warning msgs thanks again for your support
January 18th, 2010 5:12pm
On Mon, 18-Jan-10 14:12:39 GMT, Undying Lament wrote:>thanks again for the reply. as you can see in the snap that i already posted http://img40.imageshack.us/img40/2714/clientcer.jpg i have all the cert. already on my machines store. No, I can't see that. All I see are the trusted root certificates.>also, the subject on my cert is mail.domain.com the san list is as follows: mail.domain.com autodiscover.domain.local autodiscover.domain.com cas01.domain.local cas02.domain.local cas01 cas02 owa.domain.com we are using owa.domain.com (our owa web address) in the Exchange Proxy. Change the Exchange Proxy Settings to use mail.comain.com.>and as i mentioned before, everything was working smoothly until recently we started receiving the aforementioned warning msgs thanks again for your support In the Exchange Proxy settings do you have owa.domain.com in both editboxes, or just in the 1st one? IIRC, if you use the wrong name in the2nd edit box you won't connect at all.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 18th, 2010 6:43pm
hi Rich, I have owa.domain.com in the first box. the second one is unchecked. http://img200.imageshack.us/img200/6859/outany1.jpg thanks
January 19th, 2010 11:35am
On Tue, 19-Jan-10 08:35:36 GMT, Undying Lament wrote:>hi Rich, I have owa.domain.com in the first box. the second one is unchecked. http://img200.imageshack.us/img200/6859/outany1.jpg thanks So change that "owa.domain.com" to "mail.domain.com". Now the nameused by Outlook will match the Subject in the certificate and yourproblem should disappear.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2010 7:25am
i changed to mail.domain.com but the problem still remains :(
January 23rd, 2010 3:58pm
On Sat, 23-Jan-10 12:58:51 GMT, Undying Lament wrote:>i changed to mail.domain.com but the problem still remains :( I suppose it's possible that you have the wrong certificate bound tothe web site. Run "Get-ExchangeCertificate" and make sure you're usingthe right one.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 24th, 2010 12:54am
Dear Rich, I posted this before: http://img138.imageshack.us/img138/6489/certdetails2.jpg p.s.in the above snap,i noticed the certificate status is shown as Unknown .could it be the cause of my miseries and how do i fix it p.s.s.the internal cert on cas seems to have been expired,though i'm not getting any warning/error msgs in the logs. http://img7.imageshack.us/img7/2137/casinter1.jpg
January 24th, 2010 11:02am
On Sun, 24-Jan-10 08:02:01 GMT, Undying Lament wrote:>Dear Rich, I posted this before: http://img138.imageshack.us/img138/6489/certdetails2.jpg p.s.in the above snap,i noticed the certificate status is shown as Unknown .could it be the cause of my miseriesIt certainly could be.http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx"Unknown: This status generally indicates that the status of thecertificate cannot be verified because the certificate revocation list(CRL) is unavailable or this server cannot connect to it. Make surethat the computer can connect to the Certificate Revocation Authority.For more information, see How to Configure Proxy Settings for WinHTTP.http://technet.microsoft.com/en-us/library/bb430772(EXCHG.80).aspx">and how do i fix it Check your certificate's details for the property "CRL DistributionPoints" and see if your server (or client, or both) can access theURLs listed there. If you cannot, then there's no way to know if yourcert's been revoked (thus the "Unknown" status). If you have to use aproxy to reach the Internet, see the "How to Configure Proxy Settingsfor WinHTTP" link above.>p.s.s.the internal cert on cas seems to have been expired,though i'm not getting any warning/error msgs in the logs. http://img7.imageshack.us/img7/2137/casinter1.jpg So, fix it if you like. It's not used for anything in Exchange rightnow.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 24th, 2010 8:33pm
hello i connected to the urls from the server: http://img710.imageshack.us/img710/4525/crlserv.jpg from client: http://img684.imageshack.us/img684/8308/crlclie.jpg http://img402.imageshack.us/img402/8595/crlclie2.jpg then why is it still showing the Status:Unknown and what else can i do
January 25th, 2010 4:26pm
On Mon, 25-Jan-10 13:26:16 GMT, Undying Lament wrote:>hello i connected to the urls from the server: http://img710.imageshack.us/img710/4525/crlserv.jpg from client: http://img684.imageshack.us/img684/8308/crlclie.jpg http://img402.imageshack.us/img402/8595/crlclie2.jpg then why is it still showing the Status:Unknown Do you use a proxy server for web access?Run proxycfg.exe from the command line and see what it says. Use it toset the correct proxy information.>and what else can i do You can call the helpdesk of the company from which you purchased thecertificate. Or you can call Microsoft. You've probably burned throughmore hours (and money) trying to get this to work than the equivilantcost of the support call to MS (assuming the certrificate vendor can'thelp you for no cost).Newsgroups and online forums can be helpful, but there are someproblems for which solutions just take way too long, and where theremay be some underlying problem that's simply not obvious.---Rich MatheisenMCSE+I, Exchange MVP
---
Rich Matheisen
MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
January 25th, 2010 6:57pm
hi,if you are using certificate , pls import this certificate on the users pc & put it in the trusted root
February 4th, 2010 5:27pm
Hi
well my experience is download certificate on your desktop.
in windows 7 goto start run and type mmc, file add remove snapin
click on certificate authority, follow the wizard, click on my computer, click on add and click okey
cetificate snap in will open, go to trusted certificate and click on import and import san certificate on this pane.
after import you can double click on certificate and install.
close the mmc if you want to save save on your desktop.
open outlook and should connect to your mail server straightway. if any more help need it
please post on here.
thanksNaeem Bhatti MCITP EA, MCITP, MCTS Exchange 2007 MCSE security,MCSE AD, MCSE in Messaging, MCDST SBS2003 and SBS2008 Specialist
Free Windows Admin Tool Kit Click here and download it now
July 23rd, 2010 2:04pm
Hi
well my experience is download certificate on your desktop.
in windows 7 goto start run and type mmc, file add remove snapin
click on certificate authority, follow the wizard, click on my computer, click on add and click okey
cetificate snap in will open, go to trusted certificate and click on import and import san certificate on this pane.
after import you can double click on certificate and install.
close the mmc if you want to save save on your desktop.
open outlook and should connect to your mail server straightway. if any more help need it
please post on here.
thanks
Naeem Bhatti MCITP EA, MCITP, MCTS Exchange 2007 MCSE security,MCSE AD, MCSE in Messaging, MCDST SBS2003 and SBS2008 Specialist
Hi,
I am unable to view CA root certificate in our mail.domain.com/remote.
It is simply disapper in Windows 7.
Please help me to View this certificate for Installation.
Regards
Kishore
October 13th, 2010 10:29am