Exchange 2007 certificate Errors
I have installed Exchange 2007 SP1 on 2003 servers. I have 1 Client Access and 1 Hub, and the store on a SCC cluster. I followed the instructions and requested and installed a SAN certificate with servername.domainname, Publicname.domainname, PublicnameOut.domainname. OWA works great, no certificate errors, using publicname.com, but IMAP, POP3 and Outlook Anywhere are not working. On IMAP and POP3 it says: the server you are connected to is using a security certificate that could not be verified; a certificate chain processed but terminated in a root certificate which is not trusted by the trust provider. In Outlook Anywhere the connection keeps asking for the username over and over and will not connect. The certificate was issued by GeoTrust. I am confused because OWA is working well with no certificate errors, and I am using publicname.domainname for the POP3 and IMAP, and, since the Hub is separate from the Client Access, publicnameout.domainname for the SMTP. All works in POP3 and IMAP, can send and receive, just with the certificate error popup, and of course Outlook Anywhere will not connect.
May 29th, 2009 3:45am

~ Make sure that the POP, IMAP, IIS & SMTP services are registered with the certificate you are using. You can check the Services parameter output of the Get-ExchangeCertificate cmdlet, as per the cmdlet below:
Get-ExchangeCertificate <thumbprint> | fl
Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505.aspx
~ Also make sure that the certificate name is properly populated in the CAS server properties:
How to Configure POP3 to Use TLS or SSL
http://technet.microsoft.com/en-us/library/aa997290.aspx
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
May 29th, 2009 7:14am

Hi, an addition to Amit:

Step 1: Obtain an SSL certificate
There are three ways to obtain a Secure Sockets Layer (SSL) certificate:
- Option 1: Use the self-signed SSL certificate that Exchange 2007 installs by default. Use of the self-signed certificate is not supported by Outlook Anywhere or the offline address book.
- Option 2: Purchase an SSL certificate from a well-known certification authority (CA).
- Option 3: Obtain an SSL certificate from a Windows PKI certification authority.
If you choose Option 1, skip steps 2 and 3 and go straight to step 4. If you choose Option 2 or Option 3, go straight to step 2.
Note: For all three options, Exchange ActiveSync will require the device to have a copy of the SSL certificate installed in the Trusted Root Certificate Store.

Step 2: Generate and submit the certificate request
Create a new certificate request for Secure Sockets Layer (SSL) services.
1. Open the Exchange Management Shell.
2. Run the following command, replacing domainname and friendlyname with your domain name and display name:
New-ExchangeCertificate -GenerateRequest -domainname mail.mumincicek.com,autodiscover.mumincicek.com,dc2008,dc2008.mumincicek.com -FriendlyName mail.mumincicek.com -privatekeyexportable:$true -path c:\sertifika\certser.txt
Note: "DomainName" is used to populate one or more domain names (FQDNs) or server names in the resulting certificate request.
Note: "FriendlyName" is used to specify a display name for the resulting certificate. The display name must be fewer than 64 characters.
3. Submit the request to the certification authority and have the CA generate the certificate.

Step 3: Enable the certificate on the Default Web site
After your certificate has been generated, you must import it and then enable the certificate on the Default Web site. From the computer where step 2 was run, import the certificate. To import the certificate, do the following:
1. Open the Exchange Management Shell.
2. Run the following command:
Import-ExchangeCertificate -path c:\sertifika\certt.cer
Note: "c:\sertifika\certt.cer" is the location and name of your certificate.
Copy the thumbprint of the certificate, which is the digest of the certificate data, to the clipboard by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command:
dir cert:\LocalMachine\My | fl
3. Locate the certificate that you just imported by finding the one that matches the FriendlyName from step 2. Then copy the Thumbprint property of that certificate to the Windows Clipboard.
Enable the certificate on the Default Web site by doing the following:
1. Open the Exchange Management Shell.
2. Run the following command:
enable-ExchangeCertificate -thumbprint <value copied to the Clipboard> -services "IIS,IMAP,POP"
3. Using the "enable-ExchangeCertificate" cmdlet will update the certificate mapping, replacing the self-signed certificate that is installed by default with Exchange 2007 and configured in IIS, IMAP4 and POP3.

Step 4: Require the Client Access server virtual directories to use SSL
By default, the Default Web site in IIS is configured to require SSL for all virtual directories except the offline address book virtual directory. However, you can configure additional virtual directories for each Client Access feature. You must confirm that each virtual directory is configured to require SSL.
The Client Access virtual directories are as follows:
- Outlook Web Access 2007 virtual directory: owa
- Outlook Web Access 2003 and WebDAV virtual directories: exchange and public
- Exchange ActiveSync virtual directory: Microsoft-Server-ActiveSync
- Outlook Anywhere virtual directory: Rpc
- Autodiscover virtual directory: Autodiscover
- Exchange Web Services virtual directory: EWS
- Unified Messaging virtual directory: Unified Messaging
- Offline Address Book virtual directory: OAB
For each of the Client Access virtual directories that you will use, open Internet Information Services (IIS) Manager, and follow these steps:
1. Under Default Web site, select the virtual directory that you want, for example, "owa".
2. Right-click the virtual directory, and then click "Properties".
3. Click the "Directory Security" tab.
4. In the "Secure Communications" section, click "Edit".
5. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
6. Click "OK" to save your changes.
7. Restart the POP3 and IMAP4 services by opening the Services Windows administrative tool, selecting "Microsoft Exchange POP3" or "Microsoft Exchange IMAP4", right-clicking the name of the service, and then clicking "Restart". IIS does not have to be restarted.
Read more about SSL on the Client Access server: Managing Client Access Security.
Reference: Exchange Server 2007 Finalize Deployment
regards,
Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
May 29th, 2009 8:18am
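The four steps above, run end to end for the environment described in this thread (an added example, not Mumin's code or the original page's): it requests the SAN certificate with the public name as the CN, imports the issued certificate, binds it to the CAS services, points POP3 and IMAP4 at that public name, and checks that the CA kept every requested name. Host names are the thread's; the C:\certs paths, the subject's O= value and the CA are assumptions, and it assumes the Exchange Management Shell on the Client Access server.

```powershell
# Added example, not from the original post: request, import, bind and verify
# a SAN certificate on an Exchange 2007 SP1 Client Access server. Run in the
# Exchange Management Shell. Paths and the subject's O= value are assumptions.
$publicName = "owa.test.com"
$names      = @("owa.test.com", "owaout.test.com", "autodiscover.test.com", "exchcli.test.com", "exchcli")
$csrPath    = "C:\certs\exchcli.csr"
$cerPath    = "C:\certs\exchcli.cer"     # the certificate the CA returns

# 1. Generate the request. The CN is the name clients type in (Outlook Anywhere's
#    msstd: check is made against the CN, and some older clients look only at the CN);
#    every other name goes into the SAN via -DomainName.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Mycompany, CN=$publicName" `
    -DomainName $names `
    -FriendlyName $publicName `
    -KeySize 2048 `
    -PrivateKeyExportable:$true `
    -Path $csrPath

# 2. Submit $csrPath to the CA, save the issued certificate as $cerPath, then import it.
#    Import-ExchangeCertificate emits the certificate object, so the thumbprint does not
#    have to be copied out of dir cert:\LocalMachine\My by hand.
$cert = Import-ExchangeCertificate -Path $cerPath

# 3. Bind it to IIS (OWA, Outlook Anywhere, ActiveSync, Autodiscover, EWS), POP3 and
#    IMAP4, and to SMTP so the same certificate serves STARTTLS if the Hub role is
#    ever co-located on this server.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"

# 4. Tell POP3/IMAP4 which name to present. Exchange looks for a certificate enabled for
#    the service whose CertificateDomains contain X509CertificateName, so this must be
#    one of the names requested above. The services pick the setting up on restart.
Set-PopSettings  -Server exchcli -X509CertificateName $publicName
Set-ImapSettings -Server exchcli -X509CertificateName $publicName
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# 5. Verify: the CA must have kept every SAN entry and the services must show as bound.
$issued  = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$present = @($issued.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $present -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("CA dropped SAN entries: " + [string]::Join(", ", [string[]]$missing))
}
$issued | Format-List Subject, CertificateDomains, Services, IsSelfSigned, RootCAType, NotAfter
```

Compared with the request posted later in this thread, the deliberate difference is the CN: with cn=exchcli.test.com the Outlook Anywhere principal-name option has to be msstd:exchcli.test.com, whereas with the public name in the CN it can be msstd:owa.test.com, which is what the client is actually connecting to.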

Thank you both for your replies. I followed everything to the letter and still the same results: OWA works great, no issues; POP3 and IMAP give me a certificate error but still work, can send and receive e-mail; and Outlook Anywhere still isn't quite right. If I select "Only connect to proxy servers that have this principal name in their certificate" msstd:owal.test.com, Outlook will request the password infinite times even if you enter the correct one. Instead, if I untick the option, Outlook works correctly. I can't help but think that it has something to do with the Hub and Client being on separate servers.

Below is a bit more detail on the environment:
exchcli.test.com is the FQDN for the server itself.
owa.test.com is the public DNS record for connection to OWA (this is working with no certificate errors) and is NATted to the Exchange Client Access server.
owaout.test.com is the public DNS record for the SMTP send and is NATted to the Hub Transport server.
Autodiscover.test.com: I am not sure what needs to be NATted.
When setting up POP3 I use owa.test.com as the POP3 or IMAP server. I use OWAOut.test.com as the SMTP server.

Command run for the certificate request:
New-ExchangeCertificate -GenerateRequest -Path c:\exchcli52909.csr -KeySize 2048 -SubjectName "c=US, s=colorado, l=Denver, o=Mycompany, ou=IS, cn=exchcli.test.com" -DomainName exchcli.test.com, exchcli, owa.test.com, owaout.test.com, autodiscover.test.com -PrivateKeyExportable $True

Certificate details:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchcli.test.com, owa.test.com, owaout.test.com, exchcli, autodiscover.test.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotAfter : 5/31/2011 9:09:09 PM
NotBefore : 5/29/2009 9:03:44 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 0B4464
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=exchcli.test.com, OU=IS, O=mycompany, L=Denver, S=Colorado, C=US
Thumbprint : 59FD82999A5CDA3A3D86E0B2B9CE9FADADF53AC4

I hope that gives you a little additional information about the certificate and the infrastructure.
May 29th, 2009 7:43pm

Do you get any error or suggestion if you run ExBPA?
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
May 30th, 2009 5:25pm

Hi,
To test your connectivity you can use this tool:
http://msexchangeteam.com/archive/2009/03/25/450908.aspx
Regards,
Zoltán
http://www.clamagent.org - Free Antivirus for Exchange
http://www.it-pro.hu
http://emaildetektiv.hu
May 31st, 2009 12:20am

Hi, to clear the Outlook issue: when you enter msstd:owal.test.com, you force Outlook to look for a specific subject name, which in your case is exchcli.test.com. You could use a free utility to request & enable the certificate on the services you want: http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html That should help with the messy PowerShell scripts :) As for the POP3/IMAP4 errors, what are the server names you are using, and with which clients? Is the certificate from a trusted 3rd party like GoDaddy etc., or is it an internal CA? What is the error exactly when you connect using POP3/IMAP4? You've also mentioned that you are using 2 CAS/Hub; are you using NLB of some sort? Are you sure you are testing a specific server? Sorry for all the questions, just to help us cut to the chase and get you running.
Ilantz
MCSA Messaging
May 31st, 2009 12:54am

Hi, I suggest that we focus on the POP3 certificate issue. Would you please run the following commands and post the result here:
On the Client Access and Hub Transport servers, please run the following command separately:
get-exchangecertificate |fl
On the Client Access server:
Get-popsettings -server CASserver |fl
On the Hub server:
Get-ReceiveConnector -server HubServer |fl
Mike
June 1st, 2009 6:27pm

Thank you all for your replies and suggestions.
Amit, I do not get any errors at all when I run the ExBPA tool; it identifies some things with the hardware and a couple of firmware upgrades, but nothing specifically with Exchange.
I did try the connectivity tool and it looks like I need to make a public DNS record for https://autodiscover.test.com/AutoDiscover/AutoDiscover.xml. What server does it need to point to, and what ports need to be opened on the firewall?
As far as the certificate, it was issued by GeoTrust. It seems that the certificate is fine; if I connect to OWA internally or externally I am OK, no errors.
With POP3 I am testing with 2003, but I will be upgrading to 2007 in my next project. The error that I am receiving is: the server you are connected to is using a security certificate that could not be verified; a certificate chain processed but terminated in a root certificate which is not trusted by the trust provider.
You are correct, the Hub and the Client Access are running on separate servers. I am not sure what you mean by NLB, but attached is the client configuration and maybe that will help.
POP and IMAP: for now I am using Outlook 2003 but will be migrating to 2007 soon. To configure a client to use POP3 you will need to go to the Mail icon in the Control Panel.
i. Click on Add
ii. Click a profile name
iii. Click Add an Exchange account
iv. Click POP3
  1. For your name put in the user's name
  2. For e-mail address put in the user's primary e-mail address
  3. For logon information put in the domain\logonname
  4. For password put in the user's password
  5. For incoming mail server (POP3) put in OWA.test.com (this points to the Exchange Client Access server)
  6. For outgoing mail server (SMTP) put in OWAOut.test.com (this points to the Exchange Hub Transport server)
  7. Click More Settings
    a. No action on the General tab
    b. On the Outgoing Server tab, check "My outgoing server (SMTP) requires authentication" and check "Use settings of my incoming mail server"
    c. Connection: no action
    d. On the Advanced tab:
      i. Incoming server (POP3) = 995
      ii. Check "This server requires an encrypted connection (SSL)"
      iii. Outgoing server (SMTP) = 587
      iv. Check "This server requires an encrypted connection (SSL)"
      v. Make sure "Leave a copy of messages on the server" is checked
      vi. Make sure "Remove from server when deleted from Deleted Items" is checked
June 1st, 2009 7:49pm

Thanks Mike for the reply. Attached is the output for the commands requested. I don't think that I mentioned this before, but this is a migration from 2003 to 2007; everything else is working really well, I just need to get the external access configured.

From Client: get-exchangecertificate |fl
Certificate details:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchcli.test.com, owa.test.com, owaout.test.com, exchcli, autodiscover.test.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotAfter : 5/31/2011 9:09:09 PM
NotBefore : 5/29/2009 9:03:44 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 0B4464
Services : IMAP, POP, IIS
Status : Valid
Subject : CN=exchcli.test.com, OU=IS, O=mycompany, L=Denver, S=Colorado, C=US
Thumbprint : 59FD82999A5CDA3A3D86E0B2B9CE9FADADF53AC4

From Hub: get-exchangecertificate |fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {exchhub, exchhub.test.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=exchhub
NotAfter : 4/20/2010 4:43:33 PM
NotBefore : 4/20/2009 4:43:33 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : A6C24F345B7F6C8F42322F1D9C82F461
Services : SMTP
Status : Valid
Subject : CN=exchhub
Thumbprint : 880B06071087A143FB51B8CFB4062508FC42DC52

On the Client Access server: Get-popsettings -server CASserver |fl
[PS] C:\Documents and Settings\Admin>Get-popsettings -server exchcli |fl
Name : 1
ProtocolName : POP3
MaxCommandSize : 45
MessageRetrievalSortOrder : Ascending
UnencryptedOrTLSBindings : {0000:0000:0000:0000:0000:0000:0.0.0.0:110, 0.0.0.0:110}
SSLBindings : {0000:0000:0000:0000:0000:0000:0.0.0.0:995, 0.0.0.0:995}
X509CertificateName : exchcli.test.com
Banner : The Microsoft Exchange POP3 service is ready.
LoginType : SecureLogin
AuthenticatedConnectionTimeout : 00:30:00
PreAuthenticatedConnectionTimeout : 00:01:00
MaxConnections : 2000
MaxConnectionFromSingleIP : 2000
MaxConnectionsPerUser : 16
MessageRetrievalMimeFormat : BestBodyFormat
ProxyTargetPort : 110
CalendarItemRetrievalOption : iCalendar
OwaServerUrl :
EnableExactRFC822Size : False
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=1,CN=POP3,CN=Protocols,CN=EXCHCLI,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Woodstreasm,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHCLI\1
Guid : cc0b069c-cd84-4ae8-bcb3-567fd73f8fe4
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Protocol-Cfg-POP-Server
ObjectClass : {top, protocolCfg, protocolCfgPOP, protocolCfgPOPServer}
WhenChanged : 5/29/2009 12:16:45 PM
WhenCreated : 4/20/2009 3:58:24 PM
OriginatingServer : ntserver2.test.com
IsValid : True

**********************
Windows PowerShell Transcript Start
Start time: 20090601131634
Username : test\admin
Machine : EXCHHUB (Microsoft Windows NT 5.2.3790 Service Pack 2)
**********************
Transcript started, output file is c:\MySession.txt
[PS] C:\Documents and Settings\admin>Get-ReceiveConnector -server exchhub |fl

AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {0000:0000:0000:0000:0000:0000:0.0.0.0:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0000:0000:0000:0000:0000:0000:0.0.0.0-ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default EXCHHUB
DistinguishedName : CN=Default EXCHHUB,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\Default EXCHHUB
Guid : bcc1455e-aef1-4451-99a3-2d3b12f63882
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/20/2009 4:43:48 PM
WhenCreated : 4/20/2009 4:43:45 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
Banner :
BinaryMimeEnabled : True
Bindings : {0000:0000:0000:0000:0000:0000:0.0.0.0:587, 0.0.0.0:587}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : 600
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {0000:0000:0000:0000:0000:0000:0.0.0.0-ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : True
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Client EXCHHUB
DistinguishedName : CN=Client EXCHHUB,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\Client EXCHHUB
Guid : 0a429d3e-f437-4577-bd81-ffcb41705520
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/20/2009 4:43:48 PM
WhenCreated : 4/20/2009 4:43:45 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated, BasicAuth
Banner :
BinaryMimeEnabled : True
Bindings : {10.254.20.33:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {10.254.10.254-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : SurfControlReceive
DistinguishedName : CN=SurfControlReceive,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\SurfControlReceive
Guid : 921b8db2-fccf-44f6-a9fd-cd433fa03d06
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/21/2009 4:34:07 PM
WhenCreated : 4/21/2009 4:30:51 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.1.12-255.255.255.255, 192.168.1.24-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : DenverServers
DistinguishedName : CN=DenverServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\DenverServers
Guid : bebd42fc-ee49-4a2a-954e-ba30cda9e0d3
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 10:48:19 AM
WhenCreated : 4/22/2009 7:31:30 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {10.254.21.39-255.255.255.255, 10.254.20.42-255.255.255.255, 10.254.20.150-255.255.255.255, 10.254.10.152-255.255.255.255, 10.254.21.185-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : LititzServers
DistinguishedName : CN=LititzServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\LititzServers
Guid : c30a2b3f-91bd-4bc7-bd4d-a37738f7203e
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 3:45:43 PM
WhenCreated : 4/23/2009 12:44:31 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.wodstream.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.20.51-255.255.255.255, 192.168.20.50-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : MechanicsburgServers
DistinguishedName : CN=MechanicsburgServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\MechanicsburgServers
Guid : a2e47492-fd59-474a-8fca-25b0df57e744
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 1:18:18 PM
WhenCreated : 4/23/2009 1:17:42 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.2.21-255.255.255.255, 192.168.2.20-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : MidwestServers
DistinguishedName : CN=MidwestServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\MidwestServers
Guid : ae737ab2-2473-488e-9370-f26b5b6deab4
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 1:25:30 PM
WhenCreated : 4/23/2009 1:24:53 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.15.2-255.255.255.255, 192.168.15.5-255.255.255.255, 192.168.15.6-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : TennesseeServers
DistinguishedName : CN=TennesseeServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\TennesseeServers
Guid : 4b43cf40-b5e6-466a-94ba-662ae181b1e6
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 1:32:29 PM
WhenCreated : 4/23/2009 1:31:54 PM
OriginatingServer : ntserver2.test.com
IsValid : True

AuthMechanism : Tls, Integrated
Banner :
BinaryMimeEnabled : True
Bindings : {0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
Fqdn : exchhub.test.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 64KB
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10MB
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeUsers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {192.168.0.5-255.255.255.255, 192.168.0.6-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
Server : EXCHHUB
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : CanadaServers
DistinguishedName : CN=CanadaServers,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHHUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=test,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=com
Identity : EXCHHUB\CanadaServers
Guid : 7b96a65c-93d1-44e6-b665-fa4913e4f420
ObjectCategory : test.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 4/23/2009 1:48:31 PM
WhenCreated : 4/23/2009 1:47:52 PM
OriginatingServer : ntserver2.test.com
IsValid : True

[PS] C:\Documents and Settings\admin>
June 1st, 2009 8:25pm

Hi, Thanks for your response. From your output, I notice the following information: On the Client Access Server, the X509CertificateName attribute is set to exchcli.test.com. I would like to explain that Exchange will select an FQDN and find a certificate based on a matching CertificateDomain. The FQDN chosen is based on the POP or IMAP service settings' X509CertificateName attribute. Therefore, in your case, Exchange will select the certificate which contains exchcli.test.com in its CertificateDomain attribute. From your certificate information on the CAS server, I notice that only one certificate is POP3 enabled and includes exchcli.test.com in its CertificateDomain attribute. At this time, I suggest you use the following method to check whether the certificate warning is encountered when connecting to the CAS server:
1. Use Outlook 2007 to test the issue.
Description of the View Certificate button that has been added to the Internet Security Warning dialog box in Outlook 2007
http://support.microsoft.com/kb/914203/en-us
2. Configure a POP3 client to connect to Exchange Server.
Note: Please do not use an encrypted connection for the Outgoing server (SMTP). It will be helpful for us to check whether the certificate warning occurs when connecting to the CAS POP3 server.
3. Please log on to the user's mailbox and attempt to receive a message. Please check whether the certificate warning is received.
If the certificate warning is not received, I think the issue occurs when connecting to the Hub Server to deliver the message. If the certificate warning is received, please click the View Certificate button to check whether the correct certificate is provided. You can compare the Thumbprint with the number 59FD82999A5CDA3A3D86E0B2B9CE9FADADF53AC4 which was gathered when running the get-exchangecertificate |fl command on the CAS server.
Mike
June 2nd, 2009 9:45am

If no certificate-related warning is received when only using an encrypted connection to the CAS POP3 server, I suspect that the issue occurs when connecting to the SMTP service by using an encrypted connection. After checking the Receive Connectors on the Hub Server and the Certificate on the Hub Transport Server, I would like to explain that in order to advertise or use STARTTLS, Exchange selects a certificate based on an FQDN and a matching value in the CertificateDomains of a certificate (value in Subject or Subject Alternative Names). For inbound STARTTLS, it is based on the value of FQDN on a Receive Connector. From your Receive Connector, the FQDN for the receive connector which listens on 587 is exchhub.test.com. Therefore, the certificate 880B06071087A143FB51B8CFB4062508FC42DC52 on the hub server should be provided by Exchange Server to the client. Nevertheless, please understand that the certificate 880B06071087A143FB51B8CFB4062508FC42DC52 is a self-signed certificate. It is not trusted by the client.

Mike
June 2nd, 2009 10:35am

Hi Mike - Thank you for the reply. I went ahead and tested the settings as you suggested, and with 2007 I am getting the error when connecting to the CAS with this error: "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect." When I view the SAN certificate, the certificate is issued to exchcli.test.com and in the subject alternative name there are: exchcli.test.com, owa.test.com, owaout.test.com, exchcli, autodiscover.test.com. When I check the certification path it is OK and trusted, so I don't think it is a trust issue, just the FQDN is an issue. If you click OK to use the server, POP and IMAP do work OK; it's just the annoying issue with the certificate at the beginning. I am a newbie to certificates, but what am I missing? I thought with the SAN certificate, if it included the other names, then you were OK. As far as the HUB, I went ahead and set up the send of SMTP and you are correct that it is returning the self-signed certificate. Do I need to purchase an additional certificate for it? And then how do I associate the certificate with the send SMTP? Public DNS for the send is owaout.test.com. Again I thought the SAN would take care of that as well. Totally confused, since the OWA works without a hitch and for the most part Outlook Anywhere is working. I am not sure where my configuration for the certificate or Exchange is incorrect. Thanks for responses by the
June 2nd, 2009 5:54pm

Schuml, your certificate on the CAS server seems okay, but as far as using SSL with the HUB server - you have an obvious error. You are accessing the HUB server for SMTP, and it has a self-signed certificate. What you could do is just add the required names you will contact your hub with, e.g. exchhub.wodstream.com, exchhub.test.com, exchhub. Once you reissue your certificate, import it again on the CAS & HUB, and enable the Exchange certificate on each server: on the CAS enable IIS, POP, IMAP & on the HUB server enable SMTP on the certificate. You can use the tool I provided for easy creation & enabling of the certificates on each server. It's okay btw to use the same certificate on more than one server - as long as it holds all the names (FQDN/NETBIOS) you are accessing the servers with, internally & externally. Good luck!

MCSA Messaging
June 2nd, 2009 9:18pm

Thanks Ilantz for the reply. I think I understand your solution for the hub, but I am having the same error when connecting to the CAS. It almost seems like I need to make a public DNS entry for the CAS to exchcli.test.com and for the hub an entry of exchhub.test.com instead of OWA.test.com and OWAOUT.test.com. It seems the names are the issue, but I don't understand why POP or IMAP will not recognize that owa.test.com is part of the certificate. I really didn't want to put the actual server names as the DNS entry in the public DNS space. Ideas?
June 3rd, 2009 12:56am

Well, you've got it correct. This could be a solution: owa.test.com = Outlook Web Access + POP3 server. For this, run the following:

Get-popsettings -server CASserver | set-popsettings -X509CertificateName owa.test.com

Now to solve the HUB issue with SMTP over TLS, you'll need to export the certificate from the CAS (including the private key) and import it on the hub. Enable the certificate for the SMTP service. Then create a new Receive Connector with an FQDN of owaout.test.com with the required permissions (rather than modifying the default one). You should be okay then. Post results :)

MCSA Messaging
June 3rd, 2009 1:58am

Hi Schuml, Thanks for your response.

For Hub Server (SMTP): I agree with Schuml that you need to import the certificate to the Hub Server and enable it for the SMTP service. Then, configure the Receive Connector which listens on 587 to use the owaout.test.com FQDN. After that, restart the Transport Service on the Hub Server.

For CAS Server (POP3): Based on my knowledge and local test, we should not get a certificate warning, as the correct certificate is provided by Exchange Server, which includes owa.test.com in the Subject Alternative Name attribute. At this time, would you please let me know whether you test the issue on an external client or an internal client? If you test the issue on an internal client, please let me know whether the test client connects to the Exchange CAS server directly or through any firewall such as ISA server. If the test client connects to the Exchange CAS server through any firewall, I suggest you bypass the firewall and have the problem client connect to the Exchange CAS server directly to check whether the certificate warning still persists.

Mike
June 3rd, 2009 8:52am

Thanks Mike and Ilantz; I ran the command that changed the X509CertificateName to owa.test.com. I followed the procedures and set up the new connector, and exported the certificate from the CAS, imported and enabled the certificate on the hub. The good news is that for the 2003 clients the changes worked, hurray! But the 2007 Outlook client is still receiving the same certificate error when first connecting. With 2007, when connecting to the CAS and to the HUB, the Internet Security Warning pops up and says "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect." When I click on View Certificate for both the POP and SMTP server, the certificate is the correct one, the one I would expect to see. On the "Do you want to continue using this server?" if I click Yes, the e-mail works until you close Outlook and reopen, with the same certificate warning. I actually have been testing both inside and outside with the clients, with the same results. Inside, the connection would not go through a firewall; from the outside it does. I don't think the firewall is the issue based on the testing.
June 3rd, 2009 8:25pm

Hi Schuml, From your description, I guess the Certificate Warning is encountered when connecting to both the CAS server and the Hub Server. You have temporarily disabled the encrypted connection to POP3 and SMTP to test the issue. If I am wrong, please let me know.

After some further research, I think that the issue may be due to a product issue of Office 2007. Here is the explanation: The Windows API that is called by Outlook 2007 will review the Subject Alternative Name extension of the certificate if it is present. If the first entry in the Subject Alternative Name does not match the name specified in the POP3 or IMAP4 account configuration, the error will occur. Outlook 2007 will not request other information from the Subject Alternative Name extension - i.e., additional URLs. I would like to explain that the product issue has already been pushed as a Design Change Request for the next version of Outlook in a general manner. As far as I know, there are no plans to include this in Outlook 2007 at this time. Currently, we have two possible workarounds regarding the issue:

1. Change the POP3 or IMAP4 account settings to reflect the first entry in the Subject Alternative Name extension of the certificate.
2. Re-issue the certificate for the server and include the actual Subject as the first entry in the Subject Alternative Name extension.

Mike
June 4th, 2009 10:09am
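The two rules Mike lays out in this thread (Exchange picks the certificate whose CertificateDomains contains the configured FQDN: X509CertificateName for POP/IMAP, the Receive Connector FQDN for STARTTLS; and the Outlook 2007 client then compares the account's server name against the first Subject Alternative Name entry only) can be modelled and checked offline. The Python below is an added example, not code from this thread or from Exchange or Outlook; the certificate records, the placeholder thumbprints and the "first enabled certificate whose CertificateDomains contains the FQDN" selection rule are constructed assumptions that mirror the thread's description. It reproduces the thread's outcomes: Outlook 2003 (any SAN entry) accepts the CAS certificate while the first-entry-only client rejects it, the Hub presents its self-signed certificate until a CA-issued one is enabled for SMTP, and only a re-issued certificate with the public name first satisfies the strict client.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ExchangeCert:
    """Constructed stand-in for one Get-ExchangeCertificate record (not real output)."""
    thumbprint: str
    subject_cn: str
    san: List[str]        # dNSName entries in the order they appear in the certificate
    services: List[str]   # services the certificate is enabled for, e.g. ["IIS", "POP", "IMAP"]
    self_signed: bool = False

    def certificate_domains(self) -> List[str]:
        # CertificateDomains as Exchange reports it: subject CN followed by the SAN entries
        names: List[str] = []
        for name in [self.subject_cn] + self.san:
            if name.lower() not in [n.lower() for n in names]:
                names.append(name)
        return names


def select_certificate(fqdn: str, certs: List[ExchangeCert], service: str) -> Optional[ExchangeCert]:
    """Assumed selection rule: the first certificate enabled for the service whose
    CertificateDomains contains the configured FQDN (X509CertificateName for POP/IMAP,
    the Receive Connector FQDN for SMTP STARTTLS)."""
    for cert in certs:
        if service in cert.services and any(d.lower() == fqdn.lower() for d in cert.certificate_domains()):
            return cert
    return None


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*' covers only the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def matches_any_san(cert: ExchangeCert, host: str) -> bool:
    """Standard hostname check: any SAN entry may match (subject CN only when no SAN exists)."""
    names = cert.san if cert.san else [cert.subject_cn]
    return any(_name_matches(n, host) for n in names)


def matches_first_san_only(cert: ExchangeCert, host: str) -> bool:
    """Client behaviour described in the thread: only the first SAN entry is consulted."""
    first = cert.san[0] if cert.san else cert.subject_cn
    return _name_matches(first, host)


def diagnose(config_fqdn: str, client_host: str, certs: List[ExchangeCert], service: str) -> Dict[str, object]:
    """What one client configured for client_host sees when the service is set to config_fqdn."""
    cert = select_certificate(config_fqdn, certs, service)
    if cert is None:
        return {"presented": None, "trusted": False, "any_san_ok": False, "first_san_ok": False}
    return {
        "presented": cert.thumbprint,
        "trusted": not cert.self_signed,
        "any_san_ok": matches_any_san(cert, client_host),
        "first_san_ok": matches_first_san_only(cert, client_host),
    }


# Constructed certificates modelled on the thread; thumbprints are placeholders.
CAS_SAN_CERT = ExchangeCert("CAS-SAN-CERT-PLACEHOLDER", "exchcli.test.com",
                            ["exchcli.test.com", "owa.test.com", "owaout.test.com", "exchcli", "autodiscover.test.com"],
                            ["IIS", "POP", "IMAP"])
HUB_SELF_SIGNED = ExchangeCert("HUB-SELF-SIGNED-PLACEHOLDER", "exchhub.test.com",
                               ["exchhub.test.com", "exchhub"], ["SMTP"], self_signed=True)
# The CAS certificate after export/import on the Hub and enabling it for SMTP.
CAS_CERT_ON_HUB = ExchangeCert(CAS_SAN_CERT.thumbprint, CAS_SAN_CERT.subject_cn, CAS_SAN_CERT.san, ["SMTP"])
# A re-issued certificate with the public name as the first SAN entry (second workaround).
REISSUED_HUB_CERT = ExchangeCert("HUB-REISSUED-PLACEHOLDER", "owaout.test.com",
                                 ["owaout.test.com", "exchhub.test.com", "exchcli.test.com"], ["SMTP"])


def scenarios() -> Dict[str, Dict[str, object]]:
    return {
        # POP3 with X509CertificateName still exchcli.test.com, client configured for owa.test.com
        "pop_before": diagnose("exchcli.test.com", "owa.test.com", [CAS_SAN_CERT], "POP"),
        # SMTP on the Hub with the default connector FQDN and only the self-signed certificate
        "smtp_before": diagnose("exchhub.test.com", "owaout.test.com", [HUB_SELF_SIGNED], "SMTP"),
        # SMTP after importing the CA certificate and pointing a connector at owaout.test.com
        "smtp_imported": diagnose("owaout.test.com", "owaout.test.com", [HUB_SELF_SIGNED, CAS_CERT_ON_HUB], "SMTP"),
        # SMTP with a re-issued certificate whose first SAN entry is the public name
        "smtp_reissued": diagnose("owaout.test.com", "owaout.test.com", [HUB_SELF_SIGNED, REISSUED_HUB_CERT], "SMTP"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The `first_san_ok` column is the one to watch when reproducing this thread: a certificate can be CA-issued, enabled for the right service and contain the public name, and a client that only reads the first SAN entry will still raise the warning until either the account's server name or the certificate's SAN order is changed.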

Hi Mike, thanks for the reply. Interesting about 2007. I am not sure what I can do here, since I have 2 servers and only one name can be at the beginning. Ideas? I certainly can solve the POP or IMAP, but what about SMTP?
June 5th, 2009 1:18am

Hi Schuml, I think that you need to issue a new certificate for the Hub Transport server to include owaout.test.com as the first entry in the Subject Alternative Name extension. For the certificate on the CAS server, you need to re-issue it to include owa.test.com as the first entry in the SAN extension.

Mike
June 5th, 2009 8:47am

Hi Schuml, Any updates regarding the issue?

Mike
June 9th, 2009 5:01am

Hi Schuml, Some update: Please check whether the following hotfix has been installed:
http://support.microsoft.com/kb/968858/en-us
Outlook 2007 does not check the Subject Alternative Name (SAN) entries for a certificate when Outlook tries to connect to a Microsoft Exchange Server that uses the certificate through an Internet Protocol, such as IMAP, POP or SMTP. Therefore, when Outlook is trying to connect the Exchange Server, you receive the following error message: The server you are connected to is using a security certificate that cannot be verified. <option to view certificate> Do you want to continue using this server?

Another related article:
http://support.microsoft.com/kb/958977/en-us

Mike
June 17th, 2009 1:47pm
