Security alert pop-up message from other sites' CAS servers while the local site has its own CAS server
I have a setup with a single Exchange organisation which includes 5 CAS servers in different locations.
The problem is that when a user of one site, suppose A, accesses mail through Outlook, a security alert pops up saying "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate...", and I have to click Yes. This certificate pop-up is from the CAS servers of other AD sites. These pop-ups are not regular, only intermittent, but my users are still very irritated by this pop-up message.
Can somebody please let me know why my client is going to a remote site's CAS server while it has a CAS server in its own site?
I will be very thankful if somebody can please help me out.
Thanks
Luxmi narayan
October 18th, 2011 1:21am
Hi,
Did you check this thread:
http://social.technet.microsoft.com/Forums/en-US/itprovistaie/thread/348a5a29-5311-4c29-b358-c54c8446264e/
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
October 18th, 2011 2:25am
You should configure your virtual directories that users access so they use a URL that is in the certificate on each CAS.
You could use a script like:
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/ to configure them.
Magnus Björk www.mailmaster.se/blog
October 18th, 2011 10:09am
Hi Luxmi,
See this:
http://support.microsoft.com/kb/555842.
Outlook 2007 client should connect to the CAS server in its own AD site. I suggest you run “Test Email Autoconfiguration” (see http://technet.microsoft.com/en-us/library/bb397225(EXCHG.80).aspx) on the problematic Outlook client when the issue occurs, and then verify the result returned.
In the LOG tab, it should show the SCP record that Outlook is trying to connect to. By default it should be the URL of https://CASFQDN/autodiscover/autodiscover.xml. Please make sure the URL is pointing to the CAS server in the Outlook site.
Also, check the Results tab, and make sure the URLs returned are pointing to the CAS server in the Outlook site.
If there is any error, capture a screenshot and paste it.
Fiona
October 19th, 2011 1:56am
Thanks Gulab, Magnus and Fiona for your replies, but let me inform you that Gulab's reply doesn't seem to be related to my concern, and Magnus's reply I will avoid for the time being because I don't want to move towards the server side in the first go.
Fiona, I already said this problem is not regular but only intermittent, so I can't do the testing at the time the problem occurs, because the user may not be interested in informing IT every time the problem occurs. Nor will he agree to do this testing on his own.
So I will be thankful to you if, without waiting for the problem, we can make a setting so that the Outlook client does not go to any other site's CAS server in any case.
Can we do this setting through Exchange or AD? Is it possible?
I am using Exchange 2007 with SP1 and Outlook 2007.
October 19th, 2011 3:29am
Fiona, also let me tell you that, as I am not using a router which supports the feature that is disabled by no ip http secure-server, there is no use for the article containing that command.
October 19th, 2011 3:59am
Hi Luxmi,
I appreciate your understanding that if the issue cannot be reproduced, it is hard or impossible to find the root cause.
While waiting for the issue to be reproduced, we may verify the CAS server configuration:
Run cmdlet "Get-clientaccessserver |FL", and verify the autodiscoversitescope and the autodiscoverserviceinternaluri.
Run cmdlet "Test-OutlookWebServices |FL" and verify the URLs returned.
Hope it is helpful.
Fiona
October 19th, 2011 4:09am
Thanks for your time, Fiona.
My AD site name is GGN-FIP
output of get-clientaccessserver|fl is
Name : myaccessYNRCDC01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : myaccessynrcdc01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://submail1.bilt.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {YNR-CDC}
IsValid : True
OriginatingServer : gasggnfip01.softibil.com
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=myaccessYNRCDC01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myorg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=softibil,DC=com
Identity : myaccessYNRCDC01
Guid : dd1eb997-2b1e-45be-b4c4-0a883befcf78
ObjectCategory : softibil.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 10/18/2011 7:26:23 PM
WhenCreated : 8/9/2007 10:00:09 PM

Name : myaccessGGNFIP01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : myaccessggnfip01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://submail2.bilt.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {GGN-FIP}
IsValid : True
OriginatingServer : gasggnfip01.softibil.com
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=myaccessGGNFIP01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myorg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=softibil,DC=com
Identity : myaccessGGNFIP01
Guid : 55d4b7dd-39e5-4ed7-9afc-49ab76af5ae2
ObjectCategory : softibil.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 10/11/2011 1:32:09 PM
WhenCreated : 8/13/2007 5:00:26 PM

Name : myaccessBPQBPU01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : myaccessbpqbpu01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://myaccessbpqbpu01.softibil.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {BPQ-BPU}
IsValid : True
OriginatingServer : gasggnfip01.softibil.com
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=myaccessBPQBPU01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myorg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=softibil,DC=com
Identity : myaccessBPQBPU01
Guid : 00b32030-2bcd-4c03-afee-39c3a258db33
ObjectCategory : softibil.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 10/11/2011 5:28:56 PM
WhenCreated : 8/17/2007 12:30:32 PM

Name : myaccessBNWBWN01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : myaccessBNWBWN01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://myaccessbnwbwn01.softibil.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {BNW-BWN}
IsValid : True
OriginatingServer : gasggnfip01.softibil.com
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=myaccessBNWBWN01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myorg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=softibil,DC=com
Identity : myaccessBNWBWN01
Guid : 772ca06f-dcf9-4143-8370-320d9fb9b2b5
ObjectCategory : softibil.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 10/11/2011 4:28:56 PM
WhenCreated : 8/17/2007 1:52:28 PM

Name : myaccessJPRSEW01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : myaccessJPRSEW01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://myaccessjprsew01.softibil.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {JPR-SEW}
IsValid : True
OriginatingServer : gasggnfip01.softibil.com
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=myaccessJPRSEW01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=myorg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=softibil,DC=com
Identity : myaccessJPRSEW01
Guid : f4852216-a066-469c-bac1-62f494dbf559
ObjectCategory : softibil.com/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 10/11/2011 5:28:56 PM
WhenCreated : 8/17/2007 4:01:57 PM
output of test-outlookwebservices|fl
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address rajeev.sharma@bilt.com.

Id : 1007
Type : Information
Message : Testing server exccasggnfip01.optibilt.com with the published name https://submail2.bilt.com/ews/exchange.asmx & .

Id : 1019
Type : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://submail2.bilt.com/autodiscover/autodiscover.xml.

Id : 1013
Type : Error
Message : When contacting https://submail2.bilt.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.
PLEASE SUGGEST WHAT WE CAN DO NEXT.
Thanks
Luxmi narayan
October 19th, 2011 6:01am
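How the AutoDiscoverSiteScope values in the output above decide which CAS an internal Outlook client is referred to, as an added example that is not part of the thread. The helper Get-ScpCandidate and the site name UNMAPPED are hypothetical, and the lookup is a simplified model of Outlook's in-site/out-of-site SCP selection.

```powershell
# Records copied from the Name, AutoDiscoverSiteScope and
# AutoDiscoverServiceInternalUri fields posted above, so the block runs offline.
# In the Exchange Management Shell, use instead: $scps = Get-ClientAccessServer
function New-Scp($Name, $Scope, $Uri) {
    New-Object PSObject -Property @{
        Name                           = $Name
        AutoDiscoverSiteScope          = $Scope
        AutoDiscoverServiceInternalUri = [Uri]$Uri
    }
}
$scps = @(
    (New-Scp 'myaccessYNRCDC01' @('YNR-CDC') 'https://submail1.bilt.com/autodiscover/autodiscover.xml'),
    (New-Scp 'myaccessGGNFIP01' @('GGN-FIP') 'https://submail2.bilt.com/autodiscover/autodiscover.xml'),
    (New-Scp 'myaccessBPQBPU01' @('BPQ-BPU') 'https://myaccessbpqbpu01.softibil.com/Autodiscover/Autodiscover.xml'),
    (New-Scp 'myaccessBNWBWN01' @('BNW-BWN') 'https://myaccessbnwbwn01.softibil.com/Autodiscover/Autodiscover.xml'),
    (New-Scp 'myaccessJPRSEW01' @('JPR-SEW') 'https://myaccessjprsew01.softibil.com/autodiscover/autodiscover.xml')
)

# Hypothetical helper: simplified model of Outlook's SCP choice. SCPs whose site
# scope lists the client's AD site are used; if none match, Outlook falls back
# to the SCPs of other sites (the order used here is not Outlook's).
function Get-ScpCandidate {
    param([object[]]$Scp, [string]$ClientSite)
    $inSite = @($Scp | Where-Object { $_.AutoDiscoverSiteScope -contains $ClientSite })
    if ($inSite.Count -gt 0) { $list = $inSite; $source = 'in-site' }
    else                     { $list = $Scp;    $source = 'out-of-site fallback' }
    foreach ($s in $list) {
        New-Object PSObject -Property @{
            ClientSite = $ClientSite
            Source     = $source
            Cas        = $s.Name
            # Host name the CAS certificate has to cover to avoid the alert
            TlsName    = $s.AutoDiscoverServiceInternalUri.Host
        }
    }
}

# 'GGN-FIP' is the site named in the post; 'UNMAPPED' is a constructed value
# standing for a client whose resolved site appears in no AutoDiscoverSiteScope.
foreach ($site in 'GGN-FIP', 'UNMAPPED') {
    Get-ScpCandidate -Scp $scps -ClientSite $site |
        Select-Object ClientSite, Source, Cas, TlsName |
        Format-Table -AutoSize
}
```

On an affected workstation, nltest /dsgetsite prints the AD site the client resolved, which is the value to pass as -ClientSite.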
Thanks for your update.
From the information provided, the autodiscover service on CAS myaccessGGNFIP01 is not available for clients. My suggestion is:
1. Launch IIS manager and verify the /Autodiscover virtual directory configuration on the CAS server myaccessGGNFIP01. Make sure the authentication is Basic and integrated; if it is Exchange 2010, add Anonymous. Refer to:
Default settings for Exchange-related virtual directories in Exchange Server 2010
http://blogs.technet.com/b/exchange/archive/2010/09/23/3411146.aspx
Default settings for Exchange-related virtual directories in Exchange Server 2007
http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx
2. If the error continues in Test-OutlookWebservices, test the Autodiscover service on the CAS server at https://localhost/autodiscover/autodiscover.xml. It will help us verify if the autodiscover service is working well on the server (the expected result is error code 600).
3. Apply the latest hotfix for all Outlook clients (at least Outlook 2007 SP2).
Let me know if there are any questions.
Fiona
October 19th, 2011 11:51pm
Thanks again, Fiona, for your favors.
I already have the same settings which are given in this article for the autodiscover folder of the default site.
The service is working fine on the server.
I already have the latest service pack installed for Office 2007.
Thanks
Luxmi narayan
October 20th, 2011 3:14am
You are welcome.
So are you still encountering the error when running Test-OutlookWebservices? If you run the cmdlet without a user ID specified, does the issue continue? How about if you test the URL manually on a client computer? What is the error code in the IIS log?
Fiona
October 20th, 2011 3:20am
I am already using this command without specifying any user ID, but I don't know why it is testing by using a user's mail ID. Is this normal behaviour?
If I give this URL in a browser, it works fine.
Also, let me please tell you that not all of my users are facing this problem; only a few users are facing this problem.
thanks
luxmi narayan
October 20th, 2011 3:37am
Hi Luxmi,
Yes, the cmdlets will use a user automatically. Regarding the error 1013 returned by Test-OutlookWebservices, it might be a known issue. I would suggest you submit a new thread for this problem; this is for administrative purposes, since troubleshooting multiple issues in the same thread may cause confusion. Your understanding would be appreciated.
Regarding the original issue in this thread, that the Outlook client connects to a remote CAS: considering that we ran the autodiscover-related configuration on the server and all appears to be fine, I am afraid you need to wait till it reoccurs. Just a reminder, I copied the action plan below:
Run “Test Email Autoconfiguration” (see http://technet.microsoft.com/en-us/library/bb397225(EXCHG.80).aspx) on the problematic Outlook client when the issue occurs. And then verify the result returned. In the LOG tab, it should show the SCP record that Outlook is trying to connect to. By default it should be the URL of https://CASFQDN/autodiscover/autodiscover.xml. Please make sure the URL is pointing to the CAS server in the Outlook site.
Capture a screenshot of the error message you received; it will help us research.
Thanks.
Fiona
October 20th, 2011 4:56am
Thanks, Fiona, for your efforts.
Ultimately my problem is resolved now. Actually, my AD sites were wrongly configured.
November 9th, 2011 4:19am
Good to hear that the issue is resolved.
You mean to say that in the registry it was pointing to the wrong site?
Gulab | MCITP: Exchange 2010-2007 | Lync Server 2010 | Windows Server 2008 | Skype: Exchange.Ranger | Blog: www.ExchangeRanger.Blogspot.com
November 9th, 2011 4:55am