Microsoft Remote Connectivity test, Outlook Anywhere (Exch 2007)
  • Microsoft Remote Connectivity test, Outlook Anywhere (Exch 2007)

    Hello,

    I am running the Microsoft Connectivity test tool and it throws an error regarding the "certificate chain".

    I read some documents to put the whole thing up (Certificate services, creating certificates from Exchange or from the IIS console, public DNS records, etc.).

    I took a screenshot in case it could help.

    The certificate has a subject name (mail.domain.com) but also the required alternative names (mainly: autodiscover.domain.com), as shown in the image. In fact, in the image you can see that the tool finds the certificate and does not complain about it.

    Thanks in advance.
    -
    Madrid (Spain).

  • #2
    I took a look and the issue is that your certificate is not signed by a trusted 3rd party CA. If you want Outlook Anywhere to work you need the cert to be signed by a CA that the client trusts.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Thanks Jeremy.

      The thing is that I imported the root certificate of my domain into this PC's certificate mmc.

      If I go into the Certificate mmc, within "Trusted Root Certification Authorities", I can see it.

      I have done this many times:

      1. Export the root certificate with a .cer extension, to a file.
      2. Import that .cer certificate file into the Certificate mmc on the PC where Outlook is.

      Thanks a lot again.
      -
      Madrid (Spain).



      • #4
        Right, that makes that one computer trust the cert but the Microsoft Connectivity Analyzer will never trust a cert unless it's signed by a trusted 3rd party.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          If you are using an internal CA then you will never pass the remote tests. End of story.
          An internal CA is only suitable for use with Exchange if you have 100% control over all clients accessing the server in any way.
          That means all clients - ActiveSync included, and usually means no OWA access.

          When you can get a suitable trusted SSL certificate for less than $80/year, it doesn't make any sense to try and get an internal CA to work.
          The certificates generated by Exchange are not supported for use with ActiveSync or Outlook Anywhere.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Originally posted by Sembee:
            If you are using an internal CA then you will never pass the remote tests. End of story.
            An internal CA is only suitable for use with Exchange if you have 100% control over all clients accessing the server in any way.
            That means all clients - ActiveSync included, and usually means no OWA access.

            When you can get a suitable trusted SSL certificate for less than $80/year, it doesn't make any sense to try and get an internal CA to work.
            The certificates generated by Exchange are not supported for use with ActiveSync or Outlook Anywhere.

            Simon.


            Yes, but just one thing:

            If I say to Chrome (or any other web browser): "Hey, trust all the certificates coming from this Certificate Authority" (by importing the root certificate to the Trusted Root store), should that web browser not accept "https://mail.domain.com/owa"? (Provided that mail.domain.com is either the CN or an alternative name on the certificate, of course.)

            As far as I remember, I did not get any warnings in the past (I haven't worked with OWA for quite a while; when I did, it was when I was learning it, one or two years ago).

            Edit, addition: THE CERTIFICATE IS NOT THE DEFAULT EXCHANGE SELF-SIGNED CERTIFICATE, but one issued from my internal CA, as a web server template.
            Last edited by loureed4; 22nd September 2015, 12:00.
            -
            Madrid (Spain).



            • #7
              The trust (or more accurately, the lack thereof) is not coming from the browser, but from the ExRCA tool, which does not use your computer's certificate store for its chain validation.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog



              • #8
                Originally posted by cruachan:
                The trust (or more accurately, the lack thereof) is not coming from the browser, but from the ExRCA tool, which does not use your computer's certificate store for its chain validation.

                Right.
                loureed4, it's not your browser that's running the test, it is Microsoft's servers. You're just getting the resulting information.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Ohh!! Now I understand, sorry that it took me so long to understand the first replies.

                  THANKS!!
                  -
                  Madrid (Spain).
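
The point made in replies #7 and #8, as an added example that is not part of the original thread: the same server certificate is validated once against a trust store that contains the internal root (the PC where it was imported) and once against a store that does not (the remote tester). It assumes the `openssl` command-line tool with its default configuration; the CA names, file names and the two PEM files standing in for the trust stores are constructed sample values.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name and file below is a sample value.
set -eu

new_root() {  # $1 = file prefix, $2 = CN; writes <prefix>.key and <prefix>.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = issuing root prefix, $2 = output prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.domain.com" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  # Subject alternative names as described in the first post
  printf 'subjectAltName=DNS:mail.domain.com,DNS:autodiscover.domain.com\n' > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Succeeds only if the chain ends in a root from the given store AND the name matches.
validates() {  # $1 = trust store PEM, $2 = host name, $3 = certificate PEM
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
new_root "$work/internal" "Internal Root CA"       # the domain's own CA
new_root "$work/public"   "Sample Public Root CA"  # stand-in for a third-party CA
issue_server_cert "$work/internal" "$work/srv"

pc_store="$work/internal.pem"    # PC where the internal root was imported
remote_store="$work/public.pem"  # remote tester: internal root absent

report() {  # $1 = store, $2 = host name, $3 = label
  if validates "$1" "$2" "$work/srv.pem"; then
    echo "$3: trusted"
  else
    echo "$3: rejected"
  fi
}
report "$pc_store"     autodiscover.domain.com "PC with imported root"
report "$remote_store" autodiscover.domain.com "remote tester"
```

The subject and alternative names match in both runs; only the contents of the validator's trust store differ, which is why importing the root on one PC changes nothing for a validator running elsewhere.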
