GoDaddy SAN certificate untrusted on clients
I have requested, downloaded and installed a GoDaddy SAN certificate for my Lync server(s).
If I apply the certificate and try to log into Lync 2010 on a new client I get "there was a problem verifying the certificate from the server".
If I install the GoDaddy intermediates certificate into the Trusted Root Certification Authorities on the Windows 7 client it works OK.
I assumed Windows 7 clients would automatically trust GoDaddy as a certificate authority...?
This issue occurs when the correct certificate is not installed on the computer.
Because 1,024-bit certificates are rooted to 2,048-bit certificates, you may have to download and to install the required root certificate before you can successfully sign in to Office Communicator or to Lync.
You can also refer to the link below:
http://support.microsoft.com/kb/2014466
Similar Messages
-
Standard or UCC/SAN certificate for RDS
I successfully deployed RemoteApp using self-assigned certificate.
Now is the time to replace it with a trusted one.
From what I found, a UCC/SAN certificate will allow me to secure subdomains, unique domains and websites.
My RDS deployment is limited to one domain only.
Does a wildcard certificate mean that during certificate creation on a trusted site (e.g. GoDaddy) I will have an option to enter:
*.my_domain.com for the subject and then use it for any RDS server?
So it will be just a standard certificate with a wildcard.
"When you hit a wrong note it's the next note that makes it good or bad". Miles Davis
Hi,
If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the same server you can purchase a single-name certificate, which is much cheaper than a wildcard.
If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request. Fill out the information, select 2048 bits, etc., save as a file. Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authority's web site.
The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response. You can usually follow those if you are unsure.
Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to Personal store, right-click on the certificate and export it and its Private key as a .pfx file. This is what you will use to apply the certificate in Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab. You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
-TP -
Trial SAN Certificate & Outlook Anywhere (RPC over HTTP) test fail
I am testing Exchange 2013, where Autodiscover passes while the Outlook Anywhere (RPC over HTTP) connectivity test fails with an invalid SSL certificate. I am only using a self-signed certificate. Does anyone know of a CA providing SAN certificates on a trial basis?
Hi,
Agree with the above suggestion, the ExRCA test cannot pass with a self-signed certificate. And to ensure Outlook Anywhere works well, we need to install the self-signed certificate on all client machines.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
(I'll upload screen captures if needed once my account gets verified)
I have a basic (as in freshly installed single exchange server 2010 SP3) Exchange Server installation. I've setup Outlook Anywhere. I've also setup a SAN (SubjectAltName) certificate.
My setup:
ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
mail.eci.XXXX.XX = an A record I've setup to access my exchange server. It is also a subjectAltName in my SAN certificate
When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my exchange server using RPC over HTTPS.
Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name, in Outlook.
But it does not work. The proxy will give me an error each time, like that:
HTTP 544 RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
HTTP 635 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
HTTP 123 HTTP/1.0 503 RPC Error: 6ba
My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
Thanks!
Hi,
Firstly, I’d like to explain, the server name tab should be filled with your mailbox server name in the process of configuring Exchange 2010 account.
And the Outlook Anywhere proxy server is configured at the server side and cannot be randomly defined at the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
Thus, it’s an expected behavior that we would get error if we randomly enter name in the server name tab when we configure an account. If I misunderstand your meaning, please feel free to let me know.
Additionally, Autodiscover service can help us automatically complete the configuration of the Outlook account. And how about the result if you use the Autodiscover to automatically configure the account?
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
SAN certificate for external access for edge server and reverse proxy
Hello
I have a question related to certificate planning for Lync 2013 Edge Server.
For external access and mobile users, I want to enable all the features for external users.
I'm planning to purchase a SAN certificate.
My first question: do I need only one SAN for both my Edge server and the reverse proxy?
My second question is about the names that should be added to the certificate:
sip.mydomain.com
av.mydomain.com
webconf.mydomain.com
What else should I add? I want to add the names for all feature access.
Kind Regards
MK
Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Exchange SAN Certificate Help!
Hello,
I need some help in troubleshooting a problem I have with a customers’ Exchange 2007 server.
I installed a new SSL SAN cert on their only Exchange server yesterday, and today users are receiving certificate name mismatch prompts when opening their Outlook 2007 clients.
The previous cert had the local host name in the SAN cert, but given the changes around using local host names in certs soon to be implemented, I left these entries out this time around with the new cert.
I already have a split horizon DNS zone within the local domain, which contains an A record for Autodiscover.
So, the setup is as follows:-
New SSL SAN cert:
CN= mail.domain.co.uk
SAN= autodiscover.domain.co.uk, owa.domain.co.uk
Split horizon DNS zone: (within domain.local AD domain)
autodiscover.domain.co.uk
A record: autodiscover.domain.co.uk = IP of Exchange server
The output from an Outlook client auto configuration test is listed below:
<LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=TestUser1</LegacyDN>
<DeploymentId>64a06c34-547e-44d8-8885-aa8fd530e2a1</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>EXCHSRV01.domain.local</Server>
<ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01</ServerDN>
<ServerVersion>72038053</ServerVersion>
<MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>EXCHSRV01.domain.local</PublicFolderServer>
<AD>EXCHSRV01.domain.local</AD>
<ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</EwsUrl>
<OOFUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://EXCHSRV01.domain.local/UnifiedMessaging/Service.asmx</UMUrl>
<OABUrl>http://EXCHSRV01.domain.local/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.domain.co.uk</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</EwsUrl>
<OOFUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</OOFUrl>
<OABUrl>http://mail.domain.co.uk/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.domain.co.uk/owa</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://EXCHSRV01.domain.local/owa</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
As the SCP was originally pointing to the local fqdn of the Exchange server, I have amended the binding in ADSS so that the SCP now points to the autodiscover.domain.co.uk A record instead.
I took this step because even with the internal URL for Autodiscover's virtual directory set to https://autodiscover.domain.co.uk/Autodiscover/autodiscover.xml this path was ignored and Outlook defaulted to the fqdn of the local server.
I thought this might rectify the issue but to no avail.
The security prompt when opening Outlook still references the fact that the EXCHSRV01.domain.local does not match the CN of the cert mail.domain.co.uk.
Can anyone assist in troubleshooting this further?
Regards
Matt
Matt
Hi Matt,
We can run the following command to check your certificate settings in your Exchange server:
Get-ExchangeCertificate | FL
If your SAN certificate is assigned with IIS service, please change your internal URLs to match your SAN certificate names with IIS service. We can refer to the following KB to achieve Internal URLs changes:
http://support.microsoft.com/kb/940726
Thanks,
Winnie Liang
TechNet Community Support -
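Added example, not part of the original thread and not Microsoft tooling: the prompt described above appears when Outlook is handed an HTTPS URL whose host is not on the new certificate. This Python code lists every https:// URL in an Autodiscover response whose host is missing from the certificate's names; the trimmed XML is constructed from the host names in the post, and the helper names (`name_matches`, `https_endpoints`, `mismatches`) are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: trimmed to the shape of the Autodiscover output quoted in
# the thread (same host names, fewer elements).
SAMPLE_RESPONSE = """\
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHSRV01.domain.local</Server>
        <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>http://EXCHSRV01.domain.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.domain.co.uk</Server>
        <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

# CN plus SAN entries of the new certificate, as listed in the post.
CERT_NAMES = ["mail.domain.co.uk", "autodiscover.domain.co.uk", "owa.domain.co.uk"]


def name_matches(host, pattern):
    """Case-insensitive host match; '*.' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern


def https_endpoints(xml_text):
    """Yield (element name, host) for every https:// URL in the response."""
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        # Plain http:// URLs (such as the OAB one) involve no certificate check.
        if text.lower().startswith("https://"):
            tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
            yield tag, urlsplit(text).hostname  # hostname is lower-cased


def mismatches(xml_text, cert_names):
    """Map each TLS host not covered by the certificate to the elements using it."""
    result = {}
    for tag, host in https_endpoints(xml_text):
        if any(name_matches(host, name) for name in cert_names):
            continue
        tags = result.setdefault(host, [])
        if tag not in tags:
            tags.append(tag)
    return result


if __name__ == "__main__":
    for host, tags in mismatches(SAMPLE_RESPONSE, CERT_NAMES).items():
        print(f"{host}: not on certificate, referenced by {', '.join(tags)}")
```

Each host it reports is one whose internal URL still has to be changed to a name on the certificate, which is what the reply above recommends.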
Godaddy SSL certificate installation problems - intermediate certificate not being recognized
domain = mail.gottfried.org
Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
Response from:
http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
When I check in 0000_any_443_.conf
I see:
SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem"
SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.key.pem"
SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem"
I am assuming that the intermediate certificate should be:
mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
When I look at that certificate it is the same as
mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
Anyone have any suggestions?
I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldn't really help and if I really want help from them I need to talk to integration where costs start at $700....
Anyone have an SSL provider that worked properly with 10.8 or has really good support for mountain lion server?
Please let me know.
Thanks!
While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate? That'll be the easiest.
If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security. Running your own certificate authority does mean you'll learn more about certificates, though.
Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232). I have found exiting Keychain Access to be a necessary step on various versions. It shouldn't be, but...
FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and generally to sort out the various posted directions and confusions. (I'm not particularly fond of any of the major math, err, certificate vendors, either.) -
Godaddy SSL certificate on weblogic
Hello,
Recently I purchased an SSL certificate from GoDaddy; they sent me 2 files (mydomain.crt) and (gd_bundle.crt).
Now I don't know how to create the .pem file to complete the installation. Below are the steps I followed.
- keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
- keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
here when I enter this I get an error ( keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found). so how to create the CertChain.pem from the files I got from godaddy.
- keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
- keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
I found out how to install a GoDaddy SSL certificate on WebLogic; follow the link below.
http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
But I still get "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." -
Problem connecting to godaddy exchange server via outlook client
I am pretty much having a very similar problem here:
https://social.technet.microsoft.com/Forums/exchange/en-US/437c5f8d-3a42-4689-90b4-13fd2749373f/go-daddy-ucc-certificate-exrca-can-only-validate-the-certificate-chain-using-the-root-certificate?forum=exchangesvr3rdpartyappslegacy
When I set up in outlook, I have noticed this in advanced connection settings:
the URL is required
mail.ex4.secureserver.net
Then check connect SSL only
Only connect to proxy servers with this principal name
msstd:mail.ex4.secureserver.net
When I use the connect principal, it works fine, but otherwise if it is not checked, it won't connect to the server.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26423254.html
However, when I restart outlook, because I have multiple exchange accounts, they keep becoming "unchecked".
Everything worked fine about 48 hours ago, and now... all these problems.
Here is my log from the testing site:
Connectivity Test Failed
Test Details
Testing Outlook connectivity.
The Outlook connectivity test failed.
Additional Details
Elapsed Time: 3897 ms.
Test Steps
Testing RPC over HTTP connectivity to server mail.ex4.secureserver.net
RPC over HTTP connectivity failed.
Additional Details
HTTP Response Headers:
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Fri, 13 Feb 2015 01:07:27 GMT
Content-Length: 58
Elapsed Time: 3897 ms.
Test Steps
Attempting to resolve the host name mail.ex4.secureserver.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 72.167.83.115
Elapsed Time: 95 ms.
Testing TCP port 443 on host mail.ex4.secureserver.net to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 110 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 461 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.ex4.secureserver.net on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US, Issuer: SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 356 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.ex4.secureserver.net was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
Elapsed Time: 39 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 5 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 11/29/2012 8:39:18 PM, NotAfter = 11/29/2015 8:39:18 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 232 ms.
Testing HTTP Authentication Methods for URL https://mail.ex4.secureserver.net/rpc/rpcproxy.dll?mail.ex4.secureserver.net:6002.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Negotiate, NTLM
HTTP Response Headers:
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Fri, 13 Feb 2015 01:07:27 GMT
Content-Length: 58
Elapsed Time: 146 ms.
Attempting to ping RPC proxy mail.ex4.secureserver.net.
RPC Proxy was pinged successfully.
Additional Details
Elapsed Time: 224 ms.
Attempting to ping the MAPI Mail Store endpoint with identity: mail.ex4.secureserver.net:6001.
The attempt to ping the endpoint failed.
Tell me more about this issue and how to resolve it
Additional Details
The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.
Elapsed Time: 2626 ms.
Here is another test from the autodiscover:
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
Autodiscover was tested successfully.
Additional Details
Elapsed Time: 1745 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Additional Details
Elapsed Time: 1745 ms.
Test Steps
Attempting to test potential Autodiscover URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml
Testing of the Autodiscover URL was successful.
Additional Details
Elapsed Time: 1745 ms.
Test Steps
Attempting to resolve the host name MYDOMAIN.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: xx.168.xx.74
Elapsed Time: 59 ms.
Testing TCP port 443 on host MYDOMAIN.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 60 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 197 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server MYDOMAIN.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=MYDOMAIN.com, OU=Domain Control Validated, Issuer: CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 132 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name MYDOMAIN.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=MYDOMAIN.com, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
Elapsed Time: 27 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 7/2/2014 2:30:01 AM, NotAfter = 7/2/2015 2:30:01 AM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 673 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Additional Details
Elapsed Time: 754 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml for user [email protected].
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>[email protected]</DisplayName>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>IMAP</Type>
<Server>MYDOMAIN.com</Server>
<Port>993</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>MYDOMAIN.com</Server>
<Port>465</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName>
</Protocol>
</Account>
</Response>
</Autodiscover>
HTTP Response Headers:
Keep-Alive: timeout=15, max=256
Connection: Keep-Alive
Content-Length: 1227
Content-Type: application/xml; charset="UTF-8"
Date: Fri, 13 Feb 2015 01:14:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
Elapsed Time: 754 ms. -
Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?
I've read this TechNet article, but I couldn't understand the required values of SubjectAltName.
https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
For example, if I build the following servers, what SANs are needed?
I would be happy if you could also tell me why.
[ServerNames]
AD DS Server:DS01
AD FS Server:FS01
Web Application Proxy Server:PRX01
SharePoint Server(WFE):WFE01
SharePoint Server(APL):APL01
SQL Server:DB01
[AD DS Domain Name]
contoso.local
(Please assume that all of the above servers are joined to this domain)
[Site collection strategy]
using a host-named site collection
[Primary web application URL]
https://sps.contoso.com
Thanks.
Hi,
From your description, my understanding is that you have some doubts about SAN.
If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san
You could find what SAN needs from part “Some SAN Basics” in this blog.
These articles may help you understand SAN:
https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
Best Regards
Vincent Han
TechNet Community Support -
I opened a file on my desktop that I don't remember putting there. We use many photos and I thought it was a photo file I was looking for. It turned out to be a keychain certificate from a client of ours. Does this mean that they were spying on me? What is the deal with that? Any ideas?
Interesting tid bit. I created an AAC of the original file, deleted the original MP3 from my library and also deleted the Clean matched track from the icloud.
Result is that it matched with the explicit version of Mrs. Officer this time.
What I am curious about is which songs this is happening for. I've went thru a few batched of about 500 songs at a time and redownloaded in 256k for many tracks. Sadly we don't have people to bring this to our attention and I have so much music that it's impossible to go thru every song to make sure I am getting the right version. -
Accepted domains in Exchange SAN certificate
Hi All,
I have a few queries; please clarify them for me.
In my environment, I have the accepted domains list like below:
xyz.com
abc.com
All the users in my organisation have the primary SMTP address as [email protected] and secondary SMTP address as [email protected]
In my SAN certificate I do not have any of the above mentioned accepted domains.
Do I need to have all the accepted domains on the SAN certificate, or is only the primary SMTP address domain suffix enough?
If I don't have any of my accepted domain suffixes in the SAN certificate, what will happen? I am asking because I am not getting any certificate related errors.
As an additional info , we are using the single namespace for exchange services like owa ,activesync ,pop/imap and outlook anywhere (both internal & external ) and that name is available in my SAN certificate.
Autodiscover namespace is also included in my SAN certificate .
Thanks S.Nithyanandham
Hi Imkottees,
Thanks a lot for your immediate response.
But I still have some queries; please explain what you mean by the line below.
"But you need this for all Primary domains used in your environment"
Regards
S.Nithyanandham
Thanks S.Nithyanandham -
How to install certificate in im client
i can't find the procedure for installing a certificate in the client - i did the server part:
http://docs.sun.com/app/docs/doc/819-4412/6n6ikpsut?a=view
but now i can't find how to do the client part - i'm just using the standard im client obtained from:
https://localhost/im
which does a jnlp activation.
ok - woo hoo - tls encryption kicked in - so i found a parameter that i had not set that was mentioned in the reference section, but overlooked (by me?) in the procedure: iim_server.certnickname - i had wondered how it knew which cert to pull, so i had named the cert the same name as the host to compensate - and there was, after all, only one cert in the file. anyway that plus using the sun mozilla browser on the same host as the im server caused the lock to turn on in the im frame. unfortunately - when i used a mac to try and have a conversation - the mac lock did not turn on - the java version on the mac is:
java version "1.5.0_07"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-164)
Java HotSpot(TM) Client VM (build 1.5.0_07-87, mixed mode, sharing)
the version on the sun is: 1.5.0_09-b-3. i'll open a forum question about whether a mac is supported and then i'll try im with tls on a pc, then i'll use snoop to make sure the conversation is encrypted. i used the mac in all my testing yesterday - so it could be that the sun mozilla browser may have been working all along - who knows?
-
How to install SSL Certificates automatically in Client machine
Hi All
I have installed certificates for SSL on the Planning server machine for Planning Web services. While connecting to the server through the Excel add-in from a client machine, it is not connecting.
The error is below:
"The underlying connection was closed : could not establish trust relationship for the SSL/TLS secure channel" and then I get the following error:
"The PerformancePoint Server System is currently unavailable"
I understand this is due to the certificate not being installed on the client machine.
So I tried to install the certificate through the IE web browser. I typed the web services link, i.e. https://servername:443, in the address box,
not the admin console link, because if I connect to the Admin console and then connect to the Planning server, it does not show me the "Security Alert" dialog box.
So I typed the web services link directly in the address box. Then the "Security Alert" dialog box opened; in it I clicked the "View Certificate" button and installed the certificate manually. Then this problem was solved.
But I want to check whether this is the way to install the certificate on the client machine, or whether there is any other way to do it automatically...
Please help me to solve this..
Thanks
Abdul
Abdul,
The problem seems to be that the certificate authority that created your certificate is not trusted by Windows.... That process of installing the root certificate on the client machines should not be needed if the certificate is obtained from the right certificate authority...
Where did you purchase your certificate from?
Regards,
Pablo Barvo - MSFT
-
Sending a certificate from the client to the server... how to ?
how can I send a certificate from the client to the server through Java code ??
Short answer: You specify a keyStore.
Either via command line using the -Djavax.net.ssl.keyStore=keystorefile property,
or in Java code:
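import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

char[] passphrase = "password".toCharArray();
SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
// KeyStore holding the SSL client certificate and its private key
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream in = new FileInputStream("client-cert.p12")) {
    keyStore.load(in, passphrase);
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
keyManagerFactory.init(keyStore, passphrase);
// keyStore for trusted server certs or CAs
KeyStore trustedKeyStore = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream("verisign-test-cert")) {
    trustedKeyStore.load(in, passphrase);
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
trustManagerFactory.init(trustedKeyStore);
// key managers present the client certificate; trust managers verify the server
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
// open the http connection to the party (myURL is the caller's java.net.URL)
HttpsURLConnection myConn = (HttpsURLConnection) myURL.openConnection();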