GoDaddy SAN certificate untrusted on clients

Similar Messages

• Standard or UUC/SAN certificate for RDS

  I successfully deployed RemoteApp using self-assigned certificate.
  Now is the time to replace it with Trusted one.
  From what I found UUC/SAN certificate will allow to secure subdomains, unique domains and websites.
  My RDS deployment is limited to one domain only.
  Does wildcard certificate means that during certificate creation on Trusted site (ex GoDaddy) I will have an option to enter:
  *.my_domain.com for a subject and then use it for any RDS server?
  So it will be just a standard certificate with wildcard.
  "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  Hi,
  If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the
  same server you can purchase a single-name certificate, which is much cheaper than a wildcard. 
  If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
  For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request.  Fill out the information, select 2048 bits, etc., save
  as a file.  Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authorities web site.
  The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response.  You can usually follow those if you are unsure.
  Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to Personal store, right-click on the certificate and export it and its Private key as a .pfx file.  This is what you will use to apply the certificate in Server
  Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab.  You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
  -TP

• Trial SAN Certificate & Outlook Anywhere (RPC over HTTP) test fail

  I am testing exchange 2013 where autodiscover pass while performing Outlook Anywhere (RPC over HTTP) connectivity test failed with invalid SSL certifiate . I am only using self certifiate .do any one idea if any CA provding SAN certificate trial basis.
  Don't forget to mark helpful or answer
  connect me :-
  http://in.linkedin.com/in/satya11
  http://facebook.com/satya.1000

  Hi,
  Agree with the above suggestion, ExRCA test cannot pass with self-signed certificate. And to ensure Outlook Anywhere work well , we need to install the self-signed certificate on all clients machines.
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• Server Name VS Outlook Anywhere Proxy Server and the behaviour I should expect when using SAN certificates...

  (I'll upload screen captures if needed once my account gets verified)
  I have a basic (as in freshly installed single exchange server 2010 SP3) Exchange Server installation. I've setup Outlook Anywhere. I've also setup a SAN (SubjectAltName) certificate.
  My setup:
  ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
  mail.eci.XXXX.XX = an A record I've setup to access my exchange server. It is also a subjectAltName in my SAN certificate
  When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my exchange server using RPC over HTTPS.
  Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name, in Outlook..
  But it does not work. The proxy will give me an error each time, like that:
  HTTP    544    RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
  HTTP    635    HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
  HTTP    123    HTTP/1.0 503 RPC Error: 6ba
  My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
  Thanks!

  Hi,
  Firstly, I’d like to explain, the server name tab should be filled with your mailbox server name in the process of configuring Exchange 2010 account.
  And the Outlook Anywhere proxy server is configured at the server side and cannot be randomly defined at the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
  Thus, it’s an expected behavior that we would get error if we randomly enter name in the server name tab when we configure an account. If I misunderstand your meaning, please feel free to let me know.
  Additionally, Autodiscover service can help us automatically complete the configuration of the Outlook account. And how about the result if you use the Autodiscover to automatically configure the account?
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• SAN certificate for external access for edge server and reverse proxy

  Hello
  I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
  For external access and mobile user's , Iwant to enable all the feature for external user's .
  im planning to purchase san certificate ,
  my first question do I need only one SAN for both my edge server and the reverse proxy ?
  my second question about the name's that shoud be added to the certificate ?
  sip.mydomain.com
  av.mydomain.com
  webconf.mydomain.com
  what else I should add ? I want to add the names for all feature access.
  Kind Regards
  MK

  Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
  If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
  You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
  SAN on your cert.
  Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
  Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
  can present the third party certificate.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Exchange SAN Certificate Help!

  Hello,
  I need some help in troubleshooting a problem I have with a customers’ Exchange 2007 server.
  I installed a new SSL SAN cert on their only Exchange server yesterday, and today users are receiving certificate name mismatch prompts when opening their Outlook 2007 clients.
  The previous cert had the local host name in the SAN cert, but given the changes around using local host names in certs soon to be implemented, I Ieft these entries out this time around with the new cert.
  I already have a split horizon DNS zone within the local domain, which contains an A record for Autodiscover.
  So, the setup is as follows:-
  New SSL SAN cert:
  CN= mail.domain.co.uk
  SAN= autodiscover.domain.co.uk, owa.domain.co.uk
  Split horizon DNS zone: (within domain.local AD domain)
  autodiscover.domain.co.uk
  A record: autodiscover.domain.co.uk = IP of Exchange server
  The output from an Outlook client auto configuration test are listed below:
  <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=TestUser1</LegacyDN>
        <DeploymentId>64a06c34-547e-44d8-8885-aa8fd530e2a1</DeploymentId>
      </User>
      <Account>
        <AccountType>email</AccountType>
        <Action>settings</Action>
        <Protocol>
          <Type>EXCH</Type>
          <Server>EXCHSRV01.domain.local</Server>
          <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01</ServerDN>
          <ServerVersion>72038053</ServerVersion>
          <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01/cn=Microsoft Private MDB</MdbDN>
          <PublicFolderServer>EXCHSRV01.domain.local</PublicFolderServer>
          <AD>EXCHSRV01.domain.local</AD>
          <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
          <EwsUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</EwsUrl>
          <OOFUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</OOFUrl>
          <UMUrl>https://EXCHSRV01.domain.local/UnifiedMessaging/Service.asmx</UMUrl>
          <OABUrl>http://EXCHSRV01.domain.local/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
        </Protocol>
        <Protocol>
          <Type>EXPR</Type>
          <Server>mail.domain.co.uk</Server>
          <SSL>On</SSL>
          <AuthPackage>Ntlm</AuthPackage>
          <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
          <EwsUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</EwsUrl>
          <OOFUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</OOFUrl>
          <OABUrl>http://mail.domain.co.uk/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
        </Protocol>
        <Protocol>
          <Type>WEB</Type>
          <External>
            <OWAUrl AuthenticationMethod="Fba">https://mail.domain.co.uk/owa</OWAUrl>
            <Protocol>
              <Type>EXPR</Type>
              <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
            </Protocol>
          </External>
          <Internal>
            <OWAUrl AuthenticationMethod="Basic, Fba">https://EXCHSRV01.domain.local/owa</OWAUrl>
            <Protocol>
              <Type>EXCH</Type>
              <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
            </Protocol>
          </Internal>
        </Protocol>
      </Account>
    </Response>
  </Autodiscover>
  As the SCP was originally pointing to the local fqdn of the Exchange server, I have amended the binding in ADSS so that the SCP now points to the autodiscover.domain.co.uk A record instead.
  I took this step because even with the internal URL for Autodiscover's virtual directory set to https://autodiscover.domain.co.uk/Autodiscover/autodiscover.xml this path was ignored and Outlook defaulted to the fqdn of the local server.
  I thought this might rectify the issue but to no avail.
  The security prompt when opening Outlook still references the fact that the EXCHSRV01.domain.local does not match the CN of the cert mail.domain.co.uk.
  Can anyone assist in troubleshooting this further?
  Regards
  Matt
  Matt

  Hi Matt,
  We can run the following command to check your certificate settings in your Exchange server:
  Get-ExchangeCertificate | FL
  If your SAN certificate is assigned with IIS service, please change your internal URLs to match your SAN certificate names with IIS service. We can refer to the following KB to achieve Internal URLs changes:
  http://support.microsoft.com/kb/940726
  Thanks,
  Winnie Liang
  TechNet Community Support

• Godaddy SSL certificate installation problems - intermediate certificate not being recognized

  domain = mail.gottfried.org
  Installed both the certificate and the intermediate certificate from godaddy (used the 10.6 mac os x version)
  Response from:
  http://www.sslshopper.com/ssl-checker.html#hostname=mail.gottfried.org
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GoDaddy's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
  When I check in 0000_any_443_.conf
  I see:
  SSLCertificateFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. cert.pem
  SSLCertificateKeyFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. key.pem
  SSLCertificateChainFile "/etc/certificates/mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE. chain.pem
  I am assuming that the intermediate certificate should be:
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.chain.pem
  When I look at that certicate it is the same as
  mail.gottfried.org.1E5F3C903B64E78E3241929B16F616D1DDD130FE.cert.pem
  When I check keychain and exported both the mail.gottfried.org certificate and also the starfield secure certification authority they match what was installed initially (what I downloaded from Godaddy).
  It looks like in the install process the intermediate certificate is not being linked to the ssl certificate and that the ssl certificate is being used for the chain.
  Anyone have any suggestions?
  I have talked to both Godaddy and Apple Enterprise support. Godaddy has nothing past 10.6 instruction wise (though the support person really tried to help). The Apple rep couldnt really help and if I really want help from them I need to talk to integration where costs start at $700....
  Anyone have an SSL provider that worked properly with 10.8  or has really good support for mountain lion server?
  Please let me know.
  Thanks!

  While you still can, get a refund for the certificate, and get a certificate from somebody else, and preferably one that doesn't need an intermediate?  That'll be the easiest.
  If you're not doing ecommerce or otherwise dealing with web browsers and remote clients that you don't have some control over or affiliation with, you can use a private certificate and get equivalent (or arguably better) security.  Running your own certificate authority does mean you'll learn more about certificates, though.
  Here and here are general descriptions of getting certificates and intermediate certificates loaded, and some troubleshooting here and particularly here (TN2232).  I have found exiting Keychain Access to be a necessary step on various versions.  It shouldn't be, but...
  FWIW and depending on your particular DNS setup and whether you're serving multiple web sites, you'll need a multiple-domain certificate.
  Full disclosure: I've chased a few of these cases around for customers, and it can take an hour or three to sort out what the particular vendor of math, err, certificates has implemented, to confirm the particular certificate formats and possibly convert the certificates where necessary, and to generally to sort out the various posted directions and confusions.  (I'm not particularly fond of any of the major math, err, certificate vendors, either.)

• Godaddy SSL certificate on weblogic

  Hello,
  Recentally I purchased ssl certificate from godaddy, they send me 2 files (mydomain.crt) and (gd_bundle.crt).
  now I don't know how to create .pem file just to complete the installation. below the instruction I did.
  - keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
  - keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
  here when I enter this I get an error ( keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found). so how to create the CertChain.pem from the files I got from godaddy.
  - keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
  - keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
  Keytool –list –v –keystore <keystore-name> -storepass <keystore-password>

  I found out how to install godaddy ssl certificate on weblogic follow the link below.
  http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
  but I still get This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

• Problem connecting to godaddy exchange server via outlook client

  I am pretty much having a very similar problem here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/437c5f8d-3a42-4689-90b4-13fd2749373f/go-daddy-ucc-certificate-exrca-can-only-validate-the-certificate-chain-using-the-root-certificate?forum=exchangesvr3rdpartyappslegacy
  When I set up in outlook, I have noticed this in advanced connection settings:
  the URL is required
  mail.ex4.secureserver.net
  Then check connect SSL only
  Only connect to proxy servers with this principal name
  msstd:mail.ex4.secureserver.net
  When I use the connect principal, it works fine, but otherwise if it is not checked, it won't connect to the server.
  http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26423254.html
  However, when I restart outlook, because I have multiple exchange accounts, they keep becoming "unchecked".
  Everything worked fine about 48 hours ago, and now... all these problems.
  Here is my log from the testing site:
  Connectivity Test Failed
  Test Details
      Testing Outlook connectivity.
       The Outlook connectivity test failed.
      Additional Details
  Elapsed Time: 3897 ms.
      Test Steps
      Testing RPC over HTTP connectivity to server mail.ex4.secureserver.net
       RPC over HTTP connectivity failed.
      Additional Details
  HTTP Response Headers:
  Content-Type: text/html
  Server: Microsoft-IIS/7.5
  WWW-Authenticate: Negotiate,NTLM
  X-Powered-By: ASP.NET
  Date: Fri, 13 Feb 2015 01:07:27 GMT
  Content-Length: 58
  Elapsed Time: 3897 ms.
      Test Steps
      Attempting to resolve the host name mail.ex4.secureserver.net in DNS.
       The host name resolved successfully.
      Additional Details
  IP addresses returned: 72.167.83.115
  Elapsed Time: 95 ms.
      Testing TCP port 443 on host mail.ex4.secureserver.net to ensure it's listening and open.
       The port was opened successfully.
      Additional Details
  Elapsed Time: 110 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Additional Details
  Elapsed Time: 461 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.ex4.secureserver.net on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
      Additional Details
  Remote Certificate Subject: CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US, Issuer: SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository,
  O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
  Elapsed Time: 356 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
  Host name mail.ex4.secureserver.net was found in the Certificate Subject Common name.
  Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US.
       One or more certificate chains were constructed successfully.
      Additional Details
  A total of 1 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
  Elapsed Time: 39 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
      Additional Details
  The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
  Elapsed Time: 5 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
  The certificate is valid. NotBefore = 11/29/2012 8:39:18 PM, NotAfter = 11/29/2015 8:39:18 PM
  Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
  Accept/Require Client Certificates isn't configured.
  Elapsed Time: 232 ms.
      Testing HTTP Authentication Methods for URL https://mail.ex4.secureserver.net/rpc/rpcproxy.dll?mail.ex4.secureserver.net:6002.
       The HTTP authentication methods are correct.
      Additional Details
  The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Negotiate, NTLM
  HTTP Response Headers:
  Content-Type: text/html
  Server: Microsoft-IIS/7.5
  WWW-Authenticate: Negotiate,NTLM
  X-Powered-By: ASP.NET
  Date: Fri, 13 Feb 2015 01:07:27 GMT
  Content-Length: 58
  Elapsed Time: 146 ms.
      Attempting to ping RPC proxy mail.ex4.secureserver.net.
       RPC Proxy was pinged successfully.
      Additional Details
  Elapsed Time: 224 ms.
      Attempting to ping the MAPI Mail Store endpoint with identity: mail.ex4.secureserver.net:6001.
       The attempt to ping the endpoint failed.
        Tell me more about this issue and how to resolve it
      Additional Details
  The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.
  Elapsed Time: 2626 ms.

  Here is another test from the autodiscover:
      The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
       Autodiscover was tested successfully.
      Additional Details
  Elapsed Time: 1745 ms.
      Test Steps
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service was tested successfully.
      Additional Details
  Elapsed Time: 1745 ms.
      Test Steps
      Attempting to test potential Autodiscover URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml
       Testing of the Autodiscover URL was successful.
      Additional Details
  Elapsed Time: 1745 ms.
      Test Steps
      Attempting to resolve the host name MYDOMAIN.com in DNS.
       The host name resolved successfully.
      Additional Details
  IP addresses returned: xx.168.xx.74
  Elapsed Time: 59 ms.
      Testing TCP port 443 on host MYDOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      Additional Details
  Elapsed Time: 60 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Additional Details
  Elapsed Time: 197 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server MYDOMAIN.com on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
      Additional Details
  Remote Certificate Subject: CN=MYDOMAIN.com, OU=Domain Control Validated, Issuer: CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
  Elapsed Time: 132 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
  Host name MYDOMAIN.com was found in the Certificate Subject Common name.
  Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=MYDOMAIN.com, OU=Domain Control Validated.
       One or more certificate chains were constructed successfully.
      Additional Details
  A total of 2 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
  Elapsed Time: 27 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
      Additional Details
  The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
  Elapsed Time: 4 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
  The certificate is valid. NotBefore = 7/2/2014 2:30:01 AM, NotAfter = 7/2/2015 2:30:01 AM
  Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
  Accept/Require Client Certificates isn't configured.
  Elapsed Time: 673 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
      Additional Details
  Elapsed Time: 754 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml for user [email protected].
       The Autodiscover XML response was successfully retrieved.
      Additional Details
  Autodiscover Account Settings
  XML response:
  <?xml version="1.0"?>
  <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <User>
  <DisplayName>[email protected]</DisplayName>
  </User>
  <Account>
  <AccountType>email</AccountType>
  <Action>settings</Action>
  <Protocol>
  <Type>IMAP</Type>
  <Server>MYDOMAIN.com</Server>
  <Port>993</Port>
  <DirectoryPort>0</DirectoryPort>
  <ReferralPort>0</ReferralPort>
  <SSL>on</SSL>
  <DomainRequired>off</DomainRequired>
  <SPA>off</SPA>
  <AuthRequired>on</AuthRequired>
  <LoginName>[email protected]</LoginName>
  </Protocol>
  <Protocol>
  <Type>SMTP</Type>
  <Server>MYDOMAIN.com</Server>
  <Port>465</Port>
  <DirectoryPort>0</DirectoryPort>
  <ReferralPort>0</ReferralPort>
  <SSL>on</SSL>
  <DomainRequired>off</DomainRequired>
  <SPA>off</SPA>
  <AuthRequired>on</AuthRequired>
  <LoginName>[email protected]</LoginName>
  </Protocol>
  </Account>
  </Response>
  </Autodiscover>
  HTTP Response Headers:
  Keep-Alive: timeout=15, max=256
  Connection: Keep-Alive
  Content-Length: 1227
  Content-Type: application/xml; charset="UTF-8"
  Date: Fri, 13 Feb 2015 01:14:56 GMT
  Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
  Elapsed Time: 754 ms.

• Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

  I've read this article of technet, but I couldn't undarstand requied values of SubjectAltname.
  https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
  For example, if I build following servers, what SAN needs ?
  It is happy to also tell me why.
  [ServerNames]
   AD DS Server:DS01
   AD FS Server:FS01
   Web Application Proxy Server:PRX01
   SharePoint Server(WFE):WFE01
   SharePoint Server(APL):APL01
   SQL Server:DB01
  [AD DS Domain Name]
   contoso.local
   (Please be assumed that above all servers join this domain)
  [Site collection strategy]
   using a host-named site collection
  [Primary web application URL]
   https://sps.contoso.com
  Thanks.

  Hi,
  From your description, my understanding is that you have some doubts about SAN.
  If you have a SAN, you can leverage it to make SharePoint
  a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. What you could refer to this blog:
  http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what SAN needs from part “Some
  SAN Basics” in this blog.
  These articles may help you understand SAN:
  https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
  http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
  http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
  Best Regard
  Vincent Han
  TechNet Community Support

• I opened a file on my desktop that I don't remember putting there.  It turned out to be a keychain certificate from a client of ours.  Does this mean that they were spying on me?  What is the deal with that?  Any ideas?

  I opened a file on my desktop that I don't remember putting there. We use many photos and I thought it was a photo file I was looking for. It turned out to be a keychain certificate from a client of ours.  Does this mean that they were spying on me?  What is the deal with that?  Any ideas?

  Interesting tid bit.  I created an AAC of the original file, deleted the original MP3 from my library and also deleted the Clean matched track from the icloud.
  Result is that it matched with the explicit version of Mrs. Officer this time.
  What I am curious about is which songs this is happening for. I've went thru a few batched of about 500 songs at a time and redownloaded in 256k for many tracks. Sadly we don't have people to bring this to our attention and I have so much music that it's impossible to go thru every song to make sure I am getting the right version.

• Accepted domains in Exchange SAN certificate

  Hi All,
  I am having few queries please clarify me .
  In my environment ,i having the accepted domains list like below 
  xyz.com
  abc.com
  All the users in my organisation is having the primary smtp address as [email protected] and secondary smtp address as [email protected]
  In my san certificate i am not having any of the above mentioned accepted domains.
  Do i need to have all the accepted domains on the SAN certificate or else only primary smtp address domain suffix is enough ?
  In case if don't have any of my accepted domains suffixes in SAN certificate what will happen ? Because why i am asking is i am not getting any certificate related errors ?
  As an additional info , we are using the single namespace for exchange services like owa ,activesync ,pop/imap  and outlook anywhere (both internal & external ) and that name is available in my SAN certificate.
  Autodiscover namespace is also included in my SAN certificate .
  Thanks S.Nithyanandham

  Hi Imkottees,
  Thanks a lot for your immediate response.
  But still i am having some queries please explain me what you are trying to explain on this below line ?
  "But you need this for all Primary domains used in your environment"
  Regards
  S.Nithyanandham
  Thanks S.Nithyanandham

• How to install certificate in im client

  i can't find the procedure for installing a certificate in the client - i did the server part:
  http://docs.sun.com/app/docs/doc/819-4412/6n6ikpsut?a=view
  but now i can't find how to do the client part - i'm just using the standard im client obtained from:
  https://localhost/im
  which does a jnlp activation.

  ok - woo hoo - tls encryption kicked in - so i found a parameter that i had not set that was mentioned in the reference section, but overlooked (by me?) in the procedure: iim_server.certnickname - i had wondered how it knew which cert to pull, so i had named the cert the same name as the host to compensate - and there was, after all, only one cert in the file. anyway that plus using the sun mozilla browser on the same host as the im server caused the lock to turn on in the im frame. unfortunately - when i used a mac to try and have a conversation - the mac lock did not turn on - the java version on the mac is:
  java version "1.5.0_07"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-164)
  Java HotSpot(TM) Client VM (build 1.5.0_07-87, mixed mode, sharing)
  the version on the sun is: 1.5.0_09-b-3. i'll open a forum question about whether a mac is supported and then i'll try im with tls on a pc, then i'll use snoop to make sure the conversation is encrypted. i used the mac in all my testing yesterday - so i t could be that the sun mozilla browser may have been working all along - who knows?

• How to install SSL Certificates automatically in Client machine

  Hi All
         I have installed Certificates for SSL in Planning server machine for Planning Web services.While connneting to Server through excel-addin from client machine it is not connecting
   Error is bleow:
  "The underlying connection was closed : could not establish trust relationship for the SSL/TLS secure channel" and then getting the following error
  "The PerformancePoint Server System is currently unavailable"
  I got it this is due to Certification not installed in client machine.
  So i tried to install certificate through IE web browser ..i typed webservices links ..i.e https://servername:443 in address box
  ..not admin console link.Because if i connect to Admin console then i connect to Planning server it is  not showing me the dialog box  " Security Alert "
  So typed direcly  webservices in address box.Then "Security Alert" dialog box opened ,In that i clicked "View Certificate" button and installed manually.Then this problem solved.
  But i want to check this is a way to install cerficate in the client machine or there is any other way to do it automatically...
  Please help me to solve this..
  Thanks
  Abdul

  Abdul,
  The problem seems to be that the certificate authority that created your certificate is no trusted by Windows.... That process of installing the root certificate in the clients machines should not be needed if the ceritifcate is obtained from the right ceritifcate authority...
  Where did you purchased your certificate from?
  Regards,
  Pablo Barvo - MSFT

• Sending a certificate form the client to the server... how to ?

  how can I send a certificate from the client to the server trough a Java code ??

  Short answer: You specify a keyStore.
  Either via command line using the -Djavax.net.ssl.keyStore=keystorefile property,
  or in Java code:
  char[] passphrase = "password".toCharArray();
  SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
  // KeyStore for the SSL client certificate
  KeyStore keyStore = KeyStore.getInstance("PKCS12");
  keyStore.load(new FileInputStream("client-cert.p12"), passphrase);
  KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
  keyManagerFactory.init(keyStore, passphrase);
  // keyStore for trusted server certs or CAs
  KeyStore trustedKeyStore = KeyStore.getInstance("JKS");
  trustedKeyStore.load(new FileInputStream("verisign-test-cert"), passphrase);
  TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
  trustManagerFactory.init(trustedKeyStore);
  ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
  SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
  HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
  // open the http connection to the party
  myConn = (HttpsURLConnection)myURL.openConnection();