Lync Connectivity Analyzer Certificate Error

The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server lyncedgesvr.redfoxtechnologies.net on port 443.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 456 ms.
I got the following certificate error when trying to test the remote connection from the Lync Connectivity Analyzer, but we have purchased a Comodo PositiveSSL Multi-Domain. What do I need to do? Please help. I have contacted the SSL provider but they don't even know the problem.
The public certificate is bound only on the Lync Edge Server and there is no public certificate on the Lync Federation Server.
The Lync Edge server is not using NAT; it is directly connected to the internet, or the public IP address is mounted on the LAN.
I have used only one public IP address.

Hi Everyone,
I am not using a reverse proxy; I only used the following:
Pfsense: Public IP
Lync Fe : Single internal IP
Lync Edge : External Public IP no NAT
Lync Edge : Internal IP
Based on the Lync Validator below, it says that I should create a NAT of the Lync Fe Server to the external IP 103.17.21.198, then issue a public certificate to the internal of Lync Fe, just because I don't have an external for Lync Fe and I only have one LAN. Correct me if this validator is wrong.
For the Certificate CAN I USE THE "Comodo PositiveSSL Multi-Domain"?
Internal DNS:
Internal DNS Records

| Type | Service | Protocol | Domain | Host | PRI | Weight | Port | Description |
|---|---|---|---|---|---|---|---|---|
| SRV | _sipinternaltls | _tcp | redfoxtechnologies.net | sip.redfoxtechnologies.net | 0 | 0 | 5061 | Automatic Login |

| Type | FQDN | IP | Description |
|---|---|---|---|
| A | dialin.redfoxtechnologies.net | 10.10.10.11 | Simple URL Dialin |
| A | lyncadmin.redfoxtechnologies.net | 10.10.10.11 | Simple URL Admin |
| A | lyncdiscoverinternal.redfoxtechnologies.net | 10.10.10.11 | Internal Lync client discovery. |
| A | lyncedgesvr.redfoxtechnologies.net | 172.0.0.113 | Edge Pool Name |
| A | lyncedgesvr.redfoxtechnologies.net | 172.0.0.113 | Edge Server #1 |
| A | lyncfesvr.redfoxtechnologies.net | 103.17.21.198 | External Web Services |
| A | lyncfesvr.redfoxtechnologies.net | 10.10.1.1 | Front-End Server #1 |
| A | lyncfesvr.redfoxtechnologies.net | 10.10.10.11 | Internal Web Services |
| A | lyncpool.redfoxtechnologies.net | 10.10.1.1 | Front-End Server #1 |
| A | meet.redfoxtechnologies.net | 10.10.10.11 | Simple URL Meet |
| A | sip.redfoxtechnologies.net | 10.10.1.1 | Front-End Server #1 |
External DNS:
External DNS Records

| Type | Service | Protocol | Domain | Host | PRI | Weight | Port | Description |
|---|---|---|---|---|---|---|---|---|
| SRV | _sip | _tls | redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net | 0 | 0 | 443 | Automatic Login |
| SRV | _sipfederationtls | _tcp | redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net | 0 | 0 | 5061 | Lync Federation Discovery |

| Type | FQDN | IP | Description |
|---|---|---|---|
| A | dialin.redfoxtechnologies.net | 103.17.21.198 | Simple URL Dialin |
| A | lyncdiscover.redfoxtechnologies.net | 103.17.21.198 | Lync client discovery. |
| A | lyncedgesvr.redfoxtechnologies.net | 103.17.21.196 | Access Edge #1 |
| A | lyncedgesvr.redfoxtechnologies.net | 0.0.0.0 | Web Conferencing #1 |
| A | lyncedgesvr.redfoxtechnologies.net | 0.0.0.0 | AV #1 |
| A | lyncfesvr.redfoxtechnologies.net | 103.17.21.198 | External Web Services |
| A | meet.redfoxtechnologies.net | 103.17.21.198 | Simple URL Meet |
Internal Certificates

| Type | Server | SN | SAN | EKU | Description |
|---|---|---|---|---|---|
| Internal | Front-End | lyncpool.redfoxtechnologies.net | lyncpool.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net, meet.redfoxtechnologies.net, dialin.redfoxtechnologies.net, lyncadmin.redfoxtechnologies.net, lyncdiscoverinternal.redfoxtechnologies.net, lyncdiscover.redfoxtechnologies.net, sip.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net | Server | SAN/UCC Certificate for Front-End Pool |
| Internal | OAuth | redfoxtechnologies.net | | Server | OAuth |
| Internal | Edge Server | lyncedgesvr.redfoxtechnologies.net | | Server | Certificate for Internal Edge |
External Certificates

| Type | Server | SN | SAN | EKU | Description |
|---|---|---|---|---|---|
| Public | Lync Edge | lyncedgesvr.redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net, lyncedgesvr.redfoxtechnologies.net | Server Client | SAN/UCC Certificate for Edge Server |
| Public | Reverse Proxy | lyncfesvr.redfoxtechnologies.net | meet.redfoxtechnologies.net, dialin.redfoxtechnologies.net, lyncdiscover.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net | Server | SAN/UCC Certificate for Reverse Proxy |
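
A name-coverage and DNS sanity check run over the validator output above, as an added example that is not part of the original post or of Lync Validator. The two sample SAN lists are constructed assumptions (the SAN list of the certificate actually purchased is not shown in the post), and the function names are hypothetical.

```python
import ipaddress

# Names (SN + SAN) the validator's "External Certificates" table lists
# for each public certificate.
REQUIRED_PUBLIC_NAMES = {
    "Lync Edge": ["lyncedgesvr.redfoxtechnologies.net"],
    "Reverse Proxy": [
        "lyncfesvr.redfoxtechnologies.net",
        "meet.redfoxtechnologies.net",
        "dialin.redfoxtechnologies.net",
        "lyncdiscover.redfoxtechnologies.net",
    ],
}

# A records from the validator's "External DNS Records" table:
# (FQDN, IP, description).
EXTERNAL_A_RECORDS = [
    ("dialin.redfoxtechnologies.net", "103.17.21.198", "Simple URL Dialin"),
    ("lyncdiscover.redfoxtechnologies.net", "103.17.21.198", "Lync client discovery"),
    ("lyncedgesvr.redfoxtechnologies.net", "103.17.21.196", "Access Edge #1"),
    ("lyncedgesvr.redfoxtechnologies.net", "0.0.0.0", "Web Conferencing #1"),
    ("lyncedgesvr.redfoxtechnologies.net", "0.0.0.0", "AV #1"),
    ("lyncfesvr.redfoxtechnologies.net", "103.17.21.198", "External Web Services"),
    ("meet.redfoxtechnologies.net", "103.17.21.198", "Simple URL Meet"),
]

# Constructed sample SAN lists (assumptions, not the certificate actually issued).
EDGE_ONLY_CERT = ["lyncedgesvr.redfoxtechnologies.net"]
WILDCARD_CERT = ["redfoxtechnologies.net", "*.redfoxtechnologies.net"]


def name_matches(cert_name, host):
    """Strict RFC 6125 style comparison of one certificate name with one host.

    Case-insensitive; '*' is honoured only as the entire leftmost label and
    stands for exactly one label, so '*.example.net' matches neither
    'example.net' nor 'a.b.example.net'. Partial wildcards such as
    'f*.example.net' are compared literally and therefore never match.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Refuse wildcards directly under a top-level label ('*.net').
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def uncovered_names(cert_sans, required_by_role):
    """Return {role: [required names that no SAN entry matches]}.

    This checks name matching only; it says nothing about whether a given
    Lync role accepts wildcard entries.
    """
    gaps = {}
    for role, names in required_by_role.items():
        missing = [
            name for name in names
            if not any(name_matches(san, name) for san in cert_sans)
        ]
        if missing:
            gaps[role] = missing
    return gaps


def lint_external_a_records(records):
    """Return (fqdn, description, problem) for records Internet clients cannot use."""
    findings = []
    for fqdn, ip, description in records:
        addr = ipaddress.ip_address(ip)
        if addr.is_unspecified:
            findings.append((fqdn, description, "0.0.0.0 placeholder, no address assigned"))
        elif not addr.is_global:
            findings.append((fqdn, description, f"{ip} is not publicly routable"))
    return findings


if __name__ == "__main__":
    for label, sans in (("edge-only", EDGE_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, "certificate leaves uncovered:",
              uncovered_names(sans, REQUIRED_PUBLIC_NAMES))
    for finding in lint_external_a_records(EXTERNAL_A_RECORDS):
        print("DNS:", *finding)
```
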

Similar Messages

  • Lync is attempting to connect to certificate error

    The Lync Basic version prompts a certificate error, but Lync Pro Plus did not.
    It is different sip domain lync with error.
    Certificate is ok.
    SRV records are added in two domain zones.
    sipinternaltls._tcp._domainA.com 5061
    lyncdiscover.domainA.com
    lyncdiscoverinternal.domainA.com
    sip.domainA.com
    sipinternaltls._tcp._domainB.com 5061
    lyncdiscover.domainB.com
    lyncdiscoverinternal.domainB.com
    sip.domainB.com
    Any idea? Thanks.

    Did you try the problem user account on the Lync pro plus system?
    Did you try the working account on the Lync basic system?
    Is the Issuing Root CA certificate trusted by the basic system?
    Have you turned on and reviewed the client side logs (http://blogs.msdn.com/b/leoncon/archive/2013/05/15/where-are-all-the-troubleshooting-logs-in-lync-2013.aspx)? 
    Also go through this guide:
    https://support.office.com/en-us/article/Troubleshooting-Lync-sign-in-errors-448b8ea7-5b33-444a-afd4-175fc9930d05, could be something as simple as wrong date/time.
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.
    Yes, I am using the same accounts to test. All are new AD accounts; let me try to turn on the log file to trace.

  • Iphone getting a certificate error logging into Lync 2013

    Hello,
    I am having a strange issue with Lync Mobility. Android seems to work just fine, but my iPhone clients are throwing certificate errors. Everything is showing up properly in the Lync Connectivity Analyzer. The LyncDiscover URL seems to work just fine.
    Anyone run into issues specifically with certificates and iPhone?

    Check the following KB about Lync Mobile users cannot sign in after they update to client version 5.4:
    http://support.microsoft.com/kb/2965499/en-us
    Lisa Zheng
    TechNet Community Support

  • Certificate error when Lync client login through VPN connection

    Hello,
    I am using the certificates from an internal cert authority on Lync 2013 frontend servers and on the edge server internal network. Edge external is using a third-party certificate.
    The users always use MS VPN connection when work remotely. We have multiple subnets in the company so "use default gateway on remote network" is enabled for routing.
    When the users try to log in Lync client from non-domain joined computers while on VPN, they can't log in and get certificate error. It is hard to import the internal certificate on the computers.
    What change do I need to do to the Lync certificates? Thanks

    You have a few options:
    1) You could attempt to hardcode the client so that it always connects through the edge.  This can be done through tools->options->personal->advanced->manual configuration (but you may have to hardcode the FQDN in your hosts file so it doesn't
    attempt to resolve via internal DNS).  This may not work since your firewall may not be too happy with "internal" traffic leaving and coming back through the edge.
    2) Write a script that helps automate the certificate installation and try to walk users through it.
    3) Bite the bullet and use a third party certificate on the internal servers.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • ERROR 14614 on Front End when testing with Remote Connectivity Analyzer

    Hello forum
    Does the Lync Remote Connectivity Analyzer not support 128 encryption?
    The reason I'm asking is the following:
    When I test my Lync edge server. I get the following error on the RCA result page:  RegisterException.
    After this error on the RCA, the event 14614 is logged on my Standard Edition Front end server.
    INFO:
    User authentication with NTLM protocol failed with error SEC_E_UNSUPPORTED_FUNCTION. This indicates a potential mismatch between security policy settings on the client and server computers.
    Cause: This error can occur if the settings in "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" policy on the client computer are not the same as the settings in the "Network security: Minimum
    session security for NTLM SSP based (including secure RPC) servers" policy on this server.  By default, the "Require 128-bit encryption" setting is disabled for computers running Windows Server 2008, Windows Vista, Windows Server 2003,
    Windows 2000 Server, or Windows XP. For computers running Windows 7 or Windows Server 2008 R2, this setting enabled by default.
    Resolution:
    Ensure that the "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" policy settings on the computers from which users log on are the same as "Network security: Minimum session security for NTLM SSP based
    (including secure RPC) servers" policy settings on this server.
    All of our Lync servers are running on Windows 2012 R2. So why this error from the RCA?

    Please check your settings on the client and on the server.
    I know this is old blog info, but it described the problem.
    http://blogs.technet.com/b/rogulati/archive/2011/04/30/lync-2010-ntlm-sec-policy-mismatch-error-cannot-sign-from-xp-clients.aspx
    http://blog.ucomsgeek.com/2011/01/lync-2010-ntlm-client-authentication.html
    regards Holger Technical Specialist UC
    Thanks for the answer, but in this case the "Client" is the Remote Connectivity Analyzer. So my question was, why is it not working with that? Does the RCA not support 128 bit?

  • Unable to Connect to my organization's EAS using MS Mail app since upgrade to Windows 8.1 -- certificate error

    Last November, my ASUS laptop forced me to update to Windows 8.1.  Since then, I cannot connect to my organization's mobile EAS using the Mail/Calendar/People app.  The Mail app says "We could not connect to .... because of problems with its
    digital certificates.  Contact your system administrator for info."  I also tried to delete the account and recreate it.  At the account info screen, it gave a related error message, stating "To connect to this account, you need a
    valid certificate on the PC. Contact your system administrator for more info."
    In trying to recreate the account, I note that the 8.1 Mail app appears to have combined all EAS connections -- I seem to recall different options for connecting previously, including one that was more specific to mobile EAS connections.  My organization
    only supports connection to mobile devices, and I continue to be able to connect via Windows phone, Android (iOS devices also supported).
    I have done some digging and see that in my Windows Certificate Manager, there is a Personal Certificate with an error message. It's a "Token Signing Public Key" for "Client Authentication" using an RSA Public Key, but under the Certification
    Path tab, the status states "The issuer of the certificate could not be found."  I suspect this is the certificate that my organization's server is sending but is no longer being recognized by Windows 8.1.
    My organization has been unwilling to support me on this.  They point to the fact that all other devices work, my connection worked with Windows 8.0, and they don't have enough users that connect via Windows 8.1 laptops/tablets to troubleshoot on their
    end.  They also don't want to change setting that then cause other users to lose connectivity on the more commonly used mobile devices.
    So, to trouble shoot myself, I have looked up posts on related issues and I have done all of the following to no avail:
    - Make sure my Windows is up to date, including that latest Certificate/Credential update;
    - Uninstalled the Mail/Calender/People App, restarted, and reinstalled it;
    - Had MS Online support try to trouble shoot.  They created a test account and tried to connect using that to no avail.
    Notably, I have two Windows 8.1 machines -- my wife and I got matching ASUS laptops that both upgraded to 8.1 from 8.0  -- and I am unable to connect to my organization's mobile EAS using either machine. 
    To me, this is clearly a Windows 8.1 issue.  The Mail/Calendar/People app should interface with mobile EAS exactly the same way that other mobile OSes do.  Apparently this was the case with Windows 8.0, but no longer. 
    The last thing I'll add is that my organization requires password and remote wiping when connecting to the mobile EAS.  But, this wasn't an issue when I had Windows 8.0 -- it connected fine and mandated password and remote wipe features.
    NOTE: I originally posted this question on the Windows 8.1 TechNet forum and was told by an MS Engineer Soumya Sunda Debroy to repost in this forum. 
    PLEASE ADVISE.  YOUR HELP IS APPRECIATED.
    - Dan

    Per the post above, I was pointed to Microsoft's remote connectivity analyzer and it appears to me that the GoDaddy Certificate -- which was compatible with Windows 8, is not compatible with Windows 8.1.  (See results below.)
    I've also seen posts in other threads to "Ignore SSL errors" -- my Mail app doesn't present me that option, even though I uninstalled and reinstalled it.  So, can anyone help?
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 171 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server damobile.sccgov.org on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=*.sccgov.org, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona,
    C=US.
    Elapsed Time: 84 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    The host name that was found, damobile.sccgov.org, is a wildcard certificate match for common name *.sccgov.org.
    Elapsed Time: 0 ms.
    Validating certificate trust for Windows Mobile devices.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.sccgov.org, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
    Elapsed Time: 30 ms.
    Analyzing the certificate chains for compatibility problems with Windows Phone devices.
    Potential compatibility problems were identified with some versions of Windows Phone.
    Additional Details
    The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go
    Daddy Group, Inc.", C=US.
    Elapsed Time: 5 ms.
    The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
    All intermediate certificates are present and valid.
    Additional Details
    All intermediate certificates were present and valid.
    Elapsed Time: 1 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 8/7/2013 12:51:02 AM, NotAfter = 8/17/2016 4:07:52 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 149 ms.

  • Certificate error while connecting to multiple web service

    I am having a web service test client through which I can connects and get reports from multiple web services.
    In Development unix box, we are using "self-signed certificate" using keystore type JKS. In Production server, we are using certificate from CA.
    The web service is running in Development and in Production.
    Now I have developed single test client with a drop down selection for different web services. For example, if we select "Development", the request will go the development web service and if we select "Production", the request will go to Production web service.
    Now while connecting to the Development service, we are setting the below certificate details because we are using the self-signed certificate.
    System.setProperty("javax.net.ssl.keyStore",keyStoreFileLocation);
    System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
    System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
    System.setProperty("javax.net.ssl.trustStoreType",trustStoreType);
    System.setProperty("javax.net.ssl.trustStore",trustStoreFileLocation);
    System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
    I am clearing the System properties using the System.clearProperty() while pointing to Production service. because in Production we are using the CA certificate from Thawte so these details are not required at all and our JRE (java 5) is pre configured to support that CA certificate.
    I am using Resin-2.1.12, axis1.2 and java5.
    Now the problem is
    (1) for the first time, when I send the request to Production Service URL, the report gets generated. For the next time when we are running against Development, it's giving below certificate error.
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    (2) Now restart resin and run the test client against Development service URL, here report gets generated and for the next time, run the test client against Production, it's giving the certificate error.
    So for the 2nd request, it always gives the error irrespective of the web service instance selected.
    Please suggest ....thanks in advance.

    Hi  ,
    No, due to the issue is happening only on one computer.
    The error "(401) Unauthorized" usually indicates that the connection has been established but the permission check fails.  InfoPath Form Services uses the application pool identity of the web
    application to connect to resources.
    Does the account  which login the computer have permission to connect to User Profile Service Application?
    For a workaround, you can go to IIS Manager , set the User Profile Application Pool to Anonymous Access and try again.
    Also you can have a look at the blog:
    http://sharepointconnoisseur.blogspot.in/2011/04/how-to-resolve-401-unauthorized-error.html
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • Certificate error when connecting to RemoteApp outside of private network

    I have a server running Windows Server 2012 R2. It is configured as an all-in-one RDS server - all roles are installed on it. We've configured it primarily to use an application as a RemoteApp - the application is hosted at a different site, and this RDS
    server is at that site. We have a site to site VPN set up, so that it is all a part of our domain. The issue I'm having seems related to the fact that our internal network is .local, but the certificate only has a single .com name, so that we can access it
    from the Internet.
    Everything works, though what I'm trying to clear up is a certificate error. When connecting to the RemoteApp from outside of our private network, we get the error "The server name on the certificate is incorrect." This occurs after entering
    credentials.  The public name of the server (rds.contoso.com) is different from the private name (server.contoso.local).  We can proceed through the error and connect (though we'd like to fix it).
    I implemented a fix that I found elsewhere to try to fix this.  This was to add a custom RDP setting like so:
    Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1`nalternate full address:s:rds.contoso.com"
    That seemed to make some progress, then we got another error.  I made a change to the RD RAP in RD Gateway Manager - by default, it allowed access to Domain Computers (which rds.contoso.com did not exist as a domain computer). I modified it to allow
    access to the rds.contoso.com name.
    I now receive a different error message and that's where I'm stuck.  The heading on the message is RemoteApp Disconnected.  The text of the error is 'Remote Desktop can't find the computer "rds.contoso.com".  This might mean that
    "rds.contoso.com" does not belong to the specified network.  Verify the computer name and domain that you are trying to connect to.'
    Any thoughts on what I can do next?  When I roll back the changes I've made, I'm again able to connect fine, I just have the certificate error again.

    Hi,
    1. For changing the published FQDN I recommend you use Set-RDPublishedName cmdlet instead setting a custom rdp property on the collection:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    2. As you mentioned before you need to edit the RD RAP so that the FQDN that you are using is permitted, or set it to Allow users to connect to any network resource.
    3. On your internal network (internal to the RDG), you need to create a DNS A record for the published FQDN (rds.contoso.com) that points to your server's private ip address. 
    I'm not sure how you have things configured right now in terms of network and DNS so it is tough to give you instructions on how to fix.  Let me explain a bit.  Normally with a VPN you would not need RD Gateway, although it is okay
    if you want to use it.  If you have things configured properly an external client will normally connect to the RDG using the FQDN specified for RDG, then the RDG will connect to the published FQDN for the RDS deployment.
    In your case these two FQDNs would be the same, only when the client does a DNS lookup it should get the ip address that you want users to connect to for the RDG whereas when the RDG does a DNS lookup it should get the private ip address of the server. 
    Exactly how you need to configure your DNS entries will depend on your VPN and networking configuration.
    Please give it a try using the information provided above and reply back here with your results and any further questions you may have.
    Thanks.
    -TP

  • Lync edge internal Certificate

    Hi guys, I have an interesting problem. I'm switching my TMG server for a Palo Alto server, and when I do an external test, it fails and it's showing my internal cert, not the SAN certificate bound to the external DMZ NIC, and yes, I've reassigned the certs multiple times to make sure.
    Anyone ever see anything like this? Works perfectly on TMG :|

    I have 1 Lync Standard Frontend and 1 Edge, the edge server has 2 NICs, 1 internal and 1 in the DMZ with three IPs and 1 to 1 NAT. It has static routes for the internal network.
    I'm aware there is no SAN requirement for internal. What I can't figure out is why external tests are seeing the internal certificate.
    Testing remote connectivity for user test@i*.com to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Elapsed Time: 16269 ms.
    Test Steps
    Attempting to resolve the host name sip.i*.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 190.********
    Elapsed Time: 186 ms.
    Testing TCP port 443 on host sip.i*.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 193 ms.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Additional Details
    Elapsed Time: 15560 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.i*.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=cerberus.*.com, Issuer: CN=ICONS-CA, DC=i*, DC=com.
    Elapsed Time: 15501 ms.
    Validating the certificate name.
    Certificate name validation failed.

  • Remote Connectivity Analyzer opens port 443 successfully but fails.."Net. conn. not available"

    Trying to set up a client with external access.  I just got their Edge off the domain and in the DMZ, and supposedly the appropriate firewall ports are opened. They have a RP running IIS ARR.
    Microsoft Remote Connectivity Analyzer (testconnectivity.Microsoft.com) does the following for three tests:
    1.  When I do Lync Server Remote Connectivity Test and choose Autodiscover, it is able to open port 443 and it validates the cert.  But it says "Operation failed because the network connection was not available". 
    2.  When I do the same Lync Server Remote Connectivity Test and manually enter the Access Edge service FQDN and choose port 5061, it is able to resolve the name in DNS but it then fails testing TCP port 5061 with "The specified port is either blocked,
    not listening, or not producing the expected response".
    3.  When I do the Lync Autodiscover Web Service Remote Connectivity Test, it fails when trying to open port 443 on the Lyncdiscover URL.
    So, that seems to indicate to me that port 443 might be open on the Edge but not the Reverse Proxy, since that's where the autodiscover URL points.  And it seems 5061 is not open but 443 is on the Edge.  What else could I check on the Edge to get
    443 working?
    Thanks for the help and sorry for any vague information.  Any help is appreciated!
    Brandon

    Okay, I can now telnet to lyncdiscover.mydomain.dom on port 443 successfully, and I can telnet to sip.mydomain.com on 5061 successfully. 
    Now when I do the remote connectivity test:
    Using Autodiscover to detect server settings, I get "Operation failed because the network connection was not available". It opens port 443 fine it looks like.
    Manually choosing lync.mydomain.com as the FQDN and port 5061, I get "The endpoint was unable to register.  See the ErrorCode for specific reason".  Response code is 504 and response message is Server Time-out
    Doing the Lync Autodiscover Web Service Remote Connectivity Test I get "HTTP 403 error was received because ISA server denied the specified URL".
    Looks to me like a rule might not be set right on the firewall if ISA is denying the connection, right?(they are using TMG on a server running Server 2008 as the firewall).  I can't ping the reverse proxy from the firewall (but I can ping the Edge). 
    What else can I check?
    Thanks for all the help so far, I really appreciate it.
    Brandon

  • SSL Offloading and Certificate Errors

    I am attempting to offload SSL on an F5 load balancer.  I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer.  I then followed SSL Offloading TechNet instructions here:
    http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx.  My two CAS servers still have the self-signed certificates bound in IIS.  I am getting certificate
    errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
    My question is what do I do with the certificates on my 2 CAS servers?  Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS? 
    Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
    Or am I completely misunderstanding how this works and need to do something different entirely?
    Thanks in advance for any guidance.

    As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.) 
    Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell.  See for example output of Get-OutlookAnywhere:
    RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
    ServerName                         : TSTEXCG2013
    SSLOffloading                      : True
    ExternalHostname                   : tstowa.XXXX.com
    InternalHostname                   : tstowa.XXXX.com
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    XropUrl                            :
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
    Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking    : None
    ExtendedProtectionFlags            : {}
    ExtendedProtectionSPNList          : {}
    AdminDisplayVersion                : Version 15.0 (Build 847.32)
    Server                             : TSTEXCG2013
    AdminDisplayName                   :
    ExchangeVersion                    : 0.20 (15.0.0.0)
    Name                               : Rpc (Default Web Site)
    DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=XXX XXXX,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
    Identity                           : TSTEXCG2013\Rpc (Default Web Site)
    Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
    ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                        : 7/10/2014 7:38:58 PM
    WhenCreated                        : 6/23/2014 2:54:36 PM
    WhenChangedUTC                     : 7/11/2014 12:38:58 AM
    WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
    OrganizationId                     :
    OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
    IsValid                            : True
    ObjectState                        : Changed

  • Office Web Apps deploy certificate error

    IIS is using a domain certificate; accessing "https://fqdn/hosting/discovery" gives a certificate error.
    Office Web Apps is using the same CA as the Front End Server.
    New web farm with this new certificate name.
    Any suggestions?
    Thanks.

    When you get the certificate are you able to view the certificate details? Do they match the name of the site?
    Do you have the appropriate root certificate installed on the client that you are browsing from?
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)
    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
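
The reply's two questions (does the certificate name match the site, and does the client trust the issuing root) can be answered from the affected client with a short script. This is an added example, not part of the thread; `Test-TlsCertificate` is a hypothetical helper name, the host name is a placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): show which certificate a server presents
# and why Windows rejects it. The callback never accepts an invalid certificate.
function Test-TlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # the exact name users browse to
        [int]$Port = 443
    )
    $state = @{ Cert = $null; Errors = $null; Chain = @(); Failure = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        if ($cert) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        }
        $state.Errors = $errors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI and checks the name against $HostName
    }
    catch { $state.Failure = $_.Exception.GetBaseException().Message }
    finally { if ($ssl) { $ssl.Dispose() }; $tcp.Close() }

    $c = $state.Cert
    [pscustomobject]@{
        HostName        = $HostName
        Subject         = if ($c) { $c.Subject } else { '(no certificate received)' }
        SubjectAltNames = if ($c) { ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                                     ForEach-Object { $_.Format($false) }) -join '; ' }
        Issuer          = if ($c) { $c.Issuer }
        NotAfter        = if ($c) { $c.NotAfter }
        PolicyErrors    = $state.Errors           # RemoteCertificateNameMismatch: name is not on the certificate
        ChainStatus     = $state.Chain -join ', ' # UntrustedRoot / PartialChain: root or intermediate missing on this client
        Failure         = $state.Failure          # handshake or connection error text, if any
    }
}

# 'fqdn.example.test' is a placeholder: use the name from the failing URL.
Test-TlsCertificate -HostName 'fqdn.example.test' | Format-List
```

Run it on the client that sees the error, because the chain result depends on that machine's trusted root store.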

  • Autodiscover, domain controllers, and certificate errors

    I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
    All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
    Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
    If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
    What do I do to prevent this?

    Hi,
    Yes, we can have the following “switchers”
    PreferLocalXML
    ExcludeHttpRedirect
    ExcludeHttpsAutoDiscoverDomain
    ExcludeHttpsRootDomain
    ExcludeScpLookup
    ExcludeSrvRecord
    ExcludeLastKnownGoodURL
    Thanks,
    Simon Wu
    TechNet Community Support
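
The reply lists the value names but not where they are set. As an added example (not part of the reply): they are DWORD values under the per-user Outlook AutoDiscover registry key, and `ExcludeHttpsRootDomain` is the one that skips the `https://domain.com/autodiscover/autodiscover.xml` lookup described in the question. The registry path, the Office version numbers and the function names `Get-AutodiscoverSwitch` and `Set-AutodiscoverSwitch` are assumptions not stated in the thread.

```powershell
# Added example (not from the thread): audit and set the Outlook Autodiscover
# exclusion values for the current user. Requires PowerShell 3.0 or later.
$switches = 'PreferLocalXML', 'ExcludeHttpRedirect', 'ExcludeHttpsAutoDiscoverDomain',
            'ExcludeHttpsRootDomain', 'ExcludeScpLookup', 'ExcludeSrvRecord',
            'ExcludeLastKnownGoodURL'

function Get-AutodiscoverSwitch {
    # 12.0 = Outlook 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016 and later
    foreach ($ver in '12.0', '14.0', '15.0', '16.0') {
        $outlook = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
        if (-not (Test-Path $outlook)) { continue }      # this version is not in use
        $props = Get-ItemProperty -Path (Join-Path $outlook 'AutoDiscover') -ErrorAction SilentlyContinue
        foreach ($name in $switches) {
            [pscustomobject]@{
                OfficeVersion = $ver
                Switch        = $name
                Value         = if ($props -and $null -ne $props.$name) { $props.$name } else { '(not set)' }
            }
        }
    }
}

function Set-AutodiscoverSwitch {
    param(
        [Parameter(Mandatory)][ValidateSet('12.0', '14.0', '15.0', '16.0')][string]$OfficeVersion,
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet(0, 1)][int]$Value = 1               # 1 = skip this lookup method
    )
    if ($switches -notcontains $Name) { throw "Unknown Autodiscover switch: $Name" }
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Stop Outlook 2010 from trying the root domain, which here resolves to a DC
# running the internal CA web site, then show the resulting state.
Set-AutodiscoverSwitch -OfficeVersion '14.0' -Name 'ExcludeHttpsRootDomain'
Get-AutodiscoverSwitch | Format-Table -AutoSize
```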

  • Windows 8.1 update & invalid security certificate errors

    I set up my new PC 2 days ago running Windows 8.1. I was able to visit all websites, including secure ones, w/no issues via Firefox. Last night, suddenly I was unable to access many secure websites. These include Google (Gmail) & Ilines (email). Here is a copy of the Google error:
    "mail.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
    There is no button to bypass, as I have seen in the past. I tried deleting cert8.db which didn't resolve anything. I have also tried adding exceptions which also don't resolve the issue.
    I searched support & found the link for the MS document (link below) indicating that FF & Windows Family Safety certificates are not playing nice.
    http://support.microsoft.com/kb/2965142/en-us#appliesto
    I tried to follow the guide, but when I get to step 6, there is no Microsoft Family Safety Certificate in the Trusted Root Certificates Authorities to export. For reference, I do not specifically have Family Safety enabled & am running my PC as admin, no other users. I personally have no use for this but it is my understanding that it cannot be uninstalled, either.
    I have spent hours researching & making adjustments to different settings to no avail. It is frustrating enough setting up a new PC & transferring info w/out this extra hassle. Does anyone have any other suggestions? FF is my preferred browser, but if this can't be resolved I will need to use something else so that I can access these important websites.

    Thanks for the feedback cor-el. Here are the results:
    1. Installed Kaspersky certificate per link= no change
    2. Turned off Kaspersky= able to log in to Gmail but not the other secure sites I am having probs with
    3. Booted in Safe Networking mode= able to log in to Gmail but not the other secure sites. Same blocking errors on Gmail, etc when returned to reg mode.
    Just FYI, I get 2 different secure connection errors:
    Gmail: "mail.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
    Ilines: "Secure Connection Failed An error occurred during a connection to mail.ilines.net. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature)"

  • Best practice for licence server for RDS Farm & Certificate errors

    Hello,
    I am in the process of creating an RDS farm using Server 2008 R2.  I have three Session Hosts and a Connection Broker.
    I have a set of 10 user CALs available and also another 20 on our current RDS server which will need migrating once we go live with the farm.
    I understand the User CALs need to be installed on another Server 2008 R2 and I am wondering what is best practice.  We are running on an entirely virtual environment and it would be simple enough to create another server and install the CALs on there. 
    The only issue with that is that I would need to create a replica of this new machine for DR purposes, but this would take up valuable space which may not be necessary.
    We are planning on creating replicas of one of the Session hosts and the broker for DR, so I am guessing I would need to install some CALs on the Session Host which is going to be replicated.
    There are a few options and I am just wondering what is the best way to go about things.
    Also, as an aside, I am getting an annoying certificate error each time I log a test user onto the RDS farm - I think this is because I am using the DNS alias of the RDS Farm to log on. Is there an easy way to get around this, other than the 'Do not show this message again'. I have been doing some research and the world of Certificates is very confusing!!
    Thanks,
    Caroline
    C.Rafferty

    Hi Caroline,
    Firstly for your License related issue, you can perform the step on any VM or can create the new VM as replica for RDSH server also. But please be sure that you have installed RD License server on it, activate it and then install RDS CAL on it. But be safe if possible don’t install RD License server with RDCB, please make that out of it as little away. As you can also install RD License server with AD or make replica of that and install RDL on that.
    Best practices for setting up Remote Desktop Licensing (Terminal Server Licensing) across Active Directory Domains/Forests or Workgroup
    http://support.microsoft.com/kb/2473823
    What’s the specified certificate error which you are receiving?
    If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA. In the meantime you can refer to the blog for insight into the certificate case.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
