Outlook client certificate prompt

Hi
i have exchange 2010 environment with 2 mailbox & 2 hub/cas server role.
when outlook client connects with exchange server he got certificate prompt. when i saw the certificate he got exchange mailbox certificate.
why he got certificate which is installed on mailbox server
this certificate is a certificate which is generated automatically during installation.
please help. its urgent & critical
thanks in advanced
Anuj Gupta

Hi,
According to your description, there is a sercurity alert when Outlook client connect to Exchange server. And I'd like to confirm the following information to narrow down the cause:
1. The detail name in the security alert
2. Does the issue happen on internal users or external users?
3. Are all your URLs configured with the name mail.domain.com or other name in the certificate?
Thanks,
Angela Shi
TechNet Community Support

Similar Messages

Client Certificate Prompting

Environment:
Windows 2003 Server
IIS 6.0
Java Applets
JVM 1.6
I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set in the event the user does not have a valid client certificate type then they will be prompted for their Windows Login. My problem is that even though they authenticate via Windows they are still being prompted for certificates by the JVM and of course there are none in IEs store.
Is there a way to stop this or is this just a way of life.

I think it is related to the certificate you are using: what are the available CRL's (Certificate Revocation List) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission
to do it.
You might want to check if the CRL distribution point as configured in the certification is accessible by the client or generate a different certificate with a different distribution point.
Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be

Outlook clients get prompt for credentials

I have get the following strange problem that when the Exchange server restart and get back on-line my outlook clients all get prompt to enter their credentials. If they open and close Outlook it works until there is a lost in communication between Outlook
and Exchange. Everything work until a week or two ago and suddenly it just start to happen. All I did was to reset a few users passwords, but that was not a issue at that time and now sudden it seems to get worsted.
We run Exchange Server 2013 CU5 on Windows 2012 everything patched with Windows 7 Professional Clients either Outlook 2010 or Outlook 2013 everything patched.
Any advice?
Thanks.

Hi,
Based on my experience, the credential issue has many reasons: improper authentication method, access public folder, connectivity issue, performance and so on.
Thus, to narrow down the cause, I'd like to confirm the following inforamtion before we can go further:
1. Does the issue happens on all your clients? randomly or regularly?
2. Check the connection status when the credential appears.
3. Check the authentication method of Outlook Anywhere: get-outlookanywhere |fl *auth*
Thanks,
Angela Shi
TechNet Community Support

Slow client certificate prompt on IE - Windows 7, Windows 8

Hi
I would like to ask for help with client certificate authentication and IE. In our company we are using widely smart cards and client certificate authentication for intranet web sites. Everything worked fine until we have started upgrading Windows XP to
newer Windows 7 and Windows 8.
Users have started complaining about very slow certificate selection when web site is prompting for certificate - window containing certificates for selection (client certificates of current user) is appearing after about 30 seconds or even more. After selecting
proper certificate user is entering PIN and web site shows fine.
On Windows XP and IE window containing certificates appears immediately - on Windows 7 and Windows 8 after 30 seconds or more..Maybe the reason is because on current Windows user there are many certificates (20 or more) but it didn't matter on Windows
XP.Please help, because my users never let me to upgrade their Windows XP and they will have good argument - on previous operating system everything worked smoothly - now I have to wait for ages..
Thanks in advance
Regards

Hi,
I'm having this issue on Windows XP... it happened after i installed updates, it could be related with some security improvement...
If someone knows the KB number of the update related with this issue i would be very grateful!

2010 to 2013 Public Folder Migration - PF work in OWA but not outlook Client, password prompt?

Hello All,
I have migrated all public folders from Exchange 2010 Sp3 to Exchange 2013 Cu7. You can access the public folders without any problems in OWA.
When trying to access in outlook i will get a password/username prompt. If i enter my details in this it will keep popping up even with the remember me button ticked.
When i check the connection status i see the below the status which is "connecting" is the PF; it will never connect.
I have done:
Reboots
Restart the Microsoft Exchange RPC Client Access service on the Exchange 2013 server
Tried changing the Logon network security in the outlook client which made no difference:
Tried logging into the outlook client as different user which made no difference
What else can i do please?
Help Appreciated!

Hi,
Please check if you have NTLM configured for Outlook Anywhere on your Exchange 2010.
Get-OutlookAnywhere | fl Identity,*auth*
And please check the server the public folder is trying to connect.
Best regards,
Belinda Ma
TechNet Community Support

Outlook 2013 Clients certificate has expired warning or not yet valid

Hello,
We had been through a migration from exchange 2010 to 2013 in the last year but have had an ongoing issue with
some Outlook clients getting a certificate warning after they launch the client. Not all Outlook clients experience this. We've just recently uninstalled exchange from our 2010 servers and shut them
down. What we have left are two 2013 servers in a DAG. The certificate these Outlook clients are complaining about had expired in 2012. Here is the warning they are getting:
"Certificate has expired warning or not yet valid"
I've been through numerous threads/sites regarding this error but it always ends up that there was an expired cert hanging out somewhere. I cannot seem to find an expired cert anywhere...
I've ran the 'Get-ExchangeCertificate | fl' cmdlet and I see 7 certs listed, none of which match the thumbprint on the Cert Warning on Outlook.
When I check the registry of the Exchange servers here: HKLM>Software>Microsoft>SystemCertificates>My>Certificates
I can see 7 certificate entries listed there and the thumbprint matches those of the cmdlet ran from
EMS.
OWA shows the correct cert expiring in 2015 and Outlook clients are pointed to the 2013 servers. We do have a load balancer that AutoDiscover, OWA, SMTP are going through.
It seems like some of these Outlook clients are still looking at the decommissioned 2010 Exchange servers' old certificate. Any ideas on how I can get outlook to point to the new certificate/server?
Thanks.
Rory
Rory Schmitz

Hi Rory,
If possible, could you please post the Get-ExchangeCertificate | FL results about the certificate which is assigned with IIS service here?
If the issue only happens for some users instead of all users, please create a new Outlook profile for the problematic user to check whether the issue persists. Please make sure the certificate name which is reported as expired or not valid is included
in the IIS service certificate in your Exchange 2013.
In Exchange server side, please restart IIS service by running IISReset /noforce from a command prompt window to have a try.
Regards,
Winnie Liang
TechNet Community Support

IOS prompts for a client certificate each time i change webpages on a site

The company intranet is published through a TMG 2010 box and we use client certificates as an extra level of authentication in addition to AD user / pass.
With any PC based browser you are prompted once for the certificate to use, however in IOS 5.1.1 on iphone and ipad we get a prompt each time you go to a new page, safari prompts for the certificate to use however the more times you change the page the more it relists the certificate in the selection window. The certificate you see in the screen shot is installed once. The first time I change the page, safari reprompts and lists 2 certificates (both the same) next time i change the page it then lists the certificate 3, then 4 then 5 times etc. The client certificate is issued directly from the root CA so this isnt the issue of IOS not supporting 2 or 3 tier certificates.
All other PC based browsers work fine and only prompt once then happily reuse that certificate when you change pages without reprompting.

We're experiencing the same problem. We are also publishing internal web applications via TMG 2010, using forms based authentication with client SSL certificate authentication.
We see this problem on devices using iOS 5.1.1. Devices with iOS 6 are automatically selecting the client certificate. Unfortunately upgrading to iOS 6 is currently not an option.

Document Library: Open in Explorer - Client Certificate Selection Prompt

Hello,
when a User in a Document Library clicked on "Open in Explorer" a Window Prompting where the user can choose a Certificate. If the user clicked on Abort (Abbrechen in German) the Library open correct in a Windows-Windows and the user can work.
Clicked the User in the same Webapplication in a other Document Library on "Open in Explorer" no Certificate-Windows prompt. After the next Restart of the Client the Certificate-Windows prompt for the First Time. Is this a WebDav Problem or a wrong
IIS configuration? We use for all Webapplications https.
Thank you
Sebastian

Hi Sebastian,
For troubleshooting your issue, please refer to the steps as below:
1.Open up your IIS manager, go to Sites and select the site which is having the issue.
2.Click on SSL Settings and set Client certificates to Ignore.
Best Regards,
Eric
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected]

I'm attempting to access my work email through Microsoft Outlook web client. The URL is mail.ad.msu.edu. I get the following message: The website "mail.ad.msu.edu" requires a client certificate. This website requires a certificate to validate your id

I'm attempting to access my work email through Microsoft Outlook web client. The URL is mail.ad.msu.edu. I get the following message:
The website "mail.ad.msu.edu" requires a client certificate.
This website requires a certificate to validate your identity. Select the certificate to use when you connect to this website, then click Continue.
The choice I am presented with is: adp3d (iChat Encryption Certificate) (Apple.Mac Certificate Authority)
I'm thinking that this can't be correct, and in fact doesn't allow me to signing to the website.
How do I go about getting the proper certificate?

I'm attempting to access my work email through Microsoft Outlook web client. The URL is mail.ad.msu.edu. I get the following message:
The website "mail.ad.msu.edu" requires a client certificate.
This website requires a certificate to validate your identity. Select the certificate to use when you connect to this website, then click Continue.
The choice I am presented with is: adp3d (iChat Encryption Certificate) (Apple.Mac Certificate Authority)
I'm thinking that this can't be correct, and in fact doesn't allow me to signing to the website.
How do I go about getting the proper certificate?

Exchange 2013/2010 Co-existance Outlook Users Always Prompted for Password

Hello,
We are in the process of attempting to migrate to Exchange 2013, but during the migration time, we need to coexist with the two versions. Our outlook clients are a mix of Office 2007, 2010, and 2013. When a user is migrated from 2010 to 2013,
they start getting prompted for their password in Outlook every few minutes. They can click cancel and continue working, but they continue to get prompts for their password. If they click the update folder button in outlook, it updates fine, and
the password prompt goes away for awhile.
Most topics on this state that this is caused by a certificate issue. We have an internally deployed CA, with the Root certificate trusted by all clients. The exchange 2013 server has a certificate that was created by this CA.
I believe that this is caused by OAB (address book) still being hosted on the Exchange 2010 server (with a self signed cert), that is causing the connection to fail. Is there anyway to test this without breaking outlook connections for the users that
are on Exchange 2010? Or is there any other reason that this would occur?
Thanks for any assistance.

Sorry for taking so long to reply, other items came up that rank higher then this migration.
I ran the Test-OutlookWebServices CMD and got this result:
[PS] C:\Windows\system32> Test-OutlookWebServices
Source                              ServiceEndpoint
Scenario                       Result Latency
(MS)
EXCHANGE13.company.local           exchange10.company.local           Autodiscover: Outlook Provider Failure     229
EXCHANGE13.company.local
Exchange Web Services          Skipped       0
EXCHANGE13.company.local
Availability Service           Skipped       0
EXCHANGE13.company.local
Offline Address Book           Skipped       0
I
am currently thinking that this may be the error. Is there a way to
change the first failing result to the hostname of the
exchange13.company.local without breaking the current settings for the
exchange10.company.local autodiscover?

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Problem connecting to godaddy exchange server via outlook client

I am pretty much having a very similar problem here:
https://social.technet.microsoft.com/Forums/exchange/en-US/437c5f8d-3a42-4689-90b4-13fd2749373f/go-daddy-ucc-certificate-exrca-can-only-validate-the-certificate-chain-using-the-root-certificate?forum=exchangesvr3rdpartyappslegacy
When I set up in outlook, I have noticed this in advanced connection settings:
the URL is required
mail.ex4.secureserver.net
Then check connect SSL only
Only connect to proxy servers with this principal name
msstd:mail.ex4.secureserver.net
When I use the connect principal, it works fine, but otherwise if it is not checked, it won't connect to the server.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26423254.html
However, when I restart outlook, because I have multiple exchange accounts, they keep becoming "unchecked".
Everything worked fine about 48 hours ago, and now... all these problems.
Here is my log from the testing site:
Connectivity Test Failed
Test Details
 Testing Outlook connectivity.
 The Outlook connectivity test failed.
 Additional Details
Elapsed Time: 3897 ms.
 Test Steps
 Testing RPC over HTTP connectivity to server mail.ex4.secureserver.net
 RPC over HTTP connectivity failed.
 Additional Details
HTTP Response Headers:
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Fri, 13 Feb 2015 01:07:27 GMT
Content-Length: 58
Elapsed Time: 3897 ms.
 Test Steps
 Attempting to resolve the host name mail.ex4.secureserver.net in DNS.
 The host name resolved successfully.
 Additional Details
IP addresses returned: 72.167.83.115
Elapsed Time: 95 ms.
 Testing TCP port 443 on host mail.ex4.secureserver.net to ensure it's listening and open.
 The port was opened successfully.
 Additional Details
Elapsed Time: 110 ms.
 Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Additional Details
Elapsed Time: 461 ms.
 Test Steps
 The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.ex4.secureserver.net on port 443.
 The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 Additional Details
Remote Certificate Subject: CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US, Issuer: SERIALNUMBER=10688435, CN=Starfield Secure Certification Authority, OU=http://certificates.starfieldtech.com/repository,
O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 356 ms.
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
Host name mail.ex4.secureserver.net was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
 Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Test Steps
 The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.ex4.secureserver.net, O="Starfield Technologies, LLC.", L=Scottsdale, S=AZ, C=US.
 One or more certificate chains were constructed successfully.
 Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
Elapsed Time: 39 ms.
 Analyzing the certificate chains for compatibility problems with versions of Windows.
 Potential compatibility problems were identified with some versions of Windows.
 Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 5 ms.
 Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
The certificate is valid. NotBefore = 11/29/2012 8:39:18 PM, NotAfter = 11/29/2015 8:39:18 PM
Elapsed Time: 0 ms.
 Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 232 ms.
 Testing HTTP Authentication Methods for URL https://mail.ex4.secureserver.net/rpc/rpcproxy.dll?mail.ex4.secureserver.net:6002.
 The HTTP authentication methods are correct.
 Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Negotiate, NTLM
HTTP Response Headers:
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM
X-Powered-By: ASP.NET
Date: Fri, 13 Feb 2015 01:07:27 GMT
Content-Length: 58
Elapsed Time: 146 ms.
 Attempting to ping RPC proxy mail.ex4.secureserver.net.
 RPC Proxy was pinged successfully.
 Additional Details
Elapsed Time: 224 ms.
 Attempting to ping the MAPI Mail Store endpoint with identity: mail.ex4.secureserver.net:6001.
 The attempt to ping the endpoint failed.
 Tell me more about this issue and how to resolve it
 Additional Details
The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.
Elapsed Time: 2626 ms.

Here is another test from the autodiscover:
 The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
 Autodiscover was tested successfully.
 Additional Details
Elapsed Time: 1745 ms.
 Test Steps
 Attempting each method of contacting the Autodiscover service.
 The Autodiscover service was tested successfully.
 Additional Details
Elapsed Time: 1745 ms.
 Test Steps
 Attempting to test potential Autodiscover URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml
 Testing of the Autodiscover URL was successful.
 Additional Details
Elapsed Time: 1745 ms.
 Test Steps
 Attempting to resolve the host name MYDOMAIN.com in DNS.
 The host name resolved successfully.
 Additional Details
IP addresses returned: xx.168.xx.74
Elapsed Time: 59 ms.
 Testing TCP port 443 on host MYDOMAIN.com to ensure it's listening and open.
 The port was opened successfully.
 Additional Details
Elapsed Time: 60 ms.
 Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Additional Details
Elapsed Time: 197 ms.
 Test Steps
 The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server MYDOMAIN.com on port 443.
 The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 Additional Details
Remote Certificate Subject: CN=MYDOMAIN.com, OU=Domain Control Validated, Issuer: CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 132 ms.
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
Host name MYDOMAIN.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
 Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Test Steps
 The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=MYDOMAIN.com, OU=Domain Control Validated.
 One or more certificate chains were constructed successfully.
 Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US.
Elapsed Time: 27 ms.
 Analyzing the certificate chains for compatibility problems with versions of Windows.
 Potential compatibility problems were identified with some versions of Windows.
 Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
 Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
The certificate is valid. NotBefore = 7/2/2014 2:30:01 AM, NotAfter = 7/2/2015 2:30:01 AM
Elapsed Time: 0 ms.
 Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 673 ms.
 Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
 Additional Details
Elapsed Time: 754 ms.
 Test Steps
 The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://MYDOMAIN.com:443/Autodiscover/Autodiscover.xml for user [email protected].
 The Autodiscover XML response was successfully retrieved.
 Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>[email protected]</DisplayName>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>IMAP</Type>
<Server>MYDOMAIN.com</Server>
<Port>993</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>MYDOMAIN.com</Server>
<Port>465</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName>
</Protocol>
</Account>
</Response>
</Autodiscover>
HTTP Response Headers:
Keep-Alive: timeout=15, max=256
Connection: Keep-Alive
Content-Length: 1227
Content-Type: application/xml; charset="UTF-8"
Date: Fri, 13 Feb 2015 01:14:56 GMT
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
Elapsed Time: 754 ms.

OTP 2FA Problems with DA 2012 R2 and Windows 8.1 Client - Not prompting or OTP Code

Hi
Just seeing if anyone has come across the same issue with their WIn 8.1 clients not prompting for 2FA once configured with DirectAccess 2012 R2?
I have created the 2x OTP certificates, enabled OTP via PowerShell and set up the RADIUS server but whatever happens the Win 8.1 client does not get prompted for 2FA - They connect seamlessly?
I have also configured the DAProbeUser on the RADIUS server
Any help appreciated
Thanks

I was afraid that you'll said that
I hate to be the annoying guy but take a look at this KB article:
http://support.microsoft.com/kb/2787534
Applied to: Windows 8\2012,
Doesn't Apply to: Windows 8.1\2012 R2
and - for a fact, doesn't include in Windows 8.1\2012 R2 as this bug still exists in those operating systems.
another annoying fact - No other update was released for these version yet.
this example approves that not every hotfix \ updates that was released for 8\2012 before 8.1\2012 R2, is already included in 8.1\2012 R2
and allow me to add another fact.
when you configure DirectAccess via the remote access wizard it creates a WMI query called
DirectAccess - Laptop Only WMI Filter.
after you create it in Windows Server 2012 R2 - look at the WMI Query and you'll see that by default it doesn't apply to version 6.3! the version for Windows 8.1.
if you want to add the support for Windows 8.1 you have to modify manually the query which is of course, not supported by Microsoft.
That is just another symptom that makes me wonder if Microsoft did ANY change or update to DirectAccess 2012 R2
Tamir Levy

How to find out what server the outlook client is connected to/change it automatically

Hi,
I am performing a server migration from Exchange 2010 to Exchange 2010 (the previous installation was installed by an outsourced provider and is rubbish so I'm configuring it properly). On the of things the existing server lacks is a CAS array configured,
so I have built the new Exchange 2010 server, configured a new DB and CASArray. I have created a brand new mailbox for a new user and the user's outlook shows it is connected to casarray.domain.local, I have migrated my own mailbox but internally my outlook
shows it is connected to oldserver.domain.local (under the account settings when you go to change the settings for the account), this is on a domain joined internal desktop. But at home on my personal laptop non-domain joined, it has appeared to reflect the
new casarray.domain.local. The outlook client is 2007 in both situations.
When I run the following command, it shows my mailbox is indeed connected to the new exchange server, but this is not true in outlook
Get-LogonStatistics -Server "new-exch2010" | where {$_.clientname -eq "new-exch2010"}| ft username,servername,clientname
If I run the above command against the old server my name shows on that list as well. When I look at the connection status of my outlook it shows that it is connected to casarray for directory, but the old server for mail.
A couple of other things:
Mailflow is now going to the new exchange server from the gateway over port 25, the autodiscover record in the internal DNS is now also pointing to the new exchange server, outlook clients and users computers have been completely restarted but still don’t
seem to pick up the new settings, both the old server and new server functions as a multi-role exchange having the Hub, CAS and MBX roles.
Now that you have all that background info my question is two parts:
What is the correct powershell command I can run on the exchange server to ensure that all my outlook clients are connected to the new exchange server for all connection types (or identify those which are connected against the old server)?
How do I get the outlook clients to automatically pick up the casarray servername once their mailboxes have been migrated?
I am considering removing the CAS from the old server which may force outlook to find it’s new server but am unsure whether this will work or not, and I think I should migrate all the mailboxes into the new DB before I do this.
Other than that, I am out of ideas.
Appreciate, any help. Thanks
Steve

I had already run the command Get-MailboxDatabase | FL Identity,RpcClientAccessServer
and it only identified the old database as being tied to the server name, the new database has the correct casarray and all mailboxes are in this new database. should I also set the old database to point to my casarray as the second command indicates? can't
do any harm right?
also, I have outlook 2007 and 2013 at home and both of them had automatically reconfigured
themselves to point to casarray, my problem is with the internal clients.
today I have also noticed in DNS there is a Zone which points to autodiscover.domain.co.uk
and in there it points to my old server.
a few things to note about the above:
1. the zone is pointing to the .co.uk domain not the .local - is this correct?
2. should that zone even be in our internal DNS, i hadn't noticed on previous implementation
of Exchange I have done
3. if i change the record within that zone to point to my new server, will this likely show
up the popup message shown in this link http://www.rackspace.com/apps/support/portal/1218 I havent yet got a certificate for the new exchange server (few more days) and i dont want users seeing any kind of untrusted unsecure connection box or it
will only lead to panic and flooding the helpdesk
many thanks
Steve

Windows XP with Outlook 2007 authentication prompt

We have successfully migrated some of our users from Exchange 2010 to 2013 - the ones running Windows 7 and Office 2007 and Office 2013.
We have some users with Windows XP and Office 2007 though and when they start Outlook they get prompted to logon to the mailbox. These are all domain connected PCs in a single domain. If they put their details in Outlook opens as normal but the next time
they start Outlook 2007 they get prompted again.
From looking around I suspect it is something to do with our UCC certificates.
The primary name is ourdomain.com
The alternate names are mail.ourdomain.com, mail2.ourdomain.com, ex2010.ourdomain.com and ex2013.ourdomain.com
I have tried setting EXCH and EXPR principal to ourdomain.com and the prompts remain.
Have we set the primary name wrongly ? Should it be mail.ourdomain.com ?
Any help appreciated
Darren

Windows XP is out of support, Microsoft doesn't test new technologies with oos platforms.
If you look around the web XP with any Office version has problem connecting to Exch 2013
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
Questo post non fornisce garanzie e non conferisce diritti

Outlook client certificate prompt

Similar Messages

Maybe you are looking for