Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Outlook 2007 Certificate Prompts with Exchange 2003

A common complaint in forums for some time has been SSL certificate prompts from Outlook 2007, when running Exchange 2003.
The error is usually along the lines of:

"The name on the security certificate is invalid or doesn't match the name of the site."

Often the first response will be connected to RPC over HTTPS, as this is the only part of Exchange 2003 that can use SSL certificates for Outlook connectivity.

However, the real cause is the set of changes made to Outlook 2007 to accommodate Exchange 2007 and its move to web services. Web services are used to reduce the dependency on Public Folders.

The specific cause of this is a process known as autodiscover. Anyone who has managed Exchange 2007 will be very familiar with Autodiscover, as it can be a key pain point.

Outlook 2007 will attempt to connect to autodiscover.example.com, where example.com is the part of your email address after the @ sign. It will also attempt to connect to a number of other URLs if that one fails.
 
If your domain does not have an entry for autodiscover, but does have a wildcard entry in its DNS (which is common) then you may get this issue.

Therefore from a client where you have the problem, attempt to ping 

autodiscover.example.com

Where example.com is your email domain, then repeat with your internal Windows domain.

If the name resolves (the output shows it pinging autodiscover.example.com, example.com or similar), even if the ping itself fails, then you may well be on to the cause. The final test is to bring up a web browser, type in autodiscover.example.com and see what happens.
It is likely that you will get the same SSL certificate prompt that Outlook receives, and then the browser will load another web site completely.

The reason for this is quite simple.
Web hosts will often share the IP address of their server between a number of web sites, possibly hundreds. However, to use SSL, a web site must have a dedicated IP address. Therefore only a single web site on that IP address will have SSL support.
Using a wildcard in your DNS (so anythingyoulike.example.com resolves) means that all host names will resolve to the same IP address.
As SSL cannot share an IP address, and does not see the host name being used, the server will accept the connection and present that one site's certificate, which generates the SSL certificate mismatch.

How to resolve? Either remove the wildcard entry on the external DNS or have an entry for autodiscover.example.com put in to your domain with a dummy IP address - 127.0.0.2 for example. This will cause the host name to resolve, but fail to connect. See the single host replacement method on this page for instructions on how to do it: http://www.amset.info/netadmin/split-dns.asp

However if you ever deploy Exchange 2007 or higher then remember to remove it!
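The checks described above (does autodiscover resolve, is the answer coming from a wildcard record, and does whatever answers on port 443 present a certificate for a different name) can be scripted. This is an added example, not code from the original post; the function names and verdict strings are made up for illustration, and the offline demo uses constructed addresses.

```python
import secrets
import socket
import ssl

def resolve(host):
    """Return the set of IPv4 addresses for host (empty if it does not resolve)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}
    except socket.gaierror:
        return set()

def tls_name_check(host, port=443, timeout=5):
    """Handshake with host:port and report how certificate validation went."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "match"
    except ssl.SSLCertVerificationError as exc:
        # 62 is OpenSSL's X509_V_ERR_HOSTNAME_MISMATCH
        return "mismatch" if exc.verify_code == 62 else "untrusted"
    except OSError:
        return "no-listener"  # refused, timed out, or not speaking TLS

def diagnose(domain, resolver=resolve, tls_probe=tls_name_check):
    """Classify what Outlook 2007 will meet at autodiscover.<domain>."""
    host = f"autodiscover.{domain}"
    auto_ips = resolver(host)
    if not auto_ips:
        return "no-record"  # nothing to connect to, so no prompt from this URL
    # A random label that resolves means the zone has a wildcard entry.
    random_ips = resolver(f"{secrets.token_hex(8)}.{domain}")
    from_wildcard = bool(auto_ips & random_ips)
    tls = tls_probe(host)
    if tls == "no-listener":
        return "resolves-no-https"  # e.g. the dummy-IP workaround is in place
    if tls == "match":
        return "ok"
    return "wildcard-cert-problem" if from_wildcard else "cert-problem"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))  # live check against your own email domain
    else:
        # Constructed demo: wildcard zone pointing at a shared web host
        print(diagnose("example.com", lambda h: {"203.0.113.10"}, lambda h: "mismatch"))
```

A verdict of `wildcard-cert-problem` corresponds to the situation in this post; `resolves-no-https` is what you should see after adding the dummy autodiscover record.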

Short URL for TestExchangeConnectivity.com

One of the most useful online tools to come out of Microsoft for the Exchange product is their testexchangeconnectivity site - or to give it its correct name - the Microsoft Exchange Remote Connectivity Analyzer (ExRCA). However the URL is a mouthful, and if you are typing it as often as I do, it is easy to make mistakes.

Therefore I have set up a short URL for it using our Exchange community site exbpa.com - you can get to it via http://et.exbpa.com/

I was going to use te.exbpa.com (which also works) but I thought et would be easier to remember.

New Site Launch - statuspages.co.uk

Today we have launched a new web site - statuspages.co.uk. This is a development of an internal site that was built in a hurry after the Paddington exchange flood in March 2010 and is our first all new site launch since exbpa.com was created in December 2009 - all others have been existing content spun out to their own sites.

At the moment it is simply a list of links to the status pages for most of the biggest ISPs in the UK, along with BT, and some other internet based services. Not all ISPs have status pages, so where they cannot be found they are not included.

If you are supporting clients on multiple ISPs then this page could be useful, as it is a single location for the list, which we intend to keep up to date.

The site may be developed over time, but we believe it will be a useful resource in its current format.

Related Links

Statuspages.co.uk home page: http://statuspages.co.uk
ISP Status Pages: http://statuspages.co.uk/isp.asp
Phone Services Status pages: http://statuspages.co.uk/phone.asp
Other Internet Services Status pages: http://statuspages.co.uk/others.asp

Blog - All Change

It's all change here on blog.sembee.co.uk and I have an apology to make to visitors.

First the change. If you aren't reading this on the RSS feed, then you will have noticed things look a little bit different. This is because I have changed the blog engine that I am using.

Since I started blogging in 2007 I have used Community Server, nursed back to life after two server failures, plus version upgrades. However with the change of my underlying OS to Windows 2008 R2, I decided it was time to switch to something a little more basic. I only used the blogging functionality of Community Server, nothing else. Plus I wanted to drop the SQL database dependency.

Therefore I have switched to BlogEngine.net. The change was relatively painless; I was running with it on a private URL in less than 30 minutes. What took the time was putting redirect files in to place so that URLs were redirected to the new format. That is now complete (I hope).

You might find that the theme changes, I am still looking for one that I am 100% happy with, and may end up creating my own, or getting one created for me to match the other sites that I have through Sembee Ltd. I haven't quite decided. The content will stay the same.
The HTML code is a bit odd in places, which I will correct as I find the postings, but that is a display issue, nothing more.

Comments are still turned off, because I have seen them turn in to support forums before, and blogs are a really bad way for that kind of thing - use a forum instead.

Now for the apology.

If you sent a message through the Contact option in the previous Community Server based blog format, then I didn't receive it. I had thought I had disabled all of the options for contact via the blog itself, preferring to receive direct email messages. However when I started to pull the original installation of Community Server apart, I found 70 pages of contact attempts in a location I had never looked at before - called "Feedback". Most of it was spam, and was deleted, but there were still seven pages of legitimate messages, dating back to 2008. I hadn't seen any of them.

Big oops.

I am not going to reply to the lost messages now, as they will be very old and no longer relevant. However if you sent me a message via the blog and did not get a reply, it wasn't intentional. They simply went in to a location I didn't know was there.

Google Custom Search and IE Accelerators

For some time, I have had a web site called <removed>, which was created a few years ago when I first discovered Google Custom Search. It was a result of playing with this new (at the time) service from Google and creating search engines for some IT vendor knowledge bases.
The site was rather basic and I didn't do anything with it.
The site wasn't published, but Google found it, and it has had a trickle of traffic ever since - usually much less than 100 visitors a day.

However at the end of last year I started to split off some of the content from amset.info out to their own sites. This was content that wasn't core Exchange or Outlook related, but was responsible for a significant proportion of the traffic. A page I wrote six years ago as a getting started guide to the Command Prompt received more visits a day than the next five pages put together. It now has its own site at http://dosprompt.info/
With these additional sites, I implemented a common core design across them all. This design needed to be applied to others, and it was then I realised how poor it was and that the site needed some attention.

At around the same time, I was starting to play around with Windows 7 in some more depth, including the accelerators that are built in to Internet Explorer 8. The Google search tool was very useful, but there wasn't one for the UK version of Google. I found one for Canada, so I pulled it apart and modified it for the UK.

I therefore wondered if I could combine this newfound knowledge of IE search Accelerators with my <removed> site.  The reason for this was that I had created a custom search that was simply a web search engine, so that I could search Google without getting results that were mangled with their tracking information when you copied the result. An example of the URL that is returned is this:

<removed>

The custom search is here: <removed>

I found that you could indeed create an IE search accelerator for a Google custom search engine. What this means is that I can take a term and search for it through my own version of Google.

I have written exactly how here:
http://www.amset.info/ie/custom-search-accelerator.asp
And the resulting accelerators are to be found here:
<removed>

This post has been modified to remove links that are no longer valid.