
Microsoft Outlook 2010 Certificate error

I hope that you can help.

I have an Exchange 2010 CAS array connected to a hardware load balancer that is doing SSL offloading. There are multiple third party root CA certificates for different domains installed on the load balancer and SSL offloading is working correctly for OWA, ActiveSync, and OA clients. However when a local client attempts to access their mail through Outlook 2010, the following error occurs:

“The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.”

And then a question of “Do you want to proceed?” is asked and you have to reply Yes, No or View Certificate.

The certificate being used to authenticate the Outlook 2010 clients on the network is the default that is part of Exchange 2010. When I select “yes” I can access mail with no problem and Outlook works just fine; I just want to avoid this pop-up from always appearing every time I go into Outlook, as there are many users who get this prompt at the moment, and I am trying to avoid it from happening. Are there any settings that you know of that disable the pop-up while continuing to use the default certificate from Exchange 2010?

Thank you.
5 Solutions
Jessie Gill, CISSP (Technical Architect) commented:
This happens if there is a certificate mismatch. Is your internal URL the same name as the certificate?

I.e. you have an SSL cert which has mail.domain.com and autodiscover.mail.com installed on CAS. But the internal URL for the CAS may be something like server.domain.com, thus the SSL warning.

So make sure your internal URL matches your SSL certificate.

What we did is keep the external and internal URL the same, i.e. mail.domain.com, and then we use split-brain DNS: internally mail.domain.com points to the load balancer and externally mail.domain.com points to our firewall.

If you're using a third party certificate you may need to install their certificate authority certificate in the Trusted Root Certification Authorities store on your machines. You should be able to use AD to push that out...
Justin Durrant (Sr. Engineer - Windows Server/Virtualization) commented:
You need a SAN or UC certificate. I recommend GoDaddy or www.domainsforexchange.net


One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember, the cert request needs to be generated by Exchange using PowerShell.

When you get the response back from the CA, use the import-certificate command to process and enable it for SMTP, IIS, etc.

Beyond Next Solutions (Solutions Architect) commented:
Did you create a CAS Array and configure the -RpcClientAccessServer parameter of your mailbox databases to point to the hostname of the cas array?

- Your internal VIP (virtual IP) address is and your internal DNS (internal.com) has records that point to the CAS array

1. Create an internal DNS host record that points to the internal VIP of the hardware load balancer. This assumes that your load balancer is balancing all TCP/UDP ports across all CAS servers in the AD site.
     - Zone name in your internal DNS=internal.com: mail.internal.com A
2. Ensure that internal clients resolve mail.internal.com to, and that external clients resolve public DNS host names to your public IP (and CANNOT resolve the internal CAS array name!!).

3. Create the CAS Array:
New-ClientAccessArray -Name "mail.internal.com" -Fqdn "mail.internal.com" -Site "Default-First-Site-Name"

4. Configure each mailbox database in your site to use the CAS array:
Set-MailboxDatabase "DBname" -RpcClientAccessServer "mail.internal.com"

I may have left out something, but that should get it done.
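As an added check that is not from any of the answers above, the following Exchange Management Shell script gathers the names internal Outlook clients connect to (the CAS array name from step 4, the Autodiscover SCP, EWS and OAB internal URLs) and compares them with the certificate Exchange has enabled for IIS on a CAS. It reports a self-signed IIS certificate and any name mismatch, which are the two causes of the prompt discussed in this thread. $Server and the Test-NameCovered helper are assumptions of this example.

```powershell
# Added example, not from the thread: compare the names internal Outlook clients
# use with the certificate Exchange has enabled for IIS. Run in the Exchange
# Management Shell. $Server (a CAS name) and Test-NameCovered are assumptions.
param([string]$Server = $env:COMPUTERNAME)

# Does a certificate name cover a host name? A wildcard such as *.domain.com
# covers exactly one extra label (mail.domain.com, not a.b.domain.com).
function Test-NameCovered([string]$Name, [string[]]$CertNames) {
    foreach ($cn in $CertNames) {
        if ($cn -eq $Name) { return $true }
        if ($cn.StartsWith('*.') -and $Name -match '^[^.]+\.(.+)$' -and
            $Matches[1] -eq $cn.Substring(2)) { return $true }
    }
    return $false
}

# Names Outlook contacts internally: the RPC Client Access endpoint (CAS array
# name on each mailbox database), Autodiscover SCP, EWS and OAB internal URLs.
$internalNames = @()
$internalNames += Get-MailboxDatabase | ForEach-Object { $_.RpcClientAccessServer }
$internalNames += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri.Host
$internalNames += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl.Host }
$internalNames += Get-OabVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl.Host }
$internalNames = $internalNames | Where-Object { $_ } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique

# The certificate(s) bound to IIS on this CAS, i.e. what Outlook actually sees
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' }
$certNames = $iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique

foreach ($c in $iisCerts) {
    # A self-signed certificate here is the "company you have not chosen to trust" in the prompt
    "IIS certificate: {0}  SelfSigned={1}  Expires={2}" -f $c.Subject, $c.IsSelfSigned, $c.NotAfter
}
foreach ($n in $internalNames) {
    if (Test-NameCovered $n $certNames) { "OK       $n" }
    else { "MISMATCH $n is not on the IIS certificate; Outlook will warn" }
}
```

Note that a certificate can pass this name check and still prompt if the client does not trust its issuing CA, so the SelfSigned line is the one to read first.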
As stated, your external certificate is OK, but communications internally are using a self-signed certificate that was installed automatically when you installed Exchange.

Options are to get a new public cert with the internal CAS array and Autodiscover names added to it, or install a Public Key Infrastructure (PKI) to generate your own certificates. You configure your clients to auto-enrol a domain cert and then secure internal traffic with this. It's more effort, and my preferred solution is to get the internal names added to the public certificate.
leporej092170 (Author) commented:
Thanks for the help!