Exchange 2013, Outlook Profile, and security certificate


I installed Exchange 2013 and I installed SSL. From outside of the network, I can connect to the Exchange Server with Outlook using autodiscover. When I connect to the Exchange Server using autodiscover, I believe I establish a secure connection and the SSL certificates are trusted. So, everything seems to be working fine.

But, when I am inside of the network and when I use autodiscover, I get a security alert warning saying:
information you exchange with this site cannot be viewed or changed... there is a problem with the site's security certificate... do you want to proceed?

What do I need to change inside of the network so that my Outlook profile is trusted when I use autodiscover?

By the way, I do not have any DNS records for autodiscover in my server's DNS. If I need to do something here, please be specific.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
You need to change the URLs in Exchange to work with the external host name.
That will also require a split DNS.
The Exchange 2010 version of my article applies here:
The script at the end does work.

Must get round to completing the Exchange 2013 version.

jhiebAuthor Commented:
Thanks. My internal and external URLs are already set to be the same. Externally, I am using, and this is what autodiscover uses. Internally, I noticed that I a reverse DNS entry for an internal IP address that is for mail, also. Do you think this reverse DNS entry is conflicting with my external DNS entry? If so, should I remove the internal mail reverse DNS entry?
Simon Butler (Sembee)ConsultantCommented:
Are you sure you have got them all - including the ones in Shell only? The error you are getting would suggest that either you have missed one, or your DNS is wrong so the external name doesn't resolve internally to the correct place.

A reverse DNS entry will not be the cause of this.

What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

jhiebAuthor Commented:
I will check this in a day or two. I am side tracked because of another project. Thanks.
jhiebAuthor Commented:
When I setup my URLs, I used the following Microsoft article. My settings are the same as in this article. The Internal and External URL's are the same. I also used the PowerShell example in this article to make sure my internal URL's were the same as the external URLs.

I compared my URL's with your URL script. The only difference is autodiscover. In my environment, autodiscover is set to the default web site so there is no external URL displayed. When I look at the ECP for Exchange 2013, there is no URL shown.

This is why I was thinking this was a reverse DNS issue. What do you think the Internal Autodiscover setting should be?
Simon Butler (Sembee)ConsultantCommented:
You haven't included any Microsoft article link, so I don't know what you were following.
My script doesn't set the Autodiscover virtual directories - those should be left as default.
If you haven't changed the value on the CAS Server role then that will cause the problems you see.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

If that is the default value, which is the server name, then you need to change it to match the host name on your SSL certificate.

jhiebAuthor Commented:
Here is the link:

I ran the command you gave and here is what the results are:

The path shows my server name like you thought. Where do I change the value of my CAS server role?
Simon Butler (Sembee)ConsultantCommented:
As with most things with Exchange 2010, change the get to set

set-clientaccessserver -identity servername -AutodiscoverServiceInternalURI

or follow the guide I posted in my first answer.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.