Microsoft Exchange 2013, Outlook 2012 invalid security certificate

So a couple of weeks ago, seemingly at random, the majority of my Outlook clients stopped working. When Outlook is launched there is an error related to the security certificate: "There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server XXXXXXX. (Error Code 8)."

I don't know where I need to go to fix this. The mail server uses a self-signed/generated certificate. We use autodiscovery to configure the Outlook clients. I'm sure it is something easy, but I can't figure it out. In the meantime we have been manually installing the certificate on all the client machines and putting it in the Trusted Root Authority store. The certificate has been in place for at least a year and we used it, installed new Outlook clients, and added new users without any issue or errors. Now we get this error every time for every profile, even on machines that already had the certificate manually installed for a different user.

What do I need to change to fix this? I thought about forcefully installing the certificate via a command in a login script, but I figure there has to be an easier way on the server or related to autodiscovery to fix this.

Kevin Castleman (IT Administrator) asked:

arnold commented:
Check your DCs that serve up the autodiscovery/autodiscover XML to make sure they have valid certs.
I recently answered a question about a similar issue; the asker located the cause at HTTPS://ADmdomain/autodiscover/autodiscover.xml.

Will post the link to that post when I can find it.
0
Kevin Castleman (IT Administrator, Author) commented:
I added the mail server's self-generated cert to the Trusted Root Certification Authorities on both my domain controllers. I get the same error. Do I need to store them somewhere else?
0
arnold commented:
Are you pushing those self-signed certs as trusted within a GPO to all clients?
0

Kevin Castleman (IT Administrator, Author) commented:
Actually, yes we are. The cert is there in the GPO under Trusted Root Certification Authorities and shows as expiring on 9/5/2018.
0
arnold commented:
There are several points where this issue can come from.
One is direct access to the Exchange server; the other deals with autodiscovery.

See if you get a certificate error in the browser at HTTPS://ADmdomain.com/autodiscover/.
0
Kevin Castleman (IT Administrator, Author) commented:
I'm sorry, I may be missing something. I click that link and nothing happens. I tried changing it to https://myinternaldomain.local/autodiscover/ and https://myexternaldomain.com/autodiscover/ and neither replied with results.
0
arnold commented:
That was a try.
Identify the connections your email clients make and then look at the cert.

I.e. the certificate is for the Exchange server name, but the access from the client is to a different name. This will create a name mismatch that pushing the self-signed certificate as trusted will not resolve.
0
Kevin Castleman (IT Administrator, Author) commented:
OK, so how do I fix that? It was working for over a year without any issue. Then something updated and now all I get is errors.
0
arnold commented:
Without knowing where the issue is: i.e., did you renew/regenerate a new self-signed certificate this year and use the system's name versus the one you used before?
0
Kevin Castleman (IT Administrator, Author) commented:
I didn't do either. It just stopped working one day. I didn't renew the cert, nor did I regenerate a new one. If we can't troubleshoot the setup as it is, what is the process to create/use a new one so that I don't get these errors?
0
arnold commented:
Where is the issue? Double-check the account setup within Outlook to see what host is being used. Then look to see whether the certificate of that host:port matches the name and is not expired.
0
Kevin Castleman (IT Administrator, Author) commented:
That is my question: where is the issue? It is all accounts, new or old.

The cert matches the name of the mail server. It is not expired. I guess I don't understand or know what's missing.
0
arnold commented:
Look at your Outlook account configuration. Is it configured through a GPO? Double-check what host it points to versus what certificate is there.

Let's say you have mail.youraddomain.local and the certificate matches that, but in the GPO to auto-configure users you are pushing "exchange", which also resolves to the same IP.

This will trigger a name mismatch. Does the error/warning indicate what the issue with the certificate is?
0
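The check arnold describes in the two comments above (find the host name Outlook is actually configured to use, then see whether the certificate served at that host:port carries that name and has not expired) as an added Python example; this is not code from the thread or from any participant. The live check in `fetch_cert` needs network access to the server and, optionally, a PEM export of the self-signed certificate so the chain verifies the way a GPO-configured client sees it; `SAMPLE_CERT`, `mail.corp.local` and `autodiscover.corp.local` are constructed values, not names from the question.

```python
import socket
import ssl
import sys
import time

# Constructed sample, shaped like ssl.SSLSocket.getpeercert(): a self-signed
# cert issued for the Exchange server's AD name plus an autodiscover alias.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.corp.local"),),),
    "subjectAltName": (("DNS", "mail.corp.local"),
                       ("DNS", "autodiscover.corp.local")),
    "notBefore": "Sep  5 00:00:00 2017 GMT",
    "notAfter": "Sep  5 23:59:59 2018 GMT",
}


def cert_names(cert):
    """Host names a client will accept: SAN DNS entries if present, else the CN."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]


def check_cert(cert, hostname, now=None):
    """Report which names the cert is valid for, whether the name the client
    connects to is among them, and whether the cert has expired."""
    now = time.time() if now is None else now
    names = cert_names(cert)
    return {
        "names": names,
        "name_matches": any(name_matches(n, hostname) for n in names),
        "expires": cert["notAfter"],
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }


def fetch_cert(host, port=443, cafile=None, timeout=5):
    """TLS handshake with host:port; returns (cert_dict, None) or (None, reason).
    cafile: PEM export of the self-signed cert (the one the GPO pushes), so the
    chain verifies as a domain client would see it. Host-name checking is left
    to check_cert() so a mismatch is reported rather than aborting the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as e:
        return None, "chain not trusted: " + str(e.verify_message)
    except OSError as e:
        return None, "connection failed: " + str(e)


if __name__ == "__main__":
    # usage: python check_cert.py <host from the Outlook profile> [exported-cert.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.corp.local"  # constructed default
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    cert, err = fetch_cert(host, 443, cafile)
    print(err if err else check_cert(cert, host))
```

Run it once with the name from the Outlook profile and once with the name autodiscover hands out: a result with `name_matches` false while the chain verifies is exactly the mismatch described above (the client uses a short name such as `exchange` while the cert was issued for the server's FQDN), and a "chain not trusted" result means the self-signed cert is not in the store the check is using, which is the other failure the thread discusses.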
Simon Butler (Sembee) (Consultant) commented:
The first problem is using the self-signed certificate.
Those are not designed or supported for production use. You should really have a trusted SSL certificate on the server. When you can get a suitable certificate for less than $70/year, it doesn't make any sense to do anything else.

Once you have the certificate sorted out, you then need to correct the configuration of Exchange to support the new SSL certificate. Again easily done, but you need to be consistent with the configuration.

Exchange 2013 uses SSL exclusively; it is not an optional feature.
http://semb.ee/hostnames2013

Simon.
0
Kevin Castleman (IT Administrator, Author) commented:
OK. Well, the short version is I regenerated the security certificate and re-applied it to the mail server, AD controllers, and in the GPO. It seems to be working now. I couldn't ever figure out what was wrong or what went wrong, so I just started over from scratch.

It's funny that you say not to use a self-signed certificate. The server was originally set up and configured by Microsoft themselves, and they set up the self-signed cert and never told us we should buy one.

Thanks for everyone's help.
0