Getting (Proxy server's security certificate) errors 18 and 10

Haytham Qassas
Hello experts,

We have installed a new Exchange 2013 on a new Win 2012 server. The older Exchange is 2010 on a Win 2008R2 server.

We plan to uninstall the old Exchange 2010 later; right now we have all mailboxes migrated to the new Exchange.

Now both mobile app access and OWA are working well. We have the issue only with desktop Outlook. For a few users only it's working well; almost 90% of users are receiving the famous message:

There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server mail.ourdomain.com. (Error code 18).

BTW, we don't have any signed certificate; we are only using the self-signed ones which are set up automatically upon installation of Exchange.

Any help solving this?

Commented:
The answer is in the error you provided:

"The security certificate is not from a trusted certifying authority"

If you're using a self-signed cert you should get used to this error.  Purchase a UCC cert from a 3rd party CA like GoDaddy and include autodiscover and mail/owa/email/exchange or whatever you plan on using as the default.

https://www.godaddy.com/web-security/ssl-certificate
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
You cannot add internal names in your 3rd party certificate in the near future.
If you are looking for a cheap certificate, buy from namecheap.com.
Commented:
No, you specifically need a UCC cert to cover multiple domains - autodiscover.domain.com and (for instance) mail.domain.com. You don't technically require the autodiscover subdomain if you're using SRV records for Autodiscover, so you might actually be able to get away with a non-UCC cert. However, do you really want to paint yourself into a corner by only covering mail.domain.com when the difference is ~$100/yr?

Your only other option would be to configure an Enterprise Certificate Authority in your Active Directory domain and issue certs using that. Note this will work for OWA but not Outlook if you plan on using it off your corporate network. The self-signed cert that comes pre-installed is fine for server auth internally, but not nearly secure enough for client authentication.
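
Added example (not part of any poster's reply): a small Python check of the two things the answers above turn on, whether a certificate is self-issued and whether its subject alternative names cover every host name Outlook will connect to. The certificates are constructed samples shaped like the output of `ssl.SSLSocket.getpeercert()`; `autodiscover.ourdomain.com`, the internal server names and the CA name are assumptions made for illustration.

```python
# Constructed sample data only; nothing here is taken from the poster's servers.

def name(rdns, key="commonName"):
    """Pull one attribute (default CN) out of a getpeercert()-style name."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def san_matches(pattern, host):
    """Match a DNS SAN against a host; '*' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def audit(cert, required_names):
    """Report issuer, self-issued status and required names the SANs miss."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return {
        "issuer": name(cert["issuer"]),
        # subject == issuer: self-issued, so there is no CA chain to trust.
        # (Proving self-signed also needs a signature check, omitted here.)
        "self_issued": cert["subject"] == cert["issuer"],
        "missing": [n for n in required_names
                    if not any(san_matches(s, n) for s in sans)],
    }

def make(subject_cn, issuer_cn, *dns):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", d) for d in dns)}

# Names Outlook needs when Autodiscover uses its own host name (assumption).
REQUIRED = ["mail.ourdomain.com", "autodiscover.ourdomain.com"]

SELF_SIGNED = make("EXCH2013", "EXCH2013",
                   "EXCH2013", "EXCH2013.ourdomain.local")
UCC = make("mail.ourdomain.com", "Example Public CA",
           "mail.ourdomain.com", "autodiscover.ourdomain.com")
SINGLE = make("mail.ourdomain.com", "Example Public CA", "mail.ourdomain.com")

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("UCC", UCC),
                        ("single-name", SINGLE)):
        print(label, audit(cert, REQUIRED))
```

The single-name certificate passes only when the required list is reduced to `mail.ourdomain.com`, which is the SRV-record case described in the last reply.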
