Getting (Proxy server's security certificate) errors 18 and 10

Hello experts,

We have installed a new Exchange 2013 on a new Win 2012 server. The older Exchange is 2010 on a Win 2008R2 server.

We plan to uninstall the old Exchange 2010 later; right now we have all mailboxes migrated to the new Exchange.

Now both mobile app access and OWA are working well. We have the issue only with desktop Outlook. It is working well for only a few users; almost 90% of users are receiving the famous message:

There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server mail.ourdomain.com. (Error code 18).

BTW, we don't have any signed certificate; we are only using the self-signed ones which are set up automatically upon installation of Exchange.

Any help solving this?
Haytham Qassas Asked:

Jason Crawford (Transport Ninja) Commented:
The answer is in the error you provided:

"The security certificate is not from a trusted certifying authority"

If you're using a self-signed cert you should get used to this error. Purchase a UCC cert from a 3rd party CA like GoDaddy and include autodiscover and mail/owa/email/exchange or whatever you plan on using as the default.

https://www.godaddy.com/web-security/ssl-certificate
Haytham Qassas (Author) Commented:
MASEE Solution Guide - Technical Dept Head Commented:
You cannot add internal names in your 3rd party certificate in the near future.
If you are looking for a cheap certificate, buy from namecheap.com.
Jason Crawford (Transport Ninja) Commented:
No, you specifically need a UCC cert to cover multiple domains - autodiscover.domain.com and (for instance) mail.domain.com. You don't technically require the autodiscover subdomain if you're using SRV records for Autodiscover, so you might actually be able to get away with a non-UCC cert. However, do you really want to paint yourself into a corner by only covering mail.domain.com when the difference is ~$100/yr?

Your only other option would be to configure an Enterprise Certificate Authority in your Active Directory domain and issue certs using that. Note this will work for OWA but not Outlook if you plan on using it off your corporate network. The self-signed cert that comes pre-installed is fine for server auth internally, but not nearly secure enough for client authentication.
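
An added example, not part of the thread: a PowerShell check of whether the certificate bound to IIS is self-signed and whether its names cover the hosts Outlook connects to, which is the gap the replies above describe. The function name, the autodiscover host name and the sample certificate objects are assumptions constructed for illustration. It checks name coverage and the self-signed flag only, not whether clients trust the issuing CA.

```powershell
# Added example. Host names and certificate objects below are constructed.
function Test-CertNameCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredNames,
        [Parameter(Mandatory)] [object[]] $Certificates
    )
    foreach ($cert in $Certificates) {
        # Only the certificate bound to IIS is presented to Outlook, OWA and ActiveSync.
        if ("$($cert.Services)" -notmatch 'IIS') { continue }

        $missing = @(foreach ($name in $RequiredNames) {
            $covered = $false
            foreach ($san in $cert.CertificateDomains) {
                $san = "$san"
                # Exact match (-eq is case-insensitive), or a wildcard covering one label.
                if ($san -eq $name) { $covered = $true; break }
                if ($san.StartsWith('*.') -and $name.Contains('.') -and
                    $name.Substring($name.IndexOf('.')) -eq $san.Substring(1)) {
                    $covered = $true; break
                }
            }
            if (-not $covered) { $name }
        })

        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            IsSelfSigned = [bool]$cert.IsSelfSigned
            MissingNames = $missing -join ', '
            NeedsAction  = ([bool]$cert.IsSelfSigned -or ($missing.Count -gt 0))
        }
    }
}

# mail.ourdomain.com comes from the error text; the autodiscover name is assumed.
$names = 'mail.ourdomain.com', 'autodiscover.ourdomain.com'

# Constructed stand-ins for Get-ExchangeCertificate output (placeholder thumbprints).
$sample = @(
    [pscustomobject]@{ Thumbprint = 'SELFSIGNED-PLACEHOLDER'; IsSelfSigned = $true
                       Services = 'IMAP, POP, IIS, SMTP'
                       CertificateDomains = 'EX2013', 'EX2013.corp.example' }
    [pscustomobject]@{ Thumbprint = 'UCC-PLACEHOLDER'; IsSelfSigned = $false
                       Services = 'IIS'
                       CertificateDomains = 'mail.ourdomain.com', 'autodiscover.ourdomain.com' }
)
Test-CertNameCoverage -RequiredNames $names -Certificates $sample | Format-Table -AutoSize

# On the server: Test-CertNameCoverage -RequiredNames $names -Certificates (Get-ExchangeCertificate)
```

With the constructed data, the first certificate is flagged (self-signed, both names missing) and the second is not.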
