Solved

Exchange 2013 - Outlook client security alert

Posted on 2016-09-02
3
34 Views
Last Modified: 2016-09-21
Hello,

We have recently inherited a network which includes an Exchange 2013 server running on a Windows 2012 server.  

We noted that all users receive the following notification when they launch Outlook.

Security Alert
2012ex.domain.local
Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's certificate.
OK: The security certificate is from a trusting certifying authority.
OK: The security certificate is valid.
X: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed.

Once the user proceeds, everything works normally.  

When I access OWA from the Internet, I see a different certificate and everything appears to be working normally.

Is this an issue with autodiscover needing to be toggled to use the correct Service Connection Point?  

Running Get-ClientAccessServer | FL Name,AutoDiscoverServiceInternalURI returns the following:
AutoDiscoverServiceInternalUri : https://2012ex.dpg.local/autodiscover/autodiscover.xml

Please advise.

Thanks in advance.

Regards,
Real-Timer
0
Comment
Question by:realtimer
  • 2
3 Comments
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41781822
Yeah. This is your Active Directory Autodiscover SCP being configured wrong. This will impact domain joined clients on your LAN. http://wp.me/pUCB5-7X explains the concept and a couple ways to fix it.
0
 
LVL 15

Accepted Solution

by:
Todd Nelson earned 400 total points (awarded by participants)
ID: 41781927
From you Exchange server, run this command in the Exchange Management Shell...

Get-ExchangeServer | Get-ClientAccessServer | fl identity,*uri*

Open in new window


In all likelihood the output will look something like this...

Identity:  "ExchangeServerName"
AutoDiscoverServiceInternalUri:  https://2012ex.dpg.local/autodiscover/autodiscover.xml

Open in new window

The value for AutoDiscoverServiceInternalUri contains a name (2012ex.dpg.local) that does not exist in your certificate.  And that is why your Outlook clients are receiving the security pop-up.

The supported way to update the AutoDiscoverServiceInternalUri value is through the Exchange Management Shell, using the Set-ClientAccessServer command.  Similar to this...

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml

Open in new window


Check the names in your certificate issued by a public CA.  If it is a UCC/SAN certificate, you may have multiple FQDNs set for the subject alternative name.  If it is a wildcard certificate, it will most likely contain *.mydomain.com as the only FQDN for the subject alternative name.  If it is a standard certificate, it will only have one FQDN as the subject alternative name.

If you only have one name, then match the value you set for AutoDiscoverServiceInternalUri with that name.

I recommend at least two names in the certificate.  One for OWA and one for autodiscover.  But you can make it work with only one name if your Exchange organization is small.
0
 
LVL 15

Expert Comment

by:Todd Nelson
ID: 41808391
The answers provided should provide you with enough information for a successful solution.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article explains how to install and use the NTBackup utility that comes with Windows Server.
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video discusses moving either the default database or any database to a new volume.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question