Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Exchange 2013 - Outlook client security alert

Posted on 2016-09-02
3
Medium Priority
?
43 Views
Last Modified: 2016-09-21
Hello,

We have recently inherited a network which includes an Exchange 2013 server running on a Windows 2012 server.  

We noted that all users receive the following notification when they launch Outlook.

Security Alert
2012ex.domain.local
Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's certificate.
OK: The security certificate is from a trusting certifying authority.
OK: The security certificate is valid.
X: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed.

Once the user proceeds, everything works normally.  

When I access OWA from the Internet, I see a different certificate and everything appears to be working normally.

Is this an issue with autodiscover needing to be toggled to use the correct Service Connection Point?  

Running Get-ClientAccessServer | FL Name,AutoDiscoverServiceInternalURI returns the following:
AutoDiscoverServiceInternalUri : https://2012ex.dpg.local/autodiscover/autodiscover.xml

Please advise.

Thanks in advance.

Regards,
Real-Timer
0
Comment
Question by:realtimer
  • 2
3 Comments
 
LVL 44

Assisted Solution

by:Adam Brown
Adam Brown earned 400 total points (awarded by participants)
ID: 41781822
Yeah. This is your Active Directory Autodiscover SCP being configured wrong. This will impact domain joined clients on your LAN. http://wp.me/pUCB5-7X explains the concept and a couple ways to fix it.
0
 
LVL 17

Accepted Solution

by:
Todd Nelson earned 1600 total points (awarded by participants)
ID: 41781927
From you Exchange server, run this command in the Exchange Management Shell...

Get-ExchangeServer | Get-ClientAccessServer | fl identity,*uri*

Open in new window


In all likelihood the output will look something like this...

Identity:  "ExchangeServerName"
AutoDiscoverServiceInternalUri:  https://2012ex.dpg.local/autodiscover/autodiscover.xml

Open in new window

The value for AutoDiscoverServiceInternalUri contains a name (2012ex.dpg.local) that does not exist in your certificate.  And that is why your Outlook clients are receiving the security pop-up.

The supported way to update the AutoDiscoverServiceInternalUri value is through the Exchange Management Shell, using the Set-ClientAccessServer command.  Similar to this...

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml

Open in new window


Check the names in your certificate issued by a public CA.  If it is a UCC/SAN certificate, you may have multiple FQDNs set for the subject alternative name.  If it is a wildcard certificate, it will most likely contain *.mydomain.com as the only FQDN for the subject alternative name.  If it is a standard certificate, it will only have one FQDN as the subject alternative name.

If you only have one name, then match the value you set for AutoDiscoverServiceInternalUri with that name.

I recommend at least two names in the certificate.  One for OWA and one for autodiscover.  But you can make it work with only one name if your Exchange organization is small.
0
 
LVL 17

Expert Comment

by:Todd Nelson
ID: 41808391
The answers provided should provide you with enough information for a successful solution.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
As a Microsoft Exchange user, you must have known the importance of an Offline storage table (OST) file. It is nothing new for an Outlook user to be dependent on a .ost file during a server break down or a problematic Internet connection. In such a…
This video discusses moving either the default database or any database to a new volume.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question