Solved

Exchange 2013 - Outlook client security alert

Posted on 2016-09-02
3
30 Views
Last Modified: 2016-09-21
Hello,

We have recently inherited a network which includes an Exchange 2013 server running on a Windows 2012 server.  

We noted that all users receive the following notification when they launch Outlook.

Security Alert
2012ex.domain.local
Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's certificate.
OK: The security certificate is from a trusting certifying authority.
OK: The security certificate is valid.
X: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed.

Once the user proceeds, everything works normally.  

When I access OWA from the Internet, I see a different certificate and everything appears to be working normally.

Is this an issue with autodiscover needing to be toggled to use the correct Service Connection Point?  

Running Get-ClientAccessServer | FL Name,AutoDiscoverServiceInternalURI returns the following:
AutoDiscoverServiceInternalUri : https://2012ex.dpg.local/autodiscover/autodiscover.xml

Please advise.

Thanks in advance.

Regards,
Real-Timer
0
Comment
Question by:realtimer
  • 2
3 Comments
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41781822
Yeah. This is your Active Directory Autodiscover SCP being configured wrong. This will impact domain joined clients on your LAN. http://wp.me/pUCB5-7X explains the concept and a couple ways to fix it.
0
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 400 total points (awarded by participants)
ID: 41781927
From you Exchange server, run this command in the Exchange Management Shell...

Get-ExchangeServer | Get-ClientAccessServer | fl identity,*uri*

Open in new window


In all likelihood the output will look something like this...

Identity:  "ExchangeServerName"
AutoDiscoverServiceInternalUri:  https://2012ex.dpg.local/autodiscover/autodiscover.xml

Open in new window

The value for AutoDiscoverServiceInternalUri contains a name (2012ex.dpg.local) that does not exist in your certificate.  And that is why your Outlook clients are receiving the security pop-up.

The supported way to update the AutoDiscoverServiceInternalUri value is through the Exchange Management Shell, using the Set-ClientAccessServer command.  Similar to this...

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml

Open in new window


Check the names in your certificate issued by a public CA.  If it is a UCC/SAN certificate, you may have multiple FQDNs set for the subject alternative name.  If it is a wildcard certificate, it will most likely contain *.mydomain.com as the only FQDN for the subject alternative name.  If it is a standard certificate, it will only have one FQDN as the subject alternative name.

If you only have one name, then match the value you set for AutoDiscoverServiceInternalUri with that name.

I recommend at least two names in the certificate.  One for OWA and one for autodiscover.  But you can make it work with only one name if your Exchange organization is small.
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41808391
The answers provided should provide you with enough information for a successful solution.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
If you don't know how to downgrade, my instructions below should be helpful.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now