Solved

Exchange 2013 - Outlook client security alert

Posted on 2016-09-02
Last Modified: 2016-09-21
Hello,

We have recently inherited a network which includes an Exchange 2013 server running on a Windows 2012 server.  

We noted that all users receive the following notification when they launch Outlook.

Security Alert
2012ex.domain.local
Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's certificate.
OK: The security certificate is from a trusting certifying authority.
OK: The security certificate is valid.
X: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed.

Once the user proceeds, everything works normally.  

When I access OWA from the Internet, I see a different certificate and everything appears to be working normally.

Is this an issue with autodiscover needing to be toggled to use the correct Service Connection Point?  

Running Get-ClientAccessServer | FL Name,AutoDiscoverServiceInternalURI returns the following:
AutoDiscoverServiceInternalUri : https://2012ex.dpg.local/autodiscover/autodiscover.xml

Please advise.

Thanks in advance.

Regards,
Real-Timer
Question by:realtimer
3 Comments
 
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 100 total points (awarded by participants)
ID: 41781822
Yeah. This is your Active Directory Autodiscover SCP being configured wrong. This will impact domain joined clients on your LAN. http://wp.me/pUCB5-7X explains the concept and a couple ways to fix it.
0
 
LVL 16

Accepted Solution

by:
Todd Nelson earned 400 total points (awarded by participants)
ID: 41781927
From your Exchange server, run this command in the Exchange Management Shell...

Get-ExchangeServer | Get-ClientAccessServer | fl identity,*uri*

In all likelihood the output will look something like this...

Identity:  "ExchangeServerName"
AutoDiscoverServiceInternalUri:  https://2012ex.dpg.local/autodiscover/autodiscover.xml

The value for AutoDiscoverServiceInternalUri contains a name (2012ex.dpg.local) that does not exist in your certificate.  And that is why your Outlook clients are receiving the security pop-up.

The supported way to update the AutoDiscoverServiceInternalUri value is through the Exchange Management Shell, using the Set-ClientAccessServer command.  Similar to this...

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml

Check the names in your certificate issued by a public CA.  If it is a UCC/SAN certificate, you may have multiple FQDNs set for the subject alternative name.  If it is a wildcard certificate, it will most likely contain *.mydomain.com as the only FQDN for the subject alternative name.  If it is a standard certificate, it will only have one FQDN as the subject alternative name.

If you only have one name, then match the value you set for AutoDiscoverServiceInternalUri with that name.

I recommend at least two names in the certificate.  One for OWA and one for autodiscover.  But you can make it work with only one name if your Exchange organization is small.
0
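
The name check described in the accepted answer, as an added example that is not part of the original post: it compares the host name in each Autodiscover SCP URI with the names in a certificate, including the one-label rule for wildcard entries. The function names Test-CertificateNameMatch and Get-ScpNameReport are hypothetical, and the SAN list is constructed sample input.

```powershell
# Added example: is the host in an Autodiscover SCP URI covered by the
# names (SANs) in the certificate that Exchange presents to Outlook?
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string[]] $CertificateNames
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $CertificateNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        # Exact match on the full host name
        if ($n -eq ($hostLabels -join '.')) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.mydomain.com matches mail.mydomain.com, but not
        # a.b.mydomain.com and not mydomain.com itself.
        if ($n.StartsWith('*.') -and $hostLabels.Count -ge 2) {
            $parent = $hostLabels[1..($hostLabels.Count - 1)] -join '.'
            if ($n.Substring(2) -eq $parent) { return $true }
        }
    }
    return $false
}

function Get-ScpNameReport {
    param([string[]] $ScpUris, [string[]] $CertificateNames)
    foreach ($uri in $ScpUris) {
        $hostName = ([System.Uri]$uri).Host
        [pscustomobject]@{
            ScpUri               = $uri
            Host                 = $hostName
            CoveredByCertificate = Test-CertificateNameMatch `
                -HostName $hostName -CertificateNames $CertificateNames
        }
    }
}

# Constructed sample input: the SCP value from the thread, the suggested
# replacement, and an assumed two-name SAN list (OWA + autodiscover).
$scp  = 'https://2012ex.dpg.local/autodiscover/autodiscover.xml',
        'https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml'
$sans = 'mail.mydomain.com', 'autodiscover.mydomain.com'
Get-ScpNameReport -ScpUris $scp -CertificateNames $sans | Format-Table -AutoSize

# On an Exchange server, feed it live values instead:
# $scp  = (Get-ClientAccessServer).AutoDiscoverServiceInternalUri.AbsoluteUri
# $sans = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
#         ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
```

Any row where CoveredByCertificate is False is an SCP value that will produce the name-mismatch prompt for domain-joined Outlook clients.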
 
LVL 16

Expert Comment

by:Todd Nelson
ID: 41808391
The answers provided should provide you with enough information for a successful solution.
0


Question has a verified solution.
