[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Exchange 2013 - Outlook client security alert

Posted on 2016-09-02
3
Medium Priority
?
40 Views
Last Modified: 2016-09-21
Hello,

We have recently inherited a network which includes an Exchange 2013 server running on a Windows 2012 server.  

We noted that all users receive the following notification when they launch Outlook.

Security Alert
2012ex.domain.local
Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's certificate.
OK: The security certificate is from a trusting certifying authority.
OK: The security certificate is valid.
X: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed.

Once the user proceeds, everything works normally.  

When I access OWA from the Internet, I see a different certificate and everything appears to be working normally.

Is this an issue with autodiscover needing to be toggled to use the correct Service Connection Point?  

Running Get-ClientAccessServer | FL Name,AutoDiscoverServiceInternalURI returns the following:
AutoDiscoverServiceInternalUri : https://2012ex.dpg.local/autodiscover/autodiscover.xml

Please advise.

Thanks in advance.

Regards,
Real-Timer
0
Comment
Question by:realtimer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 400 total points (awarded by participants)
ID: 41781822
Yeah. This is your Active Directory Autodiscover SCP being configured wrong. This will impact domain joined clients on your LAN. http://wp.me/pUCB5-7X explains the concept and a couple ways to fix it.
0
 
LVL 16

Accepted Solution

by:
Todd Nelson earned 1600 total points (awarded by participants)
ID: 41781927
From you Exchange server, run this command in the Exchange Management Shell...

Get-ExchangeServer | Get-ClientAccessServer | fl identity,*uri*

Open in new window


In all likelihood the output will look something like this...

Identity:  "ExchangeServerName"
AutoDiscoverServiceInternalUri:  https://2012ex.dpg.local/autodiscover/autodiscover.xml

Open in new window

The value for AutoDiscoverServiceInternalUri contains a name (2012ex.dpg.local) that does not exist in your certificate.  And that is why your Outlook clients are receiving the security pop-up.

The supported way to update the AutoDiscoverServiceInternalUri value is through the Exchange Management Shell, using the Set-ClientAccessServer command.  Similar to this...

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://autodiscover.MyDomain.com/Autodiscover/Autodiscover.xml

Open in new window


Check the names in your certificate issued by a public CA.  If it is a UCC/SAN certificate, you may have multiple FQDNs set for the subject alternative name.  If it is a wildcard certificate, it will most likely contain *.mydomain.com as the only FQDN for the subject alternative name.  If it is a standard certificate, it will only have one FQDN as the subject alternative name.

If you only have one name, then match the value you set for AutoDiscoverServiceInternalUri with that name.

I recommend at least two names in the certificate.  One for OWA and one for autodiscover.  But you can make it work with only one name if your Exchange organization is small.
0
 
LVL 16

Expert Comment

by:Todd Nelson
ID: 41808391
The answers provided should provide you with enough information for a successful solution.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question