Solved

Exchange 2013/365 Hybrid Autodiscover Certificate Warning

Posted on 2016-10-02
6
59 Views
Last Modified: 2016-10-15
We have an Exchange 2013/365 Hybrid with:
3x Exchange 2007 servers
2x Exchange 2013 servers, one of which is the Hybrid and MRS endpoint
An Office365 Tenancy
Azure AD Sync with password sync (not ADFS)

As it is in hybrid, the Autodiscover DNS records point to the on prem 2013 server as is required.

Some users, when their mailbox migrated to Office365, receive a certificate warning as per the below picture.  

This is probably from the Autodiscover redirect, when the autodiscover service in Exchange 2013 redirects the client to the Office365 Exchange instance.

Screenshot of cert warning
How can we correct this?

Also note, the certificate does not have the usual chain of root CA -> intermediate CA -> cert as I would expect:
No Certificate Chain
0
Comment
Question by:wokwon
  • 3
  • 2
6 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 500 total points
ID: 41825702
You just need to add the correct Root CA certificate to your machines. For the machines that are outside of the domain this process need to be completed manually, but for all the computers within your domain you can add it automatically following this process:

1. Identify the Root CA certificate that you need and ensure having it within a file (You might need to export it from a computer that already has it or download it from the Internet).

2. Open Group Policy Management Console.

3. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

4. Right-click the GPO, and then select Edit.

5. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6. Click the Action menu, and then click Import.

7. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
0
 

Author Comment

by:wokwon
ID: 41825823
Hi schnellsolitions, thank you for the tip.  My concern is around why doesn't the cert have an issuer?  Why is it a single cert by itself and why does this only happen on some computers in the organisation?

PS: This company uses a Bluecoat in transparent proxy mode.  I've asked the network team if it's doing SSL inspection.
0
 
LVL 11

Expert Comment

by:Kevin k
ID: 41826105
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41826450
The Trusted Root CA list can vary from computer to computer depending on one of these elements:
- System updates/patches.
- Certificate deployments (i.e. GPO, System Center Configuration Manager, Automatic scripts, etc)
- Manual installation of the certificate

According to one of the previous points, that certificate can or cannot be valid for one specific device.
0
 

Accepted Solution

by:
wokwon earned 0 total points
ID: 41837756
It turned out that the SSL inspection on the Bluecoats was turned on, even though the network team claimed it was off.  It was doing a MITM on the traffic.

I got them to disable the interception and the problem went away.

The tip off was the certificate issuer, which instead of being Verisign or Geotrust or etc, was something like "SSL-SY-01".  Thats why there was no chain of trust in the screenshot above.
0
 

Author Closing Comment

by:wokwon
ID: 41844865
The other solutions were not correct and did not directly answer the specific question.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office Picture Manager was included in Office 2003, 2007, and 2010, but not in Office 2013. Users had hopes that it would be in Office 2016/Office 365, but it is not. Fortunately, the same zero-cost technique that works to install it with …
Many people use more than one email account and so it becomes difficult for them to manage them when they use separate accounts,  so, in this article, I have shared an easy way to add Other Mail Accounts in your Google Inbox. It helps to combine all…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question