Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Exchange 2013/365 Hybrid Autodiscover Certificate Warning

Posted on 2016-10-02
6
Medium Priority
?
198 Views
Last Modified: 2016-10-15
We have an Exchange 2013/365 Hybrid with:
3x Exchange 2007 servers
2x Exchange 2013 servers, one of which is the Hybrid and MRS endpoint
An Office365 Tenancy
Azure AD Sync with password sync (not ADFS)

As it is in hybrid, the Autodiscover DNS records point to the on prem 2013 server as is required.

Some users, when their mailbox migrated to Office365, receive a certificate warning as per the below picture.  

This is probably from the Autodiscover redirect, when the autodiscover service in Exchange 2013 redirects the client to the Office365 Exchange instance.

Screenshot of cert warning
How can we correct this?

Also note, the certificate does not have the usual chain of root CA -> intermediate CA -> cert as I would expect:
No Certificate Chain
0
Comment
Question by:wokwon
  • 3
  • 2
6 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 2000 total points
ID: 41825702
You just need to add the correct Root CA certificate to your machines. For the machines that are outside of the domain this process need to be completed manually, but for all the computers within your domain you can add it automatically following this process:

1. Identify the Root CA certificate that you need and ensure having it within a file (You might need to export it from a computer that already has it or download it from the Internet).

2. Open Group Policy Management Console.

3. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

4. Right-click the GPO, and then select Edit.

5. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6. Click the Action menu, and then click Import.

7. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
0
 

Author Comment

by:wokwon
ID: 41825823
Hi schnellsolitions, thank you for the tip.  My concern is around why doesn't the cert have an issuer?  Why is it a single cert by itself and why does this only happen on some computers in the organisation?

PS: This company uses a Bluecoat in transparent proxy mode.  I've asked the network team if it's doing SSL inspection.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41826450
The Trusted Root CA list can vary from computer to computer depending on one of these elements:
- System updates/patches.
- Certificate deployments (i.e. GPO, System Center Configuration Manager, Automatic scripts, etc)
- Manual installation of the certificate

According to one of the previous points, that certificate can or cannot be valid for one specific device.
0
 

Accepted Solution

by:
wokwon earned 0 total points
ID: 41837756
It turned out that the SSL inspection on the Bluecoats was turned on, even though the network team claimed it was off.  It was doing a MITM on the traffic.

I got them to disable the interception and the problem went away.

The tip off was the certificate issuer, which instead of being Verisign or Geotrust or etc, was something like "SSL-SY-01".  Thats why there was no chain of trust in the screenshot above.
0
 

Author Closing Comment

by:wokwon
ID: 41844865
The other solutions were not correct and did not directly answer the specific question.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will demonstrate that how to do a PST migration from Exchange Server to Office 365. This method allows importing one single PST, or multiple PST's at once.
If Skype for Business came with your office 2016 or office 365 installation, you may find that it's almost impossible to either disable or remove it. The application will often launch with each start of Windows, even when explicitly configured not t…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses
Course of the Month10 days, 8 hours left to enroll

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question