Solved

Exchange 2013/365 Hybrid Autodiscover Certificate Warning

Posted on 2016-10-02
6
43 Views
Last Modified: 2016-10-15
We have an Exchange 2013/365 Hybrid with:
3x Exchange 2007 servers
2x Exchange 2013 servers, one of which is the Hybrid and MRS endpoint
An Office365 Tenancy
Azure AD Sync with password sync (not ADFS)

As it is in hybrid, the Autodiscover DNS records point to the on prem 2013 server as is required.

Some users, when their mailbox migrated to Office365, receive a certificate warning as per the below picture.  

This is probably from the Autodiscover redirect, when the autodiscover service in Exchange 2013 redirects the client to the Office365 Exchange instance.

Screenshot of cert warning
How can we correct this?

Also note, the certificate does not have the usual chain of root CA -> intermediate CA -> cert as I would expect:
No Certificate Chain
0
Comment
Question by:wokwon
  • 3
  • 2
6 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 500 total points
ID: 41825702
You just need to add the correct Root CA certificate to your machines. For the machines that are outside of the domain this process need to be completed manually, but for all the computers within your domain you can add it automatically following this process:

1. Identify the Root CA certificate that you need and ensure having it within a file (You might need to export it from a computer that already has it or download it from the Internet).

2. Open Group Policy Management Console.

3. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

4. Right-click the GPO, and then select Edit.

5. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6. Click the Action menu, and then click Import.

7. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
0
 

Author Comment

by:wokwon
ID: 41825823
Hi schnellsolitions, thank you for the tip.  My concern is around why doesn't the cert have an issuer?  Why is it a single cert by itself and why does this only happen on some computers in the organisation?

PS: This company uses a Bluecoat in transparent proxy mode.  I've asked the network team if it's doing SSL inspection.
0
 
LVL 10

Expert Comment

by:Kevin k
ID: 41826105
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41826450
The Trusted Root CA list can vary from computer to computer depending on one of these elements:
- System updates/patches.
- Certificate deployments (i.e. GPO, System Center Configuration Manager, Automatic scripts, etc)
- Manual installation of the certificate

According to one of the previous points, that certificate can or cannot be valid for one specific device.
0
 

Accepted Solution

by:
wokwon earned 0 total points
ID: 41837756
It turned out that the SSL inspection on the Bluecoats was turned on, even though the network team claimed it was off.  It was doing a MITM on the traffic.

I got them to disable the interception and the problem went away.

The tip off was the certificate issuer, which instead of being Verisign or Geotrust or etc, was something like "SSL-SY-01".  Thats why there was no chain of trust in the screenshot above.
0
 

Author Closing Comment

by:wokwon
ID: 41844865
The other solutions were not correct and did not directly answer the specific question.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is my first article on Expert Exchange on the Manual Method of Exporting Office 365 Mailboxes to PST format by using the eDiscovery mechanism of Office. Hope you will enjoy the article.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This lesson covers basic error handling code in Microsoft Excel using VBA. This is the first lesson in a 3-part series that uses code to loop through an Excel spreadsheet in VBA and then fix errors, taking advantage of error handling code. This l…
This Experts Exchange lesson shows how to use VBA to loop through rows in Excel.  In order to sort, filter, and use database features, there needs to be a value in each column for every row. When data arrives with values missing, code to copy values…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question