?
Solved

Exchange 2013/365 Hybrid Autodiscover Certificate Warning

Posted on 2016-10-02
6
Medium Priority
?
256 Views
Last Modified: 2016-10-15
We have an Exchange 2013/365 Hybrid with:
3x Exchange 2007 servers
2x Exchange 2013 servers, one of which is the Hybrid and MRS endpoint
An Office365 Tenancy
Azure AD Sync with password sync (not ADFS)

As it is in hybrid, the Autodiscover DNS records point to the on prem 2013 server as is required.

Some users, when their mailbox migrated to Office365, receive a certificate warning as per the below picture.  

This is probably from the Autodiscover redirect, when the autodiscover service in Exchange 2013 redirects the client to the Office365 Exchange instance.

Screenshot of cert warning
How can we correct this?

Also note, the certificate does not have the usual chain of root CA -> intermediate CA -> cert as I would expect:
No Certificate Chain
0
Comment
Question by:wokwon
  • 3
  • 2
6 Comments
 
LVL 15

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 2000 total points
ID: 41825702
You just need to add the correct Root CA certificate to your machines. For the machines that are outside of the domain this process need to be completed manually, but for all the computers within your domain you can add it automatically following this process:

1. Identify the Root CA certificate that you need and ensure having it within a file (You might need to export it from a computer that already has it or download it from the Internet).

2. Open Group Policy Management Console.

3. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

4. Right-click the GPO, and then select Edit.

5. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6. Click the Action menu, and then click Import.

7. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
0
 

Author Comment

by:wokwon
ID: 41825823
Hi schnellsolitions, thank you for the tip.  My concern is around why doesn't the cert have an issuer?  Why is it a single cert by itself and why does this only happen on some computers in the organisation?

PS: This company uses a Bluecoat in transparent proxy mode.  I've asked the network team if it's doing SSL inspection.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 15

Expert Comment

by:Schnell Solutions
ID: 41826450
The Trusted Root CA list can vary from computer to computer depending on one of these elements:
- System updates/patches.
- Certificate deployments (i.e. GPO, System Center Configuration Manager, Automatic scripts, etc)
- Manual installation of the certificate

According to one of the previous points, that certificate can or cannot be valid for one specific device.
0
 

Accepted Solution

by:
wokwon earned 0 total points
ID: 41837756
It turned out that the SSL inspection on the Bluecoats was turned on, even though the network team claimed it was off.  It was doing a MITM on the traffic.

I got them to disable the interception and the problem went away.

The tip off was the certificate issuer, which instead of being Verisign or Geotrust or etc, was something like "SSL-SY-01".  Thats why there was no chain of trust in the screenshot above.
0
 

Author Closing Comment

by:wokwon
ID: 41844865
The other solutions were not correct and did not directly answer the specific question.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

How to Import Outlook PST file to Exchange Server Mailbox without Powershell and Exchange Admin Center. Use SysTools Exchange Import Tool to Move PST file in Exchange 2016 / 13 / 10/ 07 Server Mailbox including Contacts, Calendar, Task and journal d…
How to import Outlook calendar to MS Exchange Server. A Calendar stores user appointments, meetings details to manage work. Moving Outlook Calendar to a new or already existing Exchange Server become complex process if Admin needs to import Calendar…
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?
Watch the working video to know how to import Outlook PST/OST files to Amazon WorkMail. Kernel released this tool which is very easy to use and migrate single or multiple PST and OST files to Amazon WorkMail. To know more about Kernel Import PST to …

568 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question