Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange 2013/365 Hybrid Autodiscover Certificate Warning

Posted on 2016-10-02
6
Medium Priority
?
134 Views
Last Modified: 2016-10-15
We have an Exchange 2013/365 Hybrid with:
3x Exchange 2007 servers
2x Exchange 2013 servers, one of which is the Hybrid and MRS endpoint
An Office365 Tenancy
Azure AD Sync with password sync (not ADFS)

As it is in hybrid, the Autodiscover DNS records point to the on prem 2013 server as is required.

Some users, when their mailbox migrated to Office365, receive a certificate warning as per the below picture.  

This is probably from the Autodiscover redirect, when the autodiscover service in Exchange 2013 redirects the client to the Office365 Exchange instance.

Screenshot of cert warning
How can we correct this?

Also note, the certificate does not have the usual chain of root CA -> intermediate CA -> cert as I would expect:
No Certificate Chain
0
Comment
Question by:wokwon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 2000 total points
ID: 41825702
You just need to add the correct Root CA certificate to your machines. For the machines that are outside of the domain this process need to be completed manually, but for all the computers within your domain you can add it automatically following this process:

1. Identify the Root CA certificate that you need and ensure having it within a file (You might need to export it from a computer that already has it or download it from the Internet).

2. Open Group Policy Management Console.

3. Find an existing or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit whose users you want affected by the policy.

4. Right-click the GPO, and then select Edit.

5. Group Policy Management Editor opens, and displays the current contents of the policy object.
In the navigation pane, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6. Click the Action menu, and then click Import.

7. Follow the instructions in the Certificate Import Wizard to find and import the certificate.
0
 

Author Comment

by:wokwon
ID: 41825823
Hi schnellsolitions, thank you for the tip.  My concern is around why doesn't the cert have an issuer?  Why is it a single cert by itself and why does this only happen on some computers in the organisation?

PS: This company uses a Bluecoat in transparent proxy mode.  I've asked the network team if it's doing SSL inspection.
0
 
LVL 15

Expert Comment

by:Ajit Singh
ID: 41826105
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41826450
The Trusted Root CA list can vary from computer to computer depending on one of these elements:
- System updates/patches.
- Certificate deployments (i.e. GPO, System Center Configuration Manager, Automatic scripts, etc)
- Manual installation of the certificate

According to one of the previous points, that certificate can or cannot be valid for one specific device.
0
 

Accepted Solution

by:
wokwon earned 0 total points
ID: 41837756
It turned out that the SSL inspection on the Bluecoats was turned on, even though the network team claimed it was off.  It was doing a MITM on the traffic.

I got them to disable the interception and the problem went away.

The tip off was the certificate issuer, which instead of being Verisign or Geotrust or etc, was something like "SSL-SY-01".  Thats why there was no chain of trust in the screenshot above.
0
 

Author Closing Comment

by:wokwon
ID: 41844865
The other solutions were not correct and did not directly answer the specific question.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question