Certificate warning - Outlook connecting to local Exchange 2016 FQDN while autodiscover points to Exchange Online
Hi,
The following is the environment:
One Exchange 2013 and one 2016 server. The 2016 server is in hybrid mode. None of the the client access URLs point to the 2016 server FQDN. Autodiscover.domain.com (split DNS) points to autodiscover.outlook.com as all mailboxes (except journaling and some test mailboxes) are in Office 365.
The official cert is installed on Exchange.
Some Outlook clients get a certificate warning and it shows that they are trying to connect to the local Exchange 2016 server's FQDN - which gives the error of course because this name is not on the certificate.
Any idea how Outlook keeps connecting to this while none of the CAS URLs point to this FQDN and while autodiscover points to Exchange Online?
Thanks
The following is the environment:
One Exchange 2013 and one 2016 server. The 2016 server is in hybrid mode. None of the the client access URLs point to the 2016 server FQDN. Autodiscover.domain.com (split DNS) points to autodiscover.outlook.com as all mailboxes (except journaling and some test mailboxes) are in Office 365.
The official cert is installed on Exchange.
Some Outlook clients get a certificate warning and it shows that they are trying to connect to the local Exchange 2016 server's FQDN - which gives the error of course because this name is not on the certificate.
Any idea how Outlook keeps connecting to this while none of the CAS URLs point to this FQDN and while autodiscover points to Exchange Online?
Thanks
ASKER
Hi Vasil, thanks.
All mailboxes are in Office 365, that's why we decided to point autodiscover to cloud directly. The SCP has been set to autodiscover.domain.com as well (and in DNS this points to autodiscover.outlook.com) so even that shouldn't give clients the server FQDN.
All mailboxes are in Office 365, that's why we decided to point autodiscover to cloud directly. The SCP has been set to autodiscover.domain.com as well (and in DNS this points to autodiscover.outlook.com) so even that shouldn't give clients the server FQDN.
Regardless of where the mailboxes are, if you are in Hybrid autodiscover should be pointing on-prem. It will hit the on-prem servers first and them be redirected to O365. But if you have moved all mailboxes to O365 and dont plan to create any new ones on-prem, perhaps you should start thinking of decommissioning Hybrid.
Anyway, for the issue at hand find out which endpoint Outlook is hitting either by enabling logging or looking at the Test E-mail Autoconfiguration wizard outpit. Or directly use the ExcludeHttps* keys from the above article to "instruct" Outlook to bypass them.
Anyway, for the issue at hand find out which endpoint Outlook is hitting either by enabling logging or looking at the Test E-mail Autoconfiguration wizard outpit. Or directly use the ExcludeHttps* keys from the above article to "instruct" Outlook to bypass them.
ASKER
Hi Vasil, thanks again for your input.
Why should autodiscover point to on-prem in hybrid if no mailboxes reside on-prem?
Also, hybrid Exchange is a requirement if AD Connect is implemented so for now we have no choice but to keep hybrid. Secondly, we have journaling so we need an on-premises server because O365 does not allow journal mailbox in Exchange Online.
The test e-mail autoconfig doesn't show the server FQDN in the response. Which logging do you refer to? Outlook logging?
The root domain lookup is already excluded. However, if I use ExcludeHttpsAutoDiscoverDo
Why should autodiscover point to on-prem in hybrid if no mailboxes reside on-prem?
Also, hybrid Exchange is a requirement if AD Connect is implemented so for now we have no choice but to keep hybrid. Secondly, we have journaling so we need an on-premises server because O365 does not allow journal mailbox in Exchange Online.
The test e-mail autoconfig doesn't show the server FQDN in the response. Which logging do you refer to? Outlook logging?
The root domain lookup is already excluded. However, if I use ExcludeHttpsAutoDiscoverDo
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
In the mean time, I found a "solution"... those people that had the problem had a shared mailbox in their profile that was still on the on-premises server (even though the mailbox had been deleted already in the meantime - I guess their client couldn't find out since autodiscover was pointing to Exchange Online). So even though autodiscover does not return ANY server FQDN, maybe some caching in the profile still had this reference from before the user mailbox was migrated to Exchange Online and autodiscover was changed to autodiscover.outlook.com ? We migrated very recently (last month).
Delegates would have been my initial guess, but you mentioned that everyone is migrated to O365 already...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It was the only real solution.
If you still want to exclude certain lookups from the process, the best way to do it is client side, via the reg keys detailed in this article: https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover