Exchange 2016 Certificate

Hi,

We have just installed 2 x Windows Server OS on 2 x separate boxes:
1st - Windows Server 2012 R2 - domain controller
2nd - Windows Server 2016 with Exchange Server 2016

At the moment Outlook (locally) is getting a certificate warning, non-domain based Outlook doesn't connect to Exchange 2016, and Outlook 2016 keeps asking for credentials and doesn't connect.
We would like to resolve this problem locally and also be able to connect externally from Outlook using auto-discover.
We are planning to buy a multi-domain (SAN) certificate; is this problem going to be resolved by installing the certificate on the Exchange server?
Please let us know what we need to do to set up the AutoDiscover URL to work locally and remotely.

Outlook 2016 was working (from a domain based computer) after ignoring the certificate warning, but now it keeps asking for credentials and fails to connect to Exchange 2016. When we tested on Outlook 2010, it works.

Thanks
joyjohn Asked:

MAS, EE Solution Guide - Technical Dept Head, Commented:
2

joyjohn, Author, Commented:
Thanks MAS, I will follow the article; I just quickly checked it.
First, I now need to generate the CSR from the Exchange server with the mail.example.com and autodiscover.example.com domains for the SAN certificate, then I will install the certificate and follow the solution given in the article. Hope that is fine for a start?

Thanks
0
Tom Cieslik, IT Engineer, Commented:
Yes. You need to own the domain, create a request for a certificate and purchase it from a certificate authority.
After that, finish the certificate installation on your email server.

In your local IIS on the email server, make sure your new certificate is bound to your emailserver.domain.com on port 443.

You must configure your external and internal DNS.
Create an A record for emailserver.domain.com and autodiscover.domain.com.
Create a TXT record:

v=spf1 ip4:xxx.xxx.xxx.xxx a:emailserver.domain.com mx:domain.com ptr ~all
(replace xxx with your email server's external IP and replace the names for server and domain)

Also create a Forward Lookup Zone for your external domain name in your internal DNS, with an A record for your internal email server IP.
Create a forward lookup zone for autodiscover.yourdomain.com with an A record for the internal email server IP.

For new Outlook 2013 and 2016 you must change NTLM authentication option to DISABLE in your GPO for domain.

Capture.JPG

Make sure you've published your email server to the outside on your firewall, so all required ports must be opened from outside to your email server.
If you do this, all should start working OK from inside and outside.
0
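The CSR, certificate binding and a name check for the steps discussed above, as an added example that is not part of any participant's post. It assumes the Exchange Management Shell on the Exchange 2016 server; the server name EX01, the subject fields and the C:\Certs paths are placeholders, and only mail.example.com and autodiscover.example.com come from the thread. The last step lists every hostname Exchange hands to Outlook that is missing from the certificate's SAN list, which is what produces the certificate warning.

```powershell
# Added example, not from the thread. EX01, the subject fields and the
# C:\Certs paths are placeholders; replace them with your own values.
$server = 'EX01'
$names  = 'mail.example.com', 'autodiscover.example.com'

# 1. Generate the CSR. The private key stays on the server; only the
#    request text is sent to the certificate authority.
$csr = New-ExchangeCertificate -GenerateRequest -Server $server `
    -FriendlyName 'Exchange 2016 SAN' `
    -SubjectName 'C=US, O=Example Ltd, CN=mail.example.com' `
    -DomainName $names -KeySize 2048
Set-Content -Path 'C:\Certs\mail.example.com.req' -Value $csr

# 2. Once the CA has issued the certificate, complete the pending request
#    and assign it to IIS (the HTTPS binding on port 443).
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certs\mail.example.com.cer'))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# 3. Collect the names on the installed certificate.
$sans = (Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint).CertificateDomains |
    ForEach-Object { "$_".ToLower() }

# 4. Collect the URLs Exchange publishes to Outlook: the Autodiscover SCP
#    value plus the EWS and MAPI virtual directory URLs.
$urls  = @((Get-ClientAccessService -Identity $server).AutodiscoverServiceInternalUri)
$urls += Get-WebServicesVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-MapiVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl, $_.ExternalUrl }

# 5. Report each published hostname and whether the certificate covers it,
#    either by exact name or by a wildcard for its parent domain.
foreach ($u in ($urls | Where-Object { $_ })) {
    $h        = ([uri]"$u").Host.ToLower()
    $wildcard = '*.' + ($h -split '\.', 2)[1]
    [pscustomobject]@{
        Url       = "$u"
        Host      = $h
        InCertSAN = ($sans -contains $h) -or ($sans -contains $wildcard)
    }
}
```

Any row with InCertSAN set to False is a URL that needs to be changed to one of the certificate's names, or a name that must be added to the certificate request.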

McKnife Commented:
Just joining because I really wonder where "For new Outlook 2013 and 2016 you must change NTLM authentication option to DISABLE in your GPO for domain" is coming from. Tom, where did you read that? We run O2016 with Exchange 2016 and don't have to set this, and it's not considered secure to set it that way.
0
MAS, EE Solution Guide - Technical Dept Head, Commented:
0
Tom Cieslik, IT Engineer, Commented:
McKnife, I had the same issue last week. My Windows Home computer with Outlook 2013 was not able to connect to my Exchange 2013 and I've spent 3 days looking for the answer.

https://www.experts-exchange.com/questions/29078030/Exchange-and-DNS-settings-for-Outlook-2013-and-2016.html
0
McKnife Commented:
You will have tried quite a few things on the way. Anyway, it is not needed and not recommendable on clean installations. Just saying - there is no official connection nor recommendation by Microsoft and my experience does not confirm this, either, so I'd be careful to adopt this recommendation even if it did help.
0
joyjohn, Author, Commented:
Thanks guys for all your suggestions, I am trying these solutions.
0
joyjohn, Author, Commented:
Disabling the NTLM authentication option helped to resolve the Outlook 2016 password issue, but is it OK to disable this setting?
0
McKnife Commented:
Did you read and understand the policy explanation? I would not recommend to set this but rather look for the cause. It is not needed to set that, normally. Here, it works without with OL2010/2016 on win10 1703/1709 and exchange 2016 in a server 2016 domain.
0