Outlook 2016 shows proxy server error when connecting to MS Exchange 2016 server

This is using a newly set up MS Exchange Server 2016, in an MS AD Domain 2012. There is only this 1 exch2k16 server. However, although the Outlook configuration is working, it shows these error messages:

   This is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site abc.local.

   Outlook is unable to connect to the proxy server. Error code is 10.

For the SSL certificate, this is using the default self-signed certificate. I heard that this could be due to the "OutlookAnywhere" virtual directory settings. Please see the results of "Get-OutlookAnywhere | fl" as follows:

    RunspaceId                         : 6893c094-efeb-42f3-a56f-7e04f7b17883
    ServerName                         : EXCHSRV01
    SSLOffloading                      : True
    ExternalHostname                   : sispl.abc.com
    InternalHostname                   : exchsrv01.abc.local
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    XropUrl                            :
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    MetabasePath                       : IIS://exchsrv01.abc.local/W3SVC/1/ROOT/Rpc
    Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking    : None
    ExtendedProtectionFlags            : {}
    ExtendedProtectionSPNList          : {}
    AdminDisplayVersion                : Version 15.1 (Build 1415.2)
    Server                             : EXCHSRV01
    AdminDisplayName                   :
    ExchangeVersion                    : 0.20 (15.0.0.0)
    Name                               : Rpc (Default Web Site)
    DistinguishedName                  : CN=Rpc (Default Web
                                         Site),CN=HTTP,CN=Protocols,CN=EXCHSRV01,CN=Servers,CN=Exchange Administrative
                                         Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
                                         Organization,CN=Microsoft
                                         Exchange,CN=Services,CN=Configuration,DC=abc,DC=local
    Identity                           : EXCHSRV01\Rpc (Default Web Site)
    Guid                               : 2d20f77c-8f07-4751-b09f-9ba58338dca4
    ObjectCategory                     : abc.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                        : 3/9/2018 11:22:43 PM
    WhenCreated                        : 2/13/2018 7:49:57 AM
    WhenChangedUTC                     : 3/9/2018 3:22:43 PM
    WhenCreatedUTC                     : 2/12/2018 11:49:57 PM
    OrganizationId                     :
    Id                                 : EXCHSRV01\Rpc (Default Web Site)
    OriginatingServer                  : EXCHSRV01.abc.local
    IsValid                            : True
    ObjectState                        : Changed

Please see the results of "Get-ExchangeCertificate | fl" as follows:

   AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule}
   CertificateDomains : {sispl.abc.com}
   HasPrivateKey      : True
   IsSelfSigned       : True
   Issuer             : CN=Microsoft Exchange Server Auth Certificate
   NotAfter           : 3/5/2023 9:27:02 PM
   NotBefore          : 3/5/2018 9:27:02 PM
   PublicKeySize      : 2048
   RootCAType         : Registry
   SerialNumber       : 2136845FACA1D592497ADC0E1E41E8C8
   Services           : IIS, SMTP
   Status             : Valid
   Subject            : CN=Microsoft Exchange Server Auth Certificate
   Thumbprint         : C730F8AC3ECB08AA1308F56DED9D20C4E611F78C

   AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule}
   CertificateDomains : {}
   HasPrivateKey      : True
   IsSelfSigned       : True
   Issuer             : CN=Microsoft Exchange Server Auth Certificate
   NotAfter           : 3/1/2023 8:28:36 PM
   NotBefore          : 3/1/2018 8:28:36 PM
   PublicKeySize      : 2048
   RootCAType         : Registry
   SerialNumber       : 1317A243686CF69143AF498275A35FBD
   Services           : SMTP
   Status             : Valid
   Subject            : CN=Microsoft Exchange Server Auth Certificate
   Thumbprint         : D047AB8799A091F6818DF0D7F7FCE75D92F4A899

   AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule,
                                   System.Security.AccessControl.CryptoKeyAccessRule}
   CertificateDomains : {EXCHSRV01, EXCHSRV01.abc.local}
   HasPrivateKey      : True
   IsSelfSigned       : True
   Issuer             : CN=EXCHSRV01
   NotAfter           : 2/13/2023 7:33:21 AM
   NotBefore          : 2/13/2018 7:33:21 AM
   PublicKeySize      : 2048
   RootCAType         : Registry
   SerialNumber       : 4296880E4FEBA1AF4BF769241798D978
   Services           : IMAP, POP, IIS, SMTP
   Status             : Valid
   Subject            : CN=EXCHSRV01
   Thumbprint         : F20F70F84924E3154344B1DCB58C470C8E5F5F95

Should I switch to an SSL certificate from GoDaddy, as a self-signed cert is not meant for production? What could be the root cause of the error message? How can I solve it?

Thanks in advance.
Asked by: MichaelBalack
 
Ivan (System Engineer) commented:
Hi,

You have bound the certificate with name CertificateDomains : {sispl.abc.com}, but only to the External Hostname, while the Internal Hostname is exchsrv01.abc.local.

As other experts said, what you need to do is reconfigure Autodiscover to sispl.abc.com, and update the Internal Hostname to sispl.abc.com.

Configure split DNS, either with the entire abc.com zone or, more easily, with a pinpoint DNS zone. To configure that zone, follow this guide: https://blogs.technet.microsoft.com/undocumentedfeatures/2016/07/08/creating-a-pinpoint-dns-zone/
The A record should point to the internal IP of the Exchange server.

After you configure DNS, configure Autodiscover. First record how it is currently configured:

    Get-ClientAccessServer | FL AutoDiscoverServiceInternalUri

Then reconfigure it:

    Set-ClientAccessServer -Identity EXCHSRV01 -AutoDiscoverServiceInternalUri https://sispl.abc.com/Autodiscover/Autodiscover.xml

Restart IIS, and Outlook should work fine.

Regards,
Ivan.
0
 
Mahesh (Architect) commented:
It seems that your external hostname is .com and internal is .local, and the same is not updated on the Exchange virtual directories.
Update all virtual directories with mail.smtpdomain.com (this should match the one available in the public cert) so that the cert errors go away.
Also update the Autodiscover internal URI (SCP) to point to mail.smtpdomain.com.

Steps:
http://exchange.sembee.info/2013/install/clientaccesshostnames.asp
0
 
Jeff Glover (Sr. Systems Administrator) commented:
Check the Outlook Anywhere settings on your server. In ECP, select Servers. Select your server and hit edit properties (the little pencil). Select the Outlook Anywhere tab and see what the internal host name is. Your certificate must have a name on it to match that. It looks like you use a .local domain. We do the same and it comes with its own little hassles. The easiest way to do this is to set the internal server name and the external server name to be the same and use the name in your certificate for it.
  If you are going to allow external access (that is the main reason for Outlook Anywhere) and webmail, I recommend you use the same name for your webmail and your Outlook Anywhere. It is simpler that way. But to do this, you will need to implement split-brain DNS: a copy of your external DNS zone hosted internally. This way, you can set the Outlook Anywhere name with an internal address when resolving internally and an external address when it resolves from the Internet.
  As far as a certificate goes, you are better off with a UC certificate from a public CA for Exchange if you are going to allow OWA or external access.
0
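
The answers above rest on one rule: every hostname Outlook is told to use must appear on a certificate that IIS presents. As an added example (not part of any post in this thread), the following PowerShell applies that rule to the values posted on this page, before and after the change Ivan describes; `Test-NameCovered` and `Get-CoverageReport` are hypothetical helper names, and only the two certificates whose Services include IIS are listed.

```powershell
# Added example: Test-NameCovered and Get-CoverageReport are hypothetical helper names.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $HostName) { return $true }   # -eq is case-insensitive for strings
        # A wildcard entry such as *.abc.com covers exactly one extra left-hand label.
        $dot = $HostName.IndexOf('.')
        if ($c.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $c.Substring(1)) { return $true }
    }
    return $false
}

function Get-CoverageReport {
    param([string[]]$ClientNames, [object[]]$Certs)
    foreach ($cert in $Certs) {
        foreach ($name in ($ClientNames | Sort-Object -Unique)) {
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                ClientName = $name
                Covered    = Test-NameCovered -HostName $name -CertNames $cert.Domains
            }
        }
    }
}

# Certificates with IIS in Services, copied from the Get-ExchangeCertificate output on this page.
$iisCerts = @(
    [pscustomobject]@{ Thumbprint = 'C730F8AC3ECB08AA1308F56DED9D20C4E611F78C'
                       Domains    = @('sispl.abc.com') }
    [pscustomobject]@{ Thumbprint = 'F20F70F84924E3154344B1DCB58C470C8E5F5F95'
                       Domains    = @('EXCHSRV01', 'EXCHSRV01.abc.local') }
)

# InternalHostname and ExternalHostname as posted in the question.
$before = 'exchsrv01.abc.local', 'sispl.abc.com'
# After the change in the answer: both hostnames, plus the host of the new Autodiscover URI.
$after  = 'sispl.abc.com', ([uri]'https://sispl.abc.com/Autodiscover/Autodiscover.xml').Host

'Before:'; Get-CoverageReport -ClientNames $before -Certs $iisCerts | Format-Table -AutoSize
'After:';  Get-CoverageReport -ClientNames $after  -Certs $iisCerts | Format-Table -AutoSize
```

On a live server the same lists come from `Get-OutlookAnywhere` (InternalHostname, ExternalHostname), `Get-ClientAccessServer` (AutoDiscoverServiceInternalUri) and `Get-ExchangeCertificate` (CertificateDomains, Services). The report tests name matching only; a client must also trust the certificate's issuer.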
 
MichaelBalack (Author) commented:
Thanks to expert Ivan, updating following your instructions works.

Thanks a lot
0
Question has a verified solution.
