Microsoft Outlook Pop-up - Proxy Server's Security Certificate

Joe Lowe
Joe Lowe used Ask the Experts™
We have one user out of our entire organization that gets the attached pop-up message when she opens Outlook. She is able to simply click "OK" and all can use her email just like everyone else, but this pop-up continues to occur. It has happened for years apparently and doesn't matter what computer or version of Office is installed, the pop-up remains.

We have tried doing everything possible troubleshooting locally but the simple fact that it appears on multiple computers rules that out as a solution. We have a hybrid setup for Office 365 and nobody out of our 500 users receive this message outside of herself. We believe the issue is somewhere on the administrator side of Exchange/Office 365 but we are unsure where since everyone isn't affected. Our next step is to call Microsoft but wanted to try Experts Exchange as a last resort.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Saif ShaikhServer engineer

Have you migrated all mailboxes to O365 and where is your autodiscover pointing.

If autodiscover is pointing to O365, then you can disable autodiscover on onpremise server.

      Set-ClientAccessServer AutodiscoverInternalConnectionURI to Null (On the On-premise Server).

For domain joined machines even though their mailboxes are migrated to O365 they will eventually look for the SCP record in AD.

So you can also create a CNAME record in your local DNS to point auto discover to O365.

On the DNS Manager page for the domain, go to Action > CNAME (CNAME).
In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
Host Name: autodiscover
Choose OK.
Saif ShaikhServer engineer

The Proxy Server's Security Certificate error is coming from your local onpremise server.

You can also use the exclude SCP registry key by setting group policy:
FibertronTechnical Consultant

Do you use roaming profiles?  If so you might try backing up her old profile and creating a new one.

Can you login on the PC that she is currently experiencing the issue on with another user account and manually add her email account successfully without seeing the error message?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


We have migrated all of our staff mailboxes to O365 but we still use some onPrem mailboxes locally and not migrated from what I recall along with some group and shared mailboxes, etc.

I have attached how our autodiscover is setup in DNS.
Saif ShaikhServer engineer

Since your autodiscover is still pointed down i.e. onpremise and you have migrated all staff users to O365.

Are these users using domain joined machines. If yes then as I said earlier your migrated user when contacting autodiscover it gets information from onpremise and not from O365.

So basically whats happening here is request id going to onpremise server instead of O365. You here you need a cname record which I have updated above or for migrated users you need to use the exclude SCP registry key so that they do connect locally for autodiscover instead request is forwarded through internet to O365.

I still believe cname record for "" in your local DNS will suffice. If not then go for exclude SCP key only for migrated users.


Okay, so just to understand.

This particular user is using a domain joined computer.

So my options are to either update our CNAME for autodiscover in DNS to point to:
Use the exclude SCP registry key for migrated users? (Where is this located at for Office 2016, I couldn't find it in the Administrative Template).

My next question is, how would implementing either of the 2 above listed features effect the other users that have no issues with this currently?
Saif ShaikhServer engineer

Normally a cname record is updated in local DNS when you have migrated all mailboxes so that domain joined computers look at the record and request gets forwarded to O365.

As you mentioned that there are still users who are using on-premise exchange server and you haven't moved them to O365.

Let;s say you implement exclude SCP, this will not impact the working ability for already working users. You can follow below article for the same.


Notex.0 in this registry path corresponds to the Outlook version (16.0 = Outlook 2016)
Saif ShaikhServer engineer

You may also refer below article for setting registry for Outlook 2016 to connect to O365:
Most Valuable Expert 2015
Distinguished Expert 2018
Why would you be making server-side changes if this only affects a single user? Get her to run the Autodiscover test from within Outlook, then compare the results with another user. You can also get her to test on a device outside of the corporate environment, to exclude issues with her domain user account. In addition, check if she has added any shared mailboxes/calendars, as those will also trigger autodiscover queries and might be what's causing the error.

You can also re-attach the screenshot, as I dont see anything in the original post.


Thanks Vasil. That led me down the right path and saw that this user had a shared mailbox that had not been migrated to Office 365 prompting this error. The email was old and not in use so we went ahead with archiving it and deleting it.

Thanks everyone for your help! I will keep your other suggestions in my arsenal in case we ever run into something similar to this in the future.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial