Microsoft Outlook Pop-up - Proxy Server's Security Certificate

We have one user out of our entire organization that gets the attached pop-up message when she opens Outlook. She is able to simply click "OK" and all can use her email just like everyone else, but this pop-up continues to occur. It has happened for years apparently and doesn't matter what computer or version of Office is installed, the pop-up remains.

We have tried doing everything possible troubleshooting locally but the simple fact that it appears on multiple computers rules that out as a solution. We have a hybrid setup for Office 365 and nobody out of our 500 users receive this message outside of herself. We believe the issue is somewhere on the administrator side of Exchange/Office 365 but we are unsure where since everyone isn't affected. Our next step is to call Microsoft but wanted to try Experts Exchange as a last resort.
Joe LoweAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Saif ShaikhServer engineer Commented:
Have you migrated all mailboxes to O365 and where is your autodiscover pointing.

If autodiscover is pointing to O365, then you can disable autodiscover on onpremise server.

      Set-ClientAccessServer AutodiscoverInternalConnectionURI to Null (On the On-premise Server).

For domain joined machines even though their mailboxes are migrated to O365 they will eventually look for the SCP record in AD.

So you can also create a CNAME record in your local DNS to point auto discover to O365.

On the DNS Manager page for the domain, go to Action > CNAME (CNAME).
In the New Resource Record dialog box, make sure that the fields are set to precisely the following values:
Host Name: autodiscover
Type:
CNAMEAddress: autodiscover.outlook.com
Choose OK.
Saif ShaikhServer engineer Commented:
The Proxy Server's Security Certificate error is coming from your local onpremise server.

You can also use the exclude SCP registry key by setting group policy:

https://support.microsoft.com/en-in/help/2612922/how-to-control-outlook-autodiscover-by-using-group-policy
FibertronTechnical ConsultantCommented:
Do you use roaming profiles?  If so you might try backing up her old profile and creating a new one.

Can you login on the PC that she is currently experiencing the issue on with another user account and manually add her email account successfully without seeing the error message?
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Joe LoweAuthor Commented:
We have migrated all of our staff mailboxes to O365 but we still use some onPrem mailboxes locally and not migrated from what I recall along with some group and shared mailboxes, etc.

I have attached how our autodiscover is setup in DNS.
AutodiscoverBlurred.png
Saif ShaikhServer engineer Commented:
Since your autodiscover is still pointed down i.e. onpremise and you have migrated all staff users to O365.

Are these users using domain joined machines. If yes then as I said earlier your migrated user when contacting autodiscover it gets information from onpremise and not from O365.

So basically whats happening here is request id going to onpremise server instead of O365. You here you need a cname record which I have updated above or for migrated users you need to use the exclude SCP registry key so that they do connect locally for autodiscover instead request is forwarded through internet to O365.

I still believe cname record for "autodiscover.outlook.com" in your local DNS will suffice. If not then go for exclude SCP key only for migrated users.
Joe LoweAuthor Commented:
Okay, so just to understand.

This particular user is using a domain joined computer.

So my options are to either update our CNAME for autodiscover in DNS to point to: autodiscover.outlook.com
OR
Use the exclude SCP registry key for migrated users? (Where is this located at for Office 2016, I couldn't find it in the Administrative Template).

My next question is, how would implementing either of the 2 above listed features effect the other users that have no issues with this currently?
Saif ShaikhServer engineer Commented:
Normally a cname record is updated in local DNS when you have migrated all mailboxes so that domain joined computers look at the autodiscover.outlook.com record and request gets forwarded to O365.

As you mentioned that there are still users who are using on-premise exchange server and you haven't moved them to O365.

Let;s say you implement exclude SCP, this will not impact the working ability for already working users. You can follow below article for the same.

https://support.microsoft.com/en-us/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under.


HKEY_CURRENT_USER\Software\Microsoft\Office\x.0\Outlook\AutoDiscover

Notex.0 in this registry path corresponds to the Outlook version (16.0 = Outlook 2016)
Saif ShaikhServer engineer Commented:
You may also refer below article for setting registry for Outlook 2016 to connect to O365:
https://blog.jamesbayley.com/2015/12/01/registry-hack-to-enable-outlook-2016-to-connect-to-office-365/
Vasil Michev (MVP)Commented:
Why would you be making server-side changes if this only affects a single user? Get her to run the Autodiscover test from within Outlook, then compare the results with another user. You can also get her to test on a device outside of the corporate environment, to exclude issues with her domain user account. In addition, check if she has added any shared mailboxes/calendars, as those will also trigger autodiscover queries and might be what's causing the error.

You can also re-attach the screenshot, as I dont see anything in the original post.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joe LoweAuthor Commented:
Thanks Vasil. That led me down the right path and saw that this user had a shared mailbox that had not been migrated to Office 365 prompting this error. The email was old and not in use so we went ahead with archiving it and deleting it.

Thanks everyone for your help! I will keep your other suggestions in my arsenal in case we ever run into something similar to this in the future.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Office

From novice to tech pro — start learning today.