asked on Exchange 2019. Outlook clients get warning about certificate
Complete new installation of servers and clients.
One single server with Windows Server 2019, containg AD and Exchange server 2019.
Clients are WIn 10 Pro, joined to domain, with Outlook 2019.
Internal domain name is stsgroup.local, to late we realized that a public domain name is best practice theese days. But now we have an internal one...
When Outlook clients are setup for the first time, the following message are shown:
![error.png]()
As you can see, they try to use the internal domain name and therefor the warning is issued.
The certificate is a SAN, with autodiscover.domain.com, webmail.domain.com and mail.domain.com. It is installed on the server.
I have changed all of the URL:s for the virtual dir. to https://webmail.domain.com/...
Split DNS are configured, so in the internal dns autodiscover.domain.com and webmail.domain.com are pointing to the internal ip of the Exchange server, i.e. 192.168.140.40
The external DNS are pointing to the public IP of the Exchange server.
I have read several posts about this, but it still fails.
Please help.
One single server with Windows Server 2019, containg AD and Exchange server 2019.
Clients are WIn 10 Pro, joined to domain, with Outlook 2019.
Internal domain name is stsgroup.local, to late we realized that a public domain name is best practice theese days. But now we have an internal one...
When Outlook clients are setup for the first time, the following message are shown:
As you can see, they try to use the internal domain name and therefor the warning is issued.
The certificate is a SAN, with autodiscover.domain.com, webmail.domain.com and mail.domain.com. It is installed on the server.
I have changed all of the URL:s for the virtual dir. to https://webmail.domain.com/...
Split DNS are configured, so in the internal dns autodiscover.domain.com and webmail.domain.com are pointing to the internal ip of the Exchange server, i.e. 192.168.140.40
The external DNS are pointing to the public IP of the Exchange server.
I have read several posts about this, but it still fails.
Please help.
ExchangeOutlookWindows OS
Last Comment
M A
View the certificate the likely issue is that it is not including all the possible, SAN usually has to to include
Autodiscover, and other names to work.
The error indicates the name configured for access idols not match the name for which the certificate was issued.
Autodiscover, and other names to work.
The error indicates the name configured for access idols not match the name for which the certificate was issued.
ASKER
Here are the result of "get-outlookanywhere | fl"
RunspaceId : eebc52f0-685c-46e6-90ad-61
ServerName : PDC
SSLOffloading : True
ExternalHostname : webmail.domain.net
InternalHostname : webmail.domain.net
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
XropUrl :
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
MetabasePath : IIS://pdc.stsgroup.local/W
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpPr
ExtendedProtectionTokenChe
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.2 (Build 529.5)
Server : PDC
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols
istrative Group (FYDIBOHF23SPDLT),CN=Admin
ft Exchange,CN=Services,CN=Co
Identity : PDC\Rpc (Default Web Site)
Guid : 9bd56b4e-6f11-4a4c-87c6-75
ObjectCategory : stsgroup.local/Configurati
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirect
WhenChanged : 2020-02-09 21:37:30
WhenCreated : 2020-01-21 14:57:57
WhenChangedUTC : 2020-02-09 20:37:30
WhenCreatedUTC : 2020-01-21 13:57:57
OrganizationId :
Id : PDC\Rpc (Default Web Site)
OriginatingServer : pdc.stsgroup.local
IsValid : True
ObjectState : Changed
RunspaceId : eebc52f0-685c-46e6-90ad-61
ServerName : PDC
SSLOffloading : True
ExternalHostname : webmail.domain.net
InternalHostname : webmail.domain.net
ExternalClientAuthenticati
InternalClientAuthenticati
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
XropUrl :
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
MetabasePath : IIS://pdc.stsgroup.local/W
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpPr
ExtendedProtectionTokenChe
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.2 (Build 529.5)
Server : PDC
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols
istrative Group (FYDIBOHF23SPDLT),CN=Admin
ft Exchange,CN=Services,CN=Co
Identity : PDC\Rpc (Default Web Site)
Guid : 9bd56b4e-6f11-4a4c-87c6-75
ObjectCategory : stsgroup.local/Configurati
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirect
WhenChanged : 2020-02-09 21:37:30
WhenCreated : 2020-01-21 14:57:57
WhenChangedUTC : 2020-02-09 20:37:30
WhenCreatedUTC : 2020-01-21 13:57:57
OrganizationId :
Id : PDC\Rpc (Default Web Site)
OriginatingServer : pdc.stsgroup.local
IsValid : True
ObjectState : Changed
ASKER
Arnold, the SAN include
-autodiscover.domain.net
-webmail.domain.net
-mail.domain.net
And the problem is probably exactly what you say, that the client tries to connect to the local domain, i.e. pdc.stsgroup.local and not to one of the three in the certificate.
-autodiscover.domain.net
-webmail.domain.net
-mail.domain.net
And the problem is probably exactly what you say, that the client tries to connect to the local domain, i.e. pdc.stsgroup.local and not to one of the three in the certificate.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks MAS.
I've read carefully the article https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-2019-certificate-and-related-issues.html but all written there seems to correspond with our settings.
And the "test email Autoconfiguration" from a client says "successful" in the log and as far as I can see, all paths are to the external domain (webmail.domain.net)
But still, the error message about the certificate occurs, and I think the key here is that the first line in the error message says "pdc.stsgroup.local", i.e. Outllok has tried to connect to the internal server name, not to the public domain name
I've read carefully the article https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-2019-certificate-and-related-issues.html but all written there seems to correspond with our settings.
And the "test email Autoconfiguration" from a client says "successful" in the log and as far as I can see, all paths are to the external domain (webmail.domain.net)
But still, the error message about the certificate occurs, and I think the key here is that the first line in the error message says "pdc.stsgroup.local", i.e. Outllok has tried to connect to the internal server name, not to the public domain name
Did you try recreating outlook profile as the above article will fix the certificate error.
Please try recreating a new outlook profile.
Please try recreating a new outlook profile.
ASKER
You're right. I tried to create a new user in AD and gave him a mailbox. He get no error about certificate. So maybe I need to delete the accounts in Outlook for users which still get the error message? I will try that.
But while trying to add the account (starting Outlook for the first time for a new user) this message occur:
![certifikat.png]()
Microsoft want me to login to my MS account for some reason. After several attempts to just get rid of that, I can finally open Outlook (no certificate warning) and start to work.
I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Any idea about that?
But while trying to add the account (starting Outlook for the first time for a new user) this message occur:
Microsoft want me to login to my MS account for some reason. After several attempts to just get rid of that, I can finally open Outlook (no certificate warning) and start to work.
I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Any idea about that?
Did you set the Client Access server correctly?
Set-ClientAccessServer <servername> -AutoDiscoverServiceIntern
You need to be sure that the autodiscover record can be resolved internally to your exchange server and not to an externally published IP.
You also need to be sure that your SAN certificate is bound to IIS in Exchange. You can see this in the EAC
Set-ClientAccessServer <servername> -AutoDiscoverServiceIntern
You need to be sure that the autodiscover record can be resolved internally to your exchange server and not to an externally published IP.
You also need to be sure that your SAN certificate is bound to IIS in Exchange. You can see this in the EAC
-->Microsoft want me to login to my MS account for some reason. After several attempts to just get rid of that
You type your internal UPN. Thats it
--->I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Yes you have to configure as Exchange. But in a normally it will never prompt for config. Just type your email and password.
You type your internal UPN. Thats it
--->I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Yes you have to configure as Exchange. But in a normally it will never prompt for config. Just type your email and password.
Sounds to me like exchange is handing out the wrong certificate, check exchange management to see if the correct certificates are bound to exchange services in stead of the self signed local one.
ASKER
MAS: "You type your internal UPN. Thats i".
That does not work. The suggested MS account in the dialog box is prename.surename@domain.lo
This is what I do at the client:
1. Start outlook first time
2. Choose "show advanced options" and then "manually options"
3. Click on "Exchange"
4. Popup about MS-account occurs. Close it with the X.
5. Get an error about something went wrong. Click on retry.
6. Popup about MS-account occurs for second time . Close it with the X.
7. Wizard finish with message "Account is setup".
8. Outlook asks for password in the lower right hand of the screen.
9. Restart Outlook.
10. Now it works!
So, the certificate problem seems to be gone. Thank you!.
But the problem with asking for ms account is still there, and very annoying. A user will not be able to config hos Outlook on his own.
Any more ideas?
That does not work. The suggested MS account in the dialog box is prename.surename@domain.lo
This is what I do at the client:
1. Start outlook first time
2. Choose "show advanced options" and then "manually options"
3. Click on "Exchange"
4. Popup about MS-account occurs. Close it with the X.
5. Get an error about something went wrong. Click on retry.
6. Popup about MS-account occurs for second time . Close it with the X.
7. Wizard finish with message "Account is setup".
8. Outlook asks for password in the lower right hand of the screen.
9. Restart Outlook.
10. Now it works!
So, the certificate problem seems to be gone. Thank you!.
But the problem with asking for ms account is still there, and very annoying. A user will not be able to config hos Outlook on his own.
Any more ideas?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks. I will try it tomorrow.
ASKER
Today I have tried the registry setting in the article https://www.gothamweb.com/portal/index.php/knowledgebase/8/Outlook-bypasses-AutoDiscover-and-connects-directly-to-Office-365-mailbox.html
It says \SOFTWARE\Policies\...
but as you can see in the screenshot below, I removed "policies" from the path.
So my registry key is located here: Dator\HKEY_CURRENT_USER\So
Not sure if that is importante or not.
![live-login.jpg]()
However, it does not work. The login prompt for the live-account still popup and then closing it by the X, Exchange says "password needed".
I can then doubleclick on the text "password needed" and Outlook change to "online with exchange" for a while, but a minute or two later the live-login appears again.
Any more idea?
It says \SOFTWARE\Policies\...
but as you can see in the screenshot below, I removed "policies" from the path.
So my registry key is located here: Dator\HKEY_CURRENT_USER\So
Not sure if that is importante or not.
However, it does not work. The login prompt for the live-account still popup and then closing it by the X, Exchange says "password needed".
I can then doubleclick on the text "password needed" and Outlook change to "online with exchange" for a while, but a minute or two later the live-login appears again.
Any more idea?
Hi Martin,
Did you manage to fix?
Did you manage to fix?
What is the Outlookanywhere URL check.
get-outlookanywhere | fl
Also when the certificate prompt is coming click on the view certificate and check what is the issued to name right in front of the view. Also please post any more details.