
Exchange 2019. Outlook clients get warning about certificate

Martin_Radbo asked:
Complete new installation of servers and clients.

One single server with Windows Server 2019, containing AD and Exchange Server 2019.
Clients are Win 10 Pro, joined to the domain, with Outlook 2019.

Internal domain name is stsgroup.local; too late we realized that a public domain name is best practice these days. But now we have an internal one...

When Outlook clients are set up for the first time, the following message is shown:

[Screenshot: error.png]
As you can see, they try to use the internal domain name and therefore the warning is issued.

The certificate is a SAN, with autodiscover.domain.com, webmail.domain.com and mail.domain.com. It is installed on the server.

I have changed all of the URLs for the virtual directories to https://webmail.domain.com/...

Split DNS is configured, so in the internal DNS autodiscover.domain.com and webmail.domain.com are pointing to the internal IP of the Exchange server, i.e. 192.168.140.40

The external DNS is pointing to the public IP of the Exchange server.

I have read several posts about this, but it still fails.

Please help.

Saif Shaikh, Server engineer
CERTIFIED EXPERT

Commented:

What is the Outlook Anywhere URL? Check with:


get-outlookanywhere | fl 


Also, when the certificate prompt comes up, click on View Certificate and check what the "Issued to" name is, right in front of you. Also please post any more details.



CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
View the certificate; the likely issue is that it is not including all the possible names. A SAN usually has to include
Autodiscover and other names to work.

The error indicates the name configured for access does not match the name for which the certificate was issued.

Author

Commented:
Here is the result of "get-outlookanywhere | fl":


RunspaceId                         : eebc52f0-685c-46e6-90ad-619a6093ac82
ServerName                         : PDC
SSLOffloading                      : True
ExternalHostname                   : webmail.domain.net
InternalHostname                   : webmail.domain.net
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://pdc.stsgroup.local/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.2 (Build 529.5)
Server                             : PDC
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=PDC,CN=Servers,CN=Exchange Admin
                                     istrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=STS Group,CN=Microso
                                     ft Exchange,CN=Services,CN=Configuration,DC=stsgroup,DC=local
Identity                           : PDC\Rpc (Default Web Site)
Guid                               : 9bd56b4e-6f11-4a4c-87c6-75c83d968bd2
ObjectCategory                     : stsgroup.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 2020-02-09 21:37:30
WhenCreated                        : 2020-01-21 14:57:57
WhenChangedUTC                     : 2020-02-09 20:37:30
WhenCreatedUTC                     : 2020-01-21 13:57:57
OrganizationId                     :
Id                                 : PDC\Rpc (Default Web Site)
OriginatingServer                  : pdc.stsgroup.local
IsValid                            : True
ObjectState                        : Changed

Author

Commented:
Arnold, the SAN includes
-autodiscover.domain.net
-webmail.domain.net
-mail.domain.net

And the problem is probably exactly what you say, that the client tries to connect to the local domain, i.e. pdc.stsgroup.local and not to one of the three in the certificate.
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017
Commented:

Author

Commented:
Thanks MAS.

I've read carefully the article https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-2019-certificate-and-related-issues.html but all written there seems to correspond with our settings.

And the "Test Email AutoConfiguration" from a client says "successful" in the log and, as far as I can see, all paths are to the external domain (webmail.domain.net).

But still, the error message about the certificate occurs, and I think the key here is that the first line in the error message says "pdc.stsgroup.local", i.e. Outlook has tried to connect to the internal server name, not to the public domain name.
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
Did you try recreating the Outlook profile? The above article will fix the certificate error.
Please try recreating a new outlook profile.

Author

Commented:
You're right. I tried to create a new user in AD and gave him a mailbox. He gets no error about the certificate. So maybe I need to delete the accounts in Outlook for users which still get the error message? I will try that.

But while trying to add the account (starting Outlook for the first time for a new user) this message occurs:

[Screenshot: certifikat.png]
Microsoft wants me to log in to my MS account for some reason. After several attempts to just get rid of that, I can finally open Outlook (no certificate warning) and start to work.

I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".

Any idea about that?
Jeff Glover, Sr. Systems Administrator
CERTIFIED EXPERT

Commented:
Did you set the Client Access server correctly?

Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/Autodiscover/Autodiscover.xml (obviously, domain.com gets replaced with your real domain name)

You need to be sure that the autodiscover record can be resolved internally to your exchange server and not to an externally published IP.

You also need to be sure that your SAN certificate is bound to IIS in Exchange. You can see this in the EAC.
MAS, EE Solution Guide - Technical Dept Head
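To check the three points above (Autodiscover URI, the names Outlook is handed, and the certificate bound to IIS) in one pass, here is an added diagnostic script that is not from the thread. It assumes the SAN names listed earlier in the thread and is run in the Exchange Management Shell on the Exchange server.

```powershell
# Added diagnostic script, not from the thread. Run in the Exchange Management Shell on the
# Exchange server. It lists every hostname Autodiscover/Outlook can receive from this server
# and reports whether the certificate bound to IIS covers it. A *.local name in the output is
# exactly what produces the Outlook certificate warning described in the question.
$server = $env:COMPUTERNAME

# SAN names of every certificate that has the IIS service enabled (the one HTTPS uses)
$certNames = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# Every URL or hostname Outlook can be handed by this server
$endpoints = @()
$endpoints += (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
$oa = Get-OutlookAnywhere -Server $server
$endpoints += "https://$($oa.InternalHostname)/rpc"
$endpoints += "https://$($oa.ExternalHostname)/rpc"
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-MapiVirtualDirectory -Server $server) +
         @(Get-AutodiscoverVirtualDirectory -Server $server)
foreach ($vd in $vdirs) { $endpoints += $vd.InternalUrl; $endpoints += $vd.ExternalUrl }

# Reduce to distinct hostnames and compare each against the certificate (exact or wildcard SAN)
$hosts = $endpoints | Where-Object { $_ } |
    ForEach-Object { ([uri]$_).Host.ToLower() } | Sort-Object -Unique
foreach ($h in $hosts) {
    $wildcard = '*.' + ($h -replace '^[^.]+\.', '')
    [pscustomobject]@{
        Hostname      = $h
        InCertificate = ($certNames -contains $h) -or ($certNames -contains $wildcard)
        InternalName  = ($h -like '*.local')   # True = will trigger the name-mismatch warning
    }
}
```

Any row with InternalName True or InCertificate False is a URL that still needs to be changed to a name in the SAN certificate, or the certificate needs to be re-issued to include it.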
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
-->Microsoft want me to login to my MS account for some reason. After several attempts to just get rid of that
You type your internal UPN. That's it.

--->I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Yes, you have to configure it as Exchange. But normally it will never prompt for config. Just type your email and password.
Patrick Bogers, Datacenter platform engineer, Lindows
CERTIFIED EXPERT

Commented:
Sounds to me like Exchange is handing out the wrong certificate; check Exchange management to see if the correct certificates are bound to Exchange services instead of the self-signed local one.

Author

Commented:
MAS: "You type your internal UPN. That's it."

That does not work. The suggested MS account in the dialog box is prename.surname@domain.local. I click on Next and it tells me that this account does not exist (but in the local AD it does exist).

This is what I do at the client:
1. Start outlook first time
2. Choose "show advanced options" and then "manual options"
3. Click on "Exchange"
4. Popup about MS account occurs. Close it with the X.
5. Get an error that something went wrong. Click on retry.
6. Popup about MS account occurs for a second time. Close it with the X.
7. Wizard finish with message "Account is setup".
8. Outlook asks for password in the lower right hand of the screen.
9. Restart Outlook.
10. Now it works!

So, the certificate problem seems to be gone. Thank you!
But the problem with asking for an MS account is still there, and very annoying. A user will not be able to configure his Outlook on his own.

Any more ideas?
EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017
Commented:
Apologies for the delayed response.
This will solve your issue. Added the same in my first comment which will help others in future.
https://www.gothamweb.com/portal/index.php/knowledgebase/8/Outlook-bypasses-AutoDiscover-and-connects-directly-to-Office-365-mailbox.html

Author

Commented:
Thanks. I will try it tomorrow.

Author

Commented:
Today I have tried the registry setting in the article https://www.gothamweb.com/portal/index.php/knowledgebase/8/Outlook-bypasses-AutoDiscover-and-connects-directly-to-Office-365-mailbox.html

It says \SOFTWARE\Policies\...
but as you can see in the screenshot below, I removed "Policies" from the path.
So my registry key is located here: Dator\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

Not sure if that is important or not.


[Screenshot: live-login.jpg]

However, it does not work. The login prompt for the Live account still pops up, and after closing it with the X, Exchange says "password needed".
I can then double-click on the text "password needed" and Outlook changes to "online with Exchange" for a while, but a minute or two later the Live login appears again.

Any more ideas?
MAS, EE Solution Guide - Technical Dept Head
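The two registry paths discussed above (with and without "Policies") can be inspected and set from PowerShell; this is an added helper, not from the thread or the linked article. It assumes the value the article concerns is ExcludeExplicitO365Endpoint, the documented Outlook 2016/2019 DWORD that stops Outlook trying the Office 365 endpoint before on-premises Autodiscover, and that Outlook reads it under both key paths, with the Policies one taking precedence.

```powershell
# Added client-side helper, not from the thread. Run as the affected user on the Windows 10 client.
# Assumption: the value in question is ExcludeExplicitO365Endpoint (DWORD 1), which Outlook 2016/2019
# honours under both the Policies and the non-Policies AutoDiscover key; the Policies key wins.
$valueName = 'ExcludeExplicitO365Endpoint'
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\AutoDiscover',  # path as in the article
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover'            # path used in the thread
)

function Get-AutoDiscoverSetting {
    # Report the current value under each key ($null when the key or the value is absent)
    foreach ($k in $keys) {
        $current = $null
        if (Test-Path $k) {
            $current = (Get-ItemProperty -Path $k -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        [pscustomobject]@{ Key = $k; Value = $current }
    }
}

function Set-AutoDiscoverSetting {
    # Create the key if it is missing and write the DWORD; defaults to the Policies path
    param([string]$Key = $keys[0])
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

'Before:'; Get-AutoDiscoverSetting | Format-Table -AutoSize
Set-AutoDiscoverSetting
'After (restart Outlook for the change to take effect):'; Get-AutoDiscoverSetting | Format-Table -AutoSize
```

If the value already reads 1 under one of the keys and the Live login prompt still appears, the prompt is not being caused by the Office 365 endpoint lookup and the profile or credential store is the next thing to examine.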
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
Hi Martin,
Did you manage to fix?