Martin Radbo


Exchange 2019. Outlook clients get warning about certificate

Complete new installation of servers and clients.

One single server with Windows Server 2019, containing AD and Exchange Server 2019.
Clients are Win 10 Pro, joined to domain, with Outlook 2019.

Internal domain name is stsgroup.local; too late we realized that a public domain name is best practice these days. But now we have an internal one...

When Outlook clients are set up for the first time, the following message is shown:

User generated image

As you can see, they try to use the internal domain name and therefore the warning is issued.

The certificate is a SAN, with, and it is installed on the server.

I have changed all of the URL:s for the virtual dir. to  

Split DNS are configured, so in the internal dns and are pointing to the internal ip of the Exchange server, i.e.

The external DNS are pointing to the public IP of the Exchange server.

I have read several posts about this, but it still fails.

Please help.
Saif Shaikh

What is the Outlook Anywhere URL? Check:

get-outlookanywhere | fl 

Also, when the certificate prompt comes up, click on View Certificate and check what the "Issued to" name is, right at the front of the view. Also please post any more details.

View the certificate; the likely issue is that it is not including all the possible, SAN usually has to include
Autodiscover, and other names to work.

The error indicates the name configured for access does not match the name for which the certificate was issued.
Martin Radbo


Here is the result of "get-outlookanywhere | fl":

RunspaceId                         : eebc52f0-685c-46e6-90ad-619a6093ac82
ServerName                         : PDC
SSLOffloading                      : True
ExternalHostname                   :
InternalHostname                   :
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://pdc.stsgroup.local/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.2 (Build 529.5)
Server                             : PDC
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=PDC,CN=Servers,CN=Exchange Admin
                                     istrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=STS Group,CN=Microso
                                     ft Exchange,CN=Services,CN=Configuration,DC=stsgroup,DC=local
Identity                           : PDC\Rpc (Default Web Site)
Guid                               : 9bd56b4e-6f11-4a4c-87c6-75c83d968bd2
ObjectCategory                     : stsgroup.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 2020-02-09 21:37:30
WhenCreated                        : 2020-01-21 14:57:57
WhenChangedUTC                     : 2020-02-09 20:37:30
WhenCreatedUTC                     : 2020-01-21 13:57:57
OrganizationId                     :
Id                                 : PDC\Rpc (Default Web Site)
OriginatingServer                  : pdc.stsgroup.local
IsValid                            : True
ObjectState                        : Changed
Arnold, the SAN include

And the problem is probably exactly what you say, that the client tries to connect to the local domain, i.e. pdc.stsgroup.local and not to one of the three in the certificate.
M A
This solution is only available to members.
Thanks MAS.

I've read carefully the article but all written there seems to correspond with our settings.

And the "test email Autoconfiguration" from a client says "successful" in the log and as far as I can see, all paths are to the external domain (

But still, the error message about the certificate occurs, and I think the key here is that the first line in the error message says "pdc.stsgroup.local", i.e. Outlook has tried to connect to the internal server name, not to the public domain name.

Did you try recreating outlook profile as the above article will fix the certificate error.
Please try recreating a new outlook profile.
You're right. I tried to create a new user in AD and gave him a mailbox. He gets no error about the certificate. So maybe I need to delete the accounts in Outlook for users who still get the error message? I will try that.

But while trying to add the account (starting Outlook for the first time for a new user) this message occurs:

User generated image

Microsoft wants me to log in to my MS account for some reason. After several attempts to just get rid of that, I can finally open Outlook (no certificate warning) and start to work.

I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".

Any idea about that?
Did you set the Client Access server correctly?

Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri (obviously, gets replaced with your real domain name)

You need to be sure that the autodiscover record can be resolved internally to your exchange server and not to an externally published IP.

You also need to be sure that your SAN certificate is bound to IIS in Exchange. You can see this in the EAC.

-->Microsoft want me to login to my MS account for some reason. After several attempts to just get rid of that
You type your internal UPN. That's it.

--->I'm using Outlook 2019. In the first setup screen about new user, I choose advanced config, and I click on "Exchange account".
Yes, you have to configure it as Exchange. But normally it will never prompt for config. Just type your email and password.

Sounds to me like Exchange is handing out the wrong certificate; check Exchange management to see if the correct certificates are bound to Exchange services instead of the self-signed local one.
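
The check the replies above describe, comparing every name Outlook is told to use against the names in the certificate bound to IIS, as an added PowerShell example that is not part of the original thread. The sample values are constructed: example.com stands in for the public names the thread omits, pdc.stsgroup.local is the internal name from the warning, and the function names Test-SanMatch and Find-UncoveredName are hypothetical.

```powershell
# Added example (not from the thread). Plain PowerShell; runs without Exchange.
function Test-SanMatch {
    param([string]$HostName, [string[]]$SanList)
    foreach ($san in $SanList) {
        if ($san -eq $HostName) { return $true }          # -eq is case-insensitive
        # A wildcard SAN covers exactly one left-most label, e.g. *.example.com
        if ($san.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $san.Substring(1)) { return $true }
    }
    return $false
}

function Find-UncoveredName {
    param([hashtable]$Configured, [string[]]$SanList)
    foreach ($source in ($Configured.Keys | Sort-Object)) {
        $value = "$($Configured[$source])"
        if (-not $value) { continue }                      # unset URL or hostname
        # Virtual directories store URLs, Outlook Anywhere stores bare hostnames
        $name = if ($value -match '^https?://') { ([uri]$value).Host } else { $value }
        if (-not (Test-SanMatch -HostName $name -SanList $SanList)) {
            [pscustomobject]@{ Source = $source; Name = $name; Problem = 'not in certificate SANs' }
        }
    }
}

# Constructed sample: SANs on the certificate and the names handed to clients.
$sans = 'mail.example.com', 'autodiscover.example.com'
$configured = @{
    'AutoDiscoverServiceInternalUri'   = 'https://pdc.stsgroup.local/Autodiscover/Autodiscover.xml'
    'OWA InternalUrl'                  = 'https://mail.example.com/owa'
    'EWS InternalUrl'                  = 'https://mail.example.com/EWS/Exchange.asmx'
    'MAPI InternalUrl'                 = 'https://mail.example.com/mapi'
    'OutlookAnywhere InternalHostname' = 'mail.example.com'
    'OutlookAnywhere ExternalHostname' = ''
}
# On the server, fill these from the Exchange Management Shell instead:
#   $sans: (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }).CertificateDomains
#   $configured: (Get-ClientAccessService).AutoDiscoverServiceInternalUri, the InternalUrl and
#   ExternalUrl of each Get-*VirtualDirectory cmdlet, and Get-OutlookAnywhere's hostnames.
Find-UncoveredName -Configured $configured -SanList $sans | Format-Table -AutoSize
```

Every row it prints is a name a client may connect to that the certificate does not cover; with the constructed sample only the Autodiscover service URI is flagged.
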
MAS: "You type your internal UPN. That's it".

That does not work. The suggested MS account in the dialog box is prename.surename@domain.local. I click on next and it tells me that this account does not exist (but in the local AD it does exist).

This is what I do at the client:
1. Start outlook first time
2. Choose "show advanced options" and then "manually options"
3. Click on "Exchange"
4. Popup about MS-account occurs. Close it with the X.
5. Get an error about something went wrong. Click on retry.
6. Popup about MS-account occurs for second time. Close it with the X.
7. Wizard finishes with message "Account is setup".
8. Outlook asks for password in the lower right hand of the screen.
9. Restart Outlook.
10. Now it works!

So, the certificate problem seems to be gone. Thank you!
But the problem with asking for the MS account is still there, and very annoying. A user will not be able to configure his Outlook on his own.

Any more ideas?
This solution is only available to members.
Thanks. I will try it tomorrow.
Today I have tried the registry setting in the article

It says \SOFTWARE\Policies\...
but as you can see in the screenshot below, I removed "policies" from the path.
So my registry key is located here: Dator\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

Not sure if that is important or not.

User generated image

However, it does not work. The login prompt for the live-account still pops up and then, closing it by the X, Exchange says "password needed".
I can then double-click on the text "password needed" and Outlook changes to "online with exchange" for a while, but a minute or two later the live-login appears again.

Any more ideas?

Hi Martin,
Did you manage to fix it?