
Certificate Warnings in Outlook After Installing Exchange Server 2016

After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning messages appearing in Outlook.

Example of an Outlook certificate warning

The two most common problems reported by the Outlook certificate warning message are:

  • The name on the security certificate is invalid or does not match the name of the site
  • The security certificate was issued by a company you have not chosen to trust

Why Does Outlook Display a Security Warning for a Certificate Problem?

When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).

By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name, in the form https://<server FQDN>/Autodiscover/Autodiscover.xml. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell.

Note: Previous versions of Exchange used the Get-ClientAccessServer cmdlet. With the changes to the server role architecture in Exchange 2016, the cmdlets for these management tasks are now *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning that they are deprecated.
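As an added example (my code, not a screenshot or script from the original article), the following reads the Autodiscover URL two ways: first through Get-ClientAccessService, and then directly from the serviceConnectionPoint object in the Active Directory configuration partition that Outlook itself locates by the Autodiscover keyword GUID. The server name EX2016 is an assumption; the script needs the Exchange Management Shell on a domain-joined machine.

```powershell
# Added example; not code from the original article. EX2016 is a hypothetical
# server name. Requires the Exchange Management Shell on a domain-joined host.

# What Exchange reports for this server's Autodiscover SCP. On a fresh install
# the URI is https://<server FQDN>/Autodiscover/Autodiscover.xml.
Get-ClientAccessService -Identity EX2016 |
    Format-List Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

# The same value as Outlook finds it: a serviceConnectionPoint object in the
# configuration partition, tagged with the Autodiscover keyword GUID. Outlook
# reads serviceBindingInformation from it and connects there over HTTPS, so
# whatever host name is in that URI is one the certificate must cover.
function Get-AutodiscoverScp {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'servicebindinginformation', 'keywords'))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        [pscustomobject]@{
            # The SCP object's CN is the Exchange server name
            Server = [string]$props['cn'][0]
            # keywords also carries "Site=<AD site>", which scopes which clients use this SCP
            Site   = @($props['keywords']) | Where-Object { $_ -like 'Site=*' } | ForEach-Object { $_.Substring(5) }
            Uri    = [string]$props['servicebindinginformation'][0]
        }
    }
}

# Any SCP still pointing at a server FQDN rather than the planned namespace is
# a candidate for a name-mismatch warning once the proper certificate is installed.
Get-AutodiscoverScp | Format-Table -AutoSize
```

Running the AD query from a workstation rather than the server is a useful check because it shows exactly what a domain-joined Outlook client will be handed, independent of what the Exchange cmdlets return.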

Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).

As the connection is over HTTPS, the SSL certificate configured on the server must meet three criteria to be considered valid by the client. Outlook applies them to every HTTPS URL it is given (Autodiscover, EWS, Outlook Anywhere and the rest), so a single endpoint still carrying the server’s FQDN is enough to trigger the warning:

  • The certificate was issued by a trusted certificate authority (CA)
  • The certificate has not expired
  • The name on the certificate matches the server name (or URL) that the client is connecting to
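The function below, as an added example that is not part of the original article, applies those three criteria to a live Exchange HTTPS endpoint from Windows PowerShell in the same way a client does at connection time: it builds the chain against the local trust store, checks the validity period, and matches the host name against the Subject Alternative Name entries (with the subject CN as fallback and correct single-label wildcard handling). The host names at the bottom are assumptions; run it against every name Outlook is handed, including the server FQDN if the Autodiscover SCP still points there.

```powershell
# Added example, not part of the original article. Checks the three criteria
# Outlook applies to an Exchange HTTPS endpoint. Host names below are
# hypothetical; run this from a client workstation so the trust check reflects
# what the users' machines actually trust.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # Open a TLS session and accept whatever certificate is presented, so the
    # checks below are made explicitly instead of failing inside the handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Criterion 1: the chain builds to a CA in this machine's trust store.
    # Revocation checking is off here to keep the test offline-friendly; a real
    # client will also check the CRL/OCSP endpoint when it can reach it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Criterion 2: the certificate is inside its validity period right now.
    $now = Get-Date
    $notExpired = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # Criterion 3: the host name we connected to is on the certificate. Clients
    # match against the Subject Alternative Name extension (OID 2.5.29.17); the
    # subject CN is only a fallback for certificates without a SAN.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names = $names | Where-Object { $_ } | Select-Object -Unique

    $nameMatches = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameMatches = $true; break }
        # Wildcard rule: *.example.com matches mail.example.com but not
        # example.com itself and not a.b.example.com (one label only).
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".example.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { $nameMatches = $true; break }
            }
        }
    }

    [pscustomobject]@{
        HostName         = $HostName
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        CertificateNames = $names -join ', '
        TrustedChain     = $trusted
        ChainStatus      = $chainStatus
        NotExpired       = $notExpired
        NameMatches      = $nameMatches
        Valid            = $trusted -and $notExpired -and $nameMatches
    }
}

# Hypothetical namespaces. Any endpoint reporting Valid = False is one
# Outlook will warn about; ChainStatus says why the trust check failed.
'mail.exchange2016demo.com', 'autodiscover.exchange2016demo.com' |
    ForEach-Object { Test-ExchangeCertificate -HostName $_ } | Format-List
```

A self-signed certificate from a fresh install fails criterion 1 on every client (ChainStatus reports UntrustedRoot), and a certificate issued for the namespace fails criterion 3 as soon as any URL still hands Outlook the server FQDN, which is why both halves of the fix below are needed.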

How to Fix Outlook Security Warnings After Installing Exchange 2016

There are two parts to the solution:

  1. Configure the Autodiscover URL for the service
  2. Install a valid SSL certificate

Configuring the Autodiscover URL for Exchange 2016

It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. That name is often in a private DNS suffix such as .local, for which public CAs no longer issue certificates, and it ties clients to one server rather than to a namespace that can later be load balanced across several. Instead, configure the URL to use a different DNS name or alias, as part of your overall Client Access namespace planning for Exchange 2016.

In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com.

However, as this is also a new server installation all of the other HTTPS services also need their URLs reconfigured. You can read more about that here, and also download my PowerShell script ConfigureExchangeURLs.ps1 to make the process easier.

In some cases an IIS restart on the server is also necessary after configuring the namespaces.

You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.
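To make the namespace steps concrete, here is an added example (my code, not the ConfigureExchangeURLs.ps1 script the article links) that sets the Autodiscover SCP, moves the remaining HTTPS virtual directories and Outlook Anywhere to the same namespace, adds the internal DNS A record, recycles IIS and then checks that nothing on the server still references its FQDN. The server name EX2016, DNS server DC01, zone exchange2016demo.com and IP address 192.168.1.10 are assumptions.

```powershell
# Added example; not the article's own script. Assumes a single Exchange 2016
# server EX2016 (hypothetical), the namespace mail.exchange2016demo.com for
# every HTTPS service, an internal DNS zone exchange2016demo.com hosted on
# DC01, and a server IP of 192.168.1.10. Run in the Exchange Management Shell.
$server    = 'EX2016'
$namespace = 'mail.exchange2016demo.com'
$zone      = 'exchange2016demo.com'
$dnsServer = 'DC01'
$serverIp  = '192.168.1.10'

# 1. Autodiscover SCP: this is the URL Outlook is handed first.
Set-ClientAccessService -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$namespace/Autodiscover/Autodiscover.xml"

# 2. Every other HTTPS virtual directory on a new server still carries the
#    server FQDN. Point internal and external URLs at the one namespace.
$vdirs = @(
    @{ Cmdlet = 'Set-OwaVirtualDirectory';         Identity = "$server\owa (Default Web Site)";                         Path = 'owa' }
    @{ Cmdlet = 'Set-EcpVirtualDirectory';         Identity = "$server\ecp (Default Web Site)";                         Path = 'ecp' }
    @{ Cmdlet = 'Set-WebServicesVirtualDirectory'; Identity = "$server\EWS (Default Web Site)";                         Path = 'EWS/Exchange.asmx' }
    @{ Cmdlet = 'Set-ActiveSyncVirtualDirectory';  Identity = "$server\Microsoft-Server-ActiveSync (Default Web Site)"; Path = 'Microsoft-Server-ActiveSync' }
    @{ Cmdlet = 'Set-OabVirtualDirectory';         Identity = "$server\OAB (Default Web Site)";                         Path = 'OAB' }
    @{ Cmdlet = 'Set-MapiVirtualDirectory';        Identity = "$server\mapi (Default Web Site)";                        Path = 'mapi' }
)
foreach ($v in $vdirs) {
    $url = "https://$namespace/$($v.Path)"
    & $v.Cmdlet -Identity $v.Identity -InternalUrl $url -ExternalUrl $url
}

# Outlook Anywhere uses host names rather than URLs, and Outlook compares the
# certificate against these names as well.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -InternalHostname $namespace -ExternalHostname $namespace `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

# 3. Internal DNS A record for the namespace (DnsServer module, run with rights
#    on DC01). With several servers, add one A record per server for round robin
#    or point the name at the load balancer VIP instead.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'mail' -RRType A -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail' -IPv4Address $serverIp -ComputerName $dnsServer
}

# 4. Recycle IIS so the new URLs are served immediately rather than after the
#    next application-pool recycle.
Invoke-Command -ComputerName $server -ScriptBlock { iisreset /noforce }

# 5. Verify: nothing on this server should still reference its FQDN.
$fqdn = (Get-ExchangeServer -Identity $server).Fqdn
$remaining = @(
    Get-OwaVirtualDirectory -Server $server
    Get-EcpVirtualDirectory -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory -Server $server
    Get-OabVirtualDirectory -Server $server
    Get-MapiVirtualDirectory -Server $server
) | Where-Object { "$($_.InternalUrl)$($_.ExternalUrl)" -match [regex]::Escape($fqdn) }

if ($remaining) { $remaining | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize }
else { "All virtual directories on $server use $namespace" }
```

The final check matters in practice: the commenters below who still saw warnings after changing the SCP had in every case left one virtual directory (often Outlook Anywhere or MAPI) on the old name, and Outlook warns on the first mismatch it meets.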


Install a Valid SSL Certificate

With the namespaces correctly configured and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you, some additional reading on Exchange certificates is worthwhile before you start.

To provision an SSL certificate for your Exchange 2016 server the process is:

  1. Create a certificate signing request (CSR)
  2. Submit the CSR to a certificate authority such as DigiCert (or to an internal enterprise CA, provided every client that will connect already trusts it)
  3. Complete the pending certificate request on the Exchange server
  4. Enable the SSL certificate for Exchange services
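The four steps carried out in the Exchange Management Shell, as an added example rather than the article's own commands. The server name EX2016, the names mail.exchange2016demo.com and autodiscover.exchange2016demo.com, the organisation details in the subject and the share \\EX2016\certs are all assumptions.

```powershell
# Added example, not the article's own procedure. Assumes server EX2016, the
# two namespaces below, and a share \\EX2016\certs that holds the request and
# the CA's response; all hypothetical. Run in the Exchange Management Shell.
$server = 'EX2016'
$names  = 'mail.exchange2016demo.com', 'autodiscover.exchange2016demo.com'
$reqFile = '\\EX2016\certs\mail.exchange2016demo.com.req'
$cerFile = '\\EX2016\certs\mail.exchange2016demo.com.cer'

# 1. Create the CSR. The first name becomes the subject CN; every name Outlook
#    connects to goes into the SAN list. The private key is exportable so the
#    same certificate can later be exported to additional servers.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'Exchange 2016 mail.exchange2016demo.com' `
    -SubjectName "CN=$($names[0]),O=Exchange2016Demo,C=AU" `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $csr -Encoding Ascii

# 2. Submit $reqFile to the CA (DigiCert, or an internal enterprise CA that
#    every client already trusts) and save the issued certificate as $cerFile.
#    If the CA returns only the leaf, install its intermediate certificates in
#    the server's Intermediate Certification Authorities store as well, or
#    clients that lack them will fail the chain check.

# 3. Complete the pending request on the server that generated it, so the
#    issued certificate is joined to the private key created in step 1.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($cerFile))

# 4. Bind it to the HTTPS services (IIS) and to SMTP for TLS; add IMAP or POP
#    only if those services are in use. -Force skips the prompt about
#    replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# 5. Verify: the certificate bound to IIS must list every namespace, come from
#    the expected issuer, not be self-signed, and report a Valid status.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, Issuer, CertificateDomains, NotAfter, IsSelfSigned, Status
```

After step 4, check that the IIS binding actually changed by browsing to https://mail.exchange2016demo.com/owa and inspecting the certificate; a second self-signed entry left bound to IIS, or a missing intermediate, produces exactly the "issued by a company you have not chosen to trust" warning described at the top of the article.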

Summary

The common causes of Outlook security alerts containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the Outlook security alerts should stop appearing for your end users.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

44 comments

  1. Sandro Alves says:

    Paul,

    I created the FQDN to IP record, added that IP in Exchange 2016 (I only have one yet) in coexistence with Exchange 2010, and ran the command to change the InternalUri of Autodiscover.

    What did I notice on the Outlook client?

    It communicated with the IP of the new FQDN, but looking at the Outlook client connection status, it still shows that it is connected to the FQDN of the server, when it should be the new FQDN that I changed in InternalUri.

    I logged on with another user and created a profile from scratch, and it did the same thing: it shows that it is connected to the server name instead of the FQDN I created.

    What could be wrong?

    Thank you

    • If all you’ve changed is the Autodiscover URI for the new server that is just part of the solution. Read the article again, it references the other namespace configurations that are also needed for a newly deployed server.

  2. Turbomcp says:

    Assuming the mailbox you’re testing with is on 2016:
    configure the rest of the URLs to match, not just Autodiscover (specifically Outlook Anywhere).

  3. Phil Goldwasser says:

    Thanks for your amazing articles! I have followed all of your information about this certificate warning, but I have one pesky machine that is still throwing this warning. All of the other machines do not show the warning. They are all using Outlook 2007 (yes, I know it is not supported with Exchange 2016, but it is working). The one with the issue is the only Outlook 2013 install in the whole company.

    I did a Ctrl-click on the Outlook icon in the system tray and chose Test E-mail AutoConfiguration, and in the results all of the entries have the correct FQDN.

    On the exchange server, I have set ALL of the virtual directories with the same FQDN for internal and external. I have an internal DNS entry for the server pointing to the internal address, and in our outside DNS, the entry points to the outside ip. Everything seems correct, yet this one machine still throws the error.

    Any ideas?

  4. Phil Goldwasser says:

    Not the server’s FQDN, sorry if I was misunderstood. The server’s FQDN is xyzserver.xyz.local. The external URI is mail.xyz.com. The internal URI is also mail.xyz.com. The internal DNS server points mail.xyz.com to 192.168.1.3, while external DNS points it to some outside public IP. If they ping mail.xyz.com from their workstation they get 192.168.1.3. That is what I meant.

    On the exchange server, I set all of the Virtual servers to use mail.xyz.com as the internal and external URI. So when configuring Outlook 2007 (again, I know it is not supported), I put mail.xyz.com as the server name and mail.xyz.com in the outlook anywhere proxy section.

    On Outlook 2013, it does it all automatically, so I put in her email address (Janedoe@xyz.com) and her password and it auto configures nicely. I even tried doing it manually and typing in the servername, mail.xyz.com, but it ends up the same as if I had let it autoconfigure.

    End result is that on Outlook 2013, she still gets the certificate warning.

  5. anker says:

    Hi Paul.

    Is it possible to prevent exchange from “announcing” those virtual directories immediately?
    Even if the SCP is changed to the “correct” DNS name as fast as possible, it seems that the virtual directories are distributed to Outlook clients and somehow cached on the existing Exchange servers. We have a lot of Outlook online clients, and I could not prevent the certificate warning for almost an hour. I had to reset IIS on the existing Exchange 2013 servers, which made a lot of noise as well.

    /anker

  6. anker says:

    Paul,

    You know a lot from the Exchange team – could you ask for this cmdlet :)

    Set-ClientAccessService -server “myNewServer” -ActivateAutodiscover

    it will do 2 things:

    1. Register the server’s client point with your configured value.
    2. Tell the other servers that this server is now ready to announce virtual directories.

    /anker

  7. Nikolay says:

    Hi, Paul. I have the same problem with my Exchange 2016. First of all I’d like to thank you for your great articles about Exchange. So I’ve got a problem with Autodiscover in the internal network. I installed 2 Mailbox servers and 2 Edge servers in the DMZ. I created a DAG and included the 2 servers; it is assigned an IP and FQDN for the DAG. I use Outlook 2013, and when I try to connect to Exchange the connection fails. The window appears: “The action cannot be completed. The connection to Microsoft Exchange is unavailable …” I’m sad. I read your article and decided to create in my internal DNS a CNAME record “Mail” with the DAG as the target host. I created a new certificate in my local certification authority and imported it to both servers. The certificate has a SAN. There are two records in the SAN field: autodiscover.domain.ru and mail.domain.ru. All virtual directories on both servers I changed to https://mail.domain.ru/owa, ecp, etc. I executed the command:
    Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri

    the result of command is displayed for both servers:
    AutoDiscoverServiceInternalUri https://mail.domain.ru/Autodiscover/Autodiscover.xml

    For Outlookanywhere I assigned mail.domain.ru for both servers as well.

    As I know, in previous versions of Exchange we have to change the CAS server to the FQDN of the CAS array name or alias in the mailbox settings. I mean we should run the command Set-MailboxDatabase -RpcClientAccessServer, but the command, as far as I know, returns an error.

    Paul, sorry for my long story. Do you have any ideas what I have to do?
    May be I should create Cname records for FQDN the both servers and include them in certificate?

    • 1. The Client Access namespaces should not resolve to the DAG IP. They should resolve to the Mailbox server IP address, or to the load balanced VIP. If you’re not using a load-balancer then you can use DNS round robin instead. It is demonstrated here:
      http://practical365.com/exchange-2013-client-access-server-high-availability/ (the same applies to Exchange 2013 as 2016)

      2. Hopefully your DAG’s FQDN is not mail.domain.ru.

      3. Setting the RPCClientAccessServer on databases is not required in Exchange 2013 or 2016.

      4. You might have missed a virtual directory in your configuration. Use my GetExchangeURLs.ps1 script here:
      http://practical365.com/exchange-server-2016-client-access-namespace-configuration/

      • Nikolay says:

        Hi, Paul. Sorry for the long break. My DAG’s FQDN is not mail.domain.ru and I’ve used your script to change my Exchange virtual directories from the FQDN to mail.domain.ru for both servers. But when I try to connect to Exchange it fails and a notice appears: “The connection to Microsoft Exchange is unavailable”. The certificate is valid and not self-signed. I decided to use DNS round robin. So Outlook tries to connect not to the namespace mail.cpxdemo.ru but to one of the FQDNs. OWA, ECP, etc. are working perfectly. Do I need to configure anything more? By the way, I changed only internal URLs; external URLs are not used and there is no internet access.

  8. Anatoly says:

    Hi Paul
    I followed your article step by step, but after installing Exchange 2016 and setting a valid certificate the SSL warning appears, and it also repeatedly asks for user name and password.

        • I don’t understand your answer.

          If you think the certificate warning shows that the client is trying to connect to the wrong server name, you should check all your Exchange namespaces to make sure you’ve configured the internal and external URLs correctly.

  9. Justin says:

    Another important consideration when you run into this issue after installing a 2016 server in your environment is MAPI over HTTP. When you install the first 2016 server MAPI over HTTP is enabled, and if the new 2016 server, which is a CAS by default, resides in the same site as your old CAS server it will proxy and serve clients. When we encountered this issue after installing our first 2016 server we corrected it by fixing the MAPI VD internal and external URLs to use our DNS alias, which resolved the issue for us.

  10. Nick says:

    I am in the process of migrating from 2010 to 2016. I moved over a few mailboxes, and then I started receiving an error.
    “There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the target site <FQDN of my server>.

    Outlook is unable to connect to the proxy server. (Error Code 10)

    The strange thing is that half of the users I have migrated work without any issues. In addition, any NEW users connect with no issues either.

    I can just click ok to the error, and everything still works, but its annoying and I would like to resolve this prior to completing the migration. Any ideas?

  11. Vvvasilev says:

    Hi,
    I have a very weird problem. I am running 2 x Win2012 servers with Exchange 2016 CU1, in DAG configuration with a Kemp load balancer in front. I have a valid SSL certificate from COMODO, which is installed on both servers and all services are assigned to it. Now, when I open ECP from the browser the connection is secured and I get the green bar. However, when I open the same URL but OWA, the bar is green only up to the login screen. Once logged in, when all mails are displayed, the connection becomes unsecured, showing that a self-signed certificate is used, which is not even installed or visible through the management center. The configuration:

    [PS] C:\Windows\system32>Get-ExchangeCertificate -Server Exchange

    Thumbprint Services Subject
    ———- ——– ——-
    XXXXXXXXXXXXXXXXXXXXXXXXXXXX IP.WS.. CN=mail.domain.be, OU=PositiveSSL Multi-Domain, OU=Domain …
    XXXXXXXXXXXXXXXXXXXXXXXXXX ……. CN=WMSvc-EXCHANGE

  12. eli says:

    hi,
    first of all thanks so much for great articles.
    I’ve recently installed an Exchange 2016, with multi tenancy.
    Assume I have 2 domains: DomainA.com and DomainB.com. Now how am I supposed to configure the autodiscover URI?
    I have 2 accepted domain, so I created 2 SRV record instead of “autodiscover.DomainA.com” and “autodiscover.DomainB.com”.But I don’t have any valid SSL yet.
    the problem is people can’t connect to Exchange through Outlook :( it’s OK with the iOS Mail application though!
    any help would be really great
    thanks in advance

  13. Billie Omolo says:

    Hello,

    I have a disk consumption issue. After installing Exchange Server 2016 and configuring everything correctly, my HDD is being consumed at a very fast rate; a partition of 320GB shrunk to 60GB by the following morning. After doing some checks I found in C:\Windows\Temp some .tmp files being created at a very fast rate.

    Please help, because I can’t work out what’s causing all these files to be created at such a fast rate.

  14. Susan Eastrbrooks says:

    Outlook will not let me get into my e-mail account; it says over and over that some security error just keeps popping up, for the last 36 hours. How do I read my e-mails? They are piling up. Why am I blocked?

  15. Soren Rasmussen says:

    Hello Paul

    First of all, thanks for a great article! As always you make things brilliantly easy to understand.

    I have question which I hope you will find time to reply to.

    I’m planning to install Exchange 2016 into an existing Exchange 2010 organization which consists of one server only. However, I don’t plan to configure anything else (routing, connectors, etc.) on Exchange 2016 for some months.

    Question is – will just installing Exchange 2016 to leave it alone without configuration – affect the existing autodiscover/Outlook Anywhere functionality?

    Thanks in advance. Have a nice day.

    • I would question why you’re installing it months before you need it. It’ll always be a thing sitting there that you need to maintain and think about any time there’s a troubleshooting scenario.

      As long as you get the Autodiscover config set, yes.

  16. Justin hedrington says:

    Having trouble getting my certificate warning to go away and Outlook Anywhere working properly. My local domain is internal; we will say exchange.contoso.internal. I have an FQDN mail.contoso.com that is signed to that domain, and also autodiscover.contoso.com. Local clients still get a certificate warning pointing to exchange.contoso.internal after running your PowerShell script on Exchange 2016. In DNS I have authority set up for contoso.com and have an A record for mail.contoso.com pointing to the internal IP of Exchange (also one for autodiscover.contoso.com). OWA works from outside and in, mail is flowing. Local Outlook clients work fine except for the cert warning. After running the script some Outlook clients have trouble connecting; they continually ask for a password even after providing the correct credentials.
