
Certificate Warnings in Outlook After Installing Exchange Server 2016

After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning messages appearing in Outlook.

Example of an Outlook certificate warning

The two most common problems reported by the Outlook certificate warning message are:

  • The name on the security certificate is invalid or does not match the name of the site
  • The security certificate was issued by a company you have not chosen to trust

Why Does Outlook Display a Security Warning for a Certificate Problem?

When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).

By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell. For example:

Note: Previous versions of Exchange used the Get-ClientAccessServer cmdlet. With the changes to the server role architecture in Exchange 2016, the new cmdlets for these management tasks are *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning message that they are deprecated.

Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).

As the connection is over HTTPS, the SSL certificate configured on the server must meet three criteria to be considered valid by the client:

  • The certificate was issued by a trusted certificate authority (CA)
  • The certificate has not expired
  • The name on the certificate matches the server name (or URL) that the client is connecting to

How to Fix Outlook Security Warnings After Installing Exchange 2016

There are two parts to the solution:

  1. Configure the Autodiscover URL for the service
  2. Install a valid SSL certificate

Configuring the Autodiscover URL for Exchange 2016

It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. Instead, you should configure it to use a different DNS name or alias. This is part of your overall Client Access namespace planning for Exchange 2016.

In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com.

However, as this is also a new server installation all of the other HTTPS services also need their URLs reconfigured. You can read more about that here, and also download my PowerShell script ConfigureExchangeURLs.ps1 to make the process easier.

In some cases an IIS restart on the server is also necessary after configuring the namespaces.

You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.
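The following is an added example, not the article's ConfigureExchangeURLs.ps1 script, that carries out the namespace change above and then audits every client-facing URL for the mismatch that causes the warning. It assumes a single Exchange 2016 server named EX2016 (hypothetical), the mail.exchange2016demo.com namespace from the article, an internal DNS zone exchange2016demo.com hosted on a Windows DNS server, and a placeholder server IP address.

```powershell
# Added example, not the article's own script. Run in the Exchange Management
# Shell on the server (the DNS step also needs the DnsServer module, or add
# -ComputerName <dns server> to Add-DnsServerResourceRecordA).
$Server    = 'EX2016'                       # hypothetical server name
$Namespace = 'mail.exchange2016demo.com'    # namespace from the article
$Zone      = 'exchange2016demo.com'         # assumed internal DNS zone
$ServerIp  = '192.0.2.10'                   # placeholder; use the real server IP
$Fqdn      = (Get-ExchangeServer -Identity $Server).Fqdn

# 1. Move the Autodiscover SCP off the server FQDN and on to the namespace.
Set-ClientAccessService -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml"

# 2. Collect the host name from every HTTPS URL Outlook can be directed to.
#    A URL that still carries the server FQDN will not match the name on the
#    certificate and produces the "name does not match" warning.
$checks = @(
    foreach ($vd in @(
            Get-OwaVirtualDirectory         -Server $Server
            Get-EcpVirtualDirectory         -Server $Server
            Get-WebServicesVirtualDirectory -Server $Server
            Get-ActiveSyncVirtualDirectory  -Server $Server
            Get-OabVirtualDirectory         -Server $Server
            Get-MapiVirtualDirectory        -Server $Server)) {
        foreach ($setting in 'InternalUrl', 'ExternalUrl') {
            [pscustomobject]@{
                Service = $vd.Name
                Setting = $setting
                Host    = $(if ($vd.$setting) { $vd.$setting.Host } else { '(not set)' })
            }
        }
    }
    $oa = Get-OutlookAnywhere -Server $Server
    foreach ($setting in 'InternalHostname', 'ExternalHostname') {
        [pscustomobject]@{ Service = 'Outlook Anywhere'; Setting = $setting; Host = "$($oa.$setting)" }
    }
    [pscustomobject]@{
        Service = 'Autodiscover SCP'
        Setting = 'AutoDiscoverServiceInternalUri'
        Host    = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri.Host
    }
)

$mismatched = $checks | Where-Object { $_.Host -ieq $Fqdn }
if ($mismatched) {
    Write-Warning "These endpoints still use the server FQDN $Fqdn and will trigger certificate warnings:"
    $mismatched | Format-Table -AutoSize
} else {
    Write-Host "No client-facing URL on $Server uses the server FQDN."
}

# 3. Make sure the namespace resolves internally; create the A record if it is
#    missing. With several servers, point it at the load balancer VIP instead,
#    or add one A record per server for DNS round robin.
if (-not (Resolve-DnsName -Name $Namespace -Type A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Namespace.Split('.')[0] -IPv4Address $ServerIp
    Write-Host "Created A record $Namespace -> $ServerIp"
}

# 4. Only needed if clients keep receiving the old URLs after the change.
iisreset /noforce
```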


Install a Valid SSL Certificate

With the namespaces correctly configured, and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you then I recommend some additional reading:

To provision an SSL certificate for your Exchange 2016 server the process is:

  1. Create a certificate signing request (CSR)
  2. Submit the CSR to a certificate authority such as Digicert
  3. Complete the pending certificate request on the Exchange server
  4. Enable the SSL certificate for Exchange services
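The four steps above, as an added example that is not the article's own code, followed by a check of the same three criteria the client applies (trusted issuer, not expired, name matches). It assumes a server named EX2016 (hypothetical), the two namespaces from the article, a working folder C:\certs on the server, and that the CA returns the issued certificate as C:\certs\mail.cer.

```powershell
# Added example, not the article's own code. Run in the Exchange Management Shell.
$Server = 'EX2016'                                                     # hypothetical
$Names  = 'mail.exchange2016demo.com', 'autodiscover.exchange2016demo.com'

# 1. Create the CSR. The first name becomes the subject CN and every name goes
#    into the SAN list, so the "name does not match" check passes for each URL
#    the namespace configuration hands to Outlook.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -SubjectName "CN=$($Names[0]),O=Exchange 2016 Demo,C=US" `
    -DomainName $Names -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2016 client access certificate'
Set-Content -Path 'C:\certs\mail.req' -Value $csr

# 2. Submit C:\certs\mail.req to the CA (manual step). Once C:\certs\mail.cer is
#    back, complete the pending request; this pairs the issued certificate with
#    the private key generated in step 1.
$issued = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes('C:\certs\mail.cer'))

# 3. Bind it to the HTTPS endpoints. IIS covers Autodiscover, EWS, OWA/ECP,
#    ActiveSync, MAPI over HTTP and Outlook Anywhere.
Enable-ExchangeCertificate -Server $Server -Thumbprint $issued.Thumbprint -Services IIS

# 4. Verify: not self-signed (trusted issuer), not expired, every namespace in the
#    SAN list, and actually bound to IIS. Returns an object with any problems found.
function Test-ExchangeCertificateForNamespaces {
    param([string]$Server, [string]$Thumbprint, [string[]]$RequiredNames)
    $cert     = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    $domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $problems = @()
    if ($cert.IsSelfSigned)                  { $problems += 'self-signed: clients will not trust the issuer' }
    if ($cert.NotAfter -lt (Get-Date))       { $problems += "expired on $($cert.NotAfter)" }
    if ("$($cert.Services)" -notmatch 'IIS') { $problems += 'not enabled for IIS' }
    foreach ($name in $RequiredNames) {
        if ($domains -notcontains $name) { $problems += "name missing from SAN list: $name" }
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

Test-ExchangeCertificateForNamespaces -Server $Server -Thumbprint $issued.Thumbprint -RequiredNames $Names
```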

Summary

The common causes of Outlook security alerts containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the Outlook security alerts should stop appearing for your end users.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

62 comments

  1. Sandro Alves says:

    Paul,

    I created with the FQDN to IP, added that IP in Exchange 2016 (only have one yet) in coexistence with Exchange 2010 and ran the command to change the InternalUri the Autodiscovery.

    What I realized on the client outlook?

    He communicated with the IP of the new FQDN, but looking at the status of the client connection outlook, it is still showing that you are connected to the FQDN of the server, which should be the new FQDN that changed in InternalUri.

    I logged with another user and created from scratch profile and he did the same thing, it shows that the FQDN is connected with the server name instead of showing logging in FQDN that created again.

    What could be wrong?

    Thank you

    • If all you’ve changed is the Autodiscover URI for the new server that is just part of the solution. Read the article again, it references the other namespace configurations that are also needed for a newly deployed server.

  2. Turbomcp says:

    assuming the mailbox you're testing with is on 2016.
    configure the rest of the URLs to match, not just autodiscover (specifically outlook anywhere)

  3. Phil Goldwasser says:

    Thanks for your amazing articles! I have followed all of your information about this certificate warning, but I have one pesky machine that is still throwing this warning. All of the other machines do not show the warning. They are all using Outlook 2007 (yes, I know it is not supported with Exchange 2016, but it is working). The one with the issue is the only Outlook 2013 install in the whole company.

    I did a ctrl click on outlook icon in the system tray and chose to test auto configuration and in the results, all of the entries have the correct FQDN.

    On the exchange server, I have set ALL of the virtual directories with the same FQDN for internal and external. I have an internal DNS entry for the server pointing to the internal address, and in our outside DNS, the entry points to the outside ip. Everything seems correct, yet this one machine still throws the error.

    Any ideas?

  4. Phil Goldwasser says:

    Not the Server’s FQDN, sorry if I was misunderstood. The server’s FQDN is xyzserver.xyz.local. The external URI is mail.xyz.com. The internal URI is also mail.xyz.com. The internal DNS server points mail.xyz.com to 192.168.1.3, while external DNS points it to some outside public ip. If they ping from their workstation mail.xyz.com they get 192.168.1.3. That is what I meant.

    On the exchange server, I set all of the Virtual servers to use mail.xyz.com as the internal and external URI. So when configuring Outlook 2007 (again, I know it is not supported), I put mail.xyz.com as the server name and mail.xyz.com in the outlook anywhere proxy section.

    On Outlook 2013, it does it all automatically, so I put in her email address (Janedoe@xyz.com) and her password and it auto configures nicely. I even tried doing it manually and typing in the servername, mail.xyz.com, but it ends up the same as if I had let it autoconfigure.

    End result is that on Outlook 2013, she still gets the certificate warning.

  5. anker says:

    Hi Paul.

    Is it possible to prevent exchange from “announcing” those virtual directories immediately?
    Even if the SCP is changed to the “correct” DNS name as fast as possible, it seems that the virtual directories are distributed to outlook clients and somehow cached on the existing exchange servers. We have a lot of outlook online clients, and I could not prevent the certificate warning for almost an hour. Had to reset IIS on the existing exchange 2013 servers, which made a lot of noise also.

    /anker

  6. anker says:

    Paul,

    You know a lot from the exchange team – could you ask for this cmd-let 🙂 🙂 🙂

    Set-ClientAccessService -server “myNewServer” -ActivateAutodiscover

    it will do 2 things:

    1. Register the server's Client point with your configured value.
    2. Tell the other servers, that this server is now ready to announce virtual directories.

    /anker

  7. Nikolay says:

    Hi, Paul. I have the same problem with my Exchange 2016. First of all I’d like to thank you for your great articles about Exchange. So I’ve got a problem with autodiscover in the internal network. I installed 2 mailbox servers and 2 Edge in DMZ. I created a DAG and included 2 servers; it is assigned an IP and FQDN for the DAG. I use Outlook 2013 and when I try to connect to Exchange the connection fails. The window appears: “The action can not be completed. The connection to Microsoft Exchange is Unavailable … ” I’m sad. I read your article and decided to create in my internal DNS a CNAME record “Mail” for the target host of the DAG. I created a new certificate in my local certification authority and imported it to both servers. The certificate has a SAN. There are two records in the SAN field: autodiscover.domain.ru and mail.domain.ru. All virtual directories on both servers I changed to https://mail.domain.ru/owa, ecp, etc. I executed the command:
    Get-ClientAccessServer | fl AutoDiscoverServiceInternalUri

    the result of command is displayed for both servers:
    AutoDiscoverServiceInternalUri https://mail.domain.ru/Autodiscover/Autodiscover.xml

    For Outlookanywhere I assigned mail.domain.ru for both servers as well.

    As I know, in previous versions of Exchange we had to change the CAS server to the FQDN CAS Array name or alias in mailbox settings. I mean we should run the command Set-MailboxDatabase -RpcClientAccessServer, but the command as I know occurs with an error.

    Paul, sorry for my long story. Do you have any ideas what I have to do?
    May be I should create Cname records for FQDN the both servers and include them in certificate?

    • 1. The Client Access namespaces should not resolve to the DAG IP. They should resolve to the Mailbox server IP address, or to the load balanced VIP. If you’re not using a load-balancer then you can use DNS round robin instead. It is demonstrated here:
      http://practical365.com/exchange-2013-client-access-server-high-availability/ (the same applies to Exchange 2013 as 2016)

      2. Hopefully your DAG’s FQDN is not mail.domain.ru.

      3. Setting the RPCClientAccessServer on databases is not required in Exchange 2013 or 2016.

      4. You might have missed a virtual directory in your configuration. Use my GetExchangeURLs.ps1 script here:
      http://practical365.com/exchange-server-2016-client-access-namespace-configuration/

      • Nikolay says:

        Hi, Paul. Sorry for the long break. My DAG’s FQDN is not mail.domain.ru and I’ve used your script to change my Exchange’s virtual directories from FQDN to mail.domain.ru for both Servers. But when I try to connect to Exchange it fails and a notice appears: ” The connection to Microsoft Exchange is unavailable”. The certificate is valid and not self-signed. I decided to use DNS Round Robin. So, outlook tries to connect not to the namespace mail.cpxdemo.ru but to one of the FQDNs. OWA, ECP, etc. are working perfectly. Do I need to configure anything more? By the way, I changed only internal URLs; external URLs are not used and there is no internet access.

  8. Anatoly says:

    Hi Paul
    I do your article step by step but after installing Exchange 2016 and set valid certificate SSL warning appear and also repeatedly need user name and password

        • I don’t understand your answer.

          If you think the certificate warning shows that the client is trying to connect to the wrong server name, you should check all your Exchange namespaces to make sure you’ve configured the internal and external URLs correctly.

  9. Justin says:

    Another important consideration when you run into this issue after installing a 2016 server in your environment is MAPI over HTTP. When you install the first 2016 server MAPI over HTTP is enabled and if the new 2016 server which is a CAS by default resides in the same site as your old CAS server it will proxy and serve clients. When we encountered this issue after installing our first 2016 server we corrected the issue by fixing the MAPI VD internal and external URLs to use our DNS alias which resolved the issue for us.

  10. Nick says:

    I am in the process of migrating from 2010 to 2016. I moved over a few mailboxes, and then I started receiving an error.
    “There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the target site FQDN of my server.”

    Outlook is unable to connect to the proxy server. (Error Code 10)

    The strange thing is that half of the users I have migrated work without any issues. In addition, any NEW users connect with no issues either.

    I can just click ok to the error, and everything still works, but it’s annoying and I would like to resolve this prior to completing the migration. Any ideas?

  11. Vvvasilev says:

    Hi,
    I have a very weird problem. I am running 2 x Win2012 servers with Exchange 2016 CU1, in DAG configuration with kemp loadbalancer in front. I have a valid SSL certificate from COMODO, which is installed on both servers and all services are assigned to it. Now, when I open from browser ECP – the connection is secured and I get green bar. However when I open the same URL but OWA, the bar is green only up to the login screen. Once done, when all mails are displayed, the connection becomes unsecured displaying a self signed certificate is used, which is not even installed or visible through the management center. The configuration:

    [PS] C:\Windows\system32>Get-ExchangeCertificate -Server Exchange

    Thumbprint                   Services Subject
    ----------                   -------- -------
    XXXXXXXXXXXXXXXXXXXXXXXXXXXX IP.WS..  CN=mail.domain.be, OU=PositiveSSL Multi-Domain, OU=Domain ...
    XXXXXXXXXXXXXXXXXXXXXXXXXX   .......  CN=WMSvc-EXCHANGE

  12. eli says:

    hi,
    first of all thanks so much for great articles.
    I’ve recently installed an Exchange 2016, with multi tenancy.
    Assume I have 2 domains: DomainA.com and DomainB.com. Now how am I supposed to configure the autodiscover URI?
    I have 2 accepted domains, so I created 2 SRV records instead of “autodiscover.DomainA.com” and “autodiscover.DomainB.com”. But I don’t have any valid SSL yet.
    the problem is people can’t connect to exchange through outlook 🙁 it’s ok with the iOS Mail application though!
    any help would be really great
    thanks in advance

  13. Billie Omolo says:

    Hello,

    I have a disk consumption issue. After installing Exchange Server 2016 and configuring everything correctly, my HDD is being consumed at a very fast rate, like a partition of 320GB shrunk to 60GB the following morning, but after doing some checks I found in C:\windows\temp some .tmp files being created at a very fast rate.

    Please help because I can’t get to know what’s causing all these files to be created at that very fast rate.

  14. Susan Eastrbrooks says:

    outlook will not let me get in to my e-mail account - says over and over some security error just keeps popping up for the last 36 hours - how do I read my e-mails? they are piling up. why am I blocked?

  15. Soren Rasmussen says:

    Hello Paul

    First of all, thanks for a great article! As always you make things brilliantly easy to understand.

    I have question which I hope you will find time to reply to.

    I’m planning to install Exchange 2016 into an existing Exchange 2010 organization which consists of one server only. However, I don’t plan to configure anything else (routing, connectors, etc.) on Exchange 2016 for some months.

    Question is – will just installing Exchange 2016 to leave it alone without configuration – affect the existing autodiscover/Outlook Anywhere functionality?

    Thanks in advance. Have a nice day.

    • I would question why you’re installing it months before you need it. It’ll always be a thing sitting there that you need to maintain and think about any time there’s a troubleshooting scenario.

      As long as you get the Autodiscover config set, yes.

  16. Justin hedrington says:

    Having trouble getting my certificate warning to go away and outlook anywhere working properly. My local domain is internal we will say exchange.contoso.internal. I have a FQDN mail.contoso.com that is signed to that domain and also autodiscover.contoso.com. Local clients still get a certificate warning pointing to exchange.contoso.internal after running your powershell script on exchange 2016. In DNS I have authority setup for contoso.com and have an a record for mail.contoso.com pointing to my internal IP of exchange (also one for autodiscover.contoso.com). OWA works from outside and in, mail is flowing. Local outlook clients work fine except for the cert warning. After running the script some outlook clients have troubles connecting, they continually ask for a password even after providing the correct credentials.

  17. Ryan H. says:

    Hi Paul,

    I’m having issues with Outlook 2016 after upgrading from 2013. I had to add AutoDiscover (autodiscover.domain.com) to our External DNS in order for 2016 to get the mail profile. The mail server used to be remote.domain.com. The DNS entry is still there but outlook is looking for remote.domain.com and the cert displays autodiscover.domain.com. I understand that they don’t match and I’m getting the “The name on the security certificate is invalid or does not match the name of the site” warning when launching outlook.

    Do you know of a way I can remedy this? Installing the self-signed certificate is not working correctly.

    Thanks in advance!

  18. Mo Madha says:

    Excellent article! I have read it several times to match the settings on my Server 2016. Though, Outlook is still generating the error: serv2016.xyz2.local The name on the ……

    Server is the domain controller + DNS +Exchange
    My local domain name is xyz2.local but actual email domain name is xyz.com. Autodiscover and OWA work from outside. On the SSL, I have:
    autodiscover.xyz.com
    xyz.com
    email.xyz.com

    DNS on the server has:
    email (Host A) (FQDN: email.xyz2.local) pointing to server’s private IP

    Any suggestion will be much appreciated. Thanks.

  19. David Finley says:

    A little more on the Cert warning that people often get.

    We are receiving in Mac Outlook a cert warning for the DNS Domain Name “exchange.DNSdomain.com”, but this is listed only as an internal name. Exchange uses “exchange.mailDomains.com” for autodiscover in DNS and as configured on the exchange server.

    Why would outlook keep hunting for a secure connection to the “exchange.DNSdomain.com” when it is not external used?

    How is it even picking this up when the DNS Autodiscover settings are correctly set and tested with the connectivity test website?

    • David Finley says:

      Sorry.. I messed up my post here. I intended to write not “exchange.DNSdomain.com” but “autodiscover.ADdomain.com”. The issue is that outlook keeps hunting a secure connection to the Active Directory Domain name url. Not as posted above with “exchange.DNSdomain.com”

      (sorry long day)

      • Outlook checks for Autodiscover in a number of different ways. One of them is by looking for the well known CNAME of “autodiscover”. If that resolves in DNS, it will try to connect.

        You can suppress that lookup using Group Policy. Or you can remove the DNS record (but that might break other clients relying on it).

        The other possibility is that your CAS Autodiscover Internal URI is set to that URL. That will not be tested by the connectivity analyzer, because it’s only testing externally and can’t see the Autodiscover SCP that is used inside your domain. So you should check that as well.

  20. Amjad Saleem says:

    Hi,
    I have exchange 2007 and installed new exchange 2013. I am having trouble in certificate assignment. When I am going to ECP on server 2013 it is showing me only the local domain and no other domain. Any idea what should I do? Previously we were using self assigned certificates and now I plan to use third party certificates. What things do I need to consider?

    Thanks in advance for your help.
    Amjad

  21. Amjad Saleem says:

    just forgot to mention that i have not done any settings in Virtual directory (except one ) do i have to do those one first ? because i configured OWA internal url and external Url and after that OWA is appearing in Certificate menu with right domain name.

    Thanks,
    Amjad

  22. Amjad Saleem says:

    one more thing to mention. Autodiscover.domain.sk.ca name space was not configured for exchange 2007 on the Domain controller previously. it was left by default and no name space was there so i created a name space and changed it on exchange server 2007 using PS:
    Get-ClientAccessServer -Identity SPC-EXCH1 | fl AutoDiscoverServiceInternalURI
    output was: https://spc-exch1.stpeters.int/Autodiscover/Autodiscover.xml

    so i believe it has not been configured properly . i plan to change it
    Set-ClientAccessServer -Identity spc-exch1 -AutoDiscoverServiceInternalURI https://autodiscover.domain.sk.ca/Autodiscover/Autodiscover.xml

    will it create any problem for the client which are already connected and do i have to assign new certificates on exchange 2007.

    Thanks,

  23. Amjad says:

    Hi Paul, I tried to put some comments but I believe because of ip addresses and other configuration they get removed. I am following guidance given under techgenix and a guy tried to explain everything but I am stuck at this point.
    so this is what i will be doing. after installing exchange 2013 with 2007. i will be creating following namespaces :
    Exchange 2007 has Ip address: x.x.x.3
    for exchange 2007: A record for mail.domain.com x.x.x.3
    for exchange 2007: A record for Autodiscovery.domain.com x.x.x.3
    for exchange 2013: A record for legacy.domain.com x.x.x.3

    new exchange 2013: x.x.x.93
    for exchange 2013: A record for mail.domain.com x.x.x.93
    for exchange 2013: A record for Autodiscovery.domain.com x.x.x.93

    i read some of your guidance documents , not sure but do i have to remove first two A records for Exchange 2007 and leave all others on Domain Controller.

    one more thing to mention. Autodiscover.mydomain.com name space was not configured on exchange 2007 previously. it was left by default and no name space was there so i created name space and changed it on exchange server 2007 to using PS:
    Get-ClientAccessServer -Identity SPC-EXCH1 | fl AutoDiscoverServiceInternalURI
    output was: https://spc-exch1.stpeters.int/Autodiscover/Autodiscover.xml

    so i believe it has not been configured properly . i plan to change it
    Set-ClientAccessServer -Identity spc-exch1 -AutoDiscoverServiceInternalURI https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

    will it create any problem for the client which are already connected and do i have to assign new certificates on exchange 2007.

    Hopefully this time my comments will go through. as i removed all ip address .

    Thanks,
    Amjad

    • I think you should engage a consultant for this work. Your Exchange 2007 environment is not set up correctly in the first place, so that needs to be fixed first before you can plan the upgrade. A consultant can review your environment and recommend a course of action to resolve the current issues and perform the upgrade.

      There’s only so much advice I can give you based on bits of info in your comments.
