After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning messages appearing in Outlook.
The two most common problems reported by the Outlook certificate warning message are:
- The name on the security certificate is invalid or does not match the name of the site
- The security certificate was issued by a company you have not chosen to trust
Why Does Outlook Display a Security Warning for a Certificate Problem?
When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).
By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell. For example:
[PS] C:\>Get-ClientAccessService -Identity EXSERVER | Select AutodiscoverServiceInternalUri
Note: Previous versions of Exchange used the Get-ClientAccessServer cmdlet. With the changes in Exchange 2016 server roles architecture the new cmdlets for these management tasks are *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning message that they are deprecated.
Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).
As the connection is over HTTPS the SSL certificate configured on the server must meet three criteria to be considered valid by the client:
- The certificate was issued by a trusted certificate authority (CA)
- The certificate has not expired
- The name on the certificate matches the server name (or URL) that the client is connecting to
How to Fix Outlook Security Warnings After Installing Exchange 2016
There are two parts to the solution:
- Configure the Autodiscover URL for the service
- Install a valid SSL certificate
Configuring the Autodiscover URL for Exchange 2016
It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. Instead, you should configure it to use a different DNS name or alias. This is part of your overall Client Access namespace planning for Exchange 2016.
In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com.
[PS] C:\>Set-ClientAccessService -Identity EXSERVER -AutoDiscoverServiceInternalUri https://mail.exchange2016demo.com/Autodiscover/Autodiscover.xml
In some cases an IIS restart on the server is also necessary after configuring the namespaces.
You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.
Install a Valid SSL Certificate
With the namespaces correctly configured, and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you then I recommend some additional reading:
To provision an SSL certificate for your Exchange 2016 server the process is:
- Create a certificate signing request (CSR)
- Submit the CSR to a certificate authority such as Digicert
- Complete the pending certificate request on the Exchange server
- Enable the SSL certificate for Exchange services
The common causes of Outlook security alerts containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the Outlook security alerts should stop appearing for your end users.