I encountered a customer case that was originally escalated as an Exchange server issue impacting multiple users.
After a brief inspection I found that the Exchange server itself appeared healthy, and began working with one of the end users to troubleshoot some more.
When this person launched Outlook they were receiving an SSL error message:
"The application experienced an internal error loading the SSL libraries."
Clicking View Certificate showed the following information:
"A system-level error occurred while verifying trust"
I also found that the end user had received an error at logon that their roaming profile could not be loaded, and they were also unable to access their My Documents.
With that information in hand we turned our attention to the storage appliance at the site, and it was found that the storage system’s clock was out by more than 5 minutes, breaking Kerberos and causing authentication to fail for the users attempting to connect to network shares.
Having never experienced a network file share outage impacting Outlook/Exchange in this manner with SSL errors, I was interested to learn more. I found that the AppData folder for the users was also redirected to a share on the same storage appliance.
I found this article that on brief inspection seems to confirm that the section of the Application Data folder shown in the screenshot below is critical for SSL validation.
So it appears that the contributing factors in this situation were:
- Storage system clock skewed by more than 5 minutes, breaking Kerberos authentication
- Users unable to authenticate and access network file shares, including the redirected Application Data folder
- Lack of access to Application Data folder impacts SSL validation when Outlook is making HTTPS requests to Exchange
- Unable to validate the SSL cert, Outlook fails in a secure manner by preventing the client from connecting to Exchange
Once the storage system clock was corrected and access resumed, the SSL errors were gone.
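The root cause above was a clock more than 5 minutes out, so a quick way to rule it in or out is to measure a host's offset directly. The following is an added example, not part of the original post: it computes the clock offset from an SNTP reply and compares it with the 5-minute tolerance. It assumes the host being checked answers NTP on UDP 123 (the post does not say whether the storage appliance does); `constructed_reply` builds a sample packet for offline use.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800      # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_TOLERANCE = 300.0  # the 5-minute limit described in the post, in seconds


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix time."""
    return seconds - NTP_DELTA + fraction / 2**32


def clock_offset(reply, t1, t4):
    """Remote clock minus local clock; t1/t4 = local time at send/receive."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if (reply[0] & 0x07) != 4 or reply[1] == 0:   # must be mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = ntp_to_unix(rx_s, rx_f)   # server clock when the request arrived
    t3 = ntp_to_unix(tx_s, tx_f)   # server clock when the reply left
    return ((t2 - t1) + (t3 - t4)) / 2


def breaks_kerberos(offset, tolerance=KERBEROS_TOLERANCE):
    """True when the skew exceeds the tolerance in either direction."""
    return abs(offset) > tolerance


def query(host, timeout=3.0):
    """Send one SNTP request to host (assumed to serve NTP) and return its offset."""
    request = b"\x23" + 47 * b"\x00"   # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def constructed_reply(server_time):
    """Constructed sample: a reply from a server whose clock reads server_time."""
    secs = int(server_time) + NTP_DELTA
    frac = int((server_time % 1) * 2**32)
    return struct.pack("!BBbb11I", 0x24, 2, 0, -20, *([0] * 7), secs, frac, secs, frac)
```

Running `breaks_kerberos(query(host))` from an affected client against both the file server and a domain controller shows which side has drifted.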