Outlook certificate issues

Bradleeeey 46 Reputation points
2022-01-27T15:12:26.94+00:00

Hi everyone,

I'm trying to resolve an issue with our email. When users launch Outlook it prompts every time that the name does not match the certificate. The certificate has a name error because our domain shows as EX2016.mydomain.local, whereas the certificate's name is EX2016.mydomain.com.

I understand you used to be able to include the .local name as a SAN on the certificate, but it is no longer an option as it's a security risk.

I believe the issue lies within the DNS settings on the server. I believe that we do not resolve the .local to the .com address.

I'm new to this and wondered if anyone could provide guidance to solve this issue?

Many thanks,

Brad



Accepted answer
  1. Andy David - MVP 141.6K Reputation points MVP
    2022-01-27T15:18:07.937+00:00

    Most likely one of the client virtual directories or auto discovery entries are not set to the subject name on the certificate.

    I'd walk through this and ensure they are all set correctly:
    https://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2016/

    1 person found this answer helpful.
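    As an added example of the check described in this answer (example code, not from the thread, from Microsoft, or from the linked article), this Exchange Management Shell script lists every client-facing hostname from the virtual directories, Outlook Anywhere and the Autodiscover SCP, and flags any that the certificate bound to IIS does not cover. The server name EX2016 comes from the thread; the wildcard-matching rule is an assumption.

```powershell
# Added example: compare Exchange client URLs against the IIS-bound certificate.
# Assumes an Exchange Management Shell session; EX2016 is the server from the thread.
$Server = 'EX2016'

# Does a certificate name cover a hostname? Exact match, or one-label wildcard (*.example.com).
function Test-HostCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $idx = $HostName.IndexOf('.')
            if ($idx -gt 0 -and $HostName.Substring($idx + 1) -ieq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

# Gather every hostname Outlook may be handed.
$entries = @()
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory') {
    foreach ($vd in (& $cmd -Server $Server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) {
                $entries += [pscustomobject]@{ Source = "$($vd.Name) $prop"; HostName = ([uri]$vd.$prop).Host }
            }
        }
    }
}
$oa = Get-OutlookAnywhere -Server $Server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    if ($oa.$prop) { $entries += [pscustomobject]@{ Source = "OutlookAnywhere $prop"; HostName = [string]$oa.$prop } }
}
$cas = Get-ClientAccessService -Identity $Server
if ($cas.AutoDiscoverServiceInternalUri) {
    $entries += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'
                                   HostName = ([uri]$cas.AutoDiscoverServiceInternalUri).Host }
}

# The certificate with the IIS service assigned is the one Outlook is shown.
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { [string]$_ })

# Any row with CoveredByCert = False is a candidate for the name-mismatch prompt.
$entries | ForEach-Object {
    [pscustomobject]@{ Source = $_.Source; HostName = $_.HostName; CoveredByCert = (Test-HostCovered $_.HostName $sans) }
} | Format-Table -AutoSize
```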

6 additional answers

Sort by: Most helpful
  1. KyleXu-MSFT 26,211 Reputation points
    2022-01-28T06:14:25.313+00:00

    @Bradleeeey

    Do you use a wildcard certificate for your Exchange server? If so, you don't need to make a change to your certificate. Make sure this wildcard certificate is bound in IIS on “Default Web Site” and “Exchange Back End” (you need to run IISReset after making a change to IIS):


    After that I would suggest you follow this wizard to change the mailbox email address and UPN from “domain.local” to "domain.com". Then check from Outlook whether “domain.local” still appears.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



  2. Andy David - MVP 141.6K Reputation points MVP
    2022-01-28T12:27:03.287+00:00

    Oh no. Did you change the backend certificate? Don't do that; change it BACK to the Exchange cert if that is the case.

    Follow my blog. You don't need to renew, just verify the default cert is applied to the backend correctly:

    https://ehloergosum.com/2020/01/25/renewing-that-pesky-microsoft-exchange-certificate/

    Set the 3rd party cert only for the client services in EAC.


  3. Bradleeeey 46 Reputation points
    2022-01-28T14:21:37.963+00:00

    Hi everyone,

    I have some more data for you all from running these commands, hoping it may shed some more light on the email server's config issues. I use * to hide sensitive information where it can't be replaced by pseudo wording.

    [PS] C:\Windows\system32>Get-OutlookProvider
    Creating a new session for implicit remoting of "Get-OutlookProvider" command...

    Name Server CertPrincipalName TTL


    EXCH 1
    EXPR 1
    WEB 1

    [PS] C:\Windows\system32>Get-OutlookAnywhere

    RunspaceId : *************************************
    ServerName : EX2016
    SSLOffloading : True
    ExternalHostname : mydomain.com
    InternalHostname : mydomain.com
    ExternalClientAuthenticationMethod : Negotiate
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
    XropUrl :
    ExternalClientsRequireSsl : True
    InternalClientsRequireSsl : True
    MetabasePath : IIS://EX2016.mydomain.local/W3SVC/1/ROOT/Rpc
    Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    AdminDisplayVersion : Version **** (Build *****)
    Server : EX2016
    AdminDisplayName :
    ExchangeVersion : **** (*******)
    Name : Rpc (Default Web Site)
    DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
    Administrative Group (**************),CN=Administrative Groups,CN=******** ***********,CN=Microsoft
    Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
    Identity : EX2016\Rpc (Default Web Site)
    Guid : ****************************************
    ObjectCategory : mydomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged : *********************
    WhenCreated : *******************
    WhenChangedUTC : **********************
    WhenCreatedUTC : ************************
    OrganizationId :
    Id : EX2016\Rpc (Default Web Site)
    OriginatingServer : EX2016.mydomain.local
    IsValid : True
    ObjectState : Changed

    [PS] C:\Windows\system32>Get-ClientAccessServer
    WARNING: The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
    Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
    to use the Get-ClientAccessService cmdlet. For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.

    Name

    EX2016

    [PS] C:\Windows\system32>

    Hope that helps!! let me know if you need more data.


  4. Andy David - MVP 141.6K Reputation points MVP
    2022-01-28T16:32:09.203+00:00

    If this *.com domain is used for external and internal access, then you should add it to your internal and external DNS. But that is not something I can advise on, as it may break something if you aren't doing this correctly.
    If you look here, one solution is to add the autodiscover record as an SRV record in the *.local zone and let Outlook find it that way:

    https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/