Outlook certificate issues

Bradleeeey 46 Reputation points
2022-01-27T15:12:26.94+00:00

Hi everyone,

I'm trying to resolve an issue with our email. When users launch Outlook it prompts every time that the name does not match the certificate. The certificate has a name error because our domain shows as EX2016.mydomain.local, whereas the certificate's name is EX2016.mydomain.com.

I understand you used to be able to include the .local name as a SAN on the certificate, but it is no longer an option as it's a security risk.

I believe the issue lies within the DNS settings on the server. I believe that we do not resolve the .local to the .com address.

I'm new to this and wondered if anyone could provide guidance to solve this issue?

Many thanks,

Brad


Accepted answer
  1. Andy David - MVP 142.3K Reputation points MVP
    2022-01-27T15:18:07.937+00:00

    Most likely one of the client virtual directories or Autodiscover entries is not set to the subject name on the certificate.

    I'd walk through this and ensure they are all set correctly:
    https://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2016/

    1 person found this answer helpful.
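    As an added example (not code from the thread, the linked guide, or Microsoft), the following Exchange Management Shell script does the walk-through the answer above recommends in one pass: it reads the names on the certificate bound to IIS and checks every InternalUrl/ExternalUrl, the Outlook Anywhere hostnames and the Autodiscover SCP against them. Any row reported with Covered = False is a name Outlook will be sent to that the certificate does not cover, which is exactly what produces the name-mismatch prompt. It assumes it runs in the Exchange Management Shell on an Exchange 2016 server; the server name EX2016 is taken from the thread.

```powershell
# Added example, not from the thread: audit the hostnames Exchange 2016 hands to
# clients against the names on the certificate assigned to IIS.
# Assumes the Exchange Management Shell. EX2016 is the server name from the thread.
$Server = 'EX2016'

# The certificate Outlook sees is the one assigned to the IIS service.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to IIS on $Server" }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A hostname is covered if it equals a subject/SAN entry, or matches a wildcard
# entry with exactly one extra label (*.mydomain.com does not cover a.b.mydomain.com).
function Test-NameCovered {
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".mydomain.com"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $prefix = $h.Substring(0, $h.Length - $suffix.Length)
                if ($prefix -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Gather every URL or hostname a client can be redirected to.
$entries = New-Object System.Collections.Generic.List[object]
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in (& $cmdlet -Server $Server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $vdir.$prop
            if ($url) {
                $entries.Add([pscustomobject]@{
                    Source   = "$($vdir.Name) $prop"
                    HostName = ([uri]$url).Host
                })
            }
        }
    }
}
$oa = Get-OutlookAnywhere -Server $Server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    if ($oa.$prop) {
        $entries.Add([pscustomobject]@{ Source = "OutlookAnywhere $prop"; HostName = "$($oa.$prop)" })
    }
}
$scp = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
if ($scp) {
    $entries.Add([pscustomobject]@{ Source = 'Autodiscover SCP'; HostName = ([uri]$scp).Host })
}

# Report: every row with Covered = False will trigger the name-mismatch prompt.
$report = foreach ($e in $entries) {
    [pscustomobject]@{
        Source   = $e.Source
        HostName = $e.HostName
        Covered  = Test-NameCovered -HostName $e.HostName -Names $certNames
    }
}
"Certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"
$report | Sort-Object Covered, Source | Format-Table -AutoSize
```

    Run it read-only first; it changes nothing. Once the uncovered names are known, each one is corrected with the matching Set-* cmdlet (for example Set-OwaVirtualDirectory -InternalUrl) to a name the certificate does cover, and the script can be re-run until every row reads Covered = True.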

6 additional answers

  1. Bradleeeey 46 Reputation points
    2022-02-01T16:54:54.897+00:00

    Hi everyone,

    Further update.... the certificate error is still coming up when users view shared calendars or other users' calendars within the organisation?!

    Any ideas?! @Andy David - MVP @KyleXu-MSFT

    It doesn't come up in any other scenario.....


  2. Bradleeeey 46 Reputation points
    2022-02-01T11:31:34.093+00:00

    Hi everyone,

    First of all, thanks to everyone that tried to help me sort out my Exchange. I have now resolved the issue and will add below what I did to resolve it, in the hope it helps someone else some day who may stumble upon this!

    The issue was, as said in some replies above, a problem with my DNS. In my case I did not have a zone for autodiscover.mydomain.com or remote.mydomain.com. All I had to do was create a new zone in the forward lookup zones pointing to the internal email server's IP address. After this I then set my Autodiscover settings and OWA hostname for each virtual directory using the Exchange Management Console (this can be done in ECP as shown above, but I just followed the guide below exactly). All details of how to sort your DNS AND all other Autodiscover settings can be found here: https://www.ajtek.ca/guides/exchange-autodiscover-a-guide-to-making-exchange-work-properly/

    Make sure you follow the tests for your new DNS settings also (in the guide).

    FOLLOW THE GUIDE EXACTLY, SKIP NOTHING. Do an IISRESET afterwards and run the below in PowerShell as an admin to restart the Exchange services:

    Get-Service *Exchange* | Where {$_.DisplayName -NotLike "*Hyper-V*"} | Restart-Service -Force
    

    After this you'll likely still find you have the certificate error..... which is the original question on this thread. You cannot solve this error if you have not set up DNS and Autodiscover correctly, as this is the cause.

    To get rid of the error, simply go onto the client machine, close Outlook and go to Control Panel, then Mail. Click Show Profiles, then click Add. Give it a name and then click OK, then close the following pop-up. It will ask if you want to save the profile without an email account..... click OK. Then change the "Always use this profile" dropdown box to the new profile. Click Apply, then OK, and close the window.

    Now when you launch Outlook it will be like a first-time launch; connect to the email account, choose outlook.com and you are done! No more cert errors.


  3. Andy David - MVP 142.3K Reputation points MVP
    2022-01-28T16:32:09.203+00:00

    If this *.com domain is used for external and internal access, then you should add it to your internal and external DNS. But that is not something I can advise on, as it may break something if you aren't doing this correctly.
    If you look here, one solution is to add the Autodiscover record as an SRV record in the *.local zone and let Outlook find it that way:

    https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/
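    Both of the DNS fixes in this thread (the internal A records for autodiscover.mydomain.com and remote.mydomain.com from the poster's own resolution, and the _autodiscover._tcp SRV record in the .local zone suggested in the answer above) can be verified from any domain-joined Windows client before touching Outlook. The following script is an added example, not code from the thread or from the linked guides. It uses Resolve-DnsName from the built-in DnsClient module; the domain names come from the thread, while the Exchange server IP, the expected hostnames and the certificate names are placeholders to replace with your own values.

```powershell
# Added example, not from the thread: verify the internal DNS records Outlook
# Autodiscover depends on. Assumes a domain-joined Windows host (DnsClient module).
$PublicDomain  = 'mydomain.com'      # from the thread
$AdDomain      = 'mydomain.local'    # from the thread
$ExchangeIP    = '192.0.2.10'        # assumption: your Exchange server's internal IP (documentation address)
$ExpectedHosts = "autodiscover.$PublicDomain", "remote.$PublicDomain"      # assumption: names you published
$CertNames     = "autodiscover.$PublicDomain", "remote.$PublicDomain"      # assumption: SANs on the certificate

# Split-DNS check: each public hostname must resolve internally to the internal
# Exchange IP, otherwise clients inside the LAN are sent to the public address.
function Test-ARecord {
    param([string]$Name, [string]$ExpectedIP)
    try {
        $answers = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }
        $ips = @($answers | ForEach-Object { $_.IPAddress })
        $ok  = $ips -contains $ExpectedIP
        $note = if ($ok) { '' }
                elseif ($ips.Count) { 'resolves, but not to the internal Exchange IP (split-DNS missing?)' }
                else { 'no A record' }
        [pscustomobject]@{ Record = "$Name A"; Found = ($ips.Count -gt 0); Value = ($ips -join ', '); Ok = $ok; Note = $note }
    } catch {
        [pscustomobject]@{ Record = "$Name A"; Found = $false; Value = ''; Ok = $false; Note = $_.Exception.Message }
    }
}

# SRV alternative: _autodiscover._tcp.<zone> must point at a hostname the
# certificate covers, on port 443, or Outlook will again see a name mismatch.
function Test-AutodiscoverSrv {
    param([string]$Zone, [string[]]$CoveredNames)
    $name = "_autodiscover._tcp.$Zone"
    try {
        $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' })
        $bad = @($srv | Where-Object {
            $_.Port -ne 443 -or ($CoveredNames -notcontains $_.NameTarget.TrimEnd('.').ToLower())
        })
        $note = if ($srv.Count -eq 0) { 'no SRV record' }
                elseif ($bad.Count) { 'target is not a certificate name on port 443' }
                else { '' }
        [pscustomobject]@{
            Record = "$name SRV"
            Found  = ($srv.Count -gt 0)
            Value  = (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')
            Ok     = ($srv.Count -gt 0 -and $bad.Count -eq 0)
            Note   = $note
        }
    } catch {
        [pscustomobject]@{ Record = "$name SRV"; Found = $false; Value = ''; Ok = $false; Note = $_.Exception.Message }
    }
}

$results = @(foreach ($h in $ExpectedHosts) { Test-ARecord -Name $h -ExpectedIP $ExchangeIP })
$results += Test-AutodiscoverSrv -Zone $AdDomain -CoveredNames $CertNames
$results | Format-Table -AutoSize
```

    The A-record rows need to read Ok = True for the poster's approach to work; the SRV row only matters if you choose the SRV-in-.local approach instead, and it is deliberately flagged when the target is not a certificate name, because an SRV record pointing at EX2016.mydomain.local would reproduce the original prompt.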


  4. Bradleeeey 46 Reputation points
    2022-01-28T14:21:37.963+00:00

    Hi everyone,

    I have some more data for you all from running these commands..... hoping it may shed some more light on the email server's config issues. I use * to hide sensitive information where it can't be replaced by pseudo wording.

    [PS] C:\Windows\system32>Get-OutlookProvider
    Creating a new session for implicit remoting of "Get-OutlookProvider" command...

    Name Server CertPrincipalName TTL
    ---- ------ ----------------- ---
    EXCH                          1
    EXPR                          1
    WEB                           1

    [PS] C:\Windows\system32>Get-OutlookAnywhere

    RunspaceId : *************************************
    ServerName : EX2016
    SSLOffloading : True
    ExternalHostname : mydomain.com
    InternalHostname : mydomain.com
    ExternalClientAuthenticationMethod : Negotiate
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
    XropUrl :
    ExternalClientsRequireSsl : True
    InternalClientsRequireSsl : True
    MetabasePath : IIS://EX2016.mydomain.local/W3SVC/1/ROOT/Rpc
    Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    AdminDisplayVersion : Version **** (Build *****)
    Server : EX2016
    AdminDisplayName :
    ExchangeVersion : **** (*******)
    Name : Rpc (Default Web Site)
    DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EX2016,CN=Servers,CN=Exchange
    Administrative Group (**************),CN=Administrative Groups,CN=******** ***********,CN=Microsoft
    Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
    Identity : EX2016\Rpc (Default Web Site)
    Guid : ****************************************
    ObjectCategory : mydomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged : *********************
    WhenCreated : *******************
    WhenChangedUTC : **********************
    WhenCreatedUTC : ************************
    OrganizationId :
    Id : EX2016\Rpc (Default Web Site)
    OriginatingServer : EX2016.mydomain.local
    IsValid : True
    ObjectState : Changed

    [PS] C:\Windows\system32>Get-ClientAccessServer
    WARNING: The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
    Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
    to use the Get-ClientAccessService cmdlet. For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.

    Name

    EX2016

    [PS] C:\Windows\system32>

    Hope that helps!! let me know if you need more data.
