Proxy Server Security Certificate

mara2021 1,121 Reputation points
2024-03-26T19:34:09.5966667+00:00

We are a hybrid deployment. Our user mailboxes are in Exchange Online. A couple of mailboxes are on-prem for an archiving application. We use SMTP relay for in-house applications and multifunction printers. The two hybrid servers are Exchange 2019. The servers are in a DAG.

In preparation for enabling Extended Protection on the Exchange servers, I unchecked SSL Offloading on Outlook Anywhere using EAC. We do not use Outlook Anywhere. I did not remove the server name from the server host field and left Negotiate in the authentication field. I tried disabling it using PowerShell but received an error message. It was suggested that I disable it using EAC.

After I made the change, I started getting prompted for my credentials on my Outlook client and Outlook would not open. I also got the following message:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchangeserver2019.com. Outlook is unable to connect to the proxy server (Error Code 10)

I changed back to SSL Offloading. I am still getting the above message (may need to do iisreset?), but not getting the prompts and I am able to access Outlook.

Why am I getting this message? Do I need to remove the servername information from the Outlook Anywhere Fields?

Thank You for your help.


Accepted answer
  1. Yuki Sun-MSFT 41,376 Reputation points Moderator
    2024-03-27T05:50:06.9233333+00:00

    Hi @mara2021

    Do I need to remove the servername information from the Outlook Anywhere Fields?

    No, there's no need to remove the servername information or change the authentication method when unchecking the SSL Offloading on Outlook Anywhere via EAC.

    According to the official document, the recommended way to disable SSL offloading is by running the cmdlet below:

    Set-OutlookAnywhere -Identity "EXCH1\rpc (Default Web Site)" -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
    

    Based on my test, un-checking the SSL Offloading option only on Outlook Anywhere in EAC does almost the equivalent thing on the backend.

    Why am I getting this message?

    The error message indicates there is a mismatch between the host name that the Outlook client is trying to access and the certificate SAN. But it's weird that the error appears and your Outlook client is affected after disabling SSL offloading on Outlook Anywhere, as you mentioned that you do not use Outlook Anywhere.

    To help narrow the issue, please collect the information below:

    1. Outlook connection status when the issue occurs:
      While Outlook is running, press the CTRL key and then right-click the Outlook icon in the system tray, click Connection Status, and capture a screenshot; be sure to include the protocol column. Obfuscate all sensitive information like email address and domain name, then share the image.
    2. Check the Outlook Anywhere settings by running the following command:
    Get-OutlookAnywhere | fl *ssl*,*authen*
    
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
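
The name check behind the error discussed in this thread, as an added example that is not part of the original question or answer: it tests whether each Outlook Anywhere host name is covered by a certificate's SAN list, including the rule that a wildcard covers only one label. The function names and the `contoso.example` values are constructed for illustration; the commented lines show how the inputs could be pulled from `Get-OutlookAnywhere` and `Get-ExchangeCertificate` in the Exchange Management Shell.

```powershell
# Added example: host names and SAN entries below are constructed sample data.

function Test-NameCoveredBySan {
    param(
        [Parameter(Mandatory)][string]   $HostName,
        [Parameter(Mandatory)][string[]] $SanList
    )
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($san in $SanList) {
        $s = $san.Trim().TrimEnd('.').ToLowerInvariant()
        if ($s -eq $name) { return $true }
        # A wildcard covers exactly one left-most label: *.contoso.example
        # matches mail.contoso.example, but not contoso.example itself and
        # not exch1.corp.contoso.example.
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)    # ".contoso.example"
            if ($name.EndsWith($suffix)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UncoveredHostName {
    param([string[]] $HostNames, [string[]] $SanList)
    # Return every non-empty host name that no SAN entry covers.
    $HostNames | Where-Object { $_ } |
        Where-Object { -not (Test-NameCoveredBySan -HostName $_ -SanList $SanList) }
}

# Constructed inputs: one published name and one internal server FQDN.
$hostNames = @('mail.contoso.example', 'exch1.corp.contoso.example')
$sanList   = @('mail.contoso.example', 'autodiscover.contoso.example', '*.contoso.example')

# In the Exchange Management Shell, the real values can replace the samples:
#   $oa        = Get-OutlookAnywhere -Server $env:COMPUTERNAME
#   $hostNames = @("$($oa.InternalHostname)", "$($oa.ExternalHostname)")
#   $certs     = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
#                    Where-Object { $_.Services -match 'IIS' }
#   $sanList   = $certs.CertificateDomains | ForEach-Object { "$_" }

Get-UncoveredHostName -HostNames $hostNames -SanList $sanList
```

Any name this returns is one that would trigger the certificate name mismatch when a client connects to it. If TLS is terminated on a load balancer, the certificate to compare against is the one installed there rather than the one bound to IIS.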

