Office 365 - Outlook Certificate Popups
I got a mail the other day from a colleague requesting assistance on behalf of a partner around an Office 365 certificate error in Outlook.
The scenario was that a certificate expired – I’m not sure what certificate they referred to so I assumed the ADFS/TLS certificate. They renewed the certificate, but Outlook clients were still popping up with a certificate validation error.
The first thing you need to understand with this is that you don't manage the certificates for Exchange in Office 365 for your Outlook Anywhere connections. Microsoft manages this on the Office 365 backend. You will only manage your ADFS and TLS certificates from your side.
I did some checks on the domain and noticed that they have an A record pointing to the root domain that listens on 443 and 80 for their www site- like below:
This site had a web server certificate loaded which was expired (not the same certificate the guy was talking about initially).
So why is Outlook popping up with a certificate validation issue on from their website? Easy….
The Outlook Autodiscover process will first check the root domain for any Autodiscover service points – see here: https://technet.microsoft.com/en-us/library/cc539049.aspx
Outlook will also run Autodiscover during startup, refreshes as often as the TTL period specifies, usually 1 hour and then also during network connectivity issues to a server.
Essentially the request will see that the root domain record is listening on 443, but the certificate is expired. This results in Certificate validation errors on the first step when Outlook goes through the Autodiscover process.
There are two ways to resolve this:
- Remove the root domain record to the site and just use the www record. I don’t like root domain records like this, just because of this – it has potential to impact other services dependent on lookups.
- Renew the certificate on the site – the Autodiscover process will then fail and then move on to the next step of the process.
Happy Office 365’ing!!!
Michael
Comments
- Anonymous
January 01, 2003
Very useful info.I'm just in the process of setting up a hybrid deployment and found that autodiscover broke due our www certificate not being valid for the @ (root) domain record.Sounds like it's time to request another SAN cert :o)