Certificate Warnings in Outlook After Installing Exchange Server 2016

After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning messages appearing in Outlook.

Example of an Outlook certificate warning

The two most common problems reported by the Outlook certificate warning message are:

The name on the security certificate is invalid or does not match the name of the site
The security certificate was issued by a company you have not chosen to trust

Why Does Outlook Display a Security Warning for a Certificate Problem?

When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).

By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell. For example:

[PS] C:\>Get-ClientAccessService -Identity EXSERVER | Select AutodiscoverServiceInternalUri</p>
<p>AutoDiscoverServiceInternalUri<br />
——————————<br />
https://exserver.exchange2016demo.com/Autodiscover/Autodiscover.xml

[PS] C:\>Get–ClientAccessService –Identity EXSERVER | Select AutodiscoverServiceInternalUri

AutoDiscoverServiceInternalUri

———————————————

https://exserver.exchange2016demo.com/Autodiscover/Autodiscover.xml

Note: Previous versions of Exchange used the Get-ClientAccessServer cmdlet. With the changes in Exchange 2016 server roles architecture the new cmdlets for these management tasks are *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning message that they are deprecated.

Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).

As the connection is over HTTPS the SSL certificate configured on the server must meet three criteria to be considered valid by the client:

The certificate was issued by a trusted certificate authority (CA)
The certificate has not expired
The name on the certificate matches the server name (or URL) that the client is connecting to

How to Fix Outlook Security Warnings After Installing Exchange 2016

There are two parts to the solution:

Configure the Autodiscover URL for the service
Install a valid SSL certificate

Configuring the Autodiscover URL for Exchange 2016

It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. Instead, you should configure it to use a different DNS name or alias. This is part of your overall Client Access namespace planning for Exchange 2016.

In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com.

[PS] C:\>Set-ClientAccessService -Identity EXSERVER -AutoDiscoverServiceInternalUri https://mail.exchange2016demo.com/Autodiscover/Autodiscover.xml

1	[PS] C:\>Set–ClientAccessService –Identity EXSERVER –AutoDiscoverServiceInternalUri https://mail.exchange2016demo.com/Autodiscover/Autodiscover.xml

However, as this is also a new server installation all of the other HTTPS services also need their URLs reconfigured. You can read more about that here, and also download my PowerShell script ConfigureExchangeURLs.ps1 to make the process easier. In some cases an IIS restart on the server is also necessary after configuring the namespaces.

You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.

dns

Install a Valid SSL Certificate

With the namespaces correctly configured, and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you then I recommend some additional reading:

SSL Certificates for Exchange Server 2016

To provision an SSL certificate for your Exchange 2016 server the process is:

Create a certificate signing request (CSR)
Submit the CSR to a certificate authority such as Digicert
Complete the pending certificate request on the Exchange server
Enable the SSL certificate for Exchange services

Summary

The common causes of Outlook security alerts containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the Outlook security alerts should stop appearing for your end users.

Why Does Outlook Display a Security Warning for a Certificate Problem?

How to Fix Outlook Security Warnings After Installing Exchange 2016

Configuring the Autodiscover URL for Exchange 2016

Install a Valid SSL Certificate

Summary

You Might Also Like

How can I access the data on my host inside docker container?

Import PST file into Office 365 – Step-by-Step

Make your own lamp for less than 10 dollar