Medha Cloud Logo

Certificate Warnings in Outlook After Installing Exchange Server 2016

[toc] [/toc]

Certificate Warnings Outlook After Installing Exchange Server 2016

certificate warnings outlook !!! After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning outlook messages appearing in Outlook.

Example of an Outlook certificate warning

The two most common problems reported by the Outlook certificate warning message are:

The name on the security certificate is invalid or does not match the name of the site

The security certificate was issued by a company you have not chosen to trust

Why Does Outlook Display a Security Warning for a Certificate Problem?

When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).

By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell. For example:

[PS] C:\>Get-ClientAccessService -Identity EXSERVER | Select AutodiscoverServiceInternalUri

AutoDiscoverServiceInternalUri

------------------------------

https://exserver.exchange2016demo.com/Autodiscover/Autodiscover.xml

Note: Previous versions of Exchange used the Get-ClientAccess Server cmdlet. With the changes in Exchange 2016 server roles architecture the new cmdlets for these management tasks are *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning message that they are deprecated.

Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).

As the connection is over HTTPS the SSL certificate configured on the server must meet three criteria to be considered valid by the client:

The certificate was issued by a trusted certificate authority (CA)

The certificate has not expired

The name on the certificate matches the server name (or URL) that the client is connecting to

How to Fix Outlook Security Warnings After Installing Exchange 2016

There are two parts to the solution:

Configure the Autodiscover URL for the service

Install a valid SSL certificate

Configuring the Autodiscover URL for Exchange 2016

It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. Instead, you should configure it to use a different DNS name or alias. This is part of your overall Client Access namespace planning for Exchange 2016 .

In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com .

[PS] C:\>Set-ClientAccessService -Identity EXSERVER -AutoDiscoverServiceInternalUri https://mail.exchange2016demo.com/Autodiscover/Autodiscover.xml

However, as this is also a new server installation all of the other HTTPS services also need their URLs reconfigured. You can read more about that here , and also download my PowerShell script ConfigureExchangeURLs.ps1 to make the process easier.

In some cases an IIS restart on the server is also necessary after configuring the namespaces.

You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.

Install a Valid SSL Certificate

With the namespaces correctly configured, and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you then I recommend some additional reading:

SSL Certificates for Exchange Server 2016

To provision an SSL certificate for your Exchange 2016 server the process is:

Create a certificate signing request (CSR)

Submit the CSR to a certificate authority such as Digicert

Complete the pending certificate request on the Exchange server

Enable the SSL certificate for Exchange services

Summary

The common causes of certificate warnings outlook containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the certificate warnings Outlook security alerts should stop appearing for your end users.

For more information on configuring the Client Access namespace in Exchange Server 2016, visit Exchange Server 2016 Client Access Namespace Configuration.

To understand more about SSL certificate requirements and configurations for Exchange Server 2016, refer to SSL Certificates for Exchange Server 2016.

Connect with Medha Cloud

Microsoft 365 Migration Form

I would like to send my contact information to MedhaCloud so that MedhaCloud can share additional information about products, services, thought leadership and invitations to flagship events with me by email. *

By submitting this form, I acknowledge that someone from MedhaCloud will contact me via email or phone to discuss my request.

Related

Related Article

View All
chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram