[toc] [/toc]
certificate warnings outlook !!! After installing Exchange Server 2016 into your organization you may receive reports from your end users of a security alert containing certificate warning outlook messages appearing in Outlook.
The two most common problems reported by the Outlook certificate warning message are:
The name on the security certificate is invalid or does not match the name of the site
The security certificate was issued by a company you have not chosen to trust
When you install Exchange Server 2016 into your Active Directory environment the setup process registers a Service Connection Point (SCP) for the Autodiscover service. Autodiscover is used by client applications to discover information about Exchange mailboxes and services. For example, Outlook uses Autodiscover during the setup of a new Outlook profile to discover the server settings for the user, so that the profile can be automatically configured (instead of the old days of manually entering server names and other details into Outlook).
By default the Autodiscover SCP is registered using a URL that includes the Exchange server’s fully-qualified domain name. You can see the Autodiscover URL for an Exchange 2016 server by running the Get-ClientAccessService cmdlet in the Exchange Management Shell. For example:
[PS] C:\>Get-ClientAccessService -Identity EXSERVER | Select AutodiscoverServiceInternalUri
AutoDiscoverServiceInternalUri
——————————
Note: Previous versions of Exchange used the Get-ClientAccess Server cmdlet. With the changes in Exchange 2016 server roles architecture the new cmdlets for these management tasks are *-ClientAccessService. The old cmdlets are still available in Exchange 2016, but if you use them you will see a warning message that they are deprecated.
Autodiscover is accessible via an HTTPS (SSL) connection from clients. The Exchange server also has a number of other web services that are accessible using HTTPS connections from clients, such as Exchange Web Services (EWS), Outlook on the web (also known as OWA), ActiveSync (for mobile devices), and Outlook Anywhere (used by Outlook clients).
As the connection is over HTTPS the SSL certificate configured on the server must meet three criteria to be considered valid by the client:
The certificate was issued by a trusted certificate authority (CA)
The certificate has not expired
The name on the certificate matches the server name (or URL) that the client is connecting to
There are two parts to the solution:
Configure the Autodiscover URL for the service
Install a valid SSL certificate
It is not recommended to leave the Autodiscover URL configured with the server’s fully-qualified domain name. Instead, you should configure it to use a different DNS name or alias. This is part of your overall Client Access namespace planning for Exchange 2016 .
In this example I will change the Autodiscover URL to use the DNS name of mail.exchange2016demo.com .
[PS] C:\>Set-ClientAccessService -Identity EXSERVER -AutoDiscoverServiceInternalUri https://mail.exchange2016demo.com/Autodiscover/Autodiscover.xml
However, as this is also a new server installation all of the other HTTPS services also need their URLs reconfigured. You can read more about that here , and also download my PowerShell script ConfigureExchangeURLs.ps1 to make the process easier.
In some cases an IIS restart on the server is also necessary after configuring the namespaces.
You also need to add a DNS record for the namespace if one does not already exist. In this example I add an A record of “mail” to my internal DNS zone, and point it to the IP address of the Exchange 2016 server (because it is the only server in the organization). If you have multiple Exchange servers then either DNS round robin or a load balancer could be used instead.
With the namespaces correctly configured, and DNS records in place, you will then need to provision an SSL certificate for the Exchange 2016 server. If this is a new concept for you then I recommend some additional reading:
SSL Certificates for Exchange Server 2016
To provision an SSL certificate for your Exchange 2016 server the process is:
Create a certificate signing request (CSR)
Submit the CSR to a certificate authority such as Digicert
Complete the pending certificate request on the Exchange server
Enable the SSL certificate for Exchange services
The common causes of certificate warnings outlook containing certificate warnings are misconfigured Exchange server namespaces, and invalid SSL certificates. Using the steps demonstrated above you can reconfigure your namespaces and/or install a valid SSL certificate. When your Exchange server’s configuration has been corrected the certificate warnings Outlook security alerts should stop appearing for your end users.
For more information on configuring the Client Access namespace in Exchange Server 2016, visit Exchange Server 2016 Client Access Namespace Configuration.
To understand more about SSL certificate requirements and configurations for Exchange Server 2016, refer to SSL Certificates for Exchange Server 2016.
