Outlook SSL Error after New Certificate Installation
Solution 1
I have come across same issue while doing migration to Exchange 2013 requiring to replace SSL cert on Exchange 2010 and configure OA to enable proxying through Exchange 2013. Solution to avoid cert pop ups on desktops was to import Outlook 2013 GPO template and enable GPO for Autodiscover to ExcludeLastKnownGoodUrl.
Outlook 2013's new feature to store last known good urls and order of processing connectivity when launched is the culprit :)
Solution 2
Based on a comment you made above, I would like to provide you a clear picture as to what you need to validate in order to make the environment work properly. I'm going to cover all the aspects, so some things you probably already have working. 1. Make sure you have "RPC over HTTP" installed on the Exchange server and properly operating (corresponding event logs can be seen when server boots, for example.
Since you have replaced your SSL cert with wildcard one, you would need to decide how are you going to reference the Exchange server inside your internal network, for a sake of the example, let's make it mail.domain.com for the fqdn and mail for the netbios name.
Run the following CMD-lets to find and SET the correct information as for the virtual directories perspective:
Exchange Control Panel: Get-ecpVirtualDirectory -Server mail | Set-ecpVirtualDirectory -InternalURL https://mail.domain.com/ecp -ExternalURL https://mail.domain.com/ecp
Get-ECPVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
Outlook Web App: Get-OwaVirtualDirectory -Server mail | Set-OwaVirtualDirectory -InternalURL https://mail.domain.com/owa -ExternalURL https://mail.domain.com/owa
Get-OWAVirtualDirectory -Server mail | Fl internalUrl,ExternalURL
EWS (Exchange Web Services): Get-WebservicesVirtualDirectory -Server mail | Set-WebservicesVirtualDirectory -InternalURL https://mail.domain.com/EWS/Exchange.asmx -ExternalURL https://mail.domain.com/EWS/Exchange.asmx
Get-WebservicesVirtualDirectory -Server mail |Fl internalURL,ExternalURL
Autodiscover: Set-ClientAccessServer mail -AutodiscoverServiceInternalUri https://mail.domain.com/Autodiscover/Autodiscover.xml
Get-ClientAccessServer mail | Fl AutodiscoverServiceInternalUri
ActiveSync: Get-ActiveSyncVirtualDirectory -Server mail | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domain.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domain.com/Microsoft-Server-ActiveSync
Get-ActiveSyncVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
Offline Address Book: Get-OABVirtualDirectory -Server mail | Set-OABVirtualDirectory -InternalUrl https://mail.domain.com/OAB -ExternalURL https://mail.domain.com/OAB
Get-OABVirtualDirectory -Server mail | Fl InternalURL,ExternalURL
OutlookAnywhere: Set-OutlookAnywhere -Identity mail\Rpc (Default Web Site)" -InternalHostname mail.domain.com -ExternalHostName mail.domain.com -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True
Get-OutlookAnywhere -Identity mail\rpc (Default Web Site)" |fl InternalHostName,InternalClientAuthenticationMethod,InternalClientsRequiressl, ExternalHostName,ExternalClientAuthenticationMethod,ExternalClientsRequiressl
Perform iisreset /restart after the script above, remember to replace mail with the actual netbios name of the server and mail.domain.com with the actual fqdn of your Exchange server.
In regards to the Outlook provider see here: http://blogs.technet.com/b/exchange/archive/2008/09/29/3406352.aspx
Let me know if you have any questions.
Solution 3
We had the same issue after removing our local domain from our Exchange certs and went down the same troubleshooting path, Clay.
We found that the 'last known good' cache in Outlook 2013 was the culprit by turning this feature off via the registry for a couple affected PCs.
Then we realized the root cause was because we had left the old "local" record in dns. Outlook 2013 was looking to cache for the old autodiscover, and because it still existed despite not matching the cert, it was never going out to get the new address.
I know this is old but thought it may help someone else.
Related videos on Youtube
![SSL Certificate Error Fix [Tutorial]](https://i.ytimg.com/vi/Xp5G8x3SNhE/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLDbPsM9guRh7myRvKhCABz8ha1lOg)
04 : 12
03 : 32
03 : 21
06 : 27
05 : 43
05 : 25
Clay Powell
Updated on September 18, 2022Comments
-
Clay Powell over 1 year
Recently replaced the SSL cert on our Exchange 2010 box with a new wildcard cert. Assigned services, reconfigured all URL's for external and internal access to be identical (previous cert was a SAN cert with .local domain names and since they are no longer available we are having to change this), setup split DNS so internal and external clients all use the same DNS name for access.
Everything works as expected, with the exception of Outlook clients receiving a mismatch certificate error... it appears the server is presenting the server.domain.local FQDN to the client and with the SSL being *.domain.com it doesn't match...
I have followed all guides/articles I found ensuring that all URL's are setup properly and all point to the same external DNS name. Autodiscover internally also works and passes (we do not have it setup to autodiscover externally but Outlook anywhere does function as it should when manually configured, this has been tested)
What has me perplexed with this issue is that newly created profiles/accounts do not have this issue so it seems to be more of an Outlook profile issue rather than a server issue. I can open Outlook and use my previously configured profile and I get the SSL mismatch error.. If I create a new Outlook profile and setup my account within it, there are no SSL errors at all.
Not certain if anyone has come across this before or not but any advice/help would be greatly appreciated... while rebuilding the Outlook profile does fix the issue, with 25 - 30 users that isn't exactly something I want to have to do.... It isn't something that should have to be done.... Thanks in advance for any response/assistance.
Clay
Edit -
My issue isn't quite like the referenced Outlook Security Alert question... but more so Like this one - Outlook/Exchange certificate errors after setting clientaccessserver, etc… properties... this one seems to be almost identical to my problem... sadly it has no answer though
-
Cameron Kerr almost 9 yearsSo to clarify you no longer have any ".local." domain? -
Clay Powell almost 9 yearsWe do still have our local domain as a .local, I have just reconfigured all Exchange URL's to use our public .com and set up the split DNS internally so internal clients resolve the LAN IP of the public DNS name. EDIT - Also to to note, this is the same type of setup I have used for all of my clients in moving away from SAN certs with .local domain names, the only difference in this case is the use of a wildcard cert. with other clients the Cert has just been server.domain.com, in this instance it is *.domain.com. beyond that, the setup is the same and I've not run into this problem before.
-
David V almost 9 years
-
Clay Powell almost 9 yearsThis isn't an issue with external users, only internal users and only when using an Outlook profile that was configured prior to the SSL Cert change.. newly created profiles do not give the mismatch error. We are intentionally not using autodiscover externally requiring users to actually know the information to make use of outlook anywhere or activesync. Externally, everything works, no errors whatsoever.
-
Cameron Kerr almost 9 yearsSo will internal and external clients be connecting to the same endpoint? If so, there is where your mismatch will be. You would need to have two interfaces (does Exchange call these 'listeners', I can't remember), one with the local cert, and one with the public. Because it is a public cert, you can't have a SAN cert with the .local name as well.
-
Clay Powell almost 9 yearsInternal and External clients will all connect to the same server, using the same DNS name. I am well aware that there are no longer SAN certs with .local domain names available, hence the reason for this cert change. All URL's on the Exchange server are configured to use the public .com domain, NOT the internal .local. See my edit for a link to another topic/question which is nearly identical to my problem
-
Vick Vega almost 9 yearsCould you please provide the results of "get-outlookprovider" ? -
Clay Powell almost 9 yearsAll 3, Exch, Expr, and Web, have server and certprincipal name blank with 1 for TTL
-
Vick Vega almost 9 yearsRun the following please: <Set-OutlookProvider EXPR -Server *.domain.com> and <Set-OutlookProvider EXCH -Server *.domain.com> As well, please provide results for: Get-ClientAccessServer | FT
-
Clay Powell almost 9 yearsGet-ClientAccessServer | FT only results in the local server name, no domain suffix, .local or .com, just the server name. May I ask why the setting of the outlook provider? This isn't anything that I have to to do before and in comparison to other servers setup in similar fashion that work without issue the entries in their list match mine as well as the fact that newly configured Outlook profiles work just fine with no SSL error....
-
Vick Vega almost 9 yearsok, that's your problem. I'll put the explanation on how to remediate the issue in the answer section as it would be easier from the formatting perspective, as well I strongly believe it will resolve your issue.
-
peterh almost 9 yearsDon't use triple point after the end of your every sentence. -
Clay Powell almost 9 yearsI didn't come here seeking advice for grammar or sentence structure, but thank you...
-
-
Clay Powell almost 9 yearsI have already performed all of those steps. This isn't the first server I have configured with split DNS to use internal and external domain names being the same. The only difference between this one and previous ones is the wildcard cert, others have been single name certs. While not referencing them individually I did state in my original posting that I had configured all URLs for internal/external access I again mention that new Outlook profiles work fine without error, autodiscover is working as it should, and testing it results in all the proper URLs being presented.
-
Clay Powell almost 9 yearsTried that as well and did not work... On my profile (Outlook profile) I do not have cached mode even enabled at all and still get the same prompt.
-
Clay Powell almost 9 yearsMy issue is slightly different in that it is only some of the clients... and even on clients that have the certificate error ( I am not getting the second allow this website to configure error you mention) all autodiscover tests pass when right clicking the the Outlook tray icon. DNS isn't an issue as we use a .local internal domain and a .com external but internal and external clients both use the public .com name via split DNS. Also to note our cert is a wildcard cert so it accepts everything at our .com domain. Our only resolution so far has been to create new Outlook profiles.
-
Vick Vega over 8 yearsPlease clarify at what exact point in time you get the cert error? Ideally, post screenshot.
-
Clay Powell over 8 yearsPops up about 5 - 20 seconds after Outlook first opens and is good for the entire time Outlook stays open, but if you close/re-open it the box pops up again. screenshot here
-
Vick Vega over 8 yearsPlease provide output from: Get-ClientAccessArray | fl
-
Clay Powell over 8 yearsThere is no output from that command, it is blank. This is a single server setup and is not utilizing the CAS Array.
-
Vick Vega over 8 yearsWhile having Outlook open, hold CTRL and right click on the Outlook icon in the task bar, choose Test E-mail AutoConfiguration, post results.
-
Clay Powell over 8 yearsI will give this a shot and see if this helps, but I will mention that we use a mix of Outlook 2010 and 2013 clients.... and while not everyone has had this SSL pop up, it has been a mixture of the two clients that have received and has not strictly been limited to the 2013 clients.
-
Clay Powell over 8 yearsWell, kudos to you, this seems to have done the trick, thank you so much.
