Fixing Outlook Certificate Errors

Outlook Certificate Error

If you work with Exchange (on-premises or online), the above image is something you've had to deal with or are currently dealing with. In this post, I will be covering the problems that cause an Outlook Certificate Error like the one above, and I'll give you information or links to help you fix each one. I've seen every one of these errors many times during my career, and I'm more than happy to help you resolve the issues you're dealing with. Note: If none of these fixes solves your problem, let me know and I will do what I can to assist.

Problem 1: New Exchange Server

When you add a new Exchange Server to an Exchange environment, you have to make some changes. First, you need to make sure the server has its Virtual Directory URLs set properly. Go to this post for a script that will let you set the Virtual Directories on your new server. You will also need to set the Autodiscover SCP after adding the new server.

Problem 2: Bad Certificate

Certificate errors sometimes need a bit of knowledge to resolve, so you may want to learn about digital certificates and what causes certificate errors. In particular, you will want to make sure you are using a valid certificate on the Exchange Server. Certificate trust, age, and server name must all check out for a certificate to be valid. If a certificate is not valid, you will get an error notification about it. This rule applies to any system that uses certificates for encryption or authentication.

Certificate trust is why we have to purchase certificates from places like GoDaddy, Comodo, and Network Solutions. These companies run Certificate Authority servers that are trusted by most (if not all) operating systems right out of the box, so any certificate issued by those companies will be valid on the majority of workstations, laptops, and mobile devices.

Age validity requires that the certificate has not “expired” yet. Every certificate is issued with a date range that defines how long that certificate will be usable. If the current date is outside of that date range, the certificate will not be valid and you’ll get an error (Changing the date on the computer you’re using isn’t a guaranteed way to bypass this issue).

There are two places in the certificate details that contain server host names: the Common Name or CN value (usually this is the primary host name) and the Subject Alternative Name list of DNS host names stored in the certificate. *The host name you use to connect must match a host name value in either of these or you will get an error.* I put that in italics because it's a very important rule. One trick that will help you resolve this issue is to pay attention to the certificate error: it displays the host name that was used. This is very important information because it will help you track down what may be causing the error.
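As an added example (not from the original post), this PowerShell function pulls the certificate a server presents on port 443 and reports the three things the post says must be right: whether the chain is trusted by the local machine, whether today falls inside the validity dates, and whether the name you connected with appears in the CN or the SAN list. mail.domain.com is a placeholder for your own host name.

```powershell
# Added example (not from the original post): inspect the certificate a host presents and
# check the post's three validity rules: trust, age, and name. HostName is the name users
# type into Outlook or OWA; any certificate is accepted on connect so we can inspect it.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
    # Names: the subject CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17)
    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($san) {
        # Windows formats entries as "DNS Name=host", .NET on Linux as "DNS:host"; strip either prefix
        $sans = ($san.Format($false) -split '[,\n]') |
            ForEach-Object { ($_ -replace '^\s*(DNS Name=|DNS:)\s*', '').Trim() } | Where-Object { $_ }
    }
    $names = @($cn) + $sans | Select-Object -Unique
    # A name matches exactly, or via a wildcard in the left-most label only (*.domain.com covers mail.domain.com)
    $nameOk = $names | Where-Object {
        $_ -ieq $HostName -or
        ($_.StartsWith('*.') -and $HostName -imatch ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
    }
    # Trust: build the chain against this machine's trusted roots, the same store Outlook relies on
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($cert)
    $now = Get-Date
    [pscustomobject]@{
        HostName        = $HostName
        CommonName      = $cn
        SubjectAltNames = $sans -join ', '
        NameMatches     = [bool]$nameOk
        NotAfter        = $cert.NotAfter
        InDateRange     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ChainTrusted    = $trusted
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Test-ExchangeCertificate -HostName 'mail.domain.com'   # mail.domain.com is a placeholder
```

If NameMatches is false, compare HostName against the CommonName and SubjectAltNames columns; the name users actually type is the one that has to be there.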

Problem 3: Incorrect Host Name in Error

The symptom here is that the certificate error doesn't show the host name you expect. For instance, if you access OWA with mail.domain.com/owa and the certificate error shows mail.domain.local or a similar "private" or "internal" host name, you have a server misconfiguration somewhere. Most likely, your SCP or VDirs are not set correctly (see Problem 1).

Problem 4: Only One Name on Certificate

Normally, you will want to purchase a certificate that has at least two host names listed: autodiscover.domain.com and some variation of mail.domain.com (you cannot get certificates for domain.local anymore). However, some organizations may want to avoid paying the extra expense for a certificate that has multiple host names (also known as Subject Alternative Names or SANs). If your organization fits this situation, you can get around this by using a SRV record in DNS to point autodiscover to mail.domain.com (or whatever you want people to use for OWA or when configuring mobile devices). I cover this technique in a different post.

One problem with using this technique is that the first time users configure Outlook, they will get a popup asking whether they want to redirect to mail.domain.com. You can either instruct users to click Yes on this warning, or suppress it with Group Policy or a registry modification (or registry mods deployed with Group Policy). Microsoft has an article on this subject which will give you instructions.

Problem 5: Configuration Fails Despite Autodiscover Config

This is a problem I’ve run into plenty of times and it’s completely unrelated to Exchange configuration. Domain-joined systems inside your network will have no issues, but the same computers, when taken outside the network, fail to configure with Autodiscover. This issue can also occur with non-domain joined computers.

If you have verified that all of the above is configured correctly but Outlook still refuses to access your mailbox, it may be because you have a web server answering on domain.com itself, and that server responds to requests for non-existent files or child folders with anything other than a 404 (Not Found) error. In that case you will get a certificate error in Outlook. This is because Outlook runs through a specific process when looking for Autodiscover information. The first check that all clients have in common (AD-joined or workgroup) is a request to domain.com/autodiscover/autodiscover.xml. If that request receives anything other than a 404 (or the actual Autodiscover file), the Autodiscover check will return no information and the connection to Exchange will fail. There are two solutions to this problem:

  1. Configure Outlook to skip the domain.com lookup by setting the ExcludeHTTPSRootDomain value to 1 at the following location (where x.0 is your Office version number):

     HKEY_CURRENT_USER\Software\Microsoft\Office\x.0\Outlook\AutoDiscover

     This will force Outlook to skip the domain.com check. You can deploy this change with a Group Policy Preference or by installing the Group Policy ADMX templates for your Office version and finding the setting in the Outlook\Autodiscover section of the policy.
  2. Change the domain.com web server to reject all connections to domain.com/autodiscover/autodiscover.xml with a 404 error (this is the proper way).
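An added example, not from the original post: the first function asks the root domain for the Autodiscover URL Outlook tries first and reports whether it answers with the 404 the post calls for, and the second applies option 1 by writing ExcludeHttpsRootDomain under every Office version present for the current user. domain.com is a placeholder for your SMTP domain.

```powershell
# Added example (not from the original post): check what the root domain answers for the
# Autodiscover URL Outlook tries first, then apply the ExcludeHTTPSRootDomain fix (option 1).
# 'domain.com' below is a placeholder for your SMTP domain.
function Test-RootDomainAutodiscover {
    param([Parameter(Mandatory)][string]$Domain)
    $url = "https://$Domain/autodiscover/autodiscover.xml"
    try {
        # Redirects are followed, so a 3xx landing on a web page still shows up as something other than 404
        $r = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            # Non-2xx answers surface as an exception that still carries the HTTP response
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            # No HTTP response at all: typically a TLS name mismatch, untrusted chain or connection failure
            return [pscustomobject]@{ Url = $url; Status = $null; Ok = $false; Detail = $_.Exception.Message }
        }
    }
    # Per the post, only a 404 (or a real Autodiscover answer) is acceptable from the root domain
    [pscustomobject]@{ Url = $url; Status = $status; Ok = ($status -eq 404); Detail = '' }
}

function Set-OutlookExcludeRootDomain {
    # Writes ExcludeHttpsRootDomain = 1 (DWORD) under every Office version key present for this user
    $versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^\d+\.0$' }
    foreach ($v in $versions) {
        $key = "HKCU:\Software\Microsoft\Office\$($v.PSChildName)\Outlook\AutoDiscover"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'ExcludeHttpsRootDomain' -Value 1 -PropertyType DWord -Force | Out-Null
        "Set $key\ExcludeHttpsRootDomain = 1"
    }
}

# Usage (domain.com is a placeholder):
# $check = Test-RootDomainAutodiscover -Domain 'domain.com'
# $check
# if (-not $check.Ok) { Set-OutlookExcludeRootDomain }
```

A Detail value mentioning the certificate, with no Status, is the root-domain web server presenting a certificate for a different name, which is exactly the error the post describes.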

More Problems

There are invariably more issues that can occur with Autodiscover that I haven't mentioned, either because I haven't run into the problem before or because I've forgotten to add it here. If you have solutions to more Autodiscover or certificate error related issues in Outlook, send me an email at adam@acbrown-it.com with the details and I will add your solution here with credit and a link to your blog or social media. You can read more about Autodiscover in these posts:

Configure Exchange Autodiscover
Exchange Autodiscover – The Active Directory SCP
Configuring Autodiscover for Internal DNS
QuickPost: What do Exchange Virtual Directories Do?
Configuring Exchange Virtual Directories
Fixing Outlook Certificate Errors
Controlling Autodiscover with Registry or GPO
Autodiscover – Microsoft Docs
