After installing an Exchange 2013 server into an existing organization, Outlook clients may begin displaying a security alert warning dialog with the name of the Exchange 2013 server in it.

An example of the warning text is:

The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

This can occur if the Outlook clients are connecting to Autodiscover or Exchange Web Services on the new Exchange 2013 server that you have installed.

This issue can be avoided if you review your Autodiscover configuration and make changes to the Autodiscover namespace configured on the server, as well as provisioning an SSL certificate for the new server.
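
As an added example (not code from the original article), the following Exchange Management Shell script reports, for each Client Access server, the host name in its Autodiscover SCP URI and whether the certificate enabled for IIS on that server is self-signed or does not include that name. The helper function name and the output column names are hypothetical; the script only reads configuration.

```powershell
# Added example: read-only audit, run from the Exchange Management Shell.
# Test-NameCoveredByCert and the output column names are illustrative, not Exchange built-ins.
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard covers exactly one label: *.domain.com matches mail.domain.com only
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -ieq $n.Substring(1)) { return $true }
    }
    return $false
}

foreach ($cas in @(Get-ClientAccessServer)) {
    $uri = "$($cas.AutoDiscoverServiceInternalUri)"
    if (-not $uri) { Write-Warning "$($cas.Name): no Autodiscover SCP URI set"; continue }
    $scpHost = ([uri]$uri).Host

    # Certificates enabled for IIS are the ones Outlook sees for Autodiscover and EWS
    $iisCerts = @(Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' })
    if ($iisCerts.Count -eq 0) { Write-Warning "$($cas.Name): no certificate enabled for IIS" }

    foreach ($cert in $iisCerts) {
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        [pscustomobject]@{
            Server     = $cas.Name
            ScpHost    = $scpHost
            Thumbprint = $cert.Thumbprint
            SelfSigned = $cert.IsSelfSigned
            Expires    = $cert.NotAfter
            CoversScp  = Test-NameCoveredByCert -HostName $scpHost -CertNames $names
        }
    }
}
```

A row with `SelfSigned` true or `CoversScp` false points at a server whose certificate or Autodiscover namespace still needs the changes described above.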

See the following articles for more information:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Zoran Stojanovic

    Hi Paul, thank you for all of the articles you’ve written. They’re really helpful. I’m working on a 2007 to 2013 to 2016 upgrade now. Just had one simple question. Would I be able to get this cert piece all taken care of by getting 1 SAN cert that includes all the namespaces (autodiscover.domain.com, legacy.domain.com, mail.domain.com, servername.domain.local) and then installing and enabling in each of the Exchange servers as they come online? Would something like that work? Also, do I need to have servername.domain.local in the cert if my Outlook clients have that in the account’s server setting?

  2. John

    Well, my plan is that they won’t be running at the same time.

    When I deploy the Exchange 2013, the Autodiscover will point to mail.domainA.com and DNS will point only to 2010 servers.

    Once I’ve configured everything on the new load balancing for 2013 and the servers are ready to take over, I will change all Autodiscover to the new namespace (mail.domainB.com) and DNS will point only to 2013. And then I believe 2013 will proxy connections to 2010 while the mailboxes are still sitting there.

  3. John

    Sorry Paul, I re-read your comment again.

    I’ll try to explain a little more.

    Exchange 2010 is composed of casarray01.domainA.com as the RPC Array.
    The Outlook Anywhere is mail.domainA.com for internal and external URLs.

    I’m planning to deploy a 2013 that will have as namespace mail.domainB.com for all internal and external URLs.

    That is being done so we can stage the migration, so we can migrate 10 mailboxes and reconfigure everything (mobile devices, Outlook Anywhere externally and internally).

    So once I finish installing my 2013 and change the Outlook Anywhere URI for mail.domainB.com, my biggest concern is what’s going to happen.

    All the clients will switch over to 2013 and then will be proxied to 2010? Being that Autodiscover points to mail.domainB.com and 2013 proxies to 2010 (mail.domainA.com), if I have the right certificates for both, will the client see any errors?

    And also, once the mailbox is migrated, will the clients pick up the new Autodiscover or will I need to reconfigure them? Thanks and sorry for all the questions.

    1. Paul Cunningham

      Can you put the new stuff into a separate AD Site (IP subnet)? Trying to run two different namespaces in the same site…. I haven’t tried it… I know it will cause Autodiscover problems. In your shoes I would look at doing a new AD site temporarily for the migration, then when complete move the new Exchange stuff back to the existing site (which is all handled in AD Sites and Services configuration).

      1. John

        I can’t.

        During the initial phase I’ll be redirecting all 2013 AutoDiscoverUri to the 2010 namespace.
        All 2010 mailboxes are using RPC connections (Autodiscover is set to “Fast connections use TCP before HTTP”).

        In the meantime I can test the connections to 2013 with manual config on clients.

        After the config phase I’ll point all Autodiscover to 2013 and let 2013 handle the proxying to 2010 in case the mailbox is in 2010.

        Is that a correct approach?

        Thanks Paul (you’re being very helpful and prompt).

        1. Paul Cunningham

          During co-existence, Autodiscover should be pointed at the highest version of Exchange within the site. More than one Autodiscover URL in a site is going to cause you problems (all servers within a site should have the same Autodiscover URL/SCP configured).

          Sounds like you’ve got a plan but I’m not sure what it is based on (advice from Microsoft or elsewhere). So I suggest you test your approach to see whether it will work as you expect it to or not.

          1. John

            Well, that’s the plan. After I’m done with the config of all the servers and the load balancing, I will point the Autodiscover to 2013 and hope that I won’t face any problems, being that the 2013 Autodiscover will have a different namespace (mail.domainb.com) than the 2010 (mail.domainA.com), even if at that point I’ll have all the certificates in place.

          2. Paul Cunningham

            “the 2013 autodiscover will have a different namespace (mail.domainb.com) than the 2010 (mail.domainA.com)”

            Like I keep saying, if you try to run two different namespaces in the same site, you’re going to have problems.

  4. John

    Hi Paul,

    I’m planning a coexistence (2010 to 2013) where the 2013 will answer with a new namespace (mail.domainB.com) while the 2010 answers to mail.domainA.com. What will happen once I install the first 2013? If I deploy the new cert mail.domainb.com, will the clients currently connecting to mail.domaina.com receive any message? Thanks

    1. Paul Cunningham

      I think you should lab it first, but I suspect it will be fine as long as both servers have a certificate with the appropriate names on them.

      That said, you should have only one Autodiscover namespace for the site, and that should point to the Exchange 2013 server.

      1. John

        I’m changing the namespace (in 2010 it is mail.domain1.com and in 2013 it will be mail.domain2.com).

        I do not intend to change anything on my current public namespace (mail.domain1.com). Can I have clients accessing 2010 by it and, once I move to 2013, reconfigure manually (Outlook Anywhere and ActiveSync) to point to mail.domain2.com?

        It will take some time while the VIP is configured to mail.domain2.com.

        Will that work? Thanks

        1. Paul Cunningham

          The short answer is, you can configure different internal and external namespaces for each service in Exchange. Make sure DNS and certificates are accounted for.

          I don’t know your rationale for this approach, but my opinion at the moment is that it will add complexity that is unnecessary. If there’s an intention to change to a new namespace, you may as well change everything to that new namespace (either before or after your migration).

          1. John

            Hi Paul, thanks for the reply.

            The thing is, the company wants to use the fact we’re migrating as an “excuse” to justify reconfiguration. If they try to do that after or before, the downtime of re-configuring won’t be approved.

            So the idea is that as soon as we move the mailbox, every ActiveSync or external Outlook Anywhere will have to be reconfigured, while internal will automatically change (as per Autodiscover).

            I’ve seen a few threads on the TechNet forum and some people said it should work too, being that the new namespace will be reconfigured from scratch with new internal and public IP addresses and a new VIP load balancer. The only things that will be reutilised are the SMTP gateways (during migration they will point only to 2013 after they are ready to handle external mail).

            But thanks for the inputs anyway.

  5. Robert Kennedy

    Paul,

    I am migrating from Exchange 2003 to Exchange 2010. I just finished installing Exchange 2010 to co-exist with Exchange 2003. I have followed every step of your guide “migration from exchange 2003 to exchange 2010”. I purchased a certificate from Digicert and installed it in Exchange 2010, and the users in the office are getting the Security Alert “The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. Do you want to proceed?” If they click Yes the message goes away, but it comes back when they open their Outlook the next time.
    Am I missing a step here?

    1. Paul Cunningham

      Did you enable the cert for IIS on the Exchange server?

      On the popup in Outlook there are more details. You should be able to see which certificate the clients are seeing and who it was issued by. If you’ve 100% confirmed that the Digicert certificate is the one that is causing the popup you may need to contact their support and find out if there’s a problem with the cert, or perhaps an intermediate CA cert needs to also be installed on your server.

  6. Ian Wright

    Hi Paul,

    Is there a way to set Autodiscover to use the CAS array name instead of the individual server? For example, mail.exchangeserverpro.net?

    Fantastic site btw. Always find myself being drawn here when I have Exchange issues.
