Security warning popup in Outlook after UCC cert change. What did I miss?

Single Server Exchange 2013, Outlook 2013.

Periodically, users get a Security Alert as if they were still trying to connect to the internal server name. I don't see why. They do not get it when initially setting up the Outlook profile, so I think Autodiscover is working properly. Something else is wrong.

Users ARE able to access their email fine, just get an annoying cert warning every few hours and nothing I've tried helps. As you can see in the pictures below, Outlook connection info doesn't mention the internal server name at all.

Relevant Server Settings:

  • WebServicesVirtualDirectory Internal and External URLs : https://mail.domain.org/ews/exchange.asmx
  • OwaVirtualDirectory Internal and External URLs : https://mail.domain.org/owa
  • EcpVirtualDirectory Internal and External URLs : https://mail.domain.org/ecp
  • ActiveSyncVirtualDirectory Internal and External URLs : https://mail.domain.org/Microsoft-Server-ActiveSync
  • OabVirtualDirectory Internal and External URLs : https://mail.domain.org/OAB
  • AutoDiscoverServiceInternalUri Internal and External URLs : https://mail.domain.org/Autodiscover/Autodiscover.xml
  • OutlookAnywhere Internal and external hostnames : mail.domain.org

Pictures: [Cert error](https://i.imgur.com/daMsIzp.jpg)
[Outlook Connection Status](https://i.imgur.com/U81HO8A.png)
[Outlook Anywhere proxy settings](https://i.imgur.com/WQwEyzG.png)

Certificate:
UCC Certificate has both mail.domain.org and autodiscover.domain.org

DNS:
Internal DNS resolves mail.domain.org to internal server's IP.
External DNS resolves mail.domain.org to correct external WAN IP.
Internal DNS looks like it has the right A records for mail.domain.org and autodiscover.domain.org

May 15th, 2015 12:56pm
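One way to verify the settings listed in the post above in one pass, as an added example that is not part of the original thread: a script for the Exchange Management Shell on the Exchange 2013 server that collects every host name the server can hand to Outlook (each virtual directory's InternalUrl and ExternalUrl, the Autodiscover SCP URI on the Client Access server object, and both Outlook Anywhere host names) and checks each one against the CertificateDomains of the certificate that has the IIS service enabled. It assumes the local machine is the only Client Access server; the MAPI/HTTP virtual directory exists only on 2013 SP1 and later, so it is read only when the cmdlet is present.

```powershell
# Added example, not part of the original thread. Run in the Exchange
# Management Shell on the single Exchange 2013 server.
# Assumption: the local machine is the only Client Access server.
$server     = $env:COMPUTERNAME
$serverFqdn = [System.Net.Dns]::GetHostEntry($server).HostName.ToLower()

# Every object below exposes InternalUrl/ExternalUrl as System.Uri.
$vdirs = @(
    Get-WebServicesVirtualDirectory -Server $server
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
    Get-OabVirtualDirectory         -Server $server
)
# MAPI/HTTP virtual directory only exists on Exchange 2013 SP1 and later.
if (Get-Command Get-MapiVirtualDirectory -ErrorAction SilentlyContinue) {
    $vdirs += Get-MapiVirtualDirectory -Server $server
}

# Collect (source, host) pairs for every name Outlook could be told to use.
$advertised = @()
foreach ($v in $vdirs) {
    foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($u) { $advertised += [pscustomobject]@{ Source = "$($v.Identity)"; Host = $u.Host.ToLower() } }
    }
}
$cas = Get-ClientAccessServer -Identity $server
if ($cas.AutoDiscoverServiceInternalUri) {
    $advertised += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri (SCP)'
                                      Host   = $cas.AutoDiscoverServiceInternalUri.Host.ToLower() }
}
$oa = Get-OutlookAnywhere -Server $server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
    if ($h) { $advertised += [pscustomobject]@{ Source = 'OutlookAnywhere'; Host = $h.ToString().ToLower() } }
}

# The certificate Exchange has assigned to IIS (the W in the Services column).
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match '\bIIS\b' -and "$($_.Status)" -eq 'Valid' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No valid certificate is enabled for IIS on $server" }
$sans = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered {
    param([string]$Name, [string[]]$Sans)
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        # A wildcard SAN covers exactly one label: *.domain.tld matches
        # mail.domain.tld but not a.b.domain.tld.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)            # ".domain.tld"
            if ($Name.EndsWith($suffix) -and ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
        }
    }
    return $false
}

Write-Host "IIS certificate: $($iisCert.Subject) [$($iisCert.Thumbprint)]"
Write-Host "SANs: $($sans -join ', ')"
$advertised |
    Select-Object Source, Host,
        @{ n = 'InCert';       e = { Test-NameCovered -Name $_.Host -Sans $sans } },
        @{ n = 'IsServerFqdn'; e = { $_.Host -eq $serverFqdn } } |
    Format-Table -AutoSize
```

Any row with InCert False, or IsServerFqdn True, is a name Outlook can be handed that the UCC certificate does not cover. In the thread every advertised name is already mail.domain.org, which is why the later replies move on to what Autodiscover returns and what the listener itself presents.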

It looks like you have it covered.  Run Outlook's Test E-mail Autoconfiguration and see if the Autodiscover results shows the server name anywhere.
May 15th, 2015 3:13pm

I ran that yesterday. Didn't find the server name mentioned. I'm so baffled, haha

Here's the XML posted to pastebin.

http://pastebin.com/ZtGnDy5m

May 15th, 2015 3:39pm

You just have one server?
May 15th, 2015 7:05pm

Yep, just the 1.

I have to think I messed up on the DNS somehow. 

May 15th, 2015 7:08pm

I don't see this as a DNS issue.  Are there any Outlook add-ins or anything like that that might be pointing to the server name?
May 15th, 2015 10:26pm

You're so smart! Sadly, I did search for those, and only saw a ShoreTel Communicator application. Its settings didn't make reference to the server. I poked around the app and couldn't trigger any security warnings. I can retry tomorrow morning though. Does Outlook cache old connection settings somehow?
May 16th, 2015 1:25am

Outlook can be awfully sticky and you can see a lot of what it's stuck on in the profile in the registry.
May 16th, 2015 1:39am

Hi Dane,

According to your description, this issue occurs when the URL that you are trying to access is not listed in either the Subject or the Subject Alternative Name (SAN) of the Secure Sockets Layer (SSL) certificate for the website.

I recommend you refer to the following article and check if any helps:

https://support.microsoft.com/en-us/kb/2772058

This issue may occur under the following circumstances:
  • The user tries to create a new profile in Microsoft Office Outlook.
  • The user tries to start an Outlook client.
  • The issue occurs intermittently when the Outlook client is running.

To resolve this issue, use the following method.

Replace the existing A record by using an SRV record that points to a namespace that is already in the SAN of the SSL certificate.

Best regards,

May 18th, 2015 3:51am

Niko, 

Could you clarify that KB article for me? It says "The SRV record should be created in the DNS zone that matches the user's SMTP domain."

Say everyone's email address is DOMAIN.TLD, but the OWA URL it suggests in our case is MAIL.DOMAIN.TLD.

So, in which zone am I to make the SRV records?

Can I test this on a small scale without drastically redirecting everyone's Outlook?

Sorry if it's a stupid question.

Thanks

May 21st, 2015 2:32pm
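The KB article linked above puts the SRV record in the zone of the user's SMTP domain (DOMAIN.TLD in this thread, not MAIL.DOMAIN.TLD), as _autodiscover._tcp.DOMAIN.TLD, with the target a name that is already on the certificate. The following added example, not from the thread, resolves the names Outlook consults for Autodiscover once the SCP lookup is not used, in the order Outlook tries them (https://DOMAIN.TLD/..., https://autodiscover.DOMAIN.TLD/..., then the SRV record), and flags whether each answer is covered by the certificate. It needs Resolve-DnsName (Windows 8 / Server 2012 or later); the domain and certificate names are assumed values taken from the thread, and -DnsServer lets you run the same report against the internal resolver and an external one.

```powershell
# Added example, not part of the original thread. Reports the DNS records
# Outlook uses for Autodiscover for one SMTP domain.
# Requires Resolve-DnsName (Windows 8 / Server 2012 or later).
function Get-AutodiscoverDnsReport {
    param(
        [Parameter(Mandatory)] [string] $SmtpDomain,   # e.g. domain.tld
        [string[]] $CertificateNames = @(),            # names on the UCC certificate
        [string]   $DnsServer                          # optional resolver to query
    )
    $dns = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dns.Server = $DnsServer }
    $certNames = $CertificateNames | ForEach-Object { $_.ToLower() }

    # Order Outlook tries after the SCP lookup:
    #   https://<domain>/autodiscover/autodiscover.xml
    #   https://autodiscover.<domain>/autodiscover/autodiscover.xml
    #   http://autodiscover.<domain>/autodiscover/autodiscover.xml (redirect only)
    #   SRV _autodiscover._tcp.<domain>
    $results = @()
    foreach ($name in @($SmtpDomain, "autodiscover.$SmtpDomain")) {
        $recs = Resolve-DnsName -Name $name -Type A @dns
        $answer = if ($recs) {
            ($recs | ForEach-Object { if ($_.IPAddress) { $_.IPAddress } elseif ($_.NameHost) { "CNAME $($_.NameHost)" } }) -join ', '
        } else { '(no answer)' }
        $results += [pscustomobject]@{
            Record = "$name (A/CNAME)"
            Answer = $answer
            InCert = $certNames -contains $name.ToLower()
        }
    }

    $srvName = "_autodiscover._tcp.$SmtpDomain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV @dns | Where-Object { "$($_.Type)" -eq 'SRV' }
    if ($srv) {
        foreach ($r in $srv) {
            $results += [pscustomobject]@{
                Record = "$srvName (SRV)"
                Answer = "$($r.NameTarget):$($r.Port) priority=$($r.Priority) weight=$($r.Weight)"
                InCert = $certNames -contains $r.NameTarget.ToLower()
            }
        }
    } else {
        $results += [pscustomobject]@{ Record = "$srvName (SRV)"; Answer = '(no answer)'; InCert = $false }
    }
    $results
}

# Constructed values matching the thread: SMTP domain domain.tld and the
# CertificateDomains shown in the Get-ExchangeCertificate output.
Get-AutodiscoverDnsReport -SmtpDomain 'domain.tld' `
    -CertificateNames 'mail.domain.tld', 'www.mail.domain.tld', 'autodiscover.domain.tld' |
    Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the report. Domain-joined Outlook clients use the SCP (AutoDiscoverServiceInternalUri) first and only fall back to these DNS names when that fails, so an SRV record does not change what a working SCP returns. And an A record for the bare SMTP domain (domain.tld) that points at a web server is a common source of exactly this popup, because the first DNS-based attempt is https://domain.tld/autodiscover/autodiscover.xml and that host rarely presents a certificate covering that name.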

Can you run Get-ClientAccessServer | fl identity, auto*

I have a feeling that is going to come back as the domain.local namespace, if it does, use Set-ClientAccessServer <server> -AutoDiscoverServiceInternalUri https://namespace.domain.com/autodiscover/autodiscover.xml

May 21st, 2015 3:23pm

This is what it returned.

Identity : INTERNALSERVERNAME
AutoDiscoverServiceCN : INTERNALSERVERNAME
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://MAIL.DOMAIN.TLD/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}

You may be onto something, but I don't see that command fixing it.

I'm open to ideas though

May 21st, 2015 3:30pm

Looking at your screen shots it looks like you're setting the Outlook Anywhere connection options via group policy (it looks greyed out). What about checking out Get-OutlookProvider?
May 21st, 2015 3:37pm

I was toying with using GPO to "correct" a bad Autodiscover configuration (if that's what ended up being the case). I haven't deployed it and all production PCs don't have it greyed out.

Get-OutlookProvider has 3 entries, but doesn't refer to the InternalServerName.

May 21st, 2015 3:43pm

Alright, what about Get-ExchangeCertificate

Let's take a look at what IIS is providing.

May 21st, 2015 7:38pm

Thumbprint Services Subject

B75809C862AD1FC116A5FEF6A38FE085F9083BAE  IP.WS..    CN=mail.domain.tld, OU=Domain Control Validated

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.DOMAIN.TLD, www.mail.DOMAIN.TLD, autodiscover.DOMAIN.TLD}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://cer
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 5/16/2018 12:43:04 PM
NotBefore          : 5/7/2015 7:36:38 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0088AA1FAB025DD6CA
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.DOMAIN.TLD, OU=Domain Control Validated
Thumbprint         : B75809C862AD1FC116A5FEF6A38FE085F9083BA
May 21st, 2015 7:51pm
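Get-ExchangeCertificate shows which certificate Exchange has assigned to IIS, but not what the listener actually sends on the wire for a given name. The following added example, not from the thread, opens a TLS connection to each name a client might use, sends that name as SNI, captures the certificate presented, and reports whether the name appears in its Subject CN or SAN list, so the thumbprint can be compared with the B758... value above. The host names in the list are assumed placeholders from the thread; the internal FQDN is included on purpose to show what a client that still talks to the old name would be shown. Port 443 is the front-end site Outlook connects to. Wildcard SANs are not handled, which is fine for a UCC certificate.

```powershell
# Added example, not part of the original thread. Captures the certificate a
# TLS listener presents for a given name and checks the name against it.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # host to connect to
        [int]    $Port = 443,
        [string] $ServerName = $HostName             # name sent as SNI and checked
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: the point is to capture it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        # Subject Alternative Name extension (OID 2.5.29.17), as a plain list.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { ($sanExt.Format($false) -replace 'DNS Name=', '') } else { '' }
        $sanList = @($san -split ',\s*' | Where-Object { $_ })

        # Outlook shows "The name on the security certificate is invalid"
        # when the name it used is in neither the CN nor the SAN list.
        $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        $matches = ($cn -eq $ServerName) -or ($sanList -contains $ServerName)

        [pscustomobject]@{
            Target      = "${HostName}:$Port"
            NameSent    = $ServerName
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            SAN         = ($sanList -join ', ')
            NotAfter    = $cert.NotAfter
            NameMatches = $matches
        }
        $ssl.Close()
    }
    finally { $client.Close() }
}

# Constructed list of names (placeholders from the thread; replace with your own).
$names = 'mail.domain.tld', 'autodiscover.domain.tld', 'internalservername.domain.local'
foreach ($n in $names) {
    try   { Get-ServedCertificate -HostName $n | Format-List }
    catch { Write-Warning "${n}: $($_.Exception.Message)" }
}
```

If every name returns the GoDaddy thumbprint and NameMatches True, the listener is consistent with Get-ExchangeCertificate and the stray warning is being triggered by a name the client chose on its own, which is why the thread turns to Outlook's cached profile settings rather than the server.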

I'm still seeing this. It pops up so rarely, it's hard to troubleshoot!

I'm going to reboot the server. Everyone says it's not necessary for a simple cert change... but literally nothing else has worked.

May 22nd, 2015 7:30pm

Still appearing maybe once every 24-48 hours...

Any last minute ideas before I relegate it upwards to MS Support?
May 26th, 2015 12:16pm

Hi Dane,

did you get a solution for the annoying popups?

I've changed to an "external name only" SSL certificate at my customer's Exchange a few weeks ago, but still receive popups :-(

It looks like the server side is fine, because if I create a new Outlook profile everything's fine.

Oliver.

August 24th, 2015 6:03am

