[SOLVED] Outlook + Exchange problem with the proxy server's security certificate

Hi,

This is maybe more of a server question, but for debugging purposes, I need to decipher Outlook's logic first.

The customer has SBS 2011 with Exchange 2010, working fine for a few years. But now, a few weeks ago, clients (not all, but some!) with Outlook began experiencing problems when connecting to the SBS local Exchange from outside:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site my.exchange.server.com. Outlook is unable to connect to the proxy server (Error Code 0) 

What have I tried to resolve it?

  • Checked the installed SSL certificate on the Exchange server; the cert is OK and is VALID. Actually, this cert was issued 1,5 years ago and has 2 years' validity till 5th of May 2020, so nothing changed there.
  • Verified latest updates... none. SBS has not been rebooted or updated for a few months, so nothing changed there, too.
  • Checked the Outlook connectivity test https://testconnectivity.microsoft.com/ and it connects OK, no errors, all green checks.
  • Checked OWA and RPC via https://my.exchange.server.com/owa and /rpc, and both open just fine on LAN and WAN, presenting a proper and valid SSL cert.
  • Verified whether the https://testconnectivity.microsoft.com/ SSL is the same as the one installed on Exchange - yes, it is the same SSL, valid and working.
  • Tried to connect from different locations with Outlook 2013, 2016 and 2019, but all experience the same problem.
  • Checked whether I have, for some weird reason, PROXY enabled for my internet connection, but no, I do not. Neither do any of the other testing locations.
  • Tried to run OUTLOOK.EXE /SAFE, but as expected, still no joy.

And NO, none of these recommended actions help: Error message when Outlook tries to connect to a server by using an RPC connection or an HTTPS connection: "There is a problem with the proxy server's security certificate"

I would now like to have this answer:

Outlook says: "The name on the security certificate is invalid or does not match the name..."

My question: "Hey Outlook, please, show me which certificate you are looking at, please!"

I would really like to know what it is looking at, because from any point of view I see a proper and valid certificate, so how can it see something else?

Any idea?

Aha...here we go...I am one step further.

I found that you can RIGHT-CLICK on the Outlook icon (while running) in the System Tray, then select Test E-mail AutoConfiguration. Nice tool, which gives me exactly what I need - insight into the SSL certificate!

And somehow Outlook is testing a WILDCARD SSL certificate *.domain.com, which was in use some 5 years ago, then abandoned due to incompatibility with Exchange. Seems like by some miracle these cert settings were resurrected from the dead....

So:

  • There's no such wildcard SSL on SOPHOS UTM like *.domain.com, so I can exclude any Sophos UTM issue here.
  • BUT under MMC --> CERTIFICATES on the Exchange server I cannot find any wildcard SSL with the name *.domain.com

Hmmm... what is messed up where, and how to resolve it?


1 person found this reply helpful

Hi Andrej,
Are you using that on a web server? Outlook could be looking there for the autodiscover. Set the ExcludeHttpsRootDomain key so it doesn't check the web server for autodiscover.

https://docs.microsoft.com/outlook/troubleshoot...
--
Diane Poremsky
M365 MVP, specializing in Outlook, Exchange, and Microsoft 365 apps.

1 person found this reply helpful

Thank you, Diane, but I've already checked this reg key and forgot to mention it in my post. Nothing there; one of the testing computers was brand new, so no leftovers there.

I think there must be something on the server, DNS or router. On the client I am almost sure nothing could be wrong.

Are you using a wildcard certificate on your website's server?

Add the ExcludeHttpsRootDomain key and set it to 1 - you don't want to check the web server (which is usually the root domain).
--
Diane Poremsky
M365 MVP, specializing in Outlook, Exchange, and Microsoft 365 apps.

2 people found this reply helpful

Hi again, Diane!

I've added the ExcludeHttpsRootDomain DWORD to the HKEY_CURRENT_USER\Software\Microsoft\Office\x.0\Outlook\AutoDiscover registry path, but even after reboot, Outlook still reports the same error.

And NO, I am NOT using a wildcard certificate anywhere. It was the option for Exchange some 6 years ago, but was abandoned and replaced with a SAN SSL certificate due to incompatibility with Exchange.

>> BUT under MMC --> CERTIFICATES on Exchange server
You looked in all of the certificate folders, including web server? Check in IIS too.
--
Diane Poremsky
M365 MVP, specializing in Outlook, Exchange, and Microsoft 365 apps.

No, nothing like *.domain.com in IIS.

Only one weird certificate with name WMSvc-WIN-KBS25H7K10I with expiration date 7.3.2023.

...and of course the VALID SAN SSL, named mail.domain.com (and ALT names autodiscover.domain.com and remote.domain.com)

Tomorrow I will switch domain from ISP DNS to CloudFlare DNS, so I will have control over it. Then I will add proper SRV records and see, if those resolve the issue.
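
An added example, not part of any post in this thread: one way to see which certificate each host that Outlook may contact during Autodiscover actually presents (root domain, `autodiscover.` name, the configured proxy name, and any SRV target). `domain.com` and `mail.domain.com` are the placeholder names used in the thread, and `Get-PresentedCertificate` is a hypothetical helper name.

```powershell
# Added example. Placeholders from the thread; replace with the real names.
$Domain    = 'domain.com'
$ProxyHost = 'mail.domain.com'
$Targets   = @($Domain, "autodiscover.$Domain", $ProxyHost)

# Include the target of an Autodiscover SRV record, if one is published.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $Targets += $srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
}

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # the host name is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            SAN        = if ($san) { $san.Format($false) } else { '' }
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    catch {
        # Unreachable host or failed handshake: report it instead of stopping.
        [pscustomobject]@{ Host = $HostName; Subject = "ERROR: $($_.Exception.Message)"
                           SAN = ''; NotAfter = $null; Thumbprint = '' }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$Targets | Select-Object -Unique | ForEach-Object { Get-PresentedCertificate $_ } | Format-List
```

Run it from an outside network and again from the LAN; a host whose Subject or Thumbprint differs from the certificate installed on Exchange is answering from somewhere else.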

Thanks for the update!
--
Diane Poremsky
M365 MVP, specializing in Outlook, Exchange, and Microsoft 365 apps.

1 person found this reply helpful

Question Info


Last updated November 11, 2024 Views 52,279 Applies to: