Certificate warning when adding an Exchange server

Background

When introducing a new Exchange server in an existing organization there is a common issue that appears.
The new server doesn’t have any certificates and because of this you will most likely see this message in Outlook on clients that are connected to your environment.

I’ve seen this at multiple customers when they are installing a new Exchange 2016 server and adding it to their existing environment.

A common scenario where this occurs is when you have an Exchange environment and a Office 365 tenant and are in the final steps of migrating to Exchange Online.
When all mailboxes are moved you might want to decommission your old environment but to retain some manageability on-premises a new Exchange 2016 server is a good idea. This new server will allow you to manage mailboxes in Exchange Online without having to edit attributes in Active Directory.

Issue

This warning appears because the new server has a new hostname and the SCP of the server points to the hostname that doesn’t match the subject of the certificate in the environment.

This warning might appear during the following circumstances:

  • The user tries to create a new profile in Microsoft Office Outlook.
  • The user tries to start an Outlook client.
  • The issue occurs intermittently when the Outlook client is running.
Solution

You can easily remove the incorrect SCP value by running the following command with powershell. You need to do this once for each server for which you want to remove the SCP. This usually are the servers without certificates or that shouldn’t respond to clients.
Set-ClientAccessServer -Identity %ServerName% -AutoDiscoverServiceInternalUri $Null
After you run this command you can verify that the value is gone by running this command:
Get-ClientAccessServer | select Identity,AutoDiscoverServiceInternalUri

The certificate error will be gone after this and everyone should be happy again.

References
https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
https://support.microsoft.com/en-us/help/2772058/-the-name-on-the-security-certificate-is-invalid-or-does-not-match-the

Leave a Reply