MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Exchange 2013 certificate error: There is a problem with the proxy server’s security certificate.

Let’s take a look at an issue where users keep getting the following pop up in the outlook client frequently.

There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the name of the target site “server.domain.local”

Outlook is unable to connect to the proxy server. (Error Code 10)


Possibility 1:

=> On the user’s machine launch Outlook=> Click File => Go to
Account Settings.

=> Select the email account and then click Change.

=> Click the More Settings button.

=> Now click the Exchange Proxy Settings.

=> Copy the URL for “Only connect to the proxy servers that have this principle name in their certificate” & try to browse it.

=> You will get a certificate error, click on the top red x mark next to the address bar. It will open a certificate.

=> Check the DNS
names listed in the certificate & make a note of them.

=> Now go the Exchange Server, Launch Exchange Management Shell.’

=> Run the following command:

Get-OutlookAnywhere

=> Look for the following options:

ExternalHostname mail.domain.com

InternalHostname     mail.domain.local

=> Compare these two entries with the list of names we collected from the client machines certificate.

=> You will find that the internal host name is missing in the certificate.

=> To resolve this issue, we can run the following command to match the Internal Host name to the External host name as in the certificate SAN entry:

Set-OutlookAnywhere -Identity “EXCH201301Rpc (Default Web Site)” -InternalHostname mail.domain.com -InternalClientsRequireSsl $true

=> Next run IIS reset or simply recycle the AutoDiscover AppPool in the IIS Manager.

=> This change will take effect soon after the user closes & reopens the outlook, however the default autodiscover refresh internal is 1 hour, so it’s better to test after an hour or so.

Possibility 2:

Run the following script. Note that not all of this is relevant to the subject matter issue but you need to have your Exchange server tuned this way:

Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | fl Identity, *lurl*, *method*

Get-ECPVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*

Get-OWAVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*

Get-WebservicesvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*

Get-OABvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*

Get-ClientAccessServer | fl Name, *uri*

Get-OutlookAnywhere -ADPropertiesOnly | fl Identity, *method*, *lurl*, *hostname*​

Get-MailboxServer | Get-MailboxDatabase | ft Name, *rpc* -AutoSize

Get-ClientAccessArray | ft Name, fqdn, Members -AutoSize

Once you have the output, start by reviewing URL’s and authentication settings on every CAS servers and ensure they are all configured unique.

For example if the Authentication settings or URL’s on OutlookAnywhere are different for CAS servers, that might cause Authentication popups or Certificate pop ups.

The AutoDiscoverServiceInternalUri value should ideally be a URL that is added on the certificate as a SAN.

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru

Leave a Reply

migrate exchange to office 365

Categories

Archives