Exchange 2013 certificate error: There is a problem with the proxy server’s security certificate.
Let’s take a look at an issue where users keep getting the following pop up in the outlook client frequently.
There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the name of the target site “server.domain.local”
Outlook is unable to connect to the proxy server. (Error Code 10)
Possibility 1:
=> On the user’s machine launch Outlook=> Click File => Go to
Account Settings.
=> Select the email account and then click Change.
=> Click the More Settings button.
=> Now click the Exchange Proxy Settings.
=> Copy the URL for “Only connect to the proxy servers that have this principle name in their certificate” & try to browse it.
=> You will get a certificate error, click on the top red x mark next to the address bar. It will open a certificate.
=> Check the DNS
names listed in the certificate & make a note of them.
=> Now go the Exchange Server, Launch Exchange Management Shell.’
=> Run the following command:
Get-OutlookAnywhere
=> Look for the following options:
ExternalHostname mail.domain.com
InternalHostname mail.domain.local
=> Compare these two entries with the list of names we collected from the client machines certificate.
=> You will find that the internal host name is missing in the certificate.
=> To resolve this issue, we can run the following command to match the Internal Host name to the External host name as in the certificate SAN entry:
Set-OutlookAnywhere -Identity “EXCH201301Rpc (Default Web Site)” -InternalHostname mail.domain.com -InternalClientsRequireSsl $true
=> Next run IIS reset or simply recycle the AutoDiscover AppPool in the IIS Manager.
=> This change will take effect soon after the user closes & reopens the outlook, however the default autodiscover refresh internal is 1 hour, so it’s better to test after an hour or so.
Possibility 2:
Run the following script. Note that not all of this is relevant to the subject matter issue but you need to have your Exchange server tuned this way:
Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | fl Identity, *lurl*, *method*
Get-ECPVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Get-OWAVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Get-WebservicesvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Get-OABvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Get-ClientAccessServer | fl Name, *uri*
Get-OutlookAnywhere -ADPropertiesOnly | fl Identity, *method*, *lurl*, *hostname*
Get-MailboxServer | Get-MailboxDatabase | ft Name, *rpc* -AutoSize
Get-ClientAccessArray | ft Name, fqdn, Members -AutoSize
Once you have the output, start by reviewing URL’s and authentication settings on every CAS servers and ensure they are all configured unique.
For example if the Authentication settings or URL’s on OutlookAnywhere are different for CAS servers, that might cause Authentication popups or Certificate pop ups.
The AutoDiscoverServiceInternalUri value should ideally be a URL that is added on the certificate as a SAN.
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru
April 17th, 2017 at 9:05 am
Awesome. This worked like a charm! Thanks!! +++
April 30th, 2017 at 9:49 pm
This did not work for me.
I am using exchange 2013 outlook 2016
something has changed on my exchange server all my computers are getting the same error (Error Code 10)
some computers are getting Error 18.
I need to know if there is a way to change the name on the proxy cert.
Thank you
May 13th, 2017 at 12:19 am
why do you want to change the name.