In a previous article, we installed Let's Encrypt in Exchange Server. Everything is working great…
Certificate warning during or after a new Exchange Server installation
Users are getting a certificate warning in Outlook. It happens during or after a new Exchange Server installation in the organization. Why are users getting a certificate warning in Outlook? Is there a way to prevent the certificate warning for the users in Outlook? In this article, you will get both questions answered.
Table of contents
Why are users getting a certificate warning in Outlook?
The reason for this is Outlook and the Service Connection Point (SCP) in Active Directory. During the Exchange Server setup, a new SCP is created in Active Directory (AD). An Outlook client will accidentally discover the unconfigured SCP. It will try to connect to the new Exchange Server instead of the Autodiscover FQDN. Because of that, a certificate warning is showing up in Outlook.
In our example, we did install Exchange Server on a second Windows Server with the hostname EX02-2016 in the domain exoip.local.
Fix certificate warning in Outlook
- Find autodiscover URL in Exchange with PowerShell
- Configure autodiscover URL in Exchange with PowerShell
Is there a way to prevent the certificate warning?
Yes, there is a way to prevent the certificate warning for the users in Outlook. A PowerShell script can do this. Download the Set-AutodiscoverSCP.ps1 PowerShell script (Microsoft) or here (direct). Jeff Guillet made the script.
The script intends to run on another Exchange server in the organization. Are you running Exchange Server 2010? Run the script on the same version of Exchange as the new server. It’s because Exchange 2010 cannot update SCP values for Exchange 2013, 2016, or 2019 and vice versa. Note that Exchange 2013/2016/2019 servers can update each other.
You can also have the script target a particular domain controller. It’s useful when the new server you are installing is in a different AD site.
Example 1: Exchange 2010 and Exchange 2016
You have two Exchange Servers 2010 (EX2010-01) and (EX2010-02) in the organization. You are going to install a new Exchange Server 2016 (EX2016). Download the script and place it in the C:\scripts\ folder on the Exchange Server 2016 (EX2016). Run the script on the Exchange Server 2016 (EX2016). Start installing Exchange Server on EX2016.
|
1 |
[PS] C:\>C:\scripts\.\Set-AutodiscoverSCP.ps1 -Server ex2016 -ServerToClone ex2010-01 |
The script will continually query the current configuration domain controller until it finds an SCP for server EX2016 and then sets it to match the SCP of EX2010-01. It also configures Outlook Anywhere and the internal/external virtual directory URLs to match those found on EX2010-01.
Example 2: Exchange 2013 and Exchange 2019
You have one Exchange Server 2013 (EX2013) in the organization. You are going to install a new Exchange Server 2019 (EX2019). Download the script and place it in the C:\scripts\ folder on the Exchange Server 2013 (EX2013). Run the script on the Exchange Server 2013 (EX2013). Start installing Exchange Server on the EX2019.
|
1 |
[PS] C:\>C:\scripts\.\Set-AutodiscoverSCP.ps1 -Server ex2019 -ServerToClone ex2013 |
The script will continually query the current configuration domain controller until it finds an SCP for server EX2019 and then sets it to match the SCP of EX2013. It also configures Outlook Anywhere and the internal/external virtual directory URLs to match those found on EX2013.
Example 3: Exchange server in different AD site
It’s almost the same as the previous commands, except it continually queries DC03 for the SCP record and configures it on that domain controller. It’s useful when configuring a new Exchange server in a different Active Directory site.
|
1 |
[PS] C:\>C:\scripts\.\Set-AutodiscoverSCP.ps1 -Server ex2019 -ServerToClone ex2013 -DomainController dc03 |
From this moment on, an Outlook client can safely discover this SCP record. Outlook will automatically connect to the correct Autodiscover URL, and therefore, the SSL Certificate warning will not appear (assuming the original Exchange Servers are configured correctly).
Read more: Outlook keeps asking for password after migration »
Conclusion
In this article, you learned why a certificate warning is showing up in Outlook. It happens during or after a new Exchange Server installation. Fix Outlook warning by configuring the autodiscover URL. The next time you install an Exchange Server, you can prevent the certificate warning from popping up in Outlook using the PowerShell script.
Did you enjoy this article? You may also like Remove certificate in Exchange Server. Don’t forget to follow us and share this article.
What Others Are Reading
This Post Has 0 Comments