Exchange 2016 AutoDiscover Outlook Security Alert: Certificate Issue, Fix, and Eliminating Host Names in SSL Certificates

Hello All

Hope everyone is doing well. I wanted to explore the free SSL certificate from Let's Encrypt and successfully obtained one for my Exchange 2016 server. I will share a separate blog on how to get the free certificate later.

In this blog, I would like to share my experience of the issue seen from the user side after I got the certificate from Let's Encrypt for AutoDiscover.

Users on Outlook 2016 received the certificate error below when they opened the Outlook client.


Issue

The error: The name on the security certificate is invalid or doesn't match the name of the site

Generally, this issue occurs when the URL you are trying to access is not listed in either the Subject or the Subject Alternative Name (SAN) of the website's Secure Sockets Layer (SSL) certificate.

I double-checked the certificate: the SAN autodiscover.cloudmonkeys.xyz is very much present.

I was thinking of adding my Exchange server host name to the SSL certificate, but it is time consuming to regenerate everything, and in a production environment some SSL vendors charge to add host names to the SAN.

Including server names in your SSL certificate is supported, but it is not recommended or best practice.

My environment uses a split DNS model: the internal network resolves the names to the private IPs of my Exchange servers via the local DNS server, and the outside network resolves them to the external IP that points to the Exchange server via NAT or a load balancer (VIP).

DNS Server - Local

External DNS

- Create an A record for mail.domain pointing to the VIP
- Create a CNAME record pointing to mail.domain

Internal DNS


How to set up the host names and URLs in Exchange Server 2016 for a split DNS setup

Many organizations use split DNS for their Exchange namespace to eliminate server names from SSL certificates.

Resolution

I configured all the virtual directories so that both the internal and external URLs point to mail.domain, as below. This fixed the issue, and Outlook 2016 no longer shows the security alert during the AutoDiscover process.

Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.cloudmonkeys.xyz -InternalHostname mail.cloudmonkeys.xyz -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/mapi -InternalUrl https://mail.cloudmonkeys.xyz/mapi

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/owa -InternalUrl https://mail.cloudmonkeys.xyz/owa

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/ecp -InternalUrl https://mail.cloudmonkeys.xyz/ecp

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/Microsoft-Server-ActiveSync -InternalUrl https://mail.cloudmonkeys.xyz/Microsoft-Server-ActiveSync

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/EWS/Exchange.asmx -InternalUrl https://mail.cloudmonkeys.xyz/EWS/Exchange.asmx

Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.cloudmonkeys.xyz/OAB -InternalUrl https://mail.cloudmonkeys.xyz/OAB

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.cloudmonkeys.xyz/Autodiscover/Autodiscover.xml
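After changing the URLs above, it is worth confirming that every name Outlook will be sent to is actually covered by the certificate the server presents. The following PowerShell script is an added check, not part of the original post or of Exchange itself: it opens a TLS connection to each hostname, reads the Subject and the SAN DNS names from the presented certificate, and reports whether the name is covered (including a wildcard entry). The hostnames mail.cloudmonkeys.xyz and autodiscover.cloudmonkeys.xyz are the ones used in this post; the SAN parsing assumes the "DNS Name=" text that Windows PowerShell's X509Extension.Format() produces.

```powershell
# Added example: verify that each Exchange hostname is listed in the presented
# certificate's Subject/SAN, which is exactly what Outlook checks before
# raising "The name on the security certificate is invalid".

function Get-EndpointCertificateNames {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is offered here so we can inspect it;
        # the name check is done explicitly below, not by this callback.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $names = @()
        # Subject CN as a DNS name (may be empty on SAN-only certificates)
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }

        # Subject Alternative Name extension, OID 2.5.29.17
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Assumption: Windows formats each entry as "DNS Name=<host>" on its own line
            $sanExt.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match 'DNS Name=(.+)$') { $names += $matches[1].Trim() }
            }
        }

        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            Names    = @($names | Select-Object -Unique)
        }
    }
    finally {
        $client.Close()
    }
}

function Test-HostCoveredByCertificate {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.cloudmonkeys.xyz matches
        # mail.cloudmonkeys.xyz but not cloudmonkeys.xyz or a.b.cloudmonkeys.xyz
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Names from this post: the single namespace used for every virtual directory
# plus the AutoDiscover name that Outlook tries first.
$hosts = 'mail.cloudmonkeys.xyz', 'autodiscover.cloudmonkeys.xyz'
foreach ($h in $hosts) {
    try {
        $info = Get-EndpointCertificateNames -HostName $h
        $ok   = Test-HostCoveredByCertificate -HostName $h -Names $info.Names
        '{0,-32} covered={1,-5} expires={2:yyyy-MM-dd} SAN={3}' -f $h, $ok, $info.NotAfter, ($info.Names -join ',')
    }
    catch {
        '{0,-32} connection failed: {1}' -f $h, $_.Exception.Message
    }
}

# On the Exchange server itself the same list is available without a network
# round trip from the certificate bound to IIS:
#   (Get-ExchangeCertificate | Where-Object { $_.Services -like '*IIS*' }).CertificateDomains
```

Because the environment uses split DNS, run the script once from an internal client and once from outside: the two resolve the names to different addresses (private IP versus the NAT/VIP address), and a name that is covered on one path can still hit a server or load balancer presenting a different certificate on the other.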

I hope this blog is useful to anyone encountering the AutoDiscover certificate issue with the error "the name on the security certificate is invalid or does not match the name of the site".

Happy learning  😃
