Outlook displays the Security Alert dialog box when Exchange is using a self-signed certificate

Article ID: 2006728 - View products that this article applies to.

Symptoms

When you start Microsoft Office Outlook 2007, you receive the following security warning:

The security certificate was issued by a company you have not chosen to trust.

Additionally, the name of a Microsoft Exchange Server 2010 server that hosts the Client Access Server role is listed in the dialog box. The following illustration is an example of this security warning.

Security Alert dialog box with certificate warning

When you click View Certificate, and then you select the Certification Path, the CA Root certificate is not trusted. This is because the certificate is not in the Trusted Root Certification Authorities store on the client. Also, the name of the Exchange 2010 server that hosts the Client Access Server role is listed on the Certification Path tab. The following illustration displays the information that you might find on the Certification Path tab.

Certification Path tab in the View Certificate dialog box

You do not expect this security warning because your Outlook client is a domain-joined workstation, and you are connecting to Exchange over an internal network.

Back to the top | Give Feedback

Cause

This problem occurs if all the following conditions are true:

You have an Exchange 2007 server that hosts the Client Access Server role together with an Exchange 2010 server that hosts the Client Access Server role in the environment.
Your mailbox is located on an Exchange 2010 server that hosts the Mailbox role.
The certificate that is installed on the Exchange 2010 server that hosts the Client Access Server role is self-signed.

This problem occurs because the Microsoft Exchange Server 2007 server that hosts the Client Access Server role redirects the Autodiscover request that is issued by Outlook. The redirection that the Exchange 2007 server issues references the Exchange 2010 server that hosts the Client Access Server role. Because the Exchange 2010 server is using a self-signed certificate, Outlook cannot trust the certificate when the redirection occurs.

Back to the top | Give Feedback

Resolution

To resolve this problem, you must install a certificate that is not a self-signed certificate on the Exchange 2010 server that hosts the Client Access Server role. This certificate can be either one that a Certification Authority server in your organization issues or one that a third-party certification authority issues.

If you cannot install a certificate that is not self-signed on the Exchange 2010 server, you can use the following workaround on workstations on which Outlook is installed. These steps install the self-signed certificate from the Exchange 2010 server into the Trusted Root Certification Authority store on the workstation. To do this, follow these steps:

Start Outlook.
In the Security Alert dialog box, click View Certificate.
In the following View Certificate dialog box, click Install Certificate.
In the Certificate Import Wizard, follow these steps:

On the following Certificate Store wizard page, click Place all certificates in the following store, and then click Browse.
In the following Certificate Store dialog box, click Trusted Root Certification Authority, and then click OK.
On the Certificate Store wizard page, click Next.
Click Finish to complete the wizard.
Click Yes as the following screen shot shows when you are prompted to confirm the installation of the certificate.
Click OK when you are advised that the import was successful.
Click OK to close the View Certificate dialog box.
Click Yes in the Security Alert dialog box to continue to start Outlook.
Exit and restart Outlook.

Now, you do not receive the security warning when you start Outlook.

After you install the certificate by using this procedure, you can confirm that the certificate is installed correctly on the client. To do this, follow these steps:

Start Windows Internet Explorer.
On the Tools menu, click Internet Options.
On the Content tab, click Certificates.
In the Certificates dialog box, click the Trusted Root Certification Authorities tab.
Scroll down the list of installed certificates to locate the certificate for your server. (The screen shot for this step is listed below).

Note In the following scenario where you are using a self-signed certificate on your Exchange 2010 server, Outlook does not display the Security Alert dialog box if both of the following conditions are true:

The certificate is listed.
The date in the Expiration Date column has not been reached.

Back to the top | Give Feedback

More Information

How to tell whether you are using a self-signed certificate

To determine whether you are using a self-signed certificate on the Exchange 2010 server that hosts the Client Access Server role, follow these steps:

Start Exchange Management Console on an Exchange 2010 server.
Select Server Configuration in the console tree.
Select the server that hosts the Client Access Server role in the work pane.
The value under the Self-Signed column indicates whether a self-signed certificate is installed, as noted in the following illustration.

Why the redirection occurs

Exactly as in Exchange 2007, when more than one Client Access server is installed, the Exchange setup creates an Autodiscover Service Connection Point (SCP) record in Active Directory Domain Services (AD DS) for each Client Access server. When a domain-connected client connects to AD DS, the Outlook client (Outlook 2007 or a later version) authenticates to AD DS and then tries to locate the Autodiscover SCP objects that were created during the Exchange setup. After the client obtains the instances of the Autodiscover service, the client connects to the first Client Access server in the list that is enumerated and sorted, and then the client obtains the Autodiscover information from that Client Access server.

In an environment where Exchange 2010 and Exchange 2007 are both present, the Outlook client uses the first SCP in the list (probably Exchange 2007) to contact the Autodiscover service. Even a new client or those who log on to their Exchange 2010 mailbox for the first time will use the Exchange 2007 SCP record because it is usually the first record in the list of SCP records.

Depending on the Exchange version for the user’s mailbox, the Exchange 2007 Client Access server may redirect the request in the following scenarios:

Exchange 2007: If the user has an Exchange 2007 mailbox, the Exchange 2007 SP2 Client Access server handles the Autodiscover request.
Exchange 2010: If the user has an Exchange 2010 mailbox, the Exchange 2007 SP2 Client Access server redirects the request to an Exchange 2010 Client Access server. The redirect response from the Exchange 2007 SP2 Client Access server includes the URL for the Exchange 2010 Client Access server.

Autodiscover reference

For more information about the Autodiscover service for Exchange 2007, please see the following articles.

White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063.aspx

Understanding the Autodiscover Service
http://technet.microsoft.com/en-us/library/bb124251(EXCHG.140).aspx

Back to the top | Give Feedback