I am currently having trouble with the last stage of configuring Exchange/Outlook in our organisation.

We are having issues with an SSL Warning when opening Outlook 2013, where it is failing to validate the SSL, as it is using our (old) Internal URL (exchange.internal.local).

Please see the config within Exchange below; however, I'm not sure what is causing this. If it helps, it doesn't seem to be happening in Outlook 2007.

```
get-ClientAccessServer | ft identity,AutodiscoverServiceInternalUri
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\Autodiscover (Default Web Site)

get-webservicesvirtualdirectory | ft identity,internalurl
Identity                                                    AutoDiscoverServiceInternalUri
--------                                                    ------------------------------
EXCHANGE                                                    https://mail.externaldomain.co.uk/autodiscover/autodi...

get-webservicesvirtualdirectory | ft identity,internalurl
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\EWS (Default Web Site)                             https://mail.externaldomain.co.uk/EWS/Exchange.asmx

get-oabvirtualdirectory | ft identity,internalurl
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\OAB (Default Web Site)                             https://mail.externaldomain.co.uk/OAB

get-owavirtualdirectory | ft identity,internalurl
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\owa (Default Web Site)                             https://mail.externaldomain.co.uk/owa

get-ecpvirtualdirectory | ft identity,internalurl
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\ecp (Default Web Site)                             https://mail.externaldomain.co.uk/ecp

get-ActiveSyncVirtualDirectory | ft identity,internalurl
Identity                                                    InternalUrl
--------                                                    -----------
EXCHANGE\Microsoft-Server-ActiveSync (Default Web Site)     https://mail.externaldomain.co.uk/Microsoft-Server-ActiveSync
```

```
RunspaceId                         : 416632a3-3695-430f-8d49-a072344e2bc0
ServerName                         : EXCHANGE
SSLOffloading                      : True
ExternalHostname                   : mail.externaldomain.co.uk
InternalHostname                   : mail.externaldomain.co.uk
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://EXCHANGE.internal.local/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 516.32)
Server                             : EXCHANGE
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCHANGE,CN=Servers,CN=Exchange
                                     Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Identity                           : EXCHANGE\Rpc (Default Web Site)
Guid                               : 7a9f693d-0f42-4fd5-8de9-e3e7eb946932
ObjectCategory                     : internal.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 26/06/2013 11:31:19
WhenCreated                        : 21/06/2013 14:37:47
WhenChangedUTC                     : 26/06/2013 10:31:19
WhenCreatedUTC                     : 21/06/2013 13:37:47
OrganizationId                     :
OriginatingServer                  : Exchange.internal.local
IsValid                            : True
ObjectState                        : Changed
```

```
Thumbprint                                Services   Subject
----------                                --------   -------
239AA8CC6811F0D226F73959B3B4D61FFADDF694  IP.WS..    CN=mail.externaldomain.co.uk, OU=Domain Control Validated
```

Screenshot of the error


!!EDIT!! Also if it helps, running the Exchange through Test Exchange Connectivity reveals the following: Screenshot

Matt Clements
  • Check Get-OutlookAnywhere. It has an InternalHostname and ExternalHostname now that wasn't present in 2010. – Jeremy Lyons Jul 04 '13 at 21:33
  • @JeremyLyons Thanks for the heads up, all looks OK, but I have added the output to the above post – Matt Clements Jul 05 '13 at 10:21
  • It looks like you're presenting the wrong Exchange certificate. Did you install an Exchange certificate for mail.externaldomain.co.uk and autodiscover.externaldomain.co.uk? Did you assign services to it after installing it? – Jeremy Lyons Jul 05 '13 at 20:56
  • @JeremyLyons The SSL being presented is for mail.externaldomain.co.uk but does not cover autodiscover.externaldomain.co.uk - this SSL is the only SSL now in Exchange (all others have been deleted), could it be as autodiscover.externaldomain.co.uk doesn't have a valid SSL? I don't mind the initial warning for autodiscover.externaldomain.co.uk when setting up a mailbox. – Matt Clements Jul 07 '13 at 07:52
  • I'm still confused as to why Exchange seems to be presenting a cert for exchange.domain.local. Can you give me a sanitized output of get-exchangecertificate? Also, using that website to test from outside isn't a 1:1 test, but they have a downloadable tool you can run from your workstation that I would recommend trying. – Jeremy Lyons Jul 10 '13 at 02:33
  • @JeremyLyons I think that changing Autodiscover from a DNS A record that didn't have an SSL to a Service Record has fixed the issue. Am going to do a test roll out over the next couple of days to see if this fixes. I have added the `get-exchangecertificate` to the above output – Matt Clements Jul 10 '13 at 09:12

2 Answers


Ok - Changing the Autodiscover from a DNS A Record to an SRV Record fixed.

Also this was still popping up on the Test Machines which were already setup.

On deleting/re-adding the Exchange Accounts to Outlook this fixed.

Matt Clements
  • Just to advise you that the approach above is the default. Your approach is more suitable for External access to the Exchange server through Outlook Anywhere connectivity. – Vick Vega May 09 '14 at 00:35
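
An added example, not code from any poster in this thread: one way to check the mismatch discussed above is to list every host name Exchange or DNS can send Outlook to and compare it with the names on the certificate assigned to IIS. `$SmtpDomain` uses the sanitised domain from the question as an assumed value, and `Get-HostName`, `New-Entry` and `Test-Covered` are hypothetical helper names; a row with `Covered` = `False` is a name clients can reach that the certificate does not list.

```powershell
# Added example. Run in the Exchange Management Shell; Resolve-DnsName needs
# Windows Server 2012 / Windows 8 or later. All helper names are hypothetical.
$SmtpDomain = 'externaldomain.co.uk'   # assumption: sanitised domain from the question

function Get-HostName($Url) { if ($Url) { ([uri]"$Url").Host.ToLower() } }
function New-Entry($Source, $Name) {
    if ($Name) { [pscustomobject]@{ Source = $Source; Name = "$Name".ToLower() } }
}
function Test-Covered([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        # A wildcard entry covers exactly one additional left-most label.
        if ($c.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.') + 1) -eq $c.Substring(2)) { return $true }
    }
    return $false
}

# Names on the certificate(s) assigned to IIS (the "W" in the Services column).
$certNames = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })

$vdirCmds = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
            'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
            'Get-ActiveSyncVirtualDirectory'

$found = @(
    # Host names Exchange hands out: SCP, virtual directories, Outlook Anywhere.
    Get-ClientAccessServer | ForEach-Object {
        New-Entry 'SCP AutoDiscoverServiceInternalUri' (Get-HostName $_.AutoDiscoverServiceInternalUri) }
    foreach ($cmd in $vdirCmds) {
        & $cmd | ForEach-Object {
            New-Entry "$cmd InternalUrl" (Get-HostName $_.InternalUrl)
            New-Entry "$cmd ExternalUrl" (Get-HostName $_.ExternalUrl) } }
    Get-OutlookAnywhere | ForEach-Object {
        New-Entry 'OutlookAnywhere InternalHostname' $_.InternalHostname
        New-Entry 'OutlookAnywhere ExternalHostname' $_.ExternalHostname }
    # Autodiscover DNS names for the SMTP domain: the host record and the SRV target.
    if (Resolve-DnsName "autodiscover.$SmtpDomain" -ErrorAction SilentlyContinue |
            Where-Object { $_.Section -eq 'Answer' }) {
        New-Entry 'DNS autodiscover host record' "autodiscover.$SmtpDomain" }
    Resolve-DnsName "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { New-Entry 'DNS autodiscover SRV target' $_.NameTarget }
)

$found | Sort-Object Name, Source -Unique |
    Select-Object Name, @{ n = 'Covered'; e = { Test-Covered $_.Name $certNames } }, Source |
    Format-Table -AutoSize
```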

You need to set Outlook provider. http://ilantz.com/2013/06/29/exchange-2013-outlook-anywhere-considerations/

Vick Vega