Certificate warning error after changing Exchange client access namespaces

So you changed your client access namespace from server1.contoso.local to autodiscover.contoso.com and know your clients are showing a certificate warning that the name of the url does not match the name(s) on the SSL-certificate?

Your Outlook client is using ‘Last Known Good Url’ to determine the autodiscover url. Because server1.contoso.local still responds, it is still a ‘good url’. But server1.contoso.local is not one of your subject alternative names on the SSL certificate. The only subject alternative names on your SSL-certificate are e.g. autodiscover.contoso.com and mail.contoso.com.

You could try to add server1.contoso.local to your SSL-certificate, but that will fail.

Somehow you need to force the Outlook client to not use the ‘Last Known Good Url’ method to determine the autodiscover url.

Fortunately there are several ways to solve this:

  • Group Policy. (You need to have the Office 2013/2016 Administrative Templates.)

  • Registry

Configure one of the following registry subkeys as follows:

HKEY_CURRENT_USER\Software\Microsoft\Office\x.0\Outlook\Autodiscover
DWORD: ExcludeLastKnownGoodUrl
Value: 1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Autodiscover
DWORD: ExcludeLastKnownGoodUrl
Value: 1

(The value x.0 can be 15.0 for Office 2013 or 16.0 for Office 2016.)

  • New Outlook profile

When you create a new Outlook profile, there is no Last Known Good Url, so that will not be used anyway.

Leave a Reply

Your email address will not be published. Required fields are marked *