When configuring a new install of Exchange 2013, you may be presented with the errors below in Outlook:
There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the name of the target site server.domain.com.
Outlook is unable to connect to the proxy server (Error Code 10)
The name on the security certificate is invalid or does not match the name of the site
The cause of these errors is that Outlook is connecting using Outlook Anywhere: although it is able to contact Exchange, it is using a name that is not on the certificate.
To resolve the issue, there are two options. Either you need to create a new certificate request and add the name to the certificate (see here for instructions) or you need to configure Exchange not to autoconfigure Outlook with this name and specify a different name that is on the certificate. This autoconfiguration is known as autodiscover. More on that in another post.
In this post, we’ll look at how to configure Exchange Outlook Anywhere so that this issue no longer occurs.
1) Confirm current Outlook Anywhere hostnames
We need to confirm that the Outlook Anywhere hostname includes the hostname in the error, in our case litex01.litwareinc.com.
To do this, run the command below:
Get-OutlookAnywhere | fl ExternalHostname,InternalHostname
2) Create DNS records
We need to choose a name that is included on the certificate that is used by the CAS servers and/or reverse proxies. In our case, we will use the same name, mail.litwareinc.com, in internal and external DNS as we are using split-brain DNS. You can use different names as long as both are included on your certificate. Using a single name is simpler for troubleshooting and means that fewer names are required on the certificate, which can reduce your costs in some cases.
The internal A record needs to resolve to the internal IP of the CAS server, or to the load balancer virtual IP if you are load balancing multiple CAS servers.
The external A record needs to resolve to the public IP of the CAS server, or to the load balancer virtual IP if you are load balancing multiple CAS servers. If you are using a reverse proxy, then you need to configure the A record to resolve to the public IP of your reverse proxy.
3) Configure new Outlook Anywhere hostnames
To configure Autodiscover Outlook Anywhere with the internal and external hostnames, run the command below on a single line:
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.litwareinc.com -InternalClientsRequireSsl $true -ExternalHostname mail.litwareinc.com -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic
4) Confirm new Outlook Anywhere hostnames
Again, we’ll run the same command from step 1 to confirm our settings have changed. See below:
Get-OutlookAnywhere | fl ExternalHostname,InternalHostname
5) Restart the MSExchangeAutodiscoverAppPool
These settings don’t take effect immediately so you need to restart the MSExchangeAutodiscoverAppPool.
You can now open Outlook without any issues.
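A check that complements steps 1 and 4, as an added example that is not part of the original post: it lists every Outlook Anywhere hostname and reports whether each IIS-enabled Exchange certificate on that server covers it. The helper name Test-NameOnCertificate is hypothetical, and the example goes slightly beyond the post by also handling wildcard names on the certificate.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.

function Test-NameOnCertificate {
    # Hypothetical helper: returns $true when $HostName matches one of the
    # certificate's names, exactly or through a single-label wildcard.
    param([string]$HostName, [string[]]$CertificateDomains)

    foreach ($domain in $CertificateDomains) {
        if ($domain -eq $HostName) { return $true }      # -eq ignores case for strings
        if ($domain.StartsWith('*.')) {
            $suffix = $domain.Substring(1)               # "*.litwareinc.com" -> ".litwareinc.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                # A wildcard covers exactly one label: "mail", not "a.mail" and not ""
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

foreach ($oa in Get-OutlookAnywhere) {
    # Certificates on that server that are enabled for the IIS service
    $certs = Get-ExchangeCertificate -Server $oa.ServerName |
        Where-Object { $_.Services -match 'IIS' }

    # Internal and external hostnames, skipping empty values and duplicates
    $names = @([string]$oa.InternalHostname, [string]$oa.ExternalHostname) |
        Where-Object { $_ } | Select-Object -Unique

    foreach ($name in $names) {
        foreach ($cert in $certs) {
            $domains = $cert.CertificateDomains | ForEach-Object { "$_" }
            [pscustomobject]@{
                Server     = $oa.ServerName
                Hostname   = $name
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Covered    = Test-NameOnCertificate -HostName $name -CertificateDomains $domains
            }
        }
    }
}
```

Each hostname needs at least one unexpired certificate with Covered set to True. A certificate that lives on a reverse proxy or load balancer is not visible to Get-ExchangeCertificate and has to be checked on that device.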