Exchange 2013 Hybrid – Content was blocked because it was not signed by a valid security certificate

Hello again. The last few days have given me lots of new things to do, so apologies if you are being inundated with blog posts!

So today I went to enable a new Exchange 2013 Hybrid configuration. I used the Start Menu launcher for ‘Exchange Administrative Centre’, which to be honest I don’t usually do. This took me to https://localhost/ecp/?ExchClientVer=15. I then went to Hybrid and enabled the Hybrid Configuration. I logged into Office 365 and was greeted by this friendly message of doom:

Content was blocked because it was not signed by a valid security certificate

This error is quite easily solved; do not use localhost as the server name when you access the ECP. Use your client access namespace instead. For example, if my CAS name was, I would browse to

Just be sure to put and your CAS name into your Intranet Zone too or you’ll then get an error about Cookies!

412 - Cookies are disabled

Thanks for reading!


Exchange 2013 installation and annoying Outlook certificate Security Alert

I know, I know….why am I blabbering on about an Exchange version which is 3 years old?! The answer is because I still install it all the time, mainly for the purposes of Exchange Hybrid deployments. And this is probably old news to most of you, but if you didn’t know, Exchange 2013 can be particularly annoying when you first install it.

Once the install is completed, an SCP record is registered in Active Directory for your shiny new server (which still has all of its out of the box settings). If you faff around at all after the installation has completed, drinking tea and making merry at the water cooler, you will find that your users start moaning at you about the certificate errors they are receiving.

Outlook Certificate Error

This is because your new server has, without your consent, started merrily responding to Autodiscover and EWS requests made through Active Directory. This new server doesn’t have your public certificate installed, and also is using internal server names for it’s URLs.

What you need to do on Exchange 2013 to get around this is:

  • Install your trusted 3rd party SAN/wildcard certificate and assign it to the IIS service. Restart IIS
  • Configure, as a minimum, the Autodiscover, EWS and OAB Internal URLs to reflect your Exchange namespace
    • set-webservicesvirtualdirectory -identity ‘Servername\EWS (default web site)’ -internalurl ‘’
    • set-oabvirtualdirectory -identity ‘Servername\OAB (default web site)’ -internalurl ‘’
    • set-clientaccessserver -server servername -autodiscoverserviceinternaluri ‘’

This should mitigate the problem while you actually configure your server. Unfortunately it’s just part of the way Autodiscovery works, and personally I’d rather it was this way round, rather than having to remember to enable the SCP record at some point. Because knowing me, I’d forget.

You could also mitigate this problem by following the guidance on my blog post about Autodiscover optimisation and disabling SCP lookups temporarily for your users. If you are going to be using Hybrid in the future, this may be desirable anyway.


Script to change Exchange internal URLs

All Exchange consultants will have been through this situation at least once now; a customer is using a split namespace in their Exchange environment with a .local name internally, and due to the new requirements for purchasing SAN certificates, they can no longer purchase certificates with a .local name on them. One way of remedying this is to change all the Exchange internal URLs to use the public name, and add in an internal DNS zone and record to point the public name at the Exchange environment.

Changing the URLs for multiple virtual directories and servers can be a pain. There are many scripts like this out there on the internet, but I frankenstein’ed this one to fit the needs I had. I wanted it to prompt for the server name, public FQDN and autodiscover FQDN and then change the directories on that particular server to reflect the names I had entered. I also love simplicity, so I wanted the most simple script possible. If you wanted to change this to do the external URL’s, then just do a find and replace internal with external! This script will work on Exchange 2010 and 2013.

Also, if you are using a wildcard certificate, be sure to run the below command to force the name match, otherwise you may get certificate errors on your clients!

Set-OutlookProvider -identity EXPR -certprincipalname msstd:*

Here is the script I use:

#get variables
write-host "Set Exchange 2010 Internal URLS" –Foregroundcolor Yellow
$urlpath = Read-Host "Type CAS Array FQDN starting with https://"
$autodpath = Read-Hosts "Type Autodiscover FQDN starting with https://"
$CASserver = Read-Host "Type internal server FQDN"
#change urls for all internal directories
Set-AutodiscoverVirtualDirectory -Identity "$CASserver\Autodiscover (default web site)" –internalurl “$autodpath/autodiscover/autodiscover.xml”
Set-ClientAccessServer –Identity "$CASserver" –AutodiscoverServiceInternalUri “$autodpath/autodiscover/autodiscover.xml”
Set-webservicesvirtualdirectory –Identity "$CASserver\EWS (default web site)" –internalurl “$urlpath/ews/exchange.asmx”
Set-oabvirtualdirectory –Identity "$CASserver\OAB (default web site)" –internalurl “$urlpath/oab”
Set-owavirtualdirectory –Identity "$CASserver\OWA (default web site)" –internalurl “$urlpath/owa”
Set-ecpvirtualdirectory –Identity "$CASserver\ECP (default web site)" –internalurl “$urlpath/ecp”
Set-ActiveSyncVirtualDirectory -Identity "$CASserver\Microsoft-Server-ActiveSync (default web site)" -InternalUrl "$urlpath/Microsoft-Server-ActiveSync"
#get commands to to doublecheck the config
get-AutodiscoverVirtualDirectory -Identity "$CASserver\Autodiscover (default web site)" | ft identity,internalurl
get-ClientAccessServer –Identity "$CASserver" | ft identity,AutodiscoverServiceInternalUri
get-webservicesvirtualdirectory "$CASserver\EWS (default web site)" | ft identity,internalurl
get-oabvirtualdirectory "$CASserver\OAB (default web site)" | ft identity,internalurl
get-owavirtualdirectory "$CASserver\OWA (default web site)" | ft identity,internalurl
get-ecpvirtualdirectory "$CASserver\ECP (default web site)" | ft identity,internalurl
get-ActiveSyncVirtualDirectory "$CASserver\Microsoft-Server-ActiveSync (default web site)" | ft identity,internalurl

Exchange 2013 Cumulative Update 8 now available

Exchange 2013 Logo

Exchange 2013 CU8 has been made available to the general public as of 17th March 2015. Along with the usual bug fixes, a few minor new features have been announced. From my point of view, the best new feature must be the automatic profile migration for Exchange Active Sync clients when being migrated to Office 365. This was the last piece in the puzzle of Office 365 migration as far as automatic reconfiguration goes, so I’m happy to see this included.

For a full list of updates and bug fixes, you can check out the Exchange Team Blog post at

Download link:

Thanks for reading 🙂

Exchange 2013 CU7 and more!

Today Microsoft have released a new slew of updates for On Premise Exchange environments!

There have been various hotfixes and scripts released to fix a multitude of sins in Exchange 2013 CU6, and Microsoft have rolled these hotfixes and more into their latest CU7 release. This update does require a Schema Update, so please run setup /prepareschema first. See for more information. Additionally there are some UM Language Packs for Exchange 2013 CU7 available.

In other news, the Exchange 2010 CU8 update has been recalled at the time of writing and is not available for download. This is because deployment of said update can lead to Outlook being unable to connect to Exchange :-/ If you have already installed, it is recommended that you rollback the update.

Lastly is the Exchange 2007 SP3 UR15 for all those retro Exchange nerds still running Exchange 2007. See KB here for information

Check out for the full rundown!

Exchange 2013 CU6 – Hybrid Configurations and Hardware Load Balancing…

Exchange 2013 CU6 was released at the end of August, and it’s fair to say it wasn’t Microsoft’s most elegant CU release ever. If you are already using a Hybrid Configuration, the following problems are faced after installation:

– You cannot use the On Premise Exchange Admin Center to create new Office 365 mailboxes, move mailboxes to Exchange Online, or create In-Place Archive mailboxes.

– You also cannot perform administration of Office 365 through the EAC, because when you click on the Office 365 management tab, it takes you to a marketing page for Office 365 rather than the 365 login page.

There has been a script released by Microsoft to fix this behaviour, which is available here:

It’s lucky that this script is available, because Microsoft made some changes to Exchange Online in the last few weeks. These changes mean that if you now attempt to create or manage a Hybrid Configuration in Exchange 2013 CU5 or older, you will see the following error:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites

Deserialization fails due to one SerializationException: 

Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType

This can be resolved by, you guessed it, upgrading to Exchange 2013 CU6. Just remember to run the script which I linked to above after installation!

Another problem which a colleague of mine witnessed a few days back was related to CU6 and CAS Load Balancing. If you use a hardware load balancer such as a Kemp or NetScaler, and you install CU6, you will need to make some configuration changes to your availability monitors. Application aware load balancers will monitor Exchange Server 2013 using the Default Web Site in IIS, and a design change has been made in CU6 which will cause the load balancer to mark the Exchange 2013 server as down.

If you attempt to access the Default Web Site of an Exchange 2013 CU6 CAS server, it will return a status 302 and redirect you to the OWA site. A load balancer will see this and mark the server as being down. To resolve this problem, configure your load balancer to monitor https://CASFQDN/protocol/healthcheck.htm. For example, to monitor OWA you would use https://CASFQDN/owa/healthcheck.htm. The KB for this issue is here:

Exchange Server 2013 CU6 has been a bit of a box of tricks so far, but if you are about to modify or create a Hybrid Configuration, then you MUST upgrade in order to be successful. Hopefully this article will help you in your quest for Hybrid greatness!

Exchange 2013 – File Share Witness on an Azure VM

My last TechEd session of the year was on Exchange 2013 HA and Site Resilience. This session came with an exciting announcement. As of January 1st 2015, Microsoft will support using an Azure IaaS VM as a File Share Witness for an on-premises DAG. This provides the ability for deployments with a 2 datacenter DAG solution to add a FSW in a 3rd datacenter, providing the ultimate in Site Resiliency for Exchange Database Availability Groups. It’s worth pointing out that this is not the same as a Cloud Witness in the new Windows Server Technical Preview. The Exchange team have not yet decided whether they will do the work to make sure the Cloud Witness feature will be supported in Exchange 2013. The high level steps for doing this will be as follows: – create Azure networking and establish VPN (if not already in place) – configure Azure VMs (directory server and file server) – configure Exchange 2013 to use Azure FSW This is exciting news and is sure to be a guaranteed hit for those with a DAG stretched over 2 datacenters as it allows Quorum to be maintained when a single Datacenter is lost.