Exchange 2013 installation and annoying Outlook certificate Security Alert

I know, I know….why am I blabbering on about an Exchange version which is 3 years old?! The answer is because I still install it all the time, mainly for the purposes of Exchange Hybrid deployments. And this is probably old news to most of you, but if you didn’t know, Exchange 2013 can be particularly annoying when you first install it.

Once the install is completed, an SCP record is registered in Active Directory for your shiny new server (which still has all of its out of the box settings). If you faff around at all after the installation has completed, drinking tea and making merry at the water cooler, you will find that your users start moaning at you about the certificate errors they are receiving.

Outlook Certificate Error

This is because your new server has, without your consent, started merrily responding to Autodiscover and EWS requests made through Active Directory. This new server doesn’t have your public certificate installed, and also is using internal server names for it’s URLs.

What you need to do on Exchange 2013 to get around this is:

  • Install your trusted 3rd party SAN/wildcard certificate and assign it to the IIS service. Restart IIS
  • Configure, as a minimum, the Autodiscover, EWS and OAB Internal URLs to reflect your Exchange namespace
    • set-webservicesvirtualdirectory -identity ‘Servername\EWS (default web site)’ -internalurl ‘https://namespace.domain.com/ews/exchange.asmx’
    • set-oabvirtualdirectory -identity ‘Servername\OAB (default web site)’ -internalurl ‘https://namespace.domain.com/OAB’
    • set-clientaccessserver -server servername -autodiscoverserviceinternaluri ‘https://autodiscover.domain.com/autodiscover/autodiscover.xml’

This should mitigate the problem while you actually configure your server. Unfortunately it’s just part of the way Autodiscovery works, and personally I’d rather it was this way round, rather than having to remember to enable the SCP record at some point. Because knowing me, I’d forget.

You could also mitigate this problem by following the guidance on my blog post about Autodiscover optimisation and disabling SCP lookups temporarily for your users. If you are going to be using Hybrid in the future, this may be desirable anyway.

 

Advertisements

Office 365 – Outlook Profiles in a Cutover Migration

One of the drawbacks of performing a cutover migration from an On Premise Exchange environment to Office 365 is that Outlook profiles must be recreated to connect to the Office 365 servers. If done manually on every single workstation in your company, this could be a very time consuming process as you would have to create a new profile, set it as the default and configure it for the user.

One way of automating some of this process is to use Group Policy to run a script to create a new, blank Outlook profile and set it as the default profile. The user will then be presented with the first time profile setup screen when opening Outlook and should be able to use Autodiscover to automagically find their new Office 365 profile settings:

Outlook New Profile SetupOutlook Configure Profile

Outlook Profile Complete

To create the batch file required to do this, copy and paste the following text into a file and save it as a .bat file:

For Office 2010:

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\O365"
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile /t REG_SZ /d "O365" /F
reg add "HKCU\Software\Microsoft\Exchange\Client\Options" /v PickLogonProfile /t REG_DWORD /d "0" /f

For Office 2013:

reg add HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\O365
reg add "HKCU\Software\Microsoft\Office\15.0\Outlook" /v DefaultProfile /t REG_SZ /d "O365" /F

The script will create a new profile called O365 and set it as the default profile. Create a new Group Policy object to run the .bat file in Group Policy Preferences. You can safely leave the GPO in place for a few days to allow for people who may not be in the office for your go live day as it will not overwrite or remove existing profiles.

When this process in used in conjunction with the Group Policy for controlling Autodiscover (http://doubledit.co.uk/2014/10/21/controlling-autodiscovery-using-group-policy/) you can have a 80% automated cutover migration which should be smooth sailing for yourself and your users!

Thanks to my colleague Kevin for sharing his experiences and allowing me to blog about this.