Outlook safety popups on Alternate: Irritating however fixable

In each Alternate group, there comes a day when you should have customers complain about safety popups they’re getting on Outlook. Generally these are associated to the next:

  • Certificates invalid or expired.
  • Incorrect URLs set in Alternate.
  • Bindings not set to the brand new SSL certificates that was imported.
  • Certificates on load balancers like F5 or Kemp the place digital or bodily certificates additionally expired or are incorrectly assigned to a rule.
  • Inner CA certificates used and inflicting popups externally.
  • Free SSL certificates with a CA not trusted.

For probably the most half, Outlook safety popups trigger numerous consumer frustration, however they’re easy to repair. Generally new admins get overwhelmed in the actual world as a result of they are saying “it didn’t do this in my lab,” however that is how all of us study. Different occasions, we get busy and our SSL certificates expire and we overlook to resume them in time after which customers get popups due to the previous certificates.

Listed here are typical prompts and errors your customers would possibly get:

Outlook security popups

Outlook security popups

Outlook safety popups and misconfigured Alternate server

One other state of affairs is when IT admins build new Exchange servers and don’t configure them instantly. So, they arrive within the subsequent day with the helpdesk telephones going loopy as a result of the shoppers are trying on the new server but it surely has not been configured just like the previous servers or doesn’t have an SSL certificates imported but. The massive drawback is the load balancers. I’m additionally responsible of this one. Your safety division points you with a brand new certificates and also you go and replace all the things, reboot the servers however forgot the one place everybody connects to and that’s the F5 or Kemp load balancer or no matter machine you employ in your atmosphere. Now you’ve got the CIO asking you why you didn’t replace that one? It occurs.

One other widespread drawback is the usage of internal CAs that aren’t acknowledged on the Web so customers get Outlook safety popups or certificates warnings on Outlook on the Internet.

Bindings in IIS (Web Data Programs) additionally appear to be missed by IT admins. The default web site for Alternate on port 443 makes use of the SSL certificates and the backend web site on port 444 additionally makes use of the SSL cert. Should you renew the certificates or add a brand new one, it doesn’t all the time replace the bindings.

However all the things appears tremendous

There appears to be one other drawback floating round in the intervening time. I had a buyer who additionally had a grievance about popups and I’ve seen it on the boards a couple of occasions now. You go and test all the things, all of the URLs are set, the bindings in IIS are right. Servers are rebooted from begin to end however but your end-users say they’re getting Outlook safety popups. You test the Offline Deal with E-book (OAB) to ensure that is right or in case you have legacy public folder databases, however all the things there’s tremendous.

So, you go and test the permissions on the digital directories and alter all the things to NTLM, restart the server, and hope that it’s that, that may repair the errors, however nonetheless the Outlook safety popups happen. The command for reference to set Outlook wherever to make use of NTLM is as follows:

Set-OutlookAnywhere -ExternalHostname mail.area.com -InternalHostname mail.area.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

Repair: Allow OAuth

So, right here is the actual query: Is the under a repair or drawback with a mixture in code with Workplace 365 and on-premises Alternate? My consumer reported that after enabling OAuth, the errors and prompts listed above went away. OK, so how do you test if OAuth is enabled? First, run the command under to test:

Get-OrganizationConfig | fl *oauth*

As you possibly can see, you might be checking the group config so this alteration is systemwide. When you run the command it can most definitely be set to false. The setting you might be in search of is as per under:


To allow this setting, that you must run the next command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

This now units the ClientProfile to Enabled. You’ll need to both do an IISReset or reboot the server for the adjustments to take impact and look forward to replication. As I discussed, doing this could imply the errors and safety prompts listed above ought to be gone.

Outlook safety popups: Issues with Alternate 2010 with Alternate 2016

One ultimate drawback that you just would possibly face earlier than you set that is if you’re working in coexistence with Alternate 2010 and Alternate 2016 and the connection from Alternate 2016 to Alternate 2010 shouldn’t be proxied throughout. Should you do run throughout this subject, it may be that that you must log it with Microsoft as this may be occurring on sure cumulative updates (CU) on Alternate 2016 or with a mix of Alternate 2010 SP3 and Alternate 2016. Solely they may be capable of advise on this. This doesn’t appear to have an effect on everybody. I’ve a coexistence working in my Azure lab and I can’t produce the identical error, however when working Fiddler towards my connection to my consumer that was affected, I might see the 401 errors occurring, which didn’t make sense.

Featured picture: Shutterstock

Submit Views:

Learn Subsequent

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *