I got a mail the other day from a colleague requesting assistance on behalf of a partner around an Office 365 certificate error in Outlook.
The scenario was that a certificate expired – I’m not sure what certificate they referred to, so I assumed the ADFS/TLS certificate. They renewed the certificate, but Outlook clients were still popping up with a certificate validation error.
The first thing you need to understand with this is that you don't manage the certificates for Exchange in Office 365 for your Outlook Anywhere connections. Microsoft manages this on the Office 365 backend. You will only manage your ADFS and TLS certificates from your side.
I did some checks on the domain and noticed that they have an A record on the root domain that listens on 443 and 80 for their www site, like below:
This site had a web server certificate loaded which was expired (not the same certificate the guy was talking about initially).
So why is Outlook popping up with a certificate validation error from their website? Easy.
The Outlook Autodiscover process will first check the root domain for any Autodiscover service points – see here: http://technet.microsoft.com/en-us/library/cc539049.aspx
Outlook also runs Autodiscover at startup, refreshes as often as the TTL period specifies (usually 1 hour), and runs it again when it has network connectivity issues to a server.
Essentially the request finds that the root domain record is listening on 443, but the certificate presented there is expired. This results in certificate validation errors at the very first step of the Autodiscover process.
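To see this in practice, the following script (added here as an example, not something from the original post) reproduces the first step of the lookup: it builds the candidate endpoints in the order the TechNet article gives (root domain first, then the autodiscover host), connects to each with normal certificate verification, and reports why validation failed. The hostname `contoso.com`, the `warn_days` threshold and the sample certificate dictionaries are constructed assumptions; `ssl.cert_time_to_seconds` and `SSLCertVerificationError.verify_message` are standard-library features.

```python
"""
Probe the endpoints Outlook Autodiscover tries for an SMTP domain and
report the TLS certificate state at each one.  Example diagnostic, not
the original post's code; endpoint order follows the TechNet article
the post links to (root domain first, then autodiscover.<domain>).
"""
import socket
import ssl
import sys
import time
from typing import Optional


def autodiscover_candidates(smtp_domain: str) -> list:
    """HTTPS endpoints Outlook probes, root domain first, then the autodiscover host."""
    d = smtp_domain.strip().lower().rstrip(".")
    return [
        f"https://{d}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{d}/autodiscover/autodiscover.xml",
    ]


def certificate_status(not_after: str, now: Optional[float] = None, warn_days: int = 30) -> str:
    """Classify a cert by its 'notAfter' string (the ssl.getpeercert() format).

    Returns 'expired', 'expiring-soon' (inside warn_days) or 'valid'.
    """
    now = time.time() if now is None else now
    expiry = ssl.cert_time_to_seconds(not_after)  # parses e.g. 'Jun  1 12:00:00 2015 GMT' as UTC
    if expiry < now:
        return "expired"
    if expiry - now < warn_days * 86400:
        return "expiring-soon"
    return "valid"


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """True if the cert's SAN names the host: exact match, or a single
    left-most wildcard label (a www-only or *.domain cert does NOT cover the root)."""
    host = hostname.lower().rstrip(".")
    san_names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for name in san_names:
        if name == host:
            return True
        if (name.startswith("*.")
                and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def probe_endpoint(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect the way a client does (verification on) and report the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {
            "host": hostname,
            "verified": True,
            "not_after": cert["notAfter"],
            "status": certificate_status(cert["notAfter"]),
            "covers_host": cert_covers_host(cert, hostname),
        }
    except ssl.SSLCertVerificationError as exc:
        # verify_message says *why*: e.g. 'certificate has expired' or 'Hostname mismatch'
        return {"host": hostname, "verified": False, "error": exc.verify_message}
    except OSError as exc:
        # nothing listening on 443, DNS failure, timeout: Outlook simply moves on
        return {"host": hostname, "verified": False, "error": str(exc)}


def main(smtp_domain: str) -> None:
    for url in autodiscover_candidates(smtp_domain):
        host = url.split("/")[2]
        result = probe_endpoint(host)
        print(url)
        for key, value in result.items():
            print(f"    {key}: {value}")


if __name__ == "__main__":
    # usage: python autodiscover_probe.py contoso.com   (constructed example domain)
    main(sys.argv[1] if len(sys.argv) > 1 else "contoso.com")
```

A verified root-domain result with `status: expired` or an unverified one with `error: certificate has expired` is exactly the condition described above; `Hostname mismatch` on the root domain is the www-only certificate case.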
There are two ways to resolve this:
Happy Office 365’ing!!!
Michael
Very useful info. I'm just in the process of setting up a hybrid deployment and found that autodiscover broke due to our www certificate not being valid for the @ (root) domain record. Sounds like it's time to request another SAN cert :o)