When you start Microsoft Office Outlook 2007, you receive the following security warning:
The security certificate was issued by a company you have not chosen to trust.
Additionally, the name of a Microsoft Exchange Server 2010 server that hosts the Client Access Server role is listed in the dialog box. The following illustration is an example of this security warning.
When you click View Certificate and then select the Certification Path tab, the CA Root certificate is shown as not trusted. This is because the certificate is not in the Trusted Root Certification Authorities store on the client. Also, the name of the Exchange 2010 server that hosts the Client Access Server role is listed on the Certification Path tab. The following illustration displays the information that you might find on the Certification Path tab.
You do not expect this security warning because your Outlook client is a domain-joined workstation, and you are connecting to Exchange over an internal network.
This problem occurs if all the following conditions are true:
This problem occurs because the Microsoft Exchange Server 2007 server that hosts the Client Access Server role redirects the Autodiscover request that is issued by Outlook. The redirection that the Exchange 2007 server issues references the Exchange 2010 server that hosts the Client Access Server role. Because the Exchange 2010 server is using a self-signed certificate, Outlook cannot trust the certificate when the redirection occurs.
To resolve this problem, you must install a certificate that is not a self-signed certificate on the Exchange 2010 server that hosts the Client Access Server role. This certificate can be either one that a Certification Authority server in your organization issues or one that a third-party certification authority issues.
If you cannot install a certificate that is not self-signed on the Exchange 2010 server, you can use the following workaround on workstations on which Outlook is installed. These steps install the self-signed certificate from the Exchange 2010 server into the Trusted Root Certification Authorities store on the workstation. To do this, follow these steps:
After you install the certificate by using this procedure, you can confirm that the certificate is installed correctly on the client. To do this, follow these steps:
How to tell whether you are using a self-signed certificate
To determine whether you are using a self-signed certificate on the Exchange 2010 server that hosts the Client Access Server role, follow these steps:
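The following PowerShell function is an added example, not part of the original article. Run from an Outlook workstation, it reports whether the certificate that a Client Access server presents is self-signed and whether it chains to a root that the workstation trusts. The function name Get-CasCertificateTrust and the host name in the usage comment are hypothetical, and revocation checking is deliberately skipped.

```powershell
# Added example. Run from the Outlook workstation; uses only .NET classes.
function Get-CasCertificateTrust {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ServerName, $Port)
        # Accept whatever certificate is presented so that it can be inspected;
        # no credentials or data are sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not checked: the question is only whether the chain
    # ends in a root that this workstation trusts.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($cert)

    # Self-signed test used here: subject and issuer names are byte-identical.
    $subject = [Convert]::ToBase64String($cert.SubjectName.RawData)
    $issuer  = [Convert]::ToBase64String($cert.IssuerName.RawData)

    # Is this exact certificate already in a Trusted Root store on the client?
    $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = ($subject -ceq $issuer)
        InTrustedRoot = $inRoot
        ChainTrusted  = $chainTrusted
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}
# Usage (placeholder host name):
#   Get-CasCertificateTrust -ServerName 'cas2010.contoso.example'
```

A result with SelfSigned = True and ChainTrusted = False (ChainStatus UntrustedRoot) matches the condition that this article describes. After the workaround is applied, InTrustedRoot and ChainTrusted should both be True.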
Why the redirection occurs
Exactly as in Exchange 2007, when more than one Client Access server is installed, the Exchange setup creates an Autodiscover Service Connection Point (SCP) record in Active Directory Domain Services (AD DS) for each Client Access server. When a domain-connected client connects to AD DS, the Outlook client (Outlook 2007 or a later version) authenticates to AD DS and then tries to locate the Autodiscover SCP objects that were created during the Exchange setup. After the client obtains the instances of the Autodiscover service, the client connects to the first Client Access server in the list that is enumerated and sorted, and then the client obtains the Autodiscover information from that Client Access server.
In an environment where Exchange 2010 and Exchange 2007 are both present, the Outlook client uses the first SCP in the list (probably Exchange 2007) to contact the Autodiscover service. Even new clients, and users who log on to their Exchange 2010 mailbox for the first time, use the Exchange 2007 SCP record because it is usually the first record in the list of SCP records.
Depending on the Exchange version for the user’s mailbox, the Exchange 2007 Client Access server may redirect the request in the following scenarios:
For more information about the Autodiscover service for Exchange 2007, please see the following articles.
White Paper: Exchange 2007 Autodiscover Service
Understanding the Autodiscover Service