New behavior in Outlook 2013 causing certificate errors in some environments


I originally discovered this issue back in early Feb & let a couple people on the Exchange Product Team know about it via the TAP but it seems to be affecting more customers than initially thought so I thought I’d share.

In Outlook 2007 through Outlook 2010 all domain-joined Outlook clients would initially query Active Directory for AutoDiscover information & ultimately find a Service Connection Point (SCP) value that would point them to their nearest Client Access Server’s AutoDiscover virtual directory. If that failed then they would revert to using DNS like any non-domain-joined Outlook client. The order of this non-domain-joined lookup is as follows:

Local XML File (looking for a redirect website)

SCP AutoDiscover Record

Why it ever looked to I’ll never really know because honestly I’ve never come across a customer who had it deployed that way; most have but I imagine when Exchange 2007 was first being developed they weren’t exactly sure how customers would be implementing AutoDiscover.


The above methods have served us well since Exchange 2007 timeframe but for some reason the Outlook team decided to try & implement some giddyup into Outlook & try to speed up the process. They decided to have domain-joined Outlook 2013 clients query both the SCP values in AD as well as the DNS records at the same time. If an SCP record was found it would still be used but in the event it failed then it would already have the DNS response ready to go. Great idea, however there’s one problem in the implementation.

If Outlook 2013 encounters any kind of Certificate error while doing the simultaneous DNS query then you will receive a pop-up in Outlook about the cert.

I actually stumbled upon this while in the middle of the scenario below:


That’s right, I actually get a certificate pop-up for my lab’s domain name ( & not like one would expect if I were to have a certificate issue on Exchange.

When Outlook 2013 does it’s simultaneous DNS AutoDiscover query the first URL it tries is, which in my lab environment resolved to my Domain Controller, which was also serving DNS, as well as a Certificate Authority. resolved to this server because it’s my internal Active Directory domain name & the name server entry resolves to my DC (just ping internaldomainname.local in your AD lab environment & you’ll see the same thing).

Now because I have web enrollment enabled & am listening on 443 in IIS the server responded. Also, because I did not have a cert installed on the server with in the Subject or Subject Alternative Name then it gave the certificate error we see above.


The error is easy enough to get through & it only occurred on initial profile creation but this can definitely prove painful for some customers. Obviously my lab environment is a corner case but there have been several other customers report this issue with Outlook 2013 as well.

Here’s an example scenario.

Imagine you have a public website for hosted by a third-party hosting site & you did not pay for HTTPS/443 services. However if you were to query the website using https then it could respond & obviously not return a certificate with on it (because you haven’t paid for it you cheapskate…). Now imagine you begin deploying users using Outlook 2013 in your internal environment. In the past, they would have found the SCP record that would have pointed them to your internal Exchange 07/10/13 server for AutoDiscover & would have been happy as a clam (one Exchange Product Manager’s favorite way to describe Exchange bliss). However, now they may get a certificate pop-up for when creating a new profile.

There are a couple ways around this. Make sure doesn’t listen on 443, or possibly get a proper cert on your website that is listening on 443. Simply put, just make sure whatever resolves to is something that’s not going to throw a certificate error.

I’ve heard nothing concrete or public but the Outlook team is aware of the issue & listening to customer feedback. I suggest contacting Microsoft Support if your organization is running into this issue.


Also, this KB offers methods to control which AutoDiscover methods are used by your Outlook clients



17 thoughts on “New behavior in Outlook 2013 causing certificate errors in some environments

      • I thought the same, but our on-site Microsoft guy had a look at the internal bug report and said that the root cause of both issues is the wrong behavior of the autodiscover which will be fixed in the next CU. Let’s see …

        Unfortunately, I could not confirm the issue yet as our root domain website does not reply at all.

        Anyway great the found it out 🙂

  1. Pingback: NeWay Technologies – Weekly Newsletter #42 – May 9, 2013 | NeWay

  2. I just ran into this problem when our 3rd party hosted website ssl certificate expired. Outlook autodiscover is finding this certificate at the root domain name and giving users a popup. The website has nothing to do with the exchange cas server and it’s ssl certificate. For now, we asked the 3rd party web hosting company to renew their ssl.

    • The issue/behavior should have been resolved in the latest Outlook update. If it’s still happening it might be another issue like internal/externalURL or cert naming issue. Possibly even a load balancer in the environment.

      • Our outlook clients giving certificate error related to VMware when I click View Certificate. Pop up windows says 1) Security certificate was issued by a company not chosen to trust 2) Name of the certificate is invalid.

        I checked through SSL checker and its all valid. Please advise what can be done on this ?


  3. Pingback: Dave Stork's IMHO : Optimizing the Outlook AutoDiscover process by skipping the root domain query

  4. Pingback: Optimizing the Outlook AutoDiscover process by skipping the root domain query | Dave Stork's IMHO

  5. Pingback: Outlook Anywhere Error Certificate -

  6. thanks for you post. I recently stating seeing this issue after migration to 2013. Do you know if there is a way to turn off root domain lookup at a server level?

    I can change the behavior for Outlook clients using a GPO, but I have seen this with non domain joined clients and mobile devices where they are going to our load balancer for the company website.

  7. Pingback: Optimizing the Outlook AutoDiscover process by skipping the root domain query » Dave Stork's IMHO

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s