An experienced network engineer I know recently showed me an issue where an Outlook / Exchange user was receiving an error from Outlook indicating an issue with the SSL Certificate, despite all the settings being correct. What was odd was that at first appearance the SSL certificate had the wrong name, using one in the format of IOS-Self-Signed-Certificate-123456.
Looking at the error, I immediately knew the cause – but not because I am any sort of Outlook support ninja – because I am fairly familiar with the connection mechanism used by Outlook and because I’d had similar issues myself.
What’s the Problem Then?
Basically this is a DNS issue, not an Outlook or Exchange issue. A user here (see last comment) reported solving this by fixing typos in his DNS settings, but in reality 99% of the time it is caused by users connecting to a device outside their office, such as a wireless hotspot router or guest WiFi system, that captures all DNS requests and directs them to itself.
Most hotspots or guest WiFi installations require users to log in, or at the very least accept the provider’s terms and conditions, before continuing. To enforce this, the system captures all DNS requests and directs them to itself, displaying the login/terms and conditions page until the user has done what is required of them.
This is fine if the user is browsing the internet. But if they connect to the WiFi and go straight to Outlook without opening a browser, then as far as Outlook is concerned both the server address and the autodiscover addresses it looks for resolve to the IP address of the router. Outlook dutifully fetches the SSL certificate from there, then raises an error because the name on the certificate does not match the server address.
What’s the Solution Then?
Simply have your users log in to the hotspot with a browser before opening Outlook. If they are not on a hotspot and are located on the corporate network (the same network as the Exchange server), then start diagnosing DNS and connectivity to Exchange with Ping and Telnet.
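To make the DNS check concrete, here is a small triage script. It is an added example, not something from the original troubleshooting session. The canary name, the verdict labels and the hostnames passed in are assumptions; the certificate name is the one shown in the Outlook warning.

```python
import ipaddress
import re
import socket

# Certificate name format quoted in the article (Cisco IOS auto-generated certificate).
IOS_SELF_SIGNED = re.compile(r"^IOS-Self-Signed-Certificate-\d+$", re.IGNORECASE)
# ".invalid" is a reserved TLD (RFC 6761); an honest resolver never answers for it.
CANARY = "captive-portal-check.invalid"  # hypothetical name chosen for this example


def resolve(name):
    """Addresses the local resolver returns for name (empty set on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 443, type=socket.SOCK_STREAM)}
    except socket.gaierror:
        return set()


def diagnose(mail_host, domain, cert_name, resolver=resolve):
    """Return (verdict, reasons) for an Outlook certificate-name warning."""
    mail = resolver(mail_host)
    auto = resolver("autodiscover." + domain)
    canary = resolver(CANARY)
    if canary:
        # Something answered for a name that cannot exist: DNS is being captured.
        reasons = [f"{CANARY} resolved to {sorted(canary)}"]
        if mail and mail == auto == canary:
            reasons.append("server, autodiscover and canary all resolve to the same address")
        if any(ipaddress.ip_address(a).is_private for a in mail & canary):
            reasons.append("that address is private, typical of a local gateway")
        if IOS_SELF_SIGNED.match(cert_name):
            reasons.append("certificate is a Cisco IOS self-signed certificate")
        return "captive-portal", reasons
    if not mail:
        return "dns-failure", [f"{mail_host} does not resolve"]
    if IOS_SELF_SIGNED.match(cert_name):
        return "cisco-device", ["DNS looks honest, but a Cisco IOS device answered on 443"]
    # Exact comparison only; wildcard and SAN matching are left out of this sketch.
    if cert_name.lower() != mail_host.lower():
        return "name-mismatch", [f"certificate says {cert_name!r}, expected {mail_host!r}"]
    return "ok", []


if __name__ == "__main__":
    # Constructed sample values; replace with the real server, domain and warning text.
    print(diagnose("mail.example.com", "example.com", "IOS-Self-Signed-Certificate-123456"))
```

A "captive-portal" verdict means the user should open a browser and complete the hotspot login first; the other verdicts point at real DNS or connectivity problems.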
What’s this Got To Do With Apple or My iPhone?
Nothing – I’ve seen a few people think that because of the mention of IOS in the SSL certificate name that this certificate was coming from a mobile Apple device (iPhone, iPad, etc.) but Cisco routers run on an operating system also called IOS!