Domain Controller Authentication Certificate - Outlook Security Alert - The Name on the security certificate is invalid or does not match the name of the site

  • Question

  • Dear All,

    Need your advice on the below,

    Facing a Security alert when opening Outlook saying the Security Certificate invalid or does not exist.

    The Popup Says, domain.local - Security Certificate invalid or does not exist

    On the CA, found its thumbprint and serial number matching the Domain Controller Authentication certificate,

    My DC2 is also CA.

    Issued to : DC2.domain.local

    Issued By : company-DC02-CA

    Subjective alternative name : DNS Name = DC02.company.local

    From my assumption, Outlook is looking to resolve the company.local certificate, but the certificate for Domain Controller Authentication resolves DNS Name - DC02.company.local in Subject Name Alternative.

    Is there any way we can safely add company.local in the SAN, or a better way to solve this certificate alert while opening Outlook?

    Thursday, June 13, 2019 5:37 AM

All replies

  • The best way is to add the certificate to trusted root certificates on client machines via GPO

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

    Thursday, June 13, 2019 5:57 AM
  • Hello,

    Thank you for posting in our TechNet forum.

    To better understand our question, please confirm the following information:

    1. According to "Issued By : company-DC02-CA", is our CA name company-DC02-CA?

    2. According to "Issued to : DC2.domain.local", is DC2.domain.local the DC2 certificate issued by CA (company-DC02-CA)?

    3. What is "Subjective alternative name : DNS Name = DC02.company.local", is it the outlook certificate for all clients?

    4. What is our domain name? company.local or domain.local?

    5. What is this Security certificate?



    Check if all the users face a security alert when opening their Outlook.




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 14, 2019 4:10 AM
    Moderator
  • 1. Never install an issuing CA on a DC

    2. Use the Kerberos Authentication template (as it includes the domain DNS and NetBIOS name in the SAN listing)

    3. Did I mention, never ever install a CA on a DC

    brian 

    Friday, June 14, 2019 4:46 AM
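
The name check behind the alert, as an added example that is not part of any post in this thread: a client compares the name it connected to against the certificate's SAN dNSName entries. It assumes, as the original poster does, that Outlook is connecting to the domain name company.local; the SAN lists are constructed from the names quoted in the thread (the NetBIOS name `COMPANY` is a placeholder), and the wildcard handling goes beyond the case discussed here.

```python
# Added example: SAN dNSName matching in the style of RFC 6125.
# Not Outlook's or Windows' own code; function names are illustrative.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(requested, san_entry):
    """True if one SAN dNSName entry covers the requested host name."""
    req, san = _labels(requested), _labels(san_entry)
    if len(req) != len(san):
        return False
    if san[0] == "*" and len(san) > 2:
        # This sketch accepts a wildcard only as the whole left-most label,
        # with at least two labels after it; it covers exactly one label.
        return req[1:] == san[1:]
    return req == san

def check_certificate(requested, san_dns_names):
    """Return (ok, reason), mirroring the client's decision to raise an alert."""
    for entry in san_dns_names:
        if dns_name_matches(requested, entry):
            return True, f"{requested} matched SAN entry {entry}"
    return False, f"{requested} not covered by SAN {san_dns_names}: name mismatch"

# Constructed SAN lists based on the names quoted in the thread.
# Domain Controller Authentication template: only the DC's own FQDN.
DC_AUTH_SAN = ["DC02.company.local"]
# Kerberos Authentication template: FQDN plus domain DNS and NetBIOS names
# (NetBIOS value is a placeholder).
KERBEROS_AUTH_SAN = ["DC02.company.local", "company.local", "COMPANY"]

if __name__ == "__main__":
    templates = (("Domain Controller Authentication", DC_AUTH_SAN),
                 ("Kerberos Authentication", KERBEROS_AUTH_SAN))
    for label, san in templates:
        for host in ("company.local", "dc02.company.local"):
            ok, reason = check_certificate(host, san)
            print(f"[{label}] {'OK   ' if ok else 'ALERT'} {reason}")
```
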
  • Hi,
    Has this question had any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?




    Best Regards,
    Daisy Zhou


    Monday, June 17, 2019 8:44 AM
    Moderator
  • Sorry for the late response

    1. According to "Issued By : company-DC02-CA", is our CA name company-DC02-CA?

    CA Common Name (company-dc02-CA) issued the certificate to DC02; it's also a CA and DC

    3. What is "Subjective alternative name : DNS Name = DC02.company.local", is it the outlook certificate for all clients?

    This certificate is the Domain Controller Authentication certificate. This certificate's SAN does not contain the DNS name of domain.local

    4. What is our domain name? company.local or domain.local?

    company.local

    5. What is this Security certificate?

    Domain Controller Authentication certificate

    Seems our CA was Server 2003 compatible and it does not use Kerberos Authentication. I read somewhere the Kerberos template has SAN for domain.local dc.local in the certificate. Since we upgraded from Outlook 2010 to 2016, it started coming more frequently


    Monday, June 17, 2019 10:09 AM
  • Thank you
    Monday, June 17, 2019 10:10 AM
  • Hi,
    1. What is the name of domain.local?

    2. Would you please show us the FQDN of DC2 and DC02?


    3. Is DC02 a domain controller?

    4. What is the role of DC02?



    Best Regards,
    Daisy Zhou


    Tuesday, June 18, 2019 9:36 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Thursday, June 20, 2019 10:21 AM
    Moderator