Office 2016 certificate prompts

ocla__09
Contributor

We get sporadic prompts form Office 2016 with regards to cert validation. See attached for an example4d8128ed75e04e2a9a28c687c2a4b717

Does anyone know of a good way to suppress these prompts? Trying to determine if this is an issue with the cert back end or something I can control on the client. the clients have a root cert installed on them. I have seen them come up for webmail, as well as individual Exchange servers. You can click always allow and authenticate, but it is still something i would like to avoid for our users.

I see the hostname mismatch error in the prompt, however in the always trust line above the domain names are the same.

10 REPLIES 10

andrew_nicholas
Valued Contributor

This may be an AutoDiscover issue. This is the Technet article from MS about how AutoDiscover works with Office 2016. Since there is a hostname mismatch, there might be some sort of domain forwarding causing this. A wild card cert would probably be a decent solution.

ocla__09
Contributor

Thanks @andrew.nicholas not sure I am going to get any help from our Exchange admins. Do you know if there is a way to suppress these cert prompts?

andrew_nicholas
Valued Contributor

The best solution would be to drop the compliance hammer down on the Exchange admins and drag in your InfoSec, but barring that you could probably just package up the cert in question and deploy it the same way you do your root trust cert with the security command:

security add-trusted-cert -d -r trustRoot -k "SystemKeyChainLocation" "PathToCertFile"

Just out of curiosity, is it that the "Always Trust" site and the "connecting to" site share the same top level domain, but the "Always Trust" is actually a subdomain of the "connecting to"?

ocla__09
Contributor

Thanks again @andrew.nicholas . I finally got buy in from the exchange team to investigate where these cert prompts are coming from.

Do you or anyone else know how to also suppress the autodiscovery redirect prompt that comes up? Looks like there is a reg key change for Windows where you can enter the autodiscovery server. but so far all I have found for Mac is Click "Always use my response for this server" then click "Allow". Not quite ideal :)
90a1cf41e7524dd48273eccfad30d13d

andrew_nicholas
Valued Contributor

When does this prompt occur?

ocla__09
Contributor

Seems to be the first time Outlook talks to autodiscover. I found this online:
*If the mail client has changed networks, such as when a laptop moves from inside the company network to the Internet, then users will be prompted about the change and asked to confirm that they would like to change servers. For example, Outlook for Mac users will receive the message:

Outlook was redirected to the server autodiscover.talkingmoose.pvt to get new settings for your account Talking Moose. Do you want to allow this server to configure your settings?

Click Allow only if you fully trust the source, or if your Exchange Administrator instructs you to do so.
*
http://www.officeformachelp.com/outlook/exchange/autodiscover/

rl2k05
New Contributor

This should be fixed in the latests update. 15.27.1 crippled some of our folks and we had the back down the version to 15.26.

ocla__09
Contributor

Thanks Rob, are you referring to the cert prompts or the autodiscover prompt?

ocla__09
Contributor

@andrew.nicholas any experience with the autodiscover prompt or as far as you know is this just a matter of the user having to click "always use this response" and "allow"?

Thanks

andrew_nicholas
Valued Contributor

I've only seen that message sparingly and I believe it's usually been because a mailbox was migrated for one reason or another. Is the autodiscover the same domain as your email?