Help

Office 2016 and Certificates

lstrm
New Contributor II

Posted on ‎08-28-2015 11:07 AM

Hi all,

We're trying to roll out Office 2016, and we've been having a certificate issue when setting up Outlook 2016 for the first time. When it tries to connect, it's asking to trust a cert that has nothing to do with our exchange server. Has anyone else experienced this? How did you resolve the issue?

0 Kudos
9 REPLIES 9

kstrick
Contributor III

Posted on ‎08-28-2015 12:47 PM

It's pretty common from what i've heard....

We have that issue here, because our old email server and/or ADFS uses a certificate with a hostname mismatch....
In our case, I added a section in my postinstall script that injects the certificate into the System Keychain and sets it as trusted.

0 Kudos

alexjdale
Valued Contributor III

Posted on ‎08-28-2015 01:26 PM

We have that too. Right now we just have users trust it manually, but I plan to install it and trust it via a config profile or something similar.

0 Kudos

lstrm
New Contributor II

Posted on ‎08-28-2015 04:47 PM

Thanks @alexjdale and @kstrick

Looks like we may need to do something similar. It's just unfortunate, I wonder why this happens on 2016 and not on 2011.

0 Kudos

talkingmoose
Moderator
Moderator

Posted on ‎08-28-2015 06:47 PM

I see the same issue with my Office 365 Exchange accounts because Outlook is first checking autodiscover.talkingmoose.net, which has no certificate associated with it. I have no certificate for my top level domain.

My understanding is this has something to do with Outlook now using Apple's CFNetwork Framework instead of its own (as Outlook 2011 did). Not sure how or why, but that's what I was told.

Complain to your Microsoft Technical Account Manager. I've complained to my contacts at Microsoft but they don't see to share my concern.

SeanA
Contributor III

Posted on ‎08-31-2015 07:29 AM

what is the text when it asks to trust the cert?

@kstrick if you can share, what did you add in postinstall script to set the cert as trusted?

0 Kudos

kstrick
Contributor III

Posted on ‎08-31-2015 09:30 AM

@SeanA , if you had a certificate called "SOME_CERTIFICATE.cer" located in the folder "/tmp",
the code would look like this (assuming you had a hosname mismatch like i do) 

/usr/bin/security -v add-trusted-cert -r trustAsRoot -e hostnameMismatch -d -k /Library/Keychains/System.keychain /tmp/SOME_CERTIFICATE.cer

If you were to do this command on it's own, you would need a 'sudo' before it, but since I use it in a package post install script, it has elevated privileges

0 Kudos

bentoms
Release Candidate Programs Tester

Posted on ‎08-31-2015 10:11 PM

@kstrick & @SeanA why not deploy the cert via a profile?

0 Kudos

kstrick
Contributor III

Posted on ‎09-01-2015 09:22 AM

@bentoms why not indeed? I guess i could do that too.

0 Kudos

gotshallmaxon
New Contributor II

Posted on ‎09-02-2015 10:11 AM

From an official KB from Microsoft with a fix:

Cause

This issue occurs in Outlook 2016 for Mac version 15.9 and later versions when Outlook performs an Autodiscover operation and tries to connect to a service endpoint whose expected name is not present on the server's Secure Sockets Layer (SSL) certificate.

Resolution (excluded pushing certificate method, a workaround instead of a solution)

Reissue a certificate that includes the domain name as the Subject Alternative Name. This enables you to resolve the issue for all Outlook for Mac clients without having to trust the certificate from each client individually.