Posted on 08-28-2015 11:07 AM
We're trying to roll out Office 2016, and we've been having a certificate issue when setting up Outlook 2016 for the first time. When it tries to connect, it's asking to trust a cert that has nothing to do with our Exchange server. Has anyone else experienced this? How did you resolve the issue?
Posted on 08-28-2015 12:47 PM
It's pretty common from what I've heard....
We have that issue here, because our old email server and/or ADFS uses a certificate with a hostname mismatch....
In our case, I added a section in my postinstall script that injects the certificate into the System Keychain and sets it as trusted.
Posted on 08-28-2015 01:26 PM
We have that too. Right now we just have users trust it manually, but I plan to install it and trust it via a config profile or something similar.
Posted on 08-28-2015 04:47 PM
Thanks @alexjdale and @kstrick
Looks like we may need to do something similar. It's just unfortunate, I wonder why this happens on 2016 and not on 2011.
Posted on 08-28-2015 06:47 PM
I see the same issue with my Office 365 Exchange accounts because Outlook is first checking autodiscover.talkingmoose.net, which has no certificate associated with it. I have no certificate for my top level domain.
My understanding is this has something to do with Outlook now using Apple's CFNetwork Framework instead of its own (as Outlook 2011 did). Not sure how or why, but that's what I was told.
Complain to your Microsoft Technical Account Manager. I've complained to my contacts at Microsoft but they don't seem to share my concern.
Posted on 08-31-2015 07:29 AM
What is the text when it asks to trust the cert?
@kstrick if you can share, what did you add in postinstall script to set the cert as trusted?
Posted on 08-31-2015 09:30 AM
If you had a certificate called "SOME_CERTIFICATE.cer" located in the folder "/tmp",
the code would look like this (assuming you had a hostname mismatch like I do):
/usr/bin/security -v add-trusted-cert -r trustAsRoot -e hostnameMismatch -d -k /Library/Keychains/System.keychain /tmp/SOME_CERTIFICATE.cer
If you were to run this command on its own, you would need a 'sudo' before it, but since I use it in a package postinstall script, it has elevated privileges.
Posted on 09-02-2015 10:11 AM
From an official KB from Microsoft with a fix:
This issue occurs in Outlook 2016 for Mac version 15.9 and later versions when Outlook performs an Autodiscover operation and tries to connect to a service endpoint whose expected name is not present on the server's Secure Sockets Layer (SSL) certificate.
Resolution (excluding the certificate-pushing method, a workaround instead of a solution):
Reissue a certificate that includes the domain name as the Subject Alternative Name. This enables you to resolve the issue for all Outlook for Mac clients without having to trust the certificate from each client individually.
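To check a certificate against the reissue advice quoted above, the following added example (not from the thread or from Microsoft's KB) lists which Autodiscover hostnames a certificate's SAN entries fail to cover. It assumes the two HTTPS names clients commonly try for a mailbox domain (the domain itself and autodiscover.<domain>); the function names and the example.com sample data are constructed for illustration.

```python
# Added example: find Autodiscover hostnames not covered by a certificate's
# Subject Alternative Name (dNSName) entries. Hostnames below are constructed.

def candidate_hosts(email):
    """Hostnames assumed to be tried over HTTPS for this mailbox's domain."""
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    return [domain, "autodiscover." + domain]

def san_matches(hostname, san):
    """Exact match, or '*' standing in for the whole left-most label only."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False  # a wildcard covers exactly one label, never the apex
    if san_labels[0] == "*":
        return len(san_labels) > 2 and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels

def uncovered_hosts(email, san_dns_names):
    """Return the candidate hosts that would produce a name-mismatch prompt."""
    return [
        host for host in candidate_hosts(email)
        if not any(san_matches(host, san) for san in san_dns_names)
    ]

if __name__ == "__main__":
    # Constructed SAN lists: a mail-only cert, a wildcard cert, a reissued cert.
    samples = {
        "mail-only": ["mail.example.com"],
        "wildcard": ["*.example.com"],
        "reissued": ["mail.example.com", "autodiscover.example.com", "example.com"],
    }
    for label, sans in samples.items():
        missing = uncovered_hosts("user@example.com", sans)
        print(f"{label}: missing SAN coverage for {missing or 'nothing'}")
```

The SAN list for a real certificate can be read from the "X509v3 Subject Alternative Name" section of `openssl x509 -in cert.cer -noout -text` output.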