Outlook desktop client error 'The security certificate has expired or is not yet valid.'


Folks,

I've recently renewed our organization's ADFS and Web Proxy SSL web certificate using a SAN certificate '*.domainname.com'. This procedure was used successfully in previous years with no issues or error messages. This year, the same procedure seemed to be successful. However, today on the day the previous certificate expired, we received the following error when logging into the Outlook desktop client:


---------------------------------

We do NOT get this message when logging into the Outlook WEB client or any other ADFS-enabled authentication (VPN, etc.). I've verified that the procedure used was correct and also redone the procedure to be sure it was done correctly and completely. No improvement or fix was found. The following certs were renewed using the new SAN SSL Certificate:
- ADFS SSL Certificate (New SAN SSL Cert)
- Service-Communication Certificate (New SAN SSL Cert)
- Web Application Proxy SSL Certificate (New SAN SSL Cert)

Unchanged Certificates:
- Token Decrypting (adfs.domainname.com)
- Token Signing (adfs.domainname.com)

One difference between last year's renewal and this year's renewal is that we implemented Multi-Factor Authentication during this past year. We use the DUO MFA service and this is incorporated into our Domain login, O365 login, VPN and other services. I am unable to find any articles or support pages on any possible way the DUO MFA service could be causing this error but I also can't find any other possible reason why this error message is occurring.

I'm looking for a root cause and potential fix for this issue. If anyone has any ideas or can point me in the right direction to determine the reason for this error and how to resolve it, I would be grateful.

Thanks.

0 Replies