During an install that I recently did I ran into an issue where all the outlook clients were getting SSL pop up messages that looked like this:
From the message you are able to see that the name of the certificate does not match the server name. So I logged into the Exchange Admin Center and looked under Servers > Virtual Directories and checked each of the Virtual Directories listed. As this was my first 2016 installation I discovered that there was a virtual directory for mapi. So from the web interface I changed the internal url to match the name of the certificate "https://Mail.Domain.com/mapi" and restarted IIS. After that I go and try and configure an outlook client and good news I no longer get the SSL Error, but now I am unable to authenticate to the mailbox!!!
After playing around with it for a while I discovered that changing the name back did not fix the issue so I was forced to do a rebuild on the virtual directory and that took me back to square 1.
After hours of searching online for an answer I found this powershell command that worked
Set-mapivirtualdirectory -identity "[SERVERNAME]\mapi (default Web Site)" -internalurl https://Mail.DOMAIN.com/mapi
After doing this command I restarted IIS again and the clients are now able to connect without issue.
UPDATE on this issue:
I would appear that do to a misconfiguration in the client's internal DNS their Autodiscover.domain.local was a A record and not a CNAME which it appears that outlook autodiscover does not like. So I changed the record to a CNAME by deleting the A record and recreating it. Then I went to a local machine and did a IPCONFIG /FLUSHDNS and then restarted outlook and that seems to have fixed the issue.
