A contact of mine at the Macintosh Business Unit (MacBU) of Microsoft has verified that they have reproduced a problem first seen in the release of SP1 for Office 2008 where a new certificate message may appear at start-up with no apparent means of disabling it.
Since the release of SP1, some Entourage users in Exchange environments have noticed a new dialog window at startup. The message states, “Unable to establish a secure connection to mydomain.com because the server name or IP address does not match the name or IP address on the server’s certificate.” The domain mydomain.com refers to the domain of the Exchange Server and not the Exchange Server itself.
This message is different from a similar certificate message displayed when an authoritative root certificate is not installed.

Repeated attempts to completely trust the server’s certificate as well as the root certificate do not mitigate the problem of the message displaying at every launch of Entourage.
For developers, reproducing a problem is 90% of the battle in troubleshooting and fixing it. However, MacBU cannot provide a timeline for a fix or say whether it will be included in the next update.










Hi,
We have a hosted exchange account with mail2web. We have our domain’s (say domain.com) MX record pointed to mail2web’s server, and created a CNAME for autodiscover.domain.com also pointed to the same mail2web IP address. I also have a fix for those who run their own web server (more at the end of my comment).
The Entourage configuration guide for mail2web states that our Exchange server address should be:
http...@domain.com
I have done a tcpdump of Entourage starting up, and it tries to connect to all these addresses:
ex7.mail2web.com (https/443)
autodiscover.domain.com (https/443)
domain.com (https/443)
http://www.domain.com (http/80)
What I don’t know is from where is Entourage getting the knowledge to connect to domain.com addresses. Is it assuming the last two words with a dot between them in the server address as being the domain? This would make sense if the Exchange address was https://ex7.mail2web.com only. Maybe the Exchange server is providing this information (I’m not that familiar with Exchange setup so I cannot say for sure).
Now for the fix: we had a wildcard SSL certificate for our web server, which would be valid for http://www.domain.com (or whatever.domain.com), but NOT for domain.com, the base domain. I found out that x509v3 supports Subject Alternative Names, which allow you to include domain.com as part of the wildcard *.domain.com certificate. Once the new certificate was installed on our web server, Entourage stopped complaining about SSL certificate errors. YMMV as not all SSL providers support SANs (Comodo for example does not).
Good luck with the fix!
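The name-matching rule behind the fix in the comment above, as an added example that is not part of the original post or its comments: a wildcard dNSName stands for exactly one left-most label, so `*.domain.com` does not cover `domain.com` until the base domain is listed as a Subject Alternative Name. The hostnames are the placeholders used in the comment; the function names are hypothetical.

```python
# Added example. Hostnames and SAN lists are constructed from the
# placeholder names in the comment above; nothing here touches the network.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname.

    Follows the usual RFC 6125 reading: '*' is honoured only as the whole
    left-most label and stands for exactly one label. Partial wildcards
    such as 'w*.domain.com' are treated as literals and never match.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # '*.domain.com' has 3 labels, 'domain.com' has 2: no match.
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def mismatches(hostnames, san_names):
    """Return the hostnames that no SAN entry on the certificate covers."""
    return [
        host for host in hostnames
        if not any(dns_name_matches(san, host) for san in san_names)
    ]


# Names under domain.com taken from the comment's trace (constructed input).
PROBED = ["autodiscover.domain.com", "domain.com", "www.domain.com"]

WILDCARD_ONLY = ["*.domain.com"]                # certificate before the fix
WILDCARD_PLUS_BASE = ["*.domain.com", "domain.com"]  # base domain added as SAN

if __name__ == "__main__":
    print("wildcard only      ->", mismatches(PROBED, WILDCARD_ONLY))
    print("wildcard + base SAN ->", mismatches(PROBED, WILDCARD_PLUS_BASE))
```

The same check explains why a wildcard does not cover deeper names either: `*.domain.com` fails against `a.b.domain.com` because the label counts differ.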
Hi Mike!
Thanks for the detailed instructions.
Since speaking with Microsoft the first time, they have identified two issues that can cause this problem. The first, they said, is the wrong name on a certificate. I’m not sure if your fix is a workaround or indeed something new that Exchange admins need to know. But not properly setting the name on the certificate is indeed a cause.
The second may actually be an Exchange Server bug and Entourage may be reporting the error correctly. (At least that’s what I gleaned from our conversation.)
Anyone who tries Mike’s fix and doesn’t get favorable results should know that a bug does indeed exist somewhere.
Hi William,
Thanks for your update.
Yes, this is correct. But the problem is that Entourage is connecting to the wrong domain. In my case, instead of just connecting to ex7.mail2web.com, it is also connecting to various combinations around domain.com, and since these are pointed to our own web server, Entourage encounters a certificate for *.domain.com when it checks domain.com. Unless a Subject Alternative Name is added to the certificate, the error will appear.
The fix from Microsoft’s side should be to stop Entourage from connecting to domain.com when it has no business doing so, as the whole Exchange service is hosted at ex7.mail2web.com (following my example) – or at least, ignoring certificate errors by giving us an option to do so in Preferences.
This could be, but my trace shows that the error appeared exactly at the time when Entourage tried to connect to domain.com. This of course doesn’t mean that under a different scenario, a bug in Exchange could cause the error to appear.
If you want to forward my email address to someone at Microsoft in case they want further feedback or any other information, feel free to do so.
We are also having this issue and therefore have not rolled out SP1. For us, the issue is also causing free/busy searches to fail. We have the communications certificate with multiple domains on it on our Exchange 2007 SP1 box. What is the best way to interface with the MacBU to work on this problem as we really need to move on a fix or at least more troubleshooting? Thanks to everyone on this site for a great job, there is a lot of great information here.
-John
We have just started receiving this error on our system. We believe after SP1 Entourage is checking for a valid certificate based on the user’s email addy.
Andre
Microsoft will have a fix in the next update (post SP1 bug, not the latter) as the bug has been identified and resolved.
In the meantime, you can add the search path to your cert in your Network PrefPane and the error will go away.
For example we have our exchange server as:
http://www.exchange.domain.com
But our ssl cert is at:
server.domain.com
Adding server.domain.com in the search path fixes our problem.
Joe,
That is interesting, but I think our certificate and domain searches are correct if I follow your discussion. We’re also moving domains, so we have twice the number of domains listed in the cert. Here is the order of our domains in the cert:
DNS Name=owa.domain.org
DNS Name=exchfe.ADdom.domain.org
DNS Name=webmail.domain.org
DNS Name=webmail.domain.place.state.us
DNS Name=owa.domain.place.state.us
Our DNS search paths when on our network are: ADdom.domain.org, domain.org, domain.place.state.us
If I understand your post correctly, this should work, however we are still getting the error.
Any info anyone can provide would be very much appreciated.
Thanks,
John
For a great explanation of what’s happening be sure to read Amir Haque’s blog post SSL Warning Issue in Entourage 2008. Amir is a Microsoft employee who focuses his blog on Entourage and Exchange Server interactivity.
Hello. I am so glad to find this discussion as I have to deal with this error every time I start Entourage 2008.
From what I read, it looks like there is at least a partial solution to this problem (until the patch is released), however, I can hardly follow the technical talk. I’d love to see a step-by-step description for non-IT people like me.
So far I went to the Accounts menu to look for places where to change things. I am familiar with all of the different tabs there, etc. but I have no idea where to change the search paths you all write about.
Regardless, in the two Macs I have seen this problem, it looks like after one clicks OK, things do work … except for the Out of Office message which has never worked for me (“Entourage cannot connect to the server”, the error reads). Related or not? I don’t know.
Thanks.
A.C
I had a client that got the first error (not about root certificate) with the latest upgrade, 12.1.1.
They were using a Hosted Exchange Solution and have their website at a webhotel, so when Entourage starts up they got the error.
My solution: Try to surf to https://domain.com. If you get an answer from the webhotel about a certificate, that was the problem.
The solution (the webhotel didn’t want to remove the certificate) was to remove the www CNAME A in the DNS.
So you have to type http://www.domain.com to get to the website, not just type http://domain.com.
Has anyone actually gotten this fixed? We’re at 12.1.2 on all our clients, and our vendor says they’ve done all they can do with Exchange and say the auto-discover services are set up correctly, but we’re still getting the certificate error…
This still does not seem to be fixed. I am getting the error on 12.1.4.
[Comment has been moderated.]
Hello. When 12.1.3 was released, the ReadMe for that release promised the fix of this problem in particular was included. Yes, the fix was included in that text but nowhere else! I am at 12.1.4 now and the message keeps coming up … A.C.
I am using Snow Leopard and Mac Office 2008 – I am getting the “correct root certificate is not installed” warning as discussed above.
Looking for a solution.
Using Safari 4.x or Firefox 3.x, connect to your Exchange Server address. For example, if the server address you’re using in Entourage is “server.example.com” then connect to it using “https://server.example.com”.
If you receive a certificate error message right away or if you click the lock icon in the browser to view the certificate’s details and see an error then your certificate probably is wrongly configured.
Reading through all the comments even now, 1,5 years later, in version 12.2.3 of Entourage on Mac OS 10.6.2. I have started to use Entourage and am unfortunately experiencing the same problem. Does anybody know how to solve the error message?
Enter the same server address you’re using in Entourage into a web browser such as https://server.example.com/exchange. When connecting to your server you should connect securely or you may receive a message about the certificate. If you receive a message about the certificate then Entourage is not the problem. You can click the little lock icon somewhere in the frame of the browser to view your certificate and examine the problem.
My MS Entourage 2008 for Mac is 12.2.3. Our Exchange Server is Exchange 2007 on a Windows 2003 server. We have the same “root certificate is not installed” problem every time we bring up Entourage. Using OWA pointing to the same host name works fine though.
Our Mac users are getting new Snow Leopard machines, and upgrading from Office2004 to Office2008 in the process. The Mac techs have applied all Office2008 patches. We’re getting the error about the root certificate.
Our e-mail domain is leisurearts.com. But our in-house servers, including Exchange2007, are all leisurearts.net (.com is reserved for our consumer-facing web site managed through public DNS). Even externally, we access OWA on a leisurearts.net URL. Our SSL certs on the Exchange servers are all for leisurearts.net, and that is the domain used in the Entourage settings (e.g., http...@leisurearts.com )
The error about the root certificate not being installed refers to leisurearts.com, which is not a domain included in either SSL certificate on our Exchange servers (we have a mailbox server and a hub transport server, which is the one with the public internet connection for inbound/outbound SMTP traffic).
Is this domain-ending difference a cause for the error?
Brian,
I suspect you’re correct that the difference between domains is causing the problem, but troubleshooting Exchange Server certificates is beyond the scope of this blog. I suggest you post your question in the microsoft.public.exchange.admin newsgroup. You’ll find plenty of knowledgeable folks there who can correctly answer this question.