
MacBU reproducing new Exchange and SP1 certificate error

A contact of mine at Microsoft's Macintosh Business Unit (MacBU) has confirmed that they have reproduced a problem first seen after the release of Office 2008 SP1, in which a new certificate warning may appear at startup with no apparent way to dismiss it permanently.

Since the release of SP1, some Entourage users in Exchange environments have seen a new dialog at startup. The message states, "Unable to establish a secure connection to mydomain.com because the server name or IP address does not match the name or IP address on the server's certificate." The name mydomain.com in the message is the mail domain of the Exchange organization, not the host name of the Exchange Server itself. In other words, Entourage is reporting a host name mismatch: the name it connected to is not among the names on the certificate that host presented.

This message is different from the similar certificate warning displayed when the certificate's root certificate is not installed as trusted.

[Image: certmessage3.jpg, the certificate warning dialog]

Repeatedly marking the server's certificate and its root certificate as fully trusted does not stop the message from appearing at every launch of Entourage. That is to be expected: the warning is about a name mismatch, and trust settings do not change which names a certificate carries.

For developers, reproducing a problem is 90% of the battle in troubleshooting and fixing it. However, MacBU cannot yet provide a timeline for a fix, nor say whether one will be included in the next update.

Comments (9)

Mike Puchol said:

Hi,

We have a hosted exchange account with mail2web. We have our domain's (say domain.com) MX record pointed to mail2web's server, and created a CNAME for autodiscover.domain.com also pointed to the same mail2web IP address. I also have a fix for those who run their own web server (more at the end of my comment).

The Entourage configuration guide for mail2web states that our Exchange server address should be:

https://ex7.mail2web.com/exchange/user@domain.com

I have done a tcpdump of Entourage starting up, and it tries to connect to all these addresses:

ex7.mail2web.com (https/443)
autodiscover.domain.com (https/443)
domain.com (https/443)
www.domain.com (http/80)

What I don't know is where Entourage gets the knowledge to connect to domain.com addresses. Is it assuming that the last two words with a dot between them in the server address are the domain? This would make sense if the Exchange address was https://ex7.mail2web.com only. Maybe the Exchange server is providing this information (I'm not that familiar with Exchange setup so I cannot say for sure).

Now for the fix: we had a wildcard SSL certificate for our web server, which would be valid for www.domain.com (or whatever.domain.com), but NOT for domain.com, the base domain. I found out that X.509v3 supports Subject Alternative Names, which allow you to include domain.com as part of the wildcard *.domain.com certificate. Once the new certificate was installed on our web server, Entourage stopped complaining about SSL certificate errors. YMMV as not all SSL providers support SANs (Comodo for example does not).

Good luck with the fix!
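
The following is an added example, not code from the post, from Mike, or from Microsoft. It applies the standard certificate name-matching rules (a wildcard covers exactly one left-most label, and SAN dNSName entries take precedence over the CN) to the four hosts Mike's tcpdump trace shows Entourage probing, and shows why a *.domain.com certificate fails on the bare domain until domain.com is added as a SAN. The same cert_covers check applies to a multi-name certificate like the one John lists further down. The host list, the certificate names and the mail2web setup are constructed from the comment and are assumptions, not observed data.

```python
"""Name-check helper for the Entourage/Exchange certificate warning.

Added example, not code from the post or from Microsoft.  The probed host
list follows Mike's tcpdump trace; the certificate names are constructed.
"""
import socket
import ssl


def candidate_hosts(server_host, mail_domain):
    """Hosts Entourage was seen probing in Mike's trace: the configured
    server plus Autodiscover-style guesses derived from the mail domain."""
    return [
        server_host,
        "autodiscover." + mail_domain,
        mail_domain,
        "www." + mail_domain,
    ]


def name_matches(pattern, host):
    """RFC 6125-style comparison.  A '*' is only allowed as the whole
    left-most label and matches exactly one label, so '*.domain.com'
    covers 'www.domain.com' but not 'domain.com' or 'a.b.domain.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(host, common_name, san_dns_names):
    """True if the certificate's names cover host.  When dNSName SAN entries
    are present they are authoritative; the CN is only a fallback."""
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [common_name] if common_name else []
    return any(name_matches(n, host) for n in names)


def report(server_host, mail_domain, presented):
    """presented maps host -> (common_name, [san dns names]) as observed on
    that host.  Returns host -> True/False, or None if nothing was observed."""
    out = {}
    for h in candidate_hosts(server_host, mail_domain):
        if h in presented:
            cn, sans = presented[h]
            out[h] = cert_covers(h, cn, sans)
        else:
            out[h] = None
    return out


# Constructed sample modelled on Mike's setup (assumption): mail2web's server
# presents a certificate for its own name, while domain.com and www.domain.com
# resolve to Mike's web server, which presents a wildcard certificate.
MAIL2WEB_CERT = ("ex7.mail2web.com", ["ex7.mail2web.com"])
WILDCARD_ONLY = ("*.domain.com", ["*.domain.com"])
WILDCARD_PLUS_SAN = ("*.domain.com", ["*.domain.com", "domain.com"])


def mikes_case(web_cert):
    """Run the report for Mike's host list with the given web-server cert."""
    presented = {
        "ex7.mail2web.com": MAIL2WEB_CERT,
        "domain.com": web_cert,
        "www.domain.com": web_cert,
    }
    return report("ex7.mail2web.com", "domain.com", presented)


def fetch_cert_names(host, port=443, timeout=5, cafile=None):
    """Live check (needs network): return (common_name, [san dns names]) of
    the certificate host presents.  Host-name checking is disabled because a
    mismatch is exactly what we want to observe; chain verification stays on,
    since getpeercert() returns {} for an unverified peer.  Pass cafile for
    a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_ONLY), ("with SAN", WILDCARD_PLUS_SAN)):
        print(label, mikes_case(cert))
```

With WILDCARD_ONLY the report flags domain.com as not covered while www.domain.com passes; with WILDCARD_PLUS_SAN every observed host passes, which is the change Mike describes. To feed real observations into report(), call fetch_cert_names() for each host in candidate_hosts(), or inspect the SAN section by hand with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -text`.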

William M. Smith said:

Hi Mike!

Thanks for the detailed instructions.

Since speaking with Microsoft the first time, they have identified two issues that can cause this problem. The first, they said, is the wrong name on a certificate. I'm not sure if your fix is a workaround or indeed something new that Exchange admins need to know. But not properly setting the name on the certificate is indeed a cause.

The second may actually be an Exchange Server bug and Entourage may be reporting the error correctly. (At least that's what I gleaned from our conversation.)

Anyone who tries Mike's fix and doesn't get favorable results should know that a bug does indeed exist somewhere.

Mike Puchol said:

Hi William,

Thanks for your update.

"Since speaking with Microsoft the first time, they have identified two issues that can cause this problem. The first, they said, is the wrong name on a certificate."

Yes, this is correct. But the problem is that Entourage is connecting to the wrong domain: in my case, instead of just connecting to ex7.mail2web.com, it is also connecting to various combinations around domain.com, and since these are pointed to our own web server, Entourage encounters a certificate for *.domain.com when it checks domain.com. Unless a Subject Alternative Name is added to the certificate, the error will appear.

The fix from Microsoft's side should be to stop Entourage from connecting to domain.com when it has no business doing so, as the whole Exchange service is hosted at ex7.mail2web.com (following my example) - or at least, ignoring certificate errors by giving us an option to do so in Preferences.

"The second may actually be an Exchange Server bug and Entourage may be reporting the error correctly."

This could be, but my trace shows that the error appeared exactly at the time when Entourage tried to connect to domain.com. This of course doesn't mean that under a different scenario, a bug in Exchange could cause the error to appear.

If you want to forward my email address to someone at Microsoft in case they want further feedback or any other information, feel free to do so.

John Wetter said:

We are also having this issue and therefore have not rolled out SP1. For us, the issue is also causing free/busy searches to fail. We have the communications certificate with multiple domains on it on our Exchange 2007 SP1 box. What is the best way to interface with the MacBU to work on this problem as we really need to move on a fix or at least more troubleshooting? Thanks to everyone on this site for a great job, there is a lot of great information here.

-John

Andre said:

We have just started receiving this error on our system. We believe that after SP1, Entourage is checking for a valid certificate based on the user's email address.

Andre

Joe said:

Microsoft will have a fix in the next update (post SP1 bug, not the latter) as the bug has been identified and resolved.

In the meantime, you can add the search path to your cert in your Network PrefPane and the error will go away.

For example we have our exchange server as:

www.exchange.domain.com

But our ssl cert is at:

server.domain.com

Adding server.domain.com in the search path fixes our problem.

John Wetter said:

Joe,
That is interesting, but I think our certificate and domain searches are correct if I follow your discussion. We're also moving domains, so we have twice the number of domains listed in the cert. Here is the order of our domains in the cert:

DNS Name=owa.domain.org
DNS Name=exchfe.ADdom.domain.org
DNS Name=webmail.domain.org
DNS Name=webmail.domain.place.state.us
DNS Name=owa.domain.place.state.us

Our DNS search paths when on our network are: ADdom.domain.org, domain.org, domain.place.state.us

If I understand your post correctly, this should work, however we are still getting the error.

Any info anyone can provide would be very much appreciated.

Thanks,
John

William M. Smith said:

For a great explanation of what's happening be sure to read Amir Haque's blog post SSL Warning Issue in Entourage 2008. Amir is a Microsoft employee who focuses his blog on Entourage and Exchange Server interactivity.

A.C said:

Hello. I am so glad to find this discussion as I have to deal with this error every time I start Entourage 2008.

From what I read, it looks like there is at least a partial solution to this problem (until the patch is released); however, I can hardly follow the technical talk. I'd love to see a step-by-step description for non-IT people like me.

So far I went to the Accounts menu to look for places where to change things. I am familiar with all of the different tabs there, etc. but I have no idea where to change the search paths you all write about.

Regardless, in the two Macs I have seen this problem, it looks like after one clicks OK, things do work ... except for the Out of Office message which has never worked for me ("Entourage cannot connect to the server", the error reads). Related or not? I don't know.

Thanks.

A.C

About

This page contains a single entry from the blog posted on June 11, 2008 3:58 PM.


This weblog is licensed under a Creative Commons License.