
Re: 2008; Certificate problems


William Smith

May 14, 2008, 9:45:59 PM
Russell Tolman wrote:
> I am having certificate issues again. Not really sure if the issue is a new
> one or a continuation. This error appears on every Mac that has Office 2008
> installed and updated to SP1.
>
> I will try and give as much detail as possible.
>
> All Intel based computers.
> All OSX 10.5.2
> All Updates for OSX done.
> Office 2008; either 12.0.1 or 12.0 before SP1 Applied.
>
> Every single computer in our School district shows the error shown in the
> picture I included with this post.

This appears to be a problem with your certificate or what you're using
for your Exchange server name.

According to your screenshot Entourage is trying to connect to a server
named "graniteschools.org", which is not a server name but a domain
name. Your server name should look something like
"echange.graniteschools.org".

Make sure the certificate you're installing on your Macs is a
certificate specifically for your server's fully qualified domain name.

Since I don't know what you're using for your server addresses all I can
do is point you to these setup instructions for Entourage 2004 (they're
still valid for 2008).

"Connecting Entourage to an Exchange Server at work"
<http://entourage.mvps.org/exchange/exchangeatwork.html>

Hope this helps!

--

bill

William M. Smith, Microsoft Interop MVP - Mac/Windows
Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>

Rob P.

May 15, 2008, 7:47:00 AM
I am having the exact same issue with Macs that have been updated to Office
2008 SP1. There are NO issues on Entourage 2004 (fully patched) or Entourage
2008 WITHOUT SP1. I have two domains, one with Exchange 2007 SP1 rollup 2,
the other with Exchange 2007 rollup 6. They both behave the same. I get this
popup:

"Unable to establish a secure connection to domain.com because the server or
IP address does not match the name or IP address on the server's certificate.

If you continue, the information you view and send will be encrypted, but
will not be secure."

This popup appears once per session (when it is initiated) and causes NO
problems with mail flow.

Bill:

All clients are configured as per the instructions in the link you gave
(were before installing SP1 as well). The Exchange server SSL certificates
are from a commercial CA (Go Daddy) and certainly DO include the machine
name. I am assuming that the problem has to do with the "enhancements" in the
autodiscover feature introduced with SP1, but that is as far as I can get.

As far as installing certificates on the Macs, I never had to before. The
keychain on the Macs shows a root certificate from my CA and that has been
good enough in the past (prior to Office 2008 SP1).

Any help would be appreciated.

Ben Price

May 15, 2008, 6:13:19 PM
I am having the exact same problem as described below, and we are also using a GoDaddy certificate that has never been a problem in the past. I sure hope we find an answer soon.


William Smith

May 15, 2008, 11:29:38 PM
Rob P. wrote:

> All clients are configured as per the instructions in the link you gave
> (were before installing SP1 as well). The Exchange server SSL certificates
> are from a commercial CA (Go Daddy) and certainly DO include the machine
> name. I am assuming that the problem has to do with the "enhancements" in the
> autodiscover feature introduced with SP1, but that is as far as I can get.
>
> As far as installing certificates on the Macs, I never had to before. The
> keychain on the Macs shows a root certificate from my CA and that has been
> good enough in the past (prior to Office 2008 SP1).

I'm actually reproducing this problem now with my test Exchange Server
2007 account. I'll see if I can pass some information about my setup to
Microsoft for an explanation of what's happening.

Russell tolman

May 18, 2008, 9:28:07 PM
Thank you, thank you. Here is my e-mail address.

rjto...@graniteschools.org

Would love to hear what you find out. I will keep checking back every few
days.



Thomas Moy

May 20, 2008, 3:14:47 PM
We're seeing this problem too. Have never setup a certificate, using
Intermedia.net as an Exchange 2007 provider, no problem with Entourage
2004, or 2008. Only started after updating to SP1.

Setup new OS X user, created new account in Entourage 2008 SP1, and
it's showing the error once per Entourage-launch:

"Unable to establish a secure connection to (my domain) because the
correct root certificate is not installed."

Verbal awards for anyone who can figure this out :-)

Tom

silv...@gmail.com

May 20, 2008, 4:31:12 PM
We're seeing the same issue since upgrading to SP1.

alexand...@gmail.com

May 21, 2008, 1:01:31 AM
The cert issue is confirmed by many and is yet to be resolved by
Microsoft. Bug count of Entourage 2008 is increasing:)

Donnie3iii

May 21, 2008, 7:36:21 PM
After installing Update 12.1 on some of our computers this error has
continued to plague us.

We are running
- Exchange 2007
- Entourage 2008

We get 2 flavors of this error:

Unable to establish a secure connection to <<mail.server.com>> because
the correct root certificate is not installed.

Changes to some setting cause this one
Unable to establish a secure connection to <<IP>> because the server
name or IP address on the server's certificate

I have tried:

1.) sudo certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors
2.) http://www.macosxhints.com/article.php?story=2007082012492012 (was
done already but re-created the profile just in case)
3.) http://www.themachelpdesk.com/index.php?name=News&catid=&topic=19&allstories=1

One of my users claims this is causing problems because her mail does
automatically come through. This has not been verified by me though so
it could be a different problem.

Donnie3iii

May 21, 2008, 7:37:34 PM
Our cert is from Thawte not that this should make any difference.

Diane Ross

May 21, 2008, 8:06:58 PM
This is under investigation.

--
Diane

dab...@bsu.edu

May 21, 2008, 9:07:54 PM
I've got the same problem at Ball State,
Unable to establish a secure connection to bsu.edu because the server
name or IP address on the server's certificate.
Mail works but it tends to freeze for a minute or two before the
message comes up, which is extremely irritating. Everything worked
fine before SP1 update.
On an unrelated note, Entourage 2008 has always crashed for me
randomly, especially when the internet connection is severed for some
reason, such as closing my laptop or accidentally unplugging the
ethernet cord...


Diane Ross

May 21, 2008, 9:58:37 PM
"dab...@bsu.edu" wrote:

> On an unrelated note, Entourage 2008 has always crashed for me
> randomly, especially when the internet connection is severed for some
> reason, such as closing my laptop or accidentally unplugging the
> ethernet cord...

Do you get a MERP report asking you to send in the info? If not, take a
Sample using the Activity Monitor if it's possible to catch the crash.

Open Activity Monitor, select the stalled application (should show as red).
Open the entry and click on Sample at the bottom of the window.

I know some crashes are impossible to catch like this. You can check the
Console logs for info. Having the crash log helps to track down the problem.

Lastly, send Microsoft feedback with details of the crash.

Send feedback to Microsoft:

When working in Office, you can use the "Send Feedback" option under the
Help menu in all of the Office applications or visit
<http://www.microsoft.com/mac/suggestions.mspx>

--
Diane


Burgess, Patrick

May 22, 2008, 8:33:20 AM
We're having the same issue at Miami U.

Burgess, Patrick

May 22, 2008, 11:06:15 AM
We are having the same issue here but we cannot create a situation that
reliably produces the issue on a consistent basis. We are still trying.

Burgess, Patrick

May 22, 2008, 11:54:14 AM
We're having issues reliably reproducing the error. Has anyone else been
able to make the cert warning appear consistently? We've got wireshark on a
Mac here with the goal of verifying that the key exchange is still working
when the error pops up. Since we can't get it to pop up all the time, this
is a bit tricky.

Has anyone else sniffed from the client side to see if encryption is still
happening?

Chris D.

May 23, 2008, 3:08:18 PM
After applying the 12.1.0 update to Office Mac 2008 the cert warning appears consistently. Then Entourage crashes while syncing with the Exchange server, consistently. This is occurring on my CEO's new Macbook Pro and is extremely embarrassing.

Microsoft are you listening?

Diane Ross

May 23, 2008, 7:02:33 PM
"Chris D." wrote:

> After applying the 12.1.0 update to Office Mac 2008 the cert warning appears
> consistently. Then Entourage crashes while syncing with the Exchange server,
> consistently. This is occurring on my CEO's new Macbook Pro and is extremely
> embarrassing.

The cert warning is being investigated. Crashing could be fixed by deleting
that account and entering new. You can test in a new Identity to see if that
helps. If not, I would test in a new User to eliminate problems in his
User's account.

--
Diane

Russell Tolman

May 24, 2008, 8:41:17 PM
This happens in my School District every single time a person starts up
Entourage.

It matters not whether we are starting from one of my schools behind the
district firewall. It happens every time from my house as well.

If there is anything someone would like me to try. Just let me know.

rjto...@graniteschools.org

I have wireshark on my laptop. I am just learning how to use it.



Diane Ross

May 24, 2008, 10:19:11 PM
"Russell Tolman" wrote:

> If there is anything someone would like me to try. Just let me know.

I've forwarded your message on to the developers and if they need more help,
they will contact you.

--
Diane

jon6...@officeformac.com

May 27, 2008, 6:44:22 PM
I was having the same problem with a certificate warning on initial startup. Here is what I did to fix it. Maybe this will work for others too.

I loaded up Safari and typed in the exchange address that was being used in Entourage. Example <https://exchangeserver.domain.com>. Safari gave me a message about trusting a certificate. I selected view details and then checked the box to trust. This installed the certificate in Keychain.

I then went into Keychain and changed all the trust options for that new certificate to always trust (more than what Safari originally asked for.)

The next step is important. Safari installed the certificate under the system keychain. I read a post somewhere that the certificate needs to be under the login keychain. So, in Keychain I dragged the certificate from the system keychain to the login keychain.

This solved the annoying certificate warnings I was getting on initial startup of Entourage.

My specs:
Intel Mac OS X 10.5.2 and Entourage 2008 SP1.

Chris Collins

May 31, 2008, 6:34:41 PM
> This solved the annoying certificate warnings I was getting on initial startup of Entourage.

This did not solve the problem. I am able to consistently recreate the error

Mother

Jun 6, 2008, 11:48:11 AM
Hi all,

I think I've traced this, at least in my setup, to a problem in
Entourage trying to connect to the wrong domain. We have a few
business Exchange accounts with mail2web, and in their configuration &
setup instructions, two things worthy of mention:

1. You need to configure your nameservers with an MX record pointing
to mail2web's IP (eg. ex7.whisher.com ip=168.144.1.185) and also a
CNAME for autodiscover.domain.com pointing to their IP address.

2. Your Exchange server parameter must be https://ex7.mail2web.com/exchange/user...@domain.com

The tcpdump trace I performed shows that Entourage is trying to
connect to all these domains:

ex7.mail2web.com (https/443)
autodiscover.domain.com (https/443)
domain.com (https/443)
www.domain.com (http/80)

In my case, it's obvious that since autodiscover.domain.com is
pointing to mail2web's IP, the certificate check will fail. Why it is
also checking domain.com and www.domain.com escapes my understanding,
but it's worth considering by anyone having this problem. In my case,
domain.com and www.domain.com are setup with DNS A records pointing to
our webserver.

Are these settings configured from within Exchange?

IMHO the best solution for this would be an 'Ignore SSL certificate
errors' setting in preferences, and let users deal with their
scenarios - much better than forcing them to go over unsecured
connections, or face clicking the error message every time they start
Entourage.

Regards,

Mother

Paul Robichaux [MVP-Exchange]

Jun 9, 2008, 11:05:06 AM
In article
<db4fbf6d-1fb4-461b...@w7g2000hsa.googlegroups.com>,
Mother <puc...@gmail.com> wrote:

> Hi all,
>
> I think I've traced this, at least in my setup, to a problem in
> Entourage trying to connect to the wrong domain. We have a few
> business Exchange accounts with mail2web, and in their configuration &
> setup instructions, two things worthy of mention:
>
> 1. You need to configure your nameservers with an MX record pointing
> to mail2web's IP (eg. ex7.whisher.com ip=168.144.1.185) and also a
> CNAME for autodiscover.domain.com pointing to their IP address.
>
> 2. Your Exchange server parameter must be
> https://ex7.mail2web.com/exchange/user...@domain.com
>
> The tcpdump trace I performed shows that Entourage is trying to
> connect to all these domains:
>
> ex7.mail2web.com (https/443)
> autodiscover.domain.com (https/443)
> domain.com (https/443)
> www.domain.com (http/80)
>
> In my case, it's obvious that since autodiscover.domain.com is
> pointing to mail2web's IP, the certificate check will fail. Why it is
> also checking domain.com and www.domain.com escapes my understanding,
> but it's worth considering by anyone having this problem. In my case,
> domain.com and www.domain.com are setup with DNS A records pointing to
> our webserver.
>
> Are these settings configured from within Exchange?

The domains queried are under the control of the client, not Exchange.
<http://technet.microsoft.com/en-us/library/bb124251.aspx> describes how
the Autodiscover protocol works. Outlook is a bit smarter about ignoring
cert errors during the process, which is why you don't see the same
errors there. I also don't think Entourage should be asking for
www.domain.com, but that's a separate argument :)

The product team is aware of this problem, but I don't know what their
timeline is for a fix.

Cheers,
-Paul

Mother

Jun 9, 2008, 6:32:15 PM
Thanks for the update Paul, I have been able to fix the problem for my
particular scenario, by creating (and having signed by a CA of course)
a new SSL certificate for *.domain.com, adding domain.com as a Subject
Alternative Name (not well known feature of x509v3). Entourage now
connects to domain.com and doesn't complain about the certificate - it
just won't find any joy in it since it's a plain Apache webserver :)

Regards,

Mike
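
The name check behind the trace and the wildcard-plus-SAN fix described in the two posts above, as an added example that is not part of any post in this thread: it lists the HTTPS hosts the tcpdump trace showed and tests each against the names on the certificate served there. The host names are the posts' own placeholders, the SAN lists are constructed, and the function names are hypothetical.

```python
"""Added example. Host names follow the thread's placeholders; SAN lists are constructed."""

def hostname_matches(pattern, host):
    """Certificate name match: '*' may only be the whole leftmost label
    and stands for exactly one label, so '*.domain.com' != 'domain.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def tls_probe_hosts(email, configured_server):
    """HTTPS hosts the trace in the thread showed the client contacting."""
    domain = email.rsplit("@", 1)[1].lower()
    return [configured_server.lower(), "autodiscover." + domain, domain]

def audit(hosts, served_sans):
    """For each probed host, does the certificate served there name it?
    Reports name coverage only; which mismatch a client warns on is its choice."""
    return {h: any(hostname_matches(s, h) for s in served_sans.get(h, []))
            for h in hosts}

HOSTS = tls_probe_hosts("user@domain.com", "ex7.mail2web.com")
PROVIDER_CERT = ["ex7.mail2web.com"]            # constructed SAN list
BEFORE = {
    "ex7.mail2web.com": PROVIDER_CERT,
    "autodiscover.domain.com": PROVIDER_CERT,   # name points at the provider
    "domain.com": ["www.domain.com"],           # constructed web-server cert
}
WILDCARD_ONLY = {**BEFORE, "domain.com": ["*.domain.com"]}
WILDCARD_PLUS_SAN = {**BEFORE, "domain.com": ["*.domain.com", "domain.com"]}

if __name__ == "__main__":
    for label, served in [("before", BEFORE), ("wildcard only", WILDCARD_ONLY),
                          ("wildcard + SAN", WILDCARD_PLUS_SAN)]:
        print(label, audit(HOSTS, served))
```

A wildcard entry alone leaves the bare domain uncovered, which is why the extra Subject Alternative Name is needed for the `domain.com` probe.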

Unknown

Jul 7, 2008, 9:48:37 AM
Is this thread dead? Anyone find a workaround? I noticed the latest office update did not fix the problem.

Unknown

Jul 11, 2008, 2:29:41 PM

Is this thread dead? Anyone find a workaround? I noticed the latest office
update did not fix the problem.


Still having the issue.

Corentin Cras-Méneur

Jul 11, 2008, 2:56:55 PM
Jerry <> wrote:

Hi Jerry,

> Is this thread dead? Anyone find a workaround? I noticed the latest
> office update did not fix the problem.
>
>
> Still having the issue.

The thread is too old and the original post doesn't even show up on my
nntp server. If you want to revive it, you need to at least quote the
original question so that people can know what the problem is about,


Corentin

--
--- Mac:MS MVP http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire
