Solved

Entourage Error

Posted on 2010-08-22
11
1,117 Views
Last Modified: 2013-11-12
Everytime I open my entourage 2008 i get the error

“Unable to establish a secure connection to servername because the server name or IP address does not match the name or IP address on the server’s certificate. If you continue, the information you view and send will be encrypted, but will not be secure.”

If i click "OK" everything works 100% how can i get rid of this error?

 - I have tried importing the certificate into Keychain access manager
 - I have also tried turning off SSL in Account settings that takes the error away but then my mail does
    not work

Any Suggestions???
0
Comment
Question by:oasistechnical
11 Comments
 
LVL 53

Accepted Solution

by:
strung earned 500 total points
ID: 33495410
Is sounds like the name of the certificate is not identical to the server name. Have you checked?
0
 
LVL 6

Expert Comment

by:evanmcnally
ID: 33495453
Judging from your description, I had the same problem.

The problem is that Entourage tries to establish a secure connection to whatever IP address it finds in DNS for "yourdomain.com".  In many organizations, yourdomain.com goes to a hosting company where the public web site is located and which is not configured for security, so Entourage gets some other SSL certificate from the web host and that certificate does not match the domain name you have configured for your email account.  This causes the error.

Microsoft expects that https://yourdomain.com will have a correct and valid SSL cert and will also have Exchange autoconfiguration information available.  There is no way to turn this off, but there is a work around.

I had a discussion a while back on Mactopia which you can read here:
http://www.officeformac.com/ms/ProductForums/Entourage/14144

I think this is one of the stupider "security features" I have seen in a while.

The work around is to edit /etc/hosts on your Mac.  You want to make your domain point to the IP address of your Exchange server.  The hosts file entry will take precedence over a DNS lookup, and so when Entourage tries to connect to the address of the domain, it instead goes to your Exchange server and gets the correct certificate.  This does presuppose that your Exchange server has a UCC SSL certificate that includes yourdomain.com as a subject alternate name (which it should have).

So in hosts add a line like:
10.250.1.36      yourdomain.com

if you do not know the address to use, ping the full fully qualified domain name of your Exchange server and use that address  (e.g.  ping mail.yourdomain.com and add this address to hosts).


0
 
LVL 8

Expert Comment

by:et01267
ID: 33495471
The problem is that your email server is presenting you with a certificate that has one name, like "www.mailserver.com", but the address you are using to access the  server is different, e.g. "mail.mailserver.com".  You can try changing the configuration of your mail account, so that the mail account uses the name that is in the certificate.  

However, it is likely that your service provider will need to install a new certificate in their server.  All you can do is complain to them.
0
 
LVL 6

Expert Comment

by:evanmcnally
ID: 33495511
To clarify using the previous example, Entourage will be actually give this error when it looks for a certificate at "mailserver.com".  It will do this regardless of the hostname of the server, and regardless of the mail server itself having the correct certificate.  Whatever host resides at mailserver.com (with no hostname) must have the correct certificate.  If that is not possible (because it is a different server outside your control), then you need to make the entry in /etc/hosts  
0
 

Author Comment

by:oasistechnical
ID: 33496130
Thanks for the reply evanmcnally

Im new to Mac could you tell me step by step how i would go about to "edit /etc/hosts on your Mac."

Thanks
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 6

Expert Comment

by:evanmcnally
ID: 33496177
Sure.  
1. Go to Applications > Utilities > Terminal
2.  Type "sudo -s" and enter the password for your account.  This will give you root permission so you can edit the hosts file.
3.  type "cd /etc"
4.  type "nano hosts" to start editing the hosts file with nano.  You could use some other editor also.
5.  You'll see a column of IP addresses and next to them some host names.  Just insert a new line under the one that says "127.0.0.1     localhost"
6.  Put in the IP address of your Exchange server, then hit tab or put in a few spaces and put your email domain name with no hostname portion (e.g.   yourdomain.com NOT mail.yourdomain.com)
7.  Hit ctrl-x to exit and it will ask you to save, hit "y" for yes, then it will confirm the file name of "hosts" and you can just hit enter to confirm.
8.  You can confirm the change by typing "ping yourdomain.com" and you should get a reply from the IP address of the Exchange server.

0
 

Author Comment

by:oasistechnical
ID: 33585587
Sorry for the late reply

I have tried the above step, but im still getting this error??

any other suggestions?
0
 
LVL 6

Expert Comment

by:evanmcnally
ID: 33604449
The steps I gave assume that your server's certificate matches the fully-qualified hostname of the email server you are using.

Try https://yourmailserver.yourdomain.com in Safari.  Do you get any warningings about the certificate?
And are you using the same address within entourage?

The steps I gave before will correct the problem where entourage always connects to https://yourdomain.com and produces an error.  But the actual mailserver name still needs to match between the certificate and the name you have entered into entourage.
0
 

Author Comment

by:oasistechnical
ID: 33606011
if I try the webmail address in safari, I get no warnings, just a box that pops up asking for username and password

Im not using the same address within entourage, Im using the IP of the exchange server
0
 
LVL 6

Expert Comment

by:evanmcnally
ID: 33612478
Using an IP address in Entourage for the server is your problem.

Let's take a step back and go over one very important detail.  Every SSL certificate has a host name and/or IP address embedded internally inside the certificate.  Normally this is a host name and almost never is it an IP address.  Some SSL certificates have multiple names embedded, and some have wildcards embedded (e.g. *.domainname.com).

The important point here is that this information is inside the certificate and cannot be changed by you, only by the email server admin who installed the cert on his server.  Server admins almost never use IP addresses inside the certificate.

When you access the email server that is using the certificate, then your _client software_ compares the address you are going to with the information inside the certificate.  The client software wants to see that if you are going to mail.yourdomain.com then the certificate from the server at that address should also contain mail.yourdomain.com embedded inside the cert.  If it does not, then you will get a warning like the one you have posted "the server name or IP address does not match the name or IP address on the server’s certificate".

So what you need to do is not use an IP address for the email server address.  In Entourage, you need to enter your mail server address using a name that is in the server's certificate.  If you are using a name to connect with Safari and are not getting any certificate warnings, then you probably should use the same name in Entourage.  You definitely should not use an IP address in Entourage--this works for connectivity but will not allow Entourage to match the cert's embedded name with the address Entourage is connecting to.

You can view the names in the certificate to validate that you will be getting a match by going to the secure site in Safari and clicking on the lock icon in the far upper right of the Safari window.  This will display the certificate for that page, and you want to look for the common name and any subject alternate names or else a wildcard.  You must be using an address in Entourage that matches one of these names.  

0
 

Author Closing Comment

by:oasistechnical
ID: 33792570
No solved
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
In this article we discuss how to recover the missing Outlook 2011 for Mac data like Emails and Contacts manually.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now