  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1145

Entourage Error

Every time I open my Entourage 2008 I get the error

“Unable to establish a secure connection to servername because the server name or IP address does not match the name or IP address on the server’s certificate. If you continue, the information you view and send will be encrypted, but will not be secure.”

If I click "OK" everything works 100%. How can I get rid of this error?

 - I have tried importing the certificate into Keychain Access
 - I have also tried turning off SSL in Account settings; that takes the error away, but then my mail does
    not work

Any Suggestions???
0
Asked by: oasistechnical
1 Solution
 
strung commented:
It sounds like the name of the certificate is not identical to the server name. Have you checked?
0
 
evanmcnally commented:
Judging from your description, I had the same problem.

The problem is that Entourage tries to establish a secure connection to whatever IP address it finds in DNS for "yourdomain.com".  In many organizations, yourdomain.com goes to a hosting company where the public web site is located and which is not configured for security, so Entourage gets some other SSL certificate from the web host and that certificate does not match the domain name you have configured for your email account.  This causes the error.

Microsoft expects that https://yourdomain.com will have a correct and valid SSL cert and will also have Exchange autoconfiguration information available.  There is no way to turn this off, but there is a work around.

I had a discussion a while back on Mactopia which you can read here:
http://www.officeformac.com/ms/ProductForums/Entourage/14144

I think this is one of the stupider "security features" I have seen in a while.

The work around is to edit /etc/hosts on your Mac.  You want to make your domain point to the IP address of your Exchange server.  The hosts file entry will take precedence over a DNS lookup, and so when Entourage tries to connect to the address of the domain, it instead goes to your Exchange server and gets the correct certificate.  This does presuppose that your Exchange server has a UCC SSL certificate that includes yourdomain.com as a subject alternate name (which it should have).

So in hosts add a line like:
10.250.1.36      yourdomain.com

If you do not know the address to use, ping the fully qualified domain name of your Exchange server and use that address (e.g. ping mail.yourdomain.com and add this address to hosts).


0
 
et01267 commented:
The problem is that your email server is presenting you with a certificate that has one name, like "www.mailserver.com", but the address you are using to access the  server is different, e.g. "mail.mailserver.com".  You can try changing the configuration of your mail account, so that the mail account uses the name that is in the certificate.  

However, it is likely that your service provider will need to install a new certificate in their server.  All you can do is complain to them.
0
 
evanmcnally commented:
To clarify using the previous example, Entourage will actually give this error when it looks for a certificate at "mailserver.com". It will do this regardless of the hostname of the server, and regardless of the mail server itself having the correct certificate. Whatever host resides at mailserver.com (with no hostname) must have the correct certificate. If that is not possible (because it is a different server outside your control), then you need to make the entry in /etc/hosts.
0
 
oasistechnical (Author) commented:
Thanks for the reply evanmcnally

I'm new to Mac. Could you tell me step by step how I would go about to "edit /etc/hosts on your Mac."

Thanks
0
 
evanmcnally commented:
Sure.
1. Go to Applications > Utilities > Terminal
2. Type "sudo -s" and enter the password for your account. This will give you root permission so you can edit the hosts file.
3. Type "cd /etc"
4. Type "nano hosts" to start editing the hosts file with nano. You could use some other editor also.
5. You'll see a column of IP addresses and next to them some host names. Just insert a new line under the one that says "127.0.0.1     localhost"
6. Put in the IP address of your Exchange server, then hit tab or put in a few spaces and put your email domain name with no hostname portion (e.g. yourdomain.com NOT mail.yourdomain.com)
7. Hit ctrl-x to exit and it will ask you to save, hit "y" for yes, then it will confirm the file name of "hosts" and you can just hit enter to confirm.
8. You can confirm the change by typing "ping yourdomain.com" and you should get a reply from the IP address of the Exchange server.

0
 
oasistechnical (Author) commented:
Sorry for the late reply

I have tried the above step, but I'm still getting this error??

Any other suggestions?
0
 
evanmcnally commented:
The steps I gave assume that your server's certificate matches the fully-qualified hostname of the email server you are using.

Try https://yourmailserver.yourdomain.com in Safari. Do you get any warnings about the certificate?
And are you using the same address within Entourage?

The steps I gave before will correct the problem where Entourage always connects to https://yourdomain.com and produces an error. But the actual mailserver name still needs to match between the certificate and the name you have entered into Entourage.
0
 
oasistechnical (Author) commented:
If I try the webmail address in Safari, I get no warnings, just a box that pops up asking for username and password

I'm not using the same address within Entourage, I'm using the IP of the Exchange server
0
 
evanmcnally commented:
Using an IP address in Entourage for the server is your problem.

Let's take a step back and go over one very important detail.  Every SSL certificate has a host name and/or IP address embedded internally inside the certificate.  Normally this is a host name and almost never is it an IP address.  Some SSL certificates have multiple names embedded, and some have wildcards embedded (e.g. *.domainname.com).

The important point here is that this information is inside the certificate and cannot be changed by you, only by the email server admin who installed the cert on his server.  Server admins almost never use IP addresses inside the certificate.

When you access the email server that is using the certificate, then your _client software_ compares the address you are going to with the information inside the certificate.  The client software wants to see that if you are going to mail.yourdomain.com then the certificate from the server at that address should also contain mail.yourdomain.com embedded inside the cert.  If it does not, then you will get a warning like the one you have posted "the server name or IP address does not match the name or IP address on the server’s certificate".

So what you need to do is not use an IP address for the email server address.  In Entourage, you need to enter your mail server address using a name that is in the server's certificate.  If you are using a name to connect with Safari and are not getting any certificate warnings, then you probably should use the same name in Entourage.  You definitely should not use an IP address in Entourage--this works for connectivity but will not allow Entourage to match the cert's embedded name with the address Entourage is connecting to.

You can view the names in the certificate to validate that you will be getting a match by going to the secure site in Safari and clicking on the lock icon in the far upper right of the Safari window.  This will display the certificate for that page, and you want to look for the common name and any subject alternate names or else a wildcard.  You must be using an address in Entourage that matches one of these names.  

0
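
The name check described in the comment above, as an added example that is not part of the original thread. It runs against a constructed certificate (the names and the 10.250.1.36 address reuse the thread's placeholders) in the layout Python's `ssl.SSLSocket.getpeercert()` returns; the function names are illustrative.

```python
import ipaddress

# Constructed sample, in the dict layout ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.yourdomain.com"),),),
    "subjectAltName": (
        ("DNS", "mail.yourdomain.com"),
        ("DNS", "yourdomain.com"),
        ("DNS", "*.yourdomain.com"),
    ),
}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # Legacy fallback: the common name counts only when there is no SAN.
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """'*' may stand for exactly one label, and only the left-most one."""
    p, h = pattern.split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative: refuse wildcards directly under a TLD ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def server_address_ok(cert, address):
    """True if the address typed into the mail client matches the certificate."""
    dns, ips = cert_names(cert)
    if is_ip(address):
        # An IP literal is compared with IP entries only, never with DNS names.
        target = ipaddress.ip_address(address)
        return any(ipaddress.ip_address(ip) == target for ip in ips)
    return any(dns_match(name, address) for name in dns)

def report(cert, addresses):
    return {a: server_address_ok(cert, a) for a in addresses}
```

Calling `report(SAMPLE_CERT, ["10.250.1.36", "mail.yourdomain.com"])` shows the IP address failing and the name succeeding even though both reach the same server.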
 
oasistechnical (Author) commented:
No solved
0
