Outlook 2010 "target principal name is incorrect" despite match with certificate subject

    Question

  • My Outlook 2010 gives "target principal name is incorrect" when attempting to connect to POP3 SSL. The standard answer to this problem is that there is a mismatch between the URL Outlook is using to connect to the email server, and the Common Name in the certificate that the server returns to identify itself.

    But, in my case, Outlook's Incoming mail server=C.pop3.aa.net.uk and the certificate the server returns has Subject=CN=*.aa.net.uk, so what gives?

    Could it be that Outlook certificate verification cannot process *s properly?

    (I found on the net two other alleged explanations for this error: (a) that Outlook 2007 does not look at the Subject but rather the first entry only in Subject Alternative Name - I tried changing Incoming Server to that but it didn't fix it. (b) That if you have more than one account configured in Outlook they must all be configured the same way - I have three accounts and tried making them all the same but that simply caused three of these errors rather than one (if I answer NO to "do you want to continue...").) 

    Wednesday, October 17, 2012 7:59 PM

Answers

  • I have found the origin of this problem. It's the way wildcards in the subject field of the certificate are interpreted.

    *.aa.net.uk will match pop3.aa.net.uk, but it won't match C.pop3.aa.net.uk

    To match C.pop3.aa.net.uk you'd have to have *.*.aa.net.uk in the certificate.

    Monday, October 29, 2012 7:49 PM
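
The matching rule described in the answer above, as an added example that is not part of the original thread and not Outlook's or Windows' own code. It follows the RFC 6125 convention that `*` is honoured only as the whole leftmost label and stands for exactly one label. The function names are hypothetical, and refusing partial wildcards and `*.tld`-style names is an assumption of this example.

```python
# Added example: single-label wildcard matching (RFC 6125 section 6.4.3 rule).
# Hostnames come from the thread; the helper names are hypothetical.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    pat, host = _labels(cert_name), _labels(hostname)
    if "" in pat or "" in host or any("*" in label for label in host):
        return False                  # empty label, or wildcard in the hostname
    if any("*" in label for label in pat[1:]):
        return False                  # wildcard is only honoured leftmost
    if len(pat) != len(host):
        return False                  # '*' never spans a dot
    if pat[0] == "*":
        # Assumption: require two fixed labels so '*.uk'-style names are refused.
        return len(pat) >= 3 and pat[1:] == host[1:]
    if "*" in pat[0]:
        return False                  # assumption: partial wildcards are refused
    return pat == host


def matching_names(hostname, cert_names):
    """Certificate names that cover hostname (empty list means mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]


def covering_names(hostname):
    """Names a certificate could carry to cover hostname under this rule."""
    labels = _labels(hostname)
    names = [".".join(labels)]
    if len(labels) >= 3:
        names.append(".".join(["*"] + labels[1:]))
    return names


if __name__ == "__main__":
    cert = ["*.aa.net.uk"]            # subject CN reported in the question
    for host in ("pop3.aa.net.uk", "C.pop3.aa.net.uk"):
        hits = matching_names(host, cert)
        print(host, "->", hits if hits else f"mismatch, needs {covering_names(host)}")
```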

All replies

  • The two articles below will help you understand the details of the error and how to resolve it.

    http://support.microsoft.com/kb/958977

    http://blogs.technet.com/b/sbs/archive/2008/10/17/you-receive-a-target-principal-name-is-incorrect-certificate-error-in-outlook-2007-when-connecting-to-either-pop3-or-imap4-on-sbs-2008.aspx

    If you are not the email server admin, ask your administrator to resolve this issue by following the above steps.

    Friday, October 19, 2012 7:30 PM
  • Thanks but I had read these before posting.

    As I mentioned in parentheses in my OP, I tried using the first alternative in Subject Alternative Name and it did not fix the problem. Also, both of these posts relate to Windows Small Business Server, which is not relevant to me. I am not hosting an email server; I am running Outlook on an ordinary Windows PC as an email client. The mail server is at my ISP. I am not in a position to change the certificate that that email server transmits to Outlook.

    Friday, October 19, 2012 7:54 PM
  • If your email is managed by your ISP and you have the chance to talk to them, inform them of the issue. They have to work on this to resolve it.

    From your side, instead of using POP3 SSL, use normal settings until your ISP has solved it.

    Friday, October 19, 2012 9:05 PM
  • Thanks for trying but this isn't really helping me. Yes, I have told my ISP but I don't think they are doing anything wrong.

    The question I need answering is this: why doesn't Outlook recognise a valid security certificate when Outlook's Incoming Mail Server name is the same as either the certificate's Common Name or the first item in the certificate's Subject Alternative Name? And by "same as" I mean matches if you have proper regard to wildcard * in the certificate (see my OP).

    In my view this is clearly a bug in Outlook or Windows certificate checking. Unlike Adobe, Microsoft doesn't seem to employ anyone to skim peer-to-peer forums to detect things that require remedial action. With Microsoft, it seems the customer is always wrong. I would report this as a bug to Microsoft if there were any way of doing so without being charged $50 for the privilege.

    Saturday, October 20, 2012 12:49 PM