Outlook 365 - The server you are connected to is using a security certificate that cannot be verified

  • Question

  • I've just installed Office 365 on a new Windows 10 Pro computer in our office. Every time I start Outlook I get the message, "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect." The dialog has buttons to 'View Certificate', "Do you want to continue using this server? 'Yes' / 'No'. I click 'Yes' and Outlook comes up, but I have to click 'Yes' every time I start Outlook. Is there a way to NOT have this message come up?

    I do understand why it's giving me this message. I have specified STARTTLS for the incoming server connection. The certificate is issued to the public domain name mail.mydom.org. Our mail server is self-hosted, IMAP. I have specified the incoming mail server as mail.dom.local, which, of course, doesn't match the certificate. I get it. However, I want all email to/from workstations to deal with the local Mail Submission Agent on our local mail server, and not get routed "outside" to the public domain.

    I am using port 143 for incoming.

    Outlook 2010, Thunderbird and Mac Mail all gave such a warning, but allowed the exception to be permanently stored so I didn't have to click the "'Yes' continue using this server" each time I started the email client.

    How can I get this Security Warning to STOP popping up when I start Outlook?


    • Edited by markFoley Monday, September 30, 2019 5:11 PM
    • Moved by Perry-Pan Wednesday, October 2, 2019 7:51 AM
    Monday, September 30, 2019 5:04 PM

Answers

  • Perry, thanks for that detailed response. Unfortunately, changing the server name is doable, but would route traffic out to the Internet and through our ISP, whereas I'm wanting to keep all traffic between internal workstations and the internal mail server local to the LAN.

    Since Outlook will not permanently store the certificate exception like Thunderbird, I believe I have only two choices: 1) I can create another certificate for mail.mydom.local and use that for the local MSA. Unfortunately for that idea, aside from the labor and expense of getting another cert, is that the LAN MSA (Dovecot) is also an Internet MTA, so it fields connections from both the local LAN and the Internet and therefore does need the mail.mydom.local cert. If Dovecot can handle two certs, I'm not aware of that or how to do it.

    2) The other option is to not do SSL/STARTTLS encryption from Outlook clients inside the office/LAN. In fact, this is the option I'm choosing. Mail traffic between MSA (Dovecot) and workstations is strictly within the LAN, so unless some spyware is active within the LAN, traffic is secure enough. I have other counter-measures at work to detect LAN resident malware.

    • Marked as answer by markFoley Tuesday, October 1, 2019 3:33 PM
    Tuesday, October 1, 2019 3:30 PM
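    Option 1 in the answer above (a second certificate for the internal name) can be served by a single Dovecot instance, selecting the certificate by the name the client connected to. The fragment below is an added example, not configuration from the thread or from the Dovecot project; it assumes Dovecot 2.2 or later (where the `local_name` block exists), that the client sends the name it connected to in the TLS handshake (SNI), and that the mail.mydom.local certificate is issued by an internal CA the workstations trust, since no public CA issues certificates for .local names. File paths are placeholders.

```conf
# Added example, not from the thread: two certificates on one Dovecot instance,
# chosen by SNI. Assumes Dovecot 2.2+, clients that send SNI, and an internal-CA
# certificate for mail.mydom.local trusted by the workstations. Paths are placeholders.
ssl = required

# Default certificate: the public one, used for Internet clients and for any
# client that does not send SNI.
ssl_cert = </etc/ssl/certs/mail.mydom.org.pem
ssl_key  = </etc/ssl/private/mail.mydom.org.key

# Clients that connected using the internal name get the internal certificate,
# so the name Outlook is configured with matches the certificate it is shown.
local_name mail.mydom.local {
  ssl_cert = </etc/ssl/certs/mail.mydom.local.pem
  ssl_key  = </etc/ssl/private/mail.mydom.local.key
}
```

    With this in place the public MTA role keeps the public certificate, and LAN clients configured for mail.mydom.local keep STARTTLS on port 143 without the name-mismatch prompt, provided the internal CA is in the workstations' trusted root store.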

All replies

  • Do you receive this warning?

    >>I have specified the incoming mail server as mail.dom.local, which, of course, doesn't match the certificate.

    The error normally occurs when the server name does not match the name in your account settings. So, that's understandable as you are using a server that doesn't match the certificate.

    If your mail provider supports other server names, the easiest fix is to change the server name.

    If your host does not have a server name you can use to eliminate the error, you can get around this by following the steps below:

    1. If you didn't ping your server for the IP address (or didn't make note of it), open a cmd prompt and ping your incoming mail server - e.g. ping mail.fred.com returns IP address like 111.222.111.222.

    2. View the certificate as above and note the server name under Issued To.

    e.g. elephant.giraffe.co.nz or *.giraffe.co.nz

    3. Edit the hosts file and add a new line for IP address 111.222.111.222. The hosts file is in %windir%\system32\drivers\etc.

    4. To open the hosts file, search for Notepad on the Start menu, right click on it and choose Run as Administrator. Paste the path to the hosts file in File, Open dialog. Select All Files as the file types on the right.

    5. The entry you create in the hosts file should look something like this.

    111.222.111.222 elephant.giraffe.co.nz

    6. Edit Outlook account settings and change the incoming and outgoing mail server to elephant.giraffe.co.nz

    The above process changes the mail server name to the name on the certificate and the hosts file will ensure that mail traffic to this server name will be correctly directed to your mail server.

    Regards,

    Perry


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 1, 2019 1:47 AM
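    The six steps above amount to: find out which names the certificate was actually issued to, check them against the server name in the account settings, and point that certificate name at the server's IP in the hosts file. The script below is an added example (not from the thread, and not Microsoft's or Outlook's code) that performs that comparison the way a TLS client does, including wildcard names, and prints the hosts-file line. The host names, the address 192.0.2.10 and the sample certificate are constructed; `fetch_imap_cert` is a live STARTTLS check on port 143 that keeps chain validation against the system CA store and only relaxes the hostname check, so it will reject a self-signed server certificate rather than inspect it.

```python
"""Added example, not from the thread or from Microsoft: inspect the names an
IMAP server's certificate was issued to, compare them with the server name
configured in the mail client, and print the hosts-file line that the
workaround above needs. Host names, addresses and the sample certificate are
constructed."""
import imaplib
import socket
import ssl

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns:
# issued to mail.mydom.org with a wildcard SAN, while the client is configured
# to talk to mail.dom.local (the mismatch described in the question).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.mydom.org"),),),
    "subjectAltName": (("DNS", "mail.mydom.org"), ("DNS", "*.mydom.org")),
}


def cert_names(cert):
    """Every SAN dNSName, plus the subject CN (older clients fall back to it)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Hostname match as a TLS client performs it: case-insensitive, and a
    wildcard only as the whole leftmost label, covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_configured_name(cert, configured_host):
    """Return (matches, names_on_cert) for the host the client is set to use."""
    names = cert_names(cert)
    return any(name_matches(n, configured_host) for n in names), names


def suggested_hosts_line(ip, names):
    """The first concrete (non-wildcard) certificate name as a hosts entry,
    or None if the certificate only carries wildcard names."""
    for name in names:
        if "*" not in name:
            return f"{ip} {name}"
    return None


def fetch_imap_cert(host, port=143):
    """Live STARTTLS on port 143 (needs the network; the test does not run it).
    Chain validation against the system CA store stays on; only the hostname
    check is switched off so a name-mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode remains CERT_REQUIRED
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ssl_context=ctx)      # imaplib wraps conn.sock in TLS
    try:
        return conn.sock.getpeercert(), socket.gethostbyname(host)
    finally:
        conn.logout()


if __name__ == "__main__":
    ok, names = check_configured_name(SAMPLE_CERT, "mail.dom.local")
    print("configured name accepted by certificate:", ok)
    print("certificate issued to:", ", ".join(names))
    if not ok:
        # 192.0.2.10 stands in for the address "ping mail.dom.local" would return
        print("hosts-file entry:", suggested_hosts_line("192.0.2.10", names))
```

    Note that the hosts-file workaround only removes the prompt because the configured name now equals a name on the certificate; the client still verifies the certificate chain, so the entry must point at the real server's address and the certificate must still chain to a trusted CA.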
  • Thank you for sharing the update here. Your information will benefit other users a lot :)

    Here I will provide a brief summary of this post. This will make answer searching in the forum easier.

    [Outlook 365 - The server you are connected to is using a security certificate that cannot be verified — Summary]


    Issue Symptom:

    When opening the Outlook client, the following error appears: The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect


    (Possible) Cause:

    The error normally occurs when the server name does not match the name in your account settings. 


    Solution:

    1. Change the server name to match the certificate

    2. Create another certificate for mail.mydom.local and use that for the local MSA

    3. Do not use SSL/STARTTLS encryption from Outlook clients inside the office/LAN.


    Reference Links:

    https://www.slipstick.com/outlook/security-warnings-in-outlook/

    (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    • Edited by Perry-Pan Wednesday, October 2, 2019 7:59 AM
    Wednesday, October 2, 2019 7:58 AM
  • NOTE: This issue only occurs with gmail accounts in Outlook.

    This appears to be pretty advanced stuff, is there a long version or simplified version to this process? Or, is this something a 'Repair' would help through the 'remove program' area? Or, will this require someone else with more knowledge to handle?

    I am running Office365/Outlook365 on a Windows 32-bit, Dell Inspiron 530 which has an upgraded processor and memory. No other issues with certificates have been experienced, and it operated with the same conditions just fine for a year. This is a new problem which started a few days ago.

    Thanks!


    • Edited by mcmxcad Wednesday, February 5, 2020 5:34 PM
    Wednesday, February 5, 2020 1:36 PM