Security alert when starting Outlook 2007 on Windows 7 - Exchange Server 2003

  • Question

  • Hi,

    Every time I start Outlook 2007 I receive a security alert saying that: The name of the security certificate is invalid or does not match the name of the site. I use Exchange 2003 and on the client side I use Win 7 Enterprise with Outlook 2007. I click View Certificate and can see that the certificate is issued to www.mysite.info. https://mysite.info is the address of my SharePoint 2007 portal. The certificate is from Thawte Consulting.

    Even if I install the certificate after receiving the alert and restart Outlook I still get the security alert. I have tried unchecking the "Only connect to proxy servers that have their principal name in their certificate" option without any notable success.

    Thanks a lot,

    Mihai

    • Moved by Sally Tang Tuesday, July 20, 2010 5:58 AM (From:Outlook IT Pro Discussions)
    Monday, July 19, 2010 9:54 PM

All replies

  • If your site has Exchange and Sharepoint installed on the same server, then I don't think you will be able to win.
     


    Tuesday, July 20, 2010 12:16 AM
  • Hi,

    Please understand that Outlook 2007 has the Autodiscover feature. It still tries to connect to Autodiscover even when working with Exchange 2003. The process is as follows:

    1. Look for SCP objects or SCP pointer objects that correspond to the user's e-mail address, and find the correct Autodiscover server to connect to; then connect and retrieve settings.
    2. If the previous step fails, attempt DNS discovery of the Autodiscover XML:
         a. HTTPS POST: https://DOMAIN/autodiscover/autodiscover.xml
         b. HTTPS POST: https://autodiscover.DOMAIN/autodiscover/autodiscover.xml
         c. HTTP GET: http://autodiscover.DOMAIN/autodiscover/autodiscover.xml
         d. DNS SRV lookup: _autodiscover._tcp.DOMAIN

    Please try to enable logging for Outlook. Then reproduce this issue and find the log under the %temp% folder, which is named olkdisc. Then post it here.

    Thanks

    Allen

    Tuesday, July 20, 2010 7:54 AM
  • Hi Allen,

    I have replaced the real domain with domain.com

    Thread    Tick Count    Date/Time    Description
    124    5366215    07/21/10 08:00:14    Autodiscover to https://domain.com/autodiscover/autodiscover.xml starting
    124    5368571    07/21/10 08:00:16    Autodiscover to https://domain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
    124    5368571    07/21/10 08:00:16    Autodiscover to https://autodiscover.domain.com/autodiscover/autodiscover.xml starting
    124    5368602    07/21/10 08:00:16    Autodiscover to https://autodiscover.domain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
    124    5368618    07/21/10 08:00:16    Local autodiscover for domain.com starting
    124    5368618    07/21/10 08:00:16    Local autodiscover for domain.com FAILED (0x8004010F)
    124    5368618    07/21/10 08:00:16    Redirect check to http://autodiscover.domain.com/autodiscover/autodiscover.xml starting
    124    5368618    07/21/10 08:00:16    Redirect check to http://autodiscover.domain.com/autodiscover/autodiscover.xml FAILED (0x80072EE7)
    124    5368618    07/21/10 08:00:16    Srv Record lookup for domain.com starting
    124    5368649    07/21/10 08:00:16    Srv Record lookup for domain.com FAILED (0x8004010F)

    Many thanks,

    Mihai

    Thursday, July 22, 2010 11:02 AM
  • Hi,

    Can you post the warning message? Did you include mysite.info in the SAN of the certificate?

    Thanks

    Allen

    Friday, July 23, 2010 1:35 AM
  • Hi,

    The Security alert looks like this:

    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

    The security certificate is from a trusted certifying authority. (checked)

    The security certificate date is valid. (checked)

    The name on the certificate is invalid or does not match the name of the site. (error)

    The certificate is simple, just a web server certificate issued to www.mysite.info, which is the web address of the SharePoint portal.

    The issue, however, happens just internally. The firewall used is Forefront TMG 2010.

    Thanks,

    Friday, July 23, 2010 8:59 AM
  • Outlook 2007 attempts to do autodiscover to a number of URLs at frequent intervals. This behaviour cannot be stopped. Therefore one of the URLs that it attempts to use must resolve to that machine. Autodiscover is an Exchange 2007 feature that uses https to allow Outlook 2007 and higher to connect to the server for configuration information.
    The only way to stop it is to stop the URLs from resolving.

    If you have a wildcard in the domain, autodiscover or a web server on a domain controller (so domain.com resolves to an active web site) then this will cause the problem.
    For the domain controller problem, the only thing that might work would be to put a second IP address on the network card, then bind the web site to the second IP address only (so not all unassigned). Then adjust your internal DNS so that the site resolves to the second IP address. The autodiscover process should then fail.

    Simon.

     


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    • Marked as answer by Allen Song Friday, July 30, 2010 10:00 AM
    Friday, July 23, 2010 12:05 PM
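
Added example (not part of any post in this thread): the DNS-based lookup order listed earlier combined with a simplified certificate name check, to show which Autodiscover URL produces the name-mismatch alert. The mail domain `mysite.info`, the address `user@mysite.info`, and the set of hosts that answer on HTTPS are assumptions constructed from the details posted above.

```python
# Added example; sample values are constructed from details in the thread.
PATH = "/autodiscover/autodiscover.xml"

def autodiscover_candidates(email):
    """DNS-based lookups in the order listed in the thread (SCP step omitted)."""
    domain = email.rsplit("@", 1)[1].lower()
    auto = "autodiscover." + domain
    return [
        ("HTTPS POST", "https://" + domain + PATH, domain),
        ("HTTPS POST", "https://" + auto + PATH, auto),
        ("HTTP GET", "http://" + auto + PATH, auto),
        ("DNS SRV", "_autodiscover._tcp." + domain, None),
    ]

def name_matches(cert_name, host):
    """Simplified check: exact match, or '*' covering exactly one left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def predict_alerts(email, https_hosts, cert_names):
    """Classify each HTTPS candidate: unreachable, name ok, or name mismatch.

    https_hosts: hosts that resolve to a site answering on HTTPS (assumed input).
    cert_names:  names on the certificate that site presents.
    """
    results = []
    for _method, url, host in autodiscover_candidates(email):
        if not url.startswith("https://"):
            continue  # the HTTP and SRV steps present no certificate themselves
        if host not in https_hosts:
            results.append((url, "unreachable: no certificate prompt"))
        elif any(name_matches(n, host) for n in cert_names):
            results.append((url, "name ok"))
        else:
            results.append((url, "NAME MISMATCH: security alert"))
    return results

if __name__ == "__main__":
    # Constructed scenario: bare domain serves the portal, cert is for www only.
    for url, verdict in predict_alerts(
        "user@mysite.info", {"mysite.info"}, ["www.mysite.info"]
    ):
        print(verdict.ljust(36), url)
```

A certificate issued only to `www.mysite.info` does not cover the bare domain, so the first HTTPS lookup is the one that raises the alert; either the name has to appear on the certificate or that URL has to stop answering.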
  • Simon, thank you very much for this.

    I started thinking about Autodiscover after reading one of your blog entries from here.

    I'll try to fix this as you suggested.

    Big fan of yours,

    Mihai

     

    Friday, July 23, 2010 3:07 PM
  • If I were to turn autodiscover off (in order to get rid of the security message each time Outlook is started), would the Outlook clients which have already been successfully configured with the server continue to function properly?
    Tuesday, August 10, 2010 12:57 AM
    You can't turn off autodiscover.
    All you can do is ensure that autodiscover or any of the URLs that the autodiscover process attempts to use don't resolve or don't have an SSL certificate. Outlook 2007 will always poll for autodiscover information because it doesn't know what version of Exchange it is being used against.
    If you do manage to get it so that autodiscover doesn't resolve anywhere, then clients that are already configured will not change, because they aren't getting new information.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    Tuesday, August 10, 2010 1:10 PM