How to make Outlook 2010 accept untrusted certificate for IMAP connection?

  • Question

  • I've configured Outlook 2010 to connect to my Gmail account using IMAP.  But I've come across a certificate problem.

    My company firewall, which is a FortiGate 80C, is doing inspection of IP packets to see if there's any virus.  In order to do so, the firewall is using the "man in the middle" trick: it decrypts communication with imap.gmail.com on one side, and encrypts communication using another certificate issued by itself and sends the packets to Outlook (or any IMAP client like Thunderbird) on the other side.

    So the certificate coming from imap.gmail.com and seen by Outlook is issued by Fortinet instead of by the original one (I suppose it's Thawte).  If I use Thunderbird, it will ask me if I want to accept such a certificate or not.  But Outlook 2010 just silently rejects the connection.  How can I make it accept the certificate, or make it ask me to accept the certificate?

    I'm 100% sure this problem is due to the firewall because if my PC is connected to the Internet through another firewall, I don't have this problem.

    Of course, I could disable the firewall's inspection, but I would like to do this if there's really nothing else I could do.

    I think this problem could also be solved if Outlook accepted the firewall's CA certificate (which is the issuer of the final certificate).  I've exported the CA certificate and imported it into Thunderbird's CA store and now TB doesn't ask me to accept the final certificate.  Then I tried to import the CA certificate into my computer's "Trusted CA certificate store" but this doesn't seem to work.  Maybe Outlook is using its own CA certificate store?

    Tuesday, September 14, 2010 2:53 PM

Answers

  • I've recently updated the Fortigate firewall's firmware to 4.1.9 and it has worked around this MSS (for Microsoft Super Stupidity!)

    Fortinet engineers have really done a good job!  BIG thumbs up to them!

    As to Microsoft... well, you know what, a recent reply from Microsoft support told me that "[blah blah blah].... they cannot modify the security update .... [blah blah blah] .... this is done by design ... [blah blah blah]..." And I said to myself "Oh yeah, by design... by their stupidly damned BAD design!"  They are really so incompetent!  It's really cowardly to always hide behind this "by design" stupid excuse.  Very very lame!

    What's even lamer is that they created problems and rely on others to solve them.

    Fortinet engineers score: 1 point.  Microsoft engineers score: minus infinity!

    • Marked as answer by Horinius Tuesday, August 30, 2011 11:15 AM
    Monday, August 22, 2011 1:42 PM

All replies

  • Hi,

    You can install and use your certificate in Microsoft Outlook 2003 by the steps here:

    http://www.globalsign.com/support/personal-certificate/per_outlook03.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    In Outlook 2010, you can find the options from: File > Options > Trust Center > Trust Center settings > Email Security > Digital Ids (Certificates)

    Hope it helps.

    Best Regards,

    Sally Tang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Wednesday, September 15, 2010 7:42 AM
  • Thanks for your reply, but that's not it.

    Your suggestion is about installing a personal certificate, while I was asking about a server certificate.

    Wednesday, September 15, 2010 9:29 AM
  • A co-worker of mine told me that his Outlook DID ask him to accept certificates.  But this happened only until two weeks ago.  Then, his Outlook no longer asked him to accept any certificate and GMail IMAP has no longer worked since then.

    Seems like something changed in Outlook two weeks ago.  Some hotfix?

    Wednesday, September 15, 2010 1:20 PM
  • Hi,

    I don't know if any new Outlook security updates have been released in the past couple of weeks, but it wouldn't surprise me.

    First thing I'd try would be a new Outlook profile. After you log in with the new profile, go ahead and set up the security profile again.

    Then, make sure the user has a certificate for each CA in the chain added to the user's certificate store.

    If you encounter any issues setting up the security profile and pointing it to the certificate, please call in and open a Microsoft Support Incident with the Outlook team.

    If the new profile is not allowing you to accept certificates, please call in and open a Microsoft Support Incident with the Outlook team.

    A couple of articles that might help, or at least show you where to look for the certs.

    http://support.microsoft.com/kb/923575  - Look under "Examine the certificate"

    http://support.microsoft.com/kb/276597 -- How to turn off e-mail matching for certs.


    Hope that helps!

    Jahawk MSFT

    Thursday, September 23, 2010 10:59 PM
    Moderator
  • Thanks for your reply.

    Outlook profile -- I know what it is.  But security profile -- I'm not sure what it's about.  And your suggested articles have no mention of "security profile".

    Friday, September 24, 2010 2:03 PM
  • Sorry for the delay. Death in the family last week, so I just got back to this post!

    By "Security profile", I meant when you go into the Outlook profile and set up the crypto messaging features in Outlook 2010.

    For your reference, here's a fantastic technet article that should help.  http://technet.microsoft.com/en-us/library/cc179061.aspx

    <excerpt from article>

    In Outlook 2010, users are required to have a security profile to use cryptographic features. A security profile is a group of settings that describes the certificates and algorithms used when a user sends messages that use cryptographic features. Security profiles are configured automatically if the profile is not already present when:

    • The user has certificates for cryptography on his or her computer.
    • The user begins to use a cryptographic feature.

    If this still doesn't help you much, I would suggest calling in and opening a Microsoft Outlook Support incident so that you can work with someone on this issue and any questions you may have regarding Outlook certificates.

    Take care,

    Jahawk MSFT

    • Marked as answer by Sally Tang Friday, October 8, 2010 3:57 AM
    • Unmarked as answer by Horinius Thursday, October 14, 2010 1:42 PM
    Wednesday, October 6, 2010 6:23 PM
    Moderator
  • I've done a complete test to find out the guilty update and I've found it!  (Well, Microsoft should really pay me for the job I've done for it!)

    Very unexpectedly, the guilty update isn't any update for Office or Outlook, but a Win7 update!  Moreover, according to my tests, the problem occurs in
    Win7 64bit + Outlook 2010 64bit
    but not in
    XP Pro (+SP3) 32bit + Outlook 2010 32bit

    I have no idea if the problem would occur for other combinations with XP 64bit, Vista or Win7 32bit because I don't use these O/S and I don't have the time.

    And the guilty update is …… KB2207566 !

    Actually, there is at least one other Win7 update which causes the same problem but I don't have the time to find them all.  Several things are sure:
    * None of the Office updates up to February 2011 would cause the problem
    * These Win7 updates have no problem: KB2482017, KB983590, KB2284742, KB2416471, KB2160841 & KB2079403
    * Other guilty updates should be newer than KB2207566 (which was released in July 2010)

    So, is Microsoft going to publish an update to make Outlook ask user to accept untrusted certificate?
    Thursday, March 10, 2011 6:28 PM
  • Hi!

    I have the same problem.

    But all the end users call upset because they don't know and think that they are in an insecure environment.

    Do you know any solution to this?

    Thursday, November 1, 2012 3:44 PM
  • Please see Sally Tang's response above on how to manually add the certificate. Otherwise, as far as I see, there is no way to have Outlook trust an untrusted certificate. The certificate must have the correct common name (CN) for the CAS server, and it must be a certificate from a trusted CA.

    If the machine Outlook is installed on is joined to a domain with a CA, the CA will be automatically trusted. If it is a non-joined home user using Outlook connected to a corporate Exchange server that is not using a certificate from a publicly trusted CA, then it will not trust the certificate.

    You can install the untrusted certificate manually, or create a certificate installer package that you can make available on your website for users to download and install by double clicking on the package.

    If you have access or know someone with an SBS server, SBS has a certificate installer package (executable) that you can modify to add your own root CA cert, and then distribute that to your users.

    Another way is to have them connect and logon using OWA, then view the certificate from the untrusted red symbol in the certificate status icon, and install it into the Root CA store. Here's how:

    Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista (applies to any operating system)
    http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, November 1, 2012 3:58 PM
  • Ace,

    JCordovaV said he/she has the same problem.  But Sally Tang's response is NOT the answer.

    Moreover, your answer implies the use of Outlook WITH Exchange, which is NOT the case here.  So, there is a big mismatch in your reply.


    • Edited by Horinius Tuesday, November 6, 2012 2:18 PM
    Tuesday, November 6, 2012 2:17 PM
  • That situation always makes me crazy, so I decided to create a small app to kill the warning.

    Try it. If it works with your version, run it with system autostart.


    Oskar Shon, Office System MVP

    Press if Helpful; Answer when a problem solved

    Tuesday, November 6, 2012 3:02 PM
  • Horinius,

    Thank you for your response. Yes, I assumed it was Outlook/Exchange, however, the method I posted will work for any profile type, whether it's an Outlook/Exchange profile or a non-Exchange Outlook connection.

    The point is installing the untrusted certificate in the operating system so Outlook will trust it, which will work with any Outlook profile type, whether it is an Exchange/Outlook RPC type profile or non-Exchange POP or IMAP servers.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, November 6, 2012 3:06 PM
  • Ace,

    I know you want to help us.  But trust me, this problem is due to a bug, and you cannot use "normal procedure" to solve it.

    PS: The proof that it's a bug is in my messages, so I'm not going to repeat it again.

    Tuesday, November 6, 2012 5:38 PM
  • I assume you've already tried adding the Root CA and (this is the important part) the Intermediate CA certificate to the Machine Store in the appropriate location and not the user store. That's what I was talking about. That's what Outlook is looking for and what I do for my non-Exchange customers (Gmail, Yahoo, etc) using Outlook, and it works fine. If that's not working, then the problem is apparently elsewhere.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, November 6, 2012 6:07 PM
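The question describes an inspecting firewall re-signing the imap.gmail.com certificate, and the reply above says the fix is to get the firewall's root and intermediate CA into the machine store. The script below is an added example, not code from the thread or from any product: it connects to the IMAP server, prints the issuer of the certificate actually presented (which reveals whether an inspecting device is in the path), and rebuilds the chain against the local Windows trust stores so you can see which element fails and whether an imported CA certificate took effect. `$Server` and `$Port` are assumed parameters; save it as a .ps1 file and run it in Windows PowerShell.

```powershell
# Added example (not from the thread): show the certificate an IMAP server
# presents to this Windows machine and check whether the local trust stores
# accept its chain. Assumed parameters: -Server and -Port.
param(
    [string]$Server = 'imap.gmail.com',
    [int]$Port = 993
)

$script:captured  = $null
$script:sslErrors = $null

# Accept whatever is presented so the handshake completes and the certificate
# can be inspected; the real trust decision is made explicitly further down.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    # Copy the certificate so it survives disposal of the SslStream.
    $script:captured  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $script:sslErrors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Server)
} finally {
    $ssl.Dispose()
    $client.Close()
}
if (-not $script:captured) { throw "No certificate captured from ${Server}:${Port}" }

$cert = $script:captured
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"          # an inspecting firewall shows up here
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"SslPolicyErrors during handshake : $($script:sslErrors)"

# Rebuild the chain against the local stores and name the element that fails.
# 'UntrustedRoot' on the top element means its CA is not in a Root store;
# 'PartialChain' means an intermediate is missing, as the reply above warns.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain trusted by this machine : $trusted"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    '  {0}  [{1}]' -f $el.Certificate.Subject, $status
}
```

If the issuer line names the firewall's CA and the chain reports UntrustedRoot or PartialChain, the CA certificates have not been imported into the stores that SChannel consults; note that Outlook may still apply its own checks beyond this chain result, as the thread reports.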
  • I had tried everything you mentioned, and it was not working (past tense!)

    Remember, I also called Microsoft support for this, and the guy had also tried a lot more than I did.  But at the end, when he saw that nothing worked, he told me the problem was *a feature*!  Fantastic!  That's how we wasted a support incident!

    Remember 2, the problem was posted two years ago.  If you are implying that something is changed inside Outlook 2010 to accept CA certificate NOW, then I have no idea, and I have no interest to go back to check the validity of your "hypothesis".  So I'll leave the speech to JCordovaV.

    Tuesday, November 6, 2012 7:07 PM
  • hi,

    I was excited to try this app but it won't work here... still get the certificate warning window...

    Monday, May 27, 2013 2:46 PM