Entourage Exchange Error – “Unable to establish a secure connection to…”

(Updated posting)

(Screenshot: root certificate error dialog)

After performing a clean install of Microsoft Office 2008, Entourage began to give me the following error:

“Unable to establish a secure connection to servername because the correct root certificate is not installed.”

I followed various posts about installing our Exchange Server’s certificate. After installing it, I began to receive this error:

(Screenshot: server name does not match error dialog)

“Unable to establish a secure connection to servername because the server name or IP address does not match the name or IP address on the server’s certificate. If you continue, the information you view and send will be encrypted, but will not be secure.”

Clicking OK allows Entourage to connect, but the error returns and is annoying.

However, the error continued. After much experimenting, I was able to resolve the issue, but the error is so ambiguous that it can be caused by several different misconfigurations.

If you want to use SSL, your server must have a valid certificate. If the certificate is from a public provider, I don’t believe you will need to install any certificates at all. If your system admin has provided you with a private certificate, you will need to install it into Keychain Access: install it in the System keychain if all users on the computer will need it, or in the login keychain if only you need it. There are several documents on the web for doing this. However, if you have installed the certificate and you still receive this error, read on.

(Screenshot: Mail settings tab)

RESOLUTION
Several blogs have discussed the new AutoDiscovery Service issue within Exchange 2007; however, we use Exchange 2003.

The problem with my Entourage was caused by our domain structure. The hardware firewall forwards the mail ports to the Exchange server. The Exchange server has a publicly trusted security certificate issued by GoDaddy.

However, the LDAP port is forwarded to the domain controller running Active Directory. Because our setup does not publish a separate internet host record for LDAP (for example ldap.mydomain.com), the certificate issued for mail.mydomain.com cannot cover two different machines (the Exchange server and the domain controller answering LDAP), so the name Entourage connects to does not match the certificate the LDAP server presents. Therefore the error is valid, and not a Microsoft bug in Office/Entourage.

Since the LDAP lookup was what caused the error, the dialog would not pop up until a lookup was needed. Because of this, it was possible to have Entourage sessions without ever seeing it. To prevent the error, do not require LDAP functions to connect securely.

  1. Under the ENTOURAGE menu select ACCOUNT SETTINGS
  2. Double click your Exchange Account.
  3. Select the Advanced Tab under the EDIT ACCOUNT dialog.
  4. Ensure “This LDAP server requires a secure connection (SSL)” is NOT selected.

(Screenshot: LDAP settings on the Advanced tab)

All mail activity is still handled over an SSL-secured connection to the Exchange server; only the directory lookup is changed, and that lookup traffic now crosses the network without SSL. Some organizations allow non-secure LDAP access. If yours does not and you are using a separate server for LDAP functions, it will be necessary to obtain a certificate whose name matches the internet host record for that machine. You can also ignore the dialog box safely, though it is very inconvenient.

You can also use this procedure to confirm that the error is being caused by LDAP functions.
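A terminal check for the same question, as an added example that is not part of the original post: it connects to the host name from the account settings on the mail port (HTTPS, 443) and the directory port (LDAPS, 636) and reports which of the two Entourage dialogs that endpoint would trigger. The two certificate dictionaries, the domain controller name dc01.mydomain.local and the port numbers are constructed assumptions, not values from the post.

```python
"""Which endpoint presents the mismatching certificate? Added example for this
post (not Entourage's or Microsoft's code); host names are placeholders."""
import socket
import ssl

# Ports Entourage talks to: HTTPS for mail, LDAPS for the Global Address List lookup
PORTS = {"mail (HTTPS)": 443, "directory (LDAPS)": 636}

# Constructed certs in getpeercert() dict layout: what the firewall hands back on
# 443 (Exchange, public cert) and on 636 (domain controller) in the post's setup.
EXCHANGE_CERT = {"subject": ((("commonName", "mail.mydomain.com"),),),
                 "subjectAltName": (("DNS", "mail.mydomain.com"),)}
DC_CERT = {"subject": ((("commonName", "dc01.mydomain.local"),),)}  # placeholder CN

def cert_names(cert):
    """DNS names a certificate covers: subjectAltName entries plus the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans + [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(hostname, pattern):
    """Exact match, or one leading '*.' wildcard label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":                     # wildcard covers exactly one label
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def classify(hostname, cert):
    """'ok' or 'name-mismatch' (the post's second dialog) for an already trusted cert."""
    ok = any(name_matches(hostname, n) for n in cert_names(cert))
    return "ok" if ok else "name-mismatch"

def check_endpoint(hostname, port, cafile=None, timeout=5):
    """Live check: 'untrusted-root' (first dialog), 'name-mismatch' (second) or 'ok'."""
    ctx = ssl.create_default_context()
    if cafile:                            # private root: same as adding it to Keychain
        ctx.load_verify_locations(cafile)
    ctx.check_hostname = False            # classify() does the name comparison
    ctx.verify_mode = ssl.CERT_REQUIRED   # but the chain must still be trusted
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return classify(hostname, tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted-root"

if __name__ == "__main__":                # point this at your own mail host name
    print({label: check_endpoint("mail.mydomain.com", port) for label, port in PORTS.items()})
```

In the post's setup the mail port reports ok and the directory port reports name-mismatch, which is the second dialog; untrusted-root on either port corresponds to the first dialog and means the issuing root still has to be installed.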

CONCLUSION
At the very least, I can reassure you that OS X 10.5.6 and Microsoft Office for the Mac (Entourage) 12.1.5 do work together without error. Microsoft has fixed whatever error/bug was involved, so don’t give up trying to resolve it. And definitely don’t wait in vain for Microsoft’s next update to do so.

Comments

  1. Jeff says:

    wait.. Microsoft has, or has not fixed the error? Just to clarify!

  2. danisrael says:

    Jeff, they HAVE indeed fixed the error.

    Our error was caused by the LDAP lookup on the Exchange GAL (Global Address List) look-up. The check box for SSL LDAP was enabled. Unfortunately, the server name did not match the certificate, because the hardware firewall routed LDAP to the domain controller. So, the solution would be to use a different HOST name for internet DNS resolution to a machine with the correct certificate.

    After correcting this, the above worked. Entourage does function without the certificate error now. You can test this by unchecking secure LDAP function on the tab of your Exchange account. Passwords and email are still encrypted.

    Hope that helps!

  3. Gmon3y says:

    I followed the steps and still get the same error message. what a pain!

    all up-to-date
    settings correct
    self-signed SBS cert

    but nada. outlook works so much better.. ms you greedy farts..lol

  4. danisrael says:

    Gmon3y, which of the two errors do you get? Can you publish the exact error?

  5. Christo Acosta says:

    Same issue here as Gmon3y… maybe?

    Regardless of whether the SSL option is checked, if I am outside my organization, I get the error “Unable to establish a secure connection to rim.onyx.local.CONNECTION because the server name…” where CONNECTION is my connection wherever I am (i.e.: rim.onyx.local.hsd1.ga.comcast.net). Note: onyx.local is my work domain. I have no clue what part RIM plays… I don’t use BlackBerry, and I don’t *think* we have a full-fledged BlackBerry server. I think we just connect to exchange.

    If I am in the office, where onyx.local is my connection, there is no problem.

    -C

  6. danisrael says:

    Christo,

    Couple of questions:

    1) Are you unchecking the LDAP SSL or the mail server?
    2) What version is your Exchange server 2000, 2003, 2007?

    Regardless, you’ll need to obtain an external connection address to use. The .local address is what most companies use for machine addresses behind a firewall (or InTRAnet).

    For instance, at our office, internally we connect to “xch.domain.local.” However, when connecting externally through the inTERnet, then the address is “mail.domain.com.” This is all setup by an Admin.

    If you have webmail, try that address. But it will definitely require an FQDN (not a .local).

    Does that help?

  7. Christo Acosta says:

    Hi Daniel,

    Thanks for the reply! I have both unchecked SSL settings for the LDAP and Exchange server. The Exchange Server is 2007.

    I didn’t make it very clear, “onyx.local” is simply the DNS suffix at work. My connection address is a FQDN, I’ve never used the .local address in Entourage: My connection is set to smtp.XXXX.com (XXXX just for privacy). If I want to use OWA, I can connect to http://smtp.XXXX.com/owa without problems.

    Also, I actually get and can send the mail without issue, it’s just the error that’s bothersome 🙂

    Thanks for the help so far!

    -C

  8. danisrael says:

    Christo…that’s good info.

    Since you are getting mail, I’m assuming the error pops up at some point while Entourage is open. This is almost certainly a directory lookup error.

    You can verify this by opening Entourage and selecting a new mail message. Then in the drop-down, select Global Address Book. If you get the message, then you are definitely experiencing an LDAP lookup issue.

    What makes this whole process a pain is the myriad of combinations that exist and the requirement that your settings match your company’s. They will only communicate with your system if you present yourself to them as expected. This causes some very misleading error messages.

    For instance, if you uncheck SSL and your system admins have selected “SSL required” on the IIS server, then you may be presented with a dialog saying “could not establish a secure connection.” In reality, the error could be:

    a) “You’re trying to communicate on a non-secure channel, and SSL security is required to talk to this server.”
    b) “Your system does not appear to be a computer this server wants to talk to securely”
    c) “The server you are connecting to cannot talk to this computer securely”
    d) “The server (or computer) is not who they say they are”

    In your case, I would imagine there is going to be an incompatibility between your corporate structure and Entourage. If your system ADMINs have required communication with the LDAP server to be SSL, and they don’t have an external certificate for communicating with the LDAP server, you will not be able to avoid this.

    The LDAP server’s certificate must match what you are putting in for a name in the LDAP Server box under the Directory Services>Advanced Tab.

    If you can, ask an ADMIN this.

    1) Is it possible to contact the Global Address Book/LDAP server externally, and if so..
    2) Is it standard SSL?
    3) What is the exact FQDN the machine is certificated for?

    As a work around, you might try removing any server names from the LDAP server box. That way no attempt is made to contact it.

  9. Marc Morris says:

    I solved this error:
    unable to establish a secure connection to because a certificate on the server’s certificate chain has expired or is not yet valid

    I chatted with VeriSign and they gave me the correct intermediate and root certificates. I loaded these into Keychain; the next time I opened Entourage there was a message to always allow the certificate into my keychain. Problem solved…….finally