Subject Alternative Names X.509 attributes in Outlook 2007

Fabio Spelta - 06 Mar 2008 15:55 GMT
Hello,

we have a mail server which offers SMTP, POP, IMAP and webmail services.
The server has a single IP address, but multiple DNS aliases, in this form:

servername.domain.it
smtp.domain.it
pop.domain.it
imap.domain.it

As stated above, they all resolve to the same IP address.
The access to the server for all the protocols is either via TLS or SSL (TLS
is used over SMTP, while SSL is preferred on IMAP, POP and HTTP; read IMAPS,
POPS and HTTPS).
Obviously, the server presents to the clients an X.509 certificate. That
certificate has, as the common name, the one in the form
"servername.domain.it"; while all the other FQDNs above are set in the
certificate as "Subject Alternative Names", as defined in RFC 3280.

All of our clients are configured to use the alternative names, i.e.
"pop.domain.it" for POP access, and so on.
With this configuration we experienced no problem at all with any mail
clients (of the Outlook/Outlook Express family, and others), nor with web
browsers when using the webmail (IE 6, IE 7, and other browsers), since the
beginning.

Only Office 2007, which we are starting to adopt now, seems to ignore the
"Subject Alternative Names" field, and it only seems to search for a match
between the server name configured in the client, and the one presented *in
the Common Name* field of the X.509 certificate. With Outlook 2007, we get a
security warning which states that

"The server you are connected to is using a security certificate that
         cannot be verified.
         The target principal name is incorrect.
         Do you want to continue using this server?"

The error message disappears when we configure Outlook 2007 to use as the
(for example) POP server the name set as Common Name of the certificate,
"servername.domain.it", only ignoring the "Alternative" names.

We would need to find a way to have Outlook 2007 working with the same
configurations in use now for all the (thousands of) clients, in foresight of
a migration of the client systems to Office 2007, without requiring the users
to change their client settings.

Side note: the problem arises whether the "Subject Alt Names" X.509
extension is flagged as "non critical" or as "critical".

Thank you so much for any help.

Fabio
Fabio Spelta - 10 Mar 2008 16:43 GMT
Sorry to insist on this topic, but this is becoming pretty critical to us.

We are sincerely suspecting that this behaviour is due to a MS Outlook 2007
bug.

Can anybody please confirm this?
Or, if it's not a bug, help us identify the problem?

Thank you so much everyone.

> Hello,
>
[quoted text clipped - 48 lines]
>
> Fabio
Brian Tillman - 11 Mar 2008 14:11 GMT
> Sorry to insist about this topic, but this is becoming pretty
> critical to us.

I don't know if there is anyone in this newsgroup conversant enough with the
certificate handling within Outlook to be able to answer your question.  MS
employees rarely visit.

Brian Tillman [MVP-Outlook]
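
The name check described in the first post, as an added example that is not part of the original thread: it compares a client that looks only at the Common Name with one that follows the RFC 2818 order (dNSName entries first, CN only as a fallback). `CERT` is constructed sample data using the thread's placeholder names; it assumes the CN is not repeated in the SAN list, which the thread does not state.

```python
# Added example: CN-only versus SAN-aware server name matching.
# CERT is constructed sample data in the dict layout returned by
# ssl.SSLSocket.getpeercert(); it is not a real certificate.
CERT = {
    "subject": ((("commonName", "servername.domain.it"),),),
    "subjectAltName": (
        ("DNS", "smtp.domain.it"),
        ("DNS", "pop.domain.it"),
        ("DNS", "imap.domain.it"),
    ),
}
HOSTS = ["servername.domain.it", "smtp.domain.it", "pop.domain.it", "imap.domain.it"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def label_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def match_cn_only(cert, host):
    """The behaviour the first post attributes to Outlook 2007."""
    return any(label_match(cn, host) for cn in common_names(cert))

def match_san_aware(cert, host):
    """RFC 2818 section 3.1: if dNSName entries exist, only they are used."""
    sans = dns_sans(cert)
    if sans:
        return any(label_match(s, host) for s in sans)
    return match_cn_only(cert, host)  # CN fallback only when no dNSName is present

def report(cert, hosts):
    """Map each configured server name to (cn_only_ok, san_aware_ok)."""
    return {h: (match_cn_only(cert, h), match_san_aware(cert, h)) for h in hosts}

if __name__ == "__main__":
    for host, (cn_ok, san_ok) in report(CERT, HOSTS).items():
        print(f"{host:24} CN-only={cn_ok!s:5} SAN-aware={san_ok}")
```

With this sample data the aliases pass only the SAN-aware check, while the CN name passes only the CN-only check; listing the CN's name among the SAN dNSName entries as well makes it pass both.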

 