Wrong certificate when using Outlook Mac 2016
  •  
acq@ghi-dc.org

Hi,

Some of my users are receiving a certificate prompt when connecting to Kerio. The strange part is that the certificate has the wrong name in it and also has never been applied to the server. This only happens when connecting to Kerio via autodiscover and on Outlook for Mac (2016). If I disable autodiscover on the client, my users do not receive a certificate prompt.

Do you have any input on this? Has anyone dealt with this?

Thanks.
  •  
Brian Carmichael (Kerio)

You should configure Autodiscover for your domain because Outlook and other clients insist on it, and ultimately it will improve the user experience when configuring new accounts. This certificate error is probably coming from your web server, which isn't set up properly for SSL communication and does not have a CA-signed and trusted certificate. This article describes how to set up autodiscover in your DNS: http://kb.kerio.com/product/kerio-connect/server-configuration/mail-delivery-and-dns-records/configuring-autodiscover-in-kerio-connect-1899.html
In the 'Details' section of the article, the third bullet is most likely the requirement you need to satisfy. Either get a signed certificate for your website or disable SSL on your web server if it's not necessary. The issue is that the autodiscover client (Outlook) tries to connect to your web server so that it can realize that it's actually not a valid autodiscovery server. Without a valid certificate, it can't get past the SSL connection phase to determine that it's not a viable server. So in other words, it needs to be able to succeed so that it can fail. Eventually it will use SRV DNS lookup to determine the correct address of your Kerio Connect server. Unfortunately, autodiscovery is set up to perform the SRV method last, after all other autodiscover methods have failed.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
acq@ghi-dc.org

Hi Brian,

Sorry for the late response.

We have a signed certificate in place. I have double checked the public and private DNS settings for autodiscover. Both records look fine to me.
Yet, if people use autodiscover to configure an Exchange account with Outlook 2016 on a Mac, they receive the wrong certificate (screenshot attached). I do not recognize this certificate; this particular domain is not being used by our organization, and we also never purchased it. This certificate (the wrong one) is not installed on Kerio Connect. In fact, we have only one certificate (UCC) installed.

As I have said before, everything works fine if one enters the actual host name for the server and if autodiscover has been disabled in Outlook.

  •  
Pavel Dobry (Kerio)

The certificate is not from Kerio Connect, and Outlook does not try to do autodiscovery on the Kerio Connect server. It connects to the hostname which equals your email domain (e.g. https://domain.com). So it contacts your web server instead of Kerio Connect (which is probably on some subdomain like mail.domain.com).
This is how Outlook does autodiscovery.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
  •  
acq@ghi-dc.org

Pavel,

I am not sure if I understand your response. Of course the cert is coming Kerio and I do not recognize it. That is what concerns me.

Outlook always does autodiscover. Even if you manually enter the server address Outlook defaults to autodiscover. One has to deliberately disable autodiscover. This is what I did for the users who get the error message.
Maybe I should add that I am not using the Kerio setup tool to configure Outlook. It has been hit and miss in the past; also, it does not allow for adding multiple accounts in Outlook (some users just need access to multiple accounts and prefer working with one application only).

I checked the autodiscover settings on my network from Windows and Mac and the results seem fine to me. There is no problem with autodiscover on Windows machines running Outlook 2010 through 2016. Unless Kerio disables autodiscover in KOFF but I would not know about that.
  •  
Pavel Dobry (Kerio)

OK, I will try to explain it in a better way.
Your Outlook looks for the autodiscover script on the server with a hostname equal to your email domain name. This server is apparently live and probably hosts your web pages.
Outlook does not contact the Kerio Connect server and there is nothing we can do about it. The only workaround is to disable autodiscovery in Outlook or ask your web hosting provider to not run your website on domain.name but on www.domain.name.

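Added example, not part of the original posts and not Kerio or Microsoft code: a Python walk through the lookup order the replies above describe (bare mail domain first, SRV last), reporting the first HTTPS candidate whose certificate does not cover the host being contacted. The /autodiscover/autodiscover.xml path and the autodiscover.<domain> steps are assumptions taken from Microsoft's documented Autodiscover behaviour rather than from this thread; example.org, the SAN lists and all function names are constructed for illustration.

```python
import socket
import ssl

# Constructed sample: SANs of the certificate served on each host (absent = no TLS listener).
SAMPLE = {
    "example.org": ["shared.hosting.example.net", "*.hosting.example.net"],
    "autodiscover.example.org": ["mail.example.org", "autodiscover.example.org"],
}

def candidates(email):
    """Lookup order: web server on the bare mail domain first, DNS SRV last."""
    domain = email.rsplit("@", 1)[1].lower()
    path = "/autodiscover/autodiscover.xml"  # assumed path, not stated in the thread
    auto = f"autodiscover.{domain}"
    return [
        ("https-root", domain, f"https://{domain}{path}"),
        ("https-autodiscover", auto, f"https://{auto}{path}"),
        ("http-redirect", auto, f"http://{auto}{path}"),
        ("dns-srv", f"_autodiscover._tcp.{domain}", None),
    ]

def san_covers(host, sans):
    """True if a SAN dNSName covers host; '*' stands for exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def first_prompt(email, presented):
    """Return the first HTTPS candidate whose served certificate does not cover it."""
    for method, host, url in candidates(email):
        if url and url.startswith("https://") and host in presented:
            if not san_covers(host, presented[host]):
                return method, host, presented[host]
    return None

def probe(host, port=443, timeout=5):
    """Live check of one candidate: handshake with system trust store and hostname check."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return f"no TLS service: {exc}"
```

Running probe() against the first two hosts returned by candidates() for a real mail domain shows which server a client following this order reaches first and whether its certificate is accepted.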
  •  
acq@ghi-dc.org

Thanks Pavel. I will contact the website hoster.

However, it is strange that it only affects Outlook 2016 for Mac. It does not affect Outlook 2011 for Mac nor does it affect all the Windows versions of Outlook (2010 through 2016) which I am also supporting.
Entering autodiscover.mydomain.com takes one to the correct server. The DNS settings are all correct and point to the right IP.

Please note I am not saying that Kerio is at fault. I am just looking for clues.
  •  
Pavel Dobry (Kerio)

That is a question for Microsoft. Mac versions of Office are very different from the Windows versions, and they are created by a different development team.
BTW: Here is what you need to know: https://technet.microsoft.com/en-us/library/jj984202(v=office.16).aspx

[Updated on: Thu, 26 May 2016 23:44]

