Error: "The name on the security certificate is invalid or does not match the name of the site" for Autodiscover certificate in Outlook on Office 365

book

Article ID: 169223

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

When Outlook is configured to use an email account that is hosted within Office 365, part of its connection process is a request to http://autodiscover.XXXXX.com or https://autodiscover.XXXXX.com (where XXXXX is the company domain, outlook, etc.).  These requests time out as these servers do not actually exist.  When a ProxySG or Advanced Secure Gateway is deployed transparently these requests can be intercepted and processed.

Depending on the ProxySG or Advanced Secure Gateway configuration, the requests for https://autodiscover.XXXXX.com might result in a security alert prompt to the client. For example:

User-added image

Cause

This issue occurs because of how ProxySG and Advanced Secure Gateway process the https://autodiscover.XXXXX.com request when the following is true:

  • Port 443 is set to intercept and the service type is SSL proxy.  This means requests for https://autodiscover.XXXXX.com are processed by SSL proxy.
  • SSL interception on exception is enabled (this is enabled by default on SGOS 6.2 and newer and all ASG versions).
  • Either:
    • The client does not trust the ProxySG's or Advanced Secure Gateway's certificate found in the Configuration->Proxy Settings->SSL Proxy->General Settings->Issuer keyring as a "Trusted Certificate Authority (CA)" in their browser.  
    • The certificate found in the Configuration->Proxy Settings->SSL Proxy->General Settings->Issuer keyring has expired.

      NOTE: The last two bullets depending on if the security alert is about an untrusted issuer (4) or a date that is invalid (5).

When the ProxySG or Advanced Secure Gateway receives the request for https://autodiscover.XXXXX.com, attempts to contact this server time out. This initiates the SSL interception on exception feature in which ProxySG or Advanced Secure Gateway responds to the client with a server certificate issued by the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring so that the SSL handshake can complete and an appropriate exception page can be shown.

The security alert occurs during the SSL handshake because the client either does not trust the issuer of the server certificate, or the date of the server certificate has expired.

Resolution

The resolution of the security alert popup depends on the reason why the popup was generated:

If the security alert is about an untrusted issue

You must take steps to ensure that the client trusts the certificate found in Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring (as a trusted CA). To do this, either change this option to a keyring the client already trusts, or see Add Proxy SG certificate into my browser to install the certificate into the browser.

Note: In step one of teh TECH241928 article, the keyring used for SSL interception on exception is found at Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring.

If the security alert is about the date of the certificate expiring

Note: ProxySG and Advanced Secure Gateway only store a certificate that is valid for 2 months

Ensure that the keyring used is trusted by clients and has not expired. That keyring is specified in the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring configuration.

If the keyring has expired, create a new one, and specify it in the configuration mentioned previously. See Default keyring has expired or is about to expire for more information.

If the keyring has not expired, then the certificate emulate, which is valid for 2 months, has been saved in certificate cache and has not been removed from cache because it is constantly being requested by clients. Flushing certificate cache will resolve this issue.  Add Proxy SG certificate into my browser shows how to flush the certificate cache.

Attachments