
Working around SSL Root Certificate Errors with Entourage 2004 and Microsoft Exchange

Filed under: Articles — dean at 03:52 PM on Jun 11, 2004
Connecting to Microsoft Exchange servers from a Mac has never been much fun. Typically, Exchange clients for the Mac have lagged one full version behind those for Windows. Outlook 2001 brought Mac OS 9 users closer to parity with Windows users, but there was a really long delay before we got to Entourage X with Exchange support. That "support," if you want to call it that, was second-rate, to say the least, and left many organizations running Outlook 2001 in Classic mode because of network issues, delays, and the general lack of calendar, public folder, and contact directory support. If you're already familiar with all of this and want to skip to the how-to, jump ahead to the "How to Set Up Entourage 2004" section below.

Entourage 2004 was supposed to correct many of these issues, and it has, using WebDAV, the same protocol that powers Outlook Web Access. All you need to do as an Exchange administrator (theoretically) is enable Outlook Web Access, and you should be good to go, right? Well, not exactly. Exchange 2000 and 2003 both generate a self-signed SSL certificate for use with Outlook Web Access, because without SSL your login credentials cross the network in clear text, leaving you open to miscreants who would steal your passwords.

Many organizations rely on these certificates for peace of mind. Enabling Outlook Web Access without SSL is not good for a network administrator's job security or for corporate trade secrets. To use WebDAV securely, from inside the firewall or outside it, you need an SSL certificate, and Entourage 2004 needs WebDAV to do its job. Some organizations pay for Verisign certificates for this purpose, but in reality there's no good reason to, since the certificate generated by the Exchange server is sufficient for a Mac web browser connecting to Outlook Web Access.

Well, we got a call from a client this week who was having issues with WebDAV over SSL: they kept getting an "improperly installed root certificate file" error message, so they turned the issue over to us. We tried it against our own server running Exchange 2003 and hit exactly the same problem. After some head-scratching and following the suggestions for installing the certificate found in the Entourage Help documentation, we concluded that we were either doing something wrong, that Entourage had a fatal SSL bug (it is a point "oh" release), or that Microsoft's instructions were just plain wrong. We converted, massaged, regenerated, and formatted the certificate with the openssl tools on Mac OS X. No joy. Here's what happens: upon logging in, a dialog comes up with the following message:



Followed by another less pleasing dialog:



Clicking the link to Entourage Help brings up instructions for installing the certificate with Microsoft Cert Manager and Keychain Access that just don't work, as we found out after a few hours. It's funny: no matter how often I run into such errors, I always think I'm doing something wrong.

We Called Microsoft

We figured this would be as good a test of Microsoft's technical support as we were likely to get. After all, the issue clearly extended beyond a simple installation question and into the realm of Exchange Server administration. However, after several transfers and repetitions of our problem, we were told that a specialist would call. Can you hear us snickering? Yeah, right.

Well, we actually did get a call from a friendly and knowledgeable support engineer named Peter Wilson, from the Microsoft Exchange Client Server Infrastructure Support Group. Pete, this is a blatant plug for ya; I hope you get a bump for being so good to us Mac consultants! Later in the day, we received an email from Pete with step-by-step instructions on how to install the certificate that clearly countermanded those in Entourage Help. A couple of tries, still no joy. Then a little Mac troubleshooting, and wham! It worked: all of our email came rushing in, the calendar counted up appointments, and even Office Notifications worked. Best of all, it was all over secure WebDAV! Pete also mentioned that he'd gotten a few other identical queries and that he was sorry for the trouble.
Well, Peter Wilson, of Microsoft's Exchange Client Server Infrastructure Support Group, you the man! This how-to's for you! (And for everyone else who's dealing with this frustration.)

How to Set Up Entourage 2004 with WebDAV over SSL for Exchange Server Connections

Export the self-signed SSL certificate from the Exchange Server your Entourage 2004 clients will connect to. If you have administrative access to the Exchange Server, follow these steps yourself; otherwise, ask your Windows Server system administrator to do so:

1. Open the IIS management application on the Exchange Server or on another server connected to it:



2. Open the properties of the web site containing your OWA/Exchange site (typically the Default Web Site):




3. Select the Directory Security tab, then View Certificate, then select the Details tab:



4. Next, select "Yes, export the private key":



5. Check the box that says "Include all certificates in the certification path":



6. Choose a passphrase to protect the contents of the exported certificate file:



7. Name the file, then place it on a server, a USB keychain drive, a CD, or some other media that can get it to the Macintosh:




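What actually leaves the server in step 7 is a PKCS#12 (.pfx) bundle containing the certificate and its private key, locked with the passphrase from step 6. The following script is an added example, not part of the original article or anything Microsoft shipped: it reproduces that export offline with openssl, then shows what a Mac administrator can check before trusting the file. A throwaway self-signed certificate stands in for the one IIS generates for Outlook Web Access; the host name "owa.example.test", the passphrase, and the working directory are constructed placeholders. Because a self-signed certificate is only as trustworthy as the channel it arrived over, the script prints the subject, issuer, validity dates and SHA-1 fingerprint so they can be compared against what the server actually presents, and it separates the public certificate from the private key so the key does not need to travel any further than it has to.

```shell
#!/bin/sh
# Added example (not the article's own commands): round-trip a PKCS#12 export
# with openssl and inspect it the way a Mac administrator would before trusting it.
set -e

WORK=$(mktemp -d)                        # constructed scratch directory
PASS='changeme-export-passphrase'        # constructed; stands in for the step 6 passphrase

# 1. Stand-in for the self-signed certificate IIS generates for OWA.
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=owa.example.test" \
        -keyout "$WORK/owa.key" -out "$WORK/owa.crt" 2>/dev/null
}

# 2. Stand-in for the IIS export wizard (steps 4-7): certificate plus private
#    key, bundled as PKCS#12 and protected by the passphrase.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/owa.key" -in "$WORK/owa.crt" \
        -passout "pass:$PASS" -out "$WORK/owa.pfx"
}

# 3. On the Mac: pull only the certificate(s) out of the bundle. -nokeys keeps
#    the private key out of the PEM file; any chain certificates included in
#    step 5 are kept.
extract_cert_only() {
    openssl pkcs12 -in "$WORK/owa.pfx" -passin "pass:$PASS" -nokeys \
        -out "$WORK/owa-public.pem" 2>/dev/null
}

# 4. Print what the Mac is about to trust: subject, issuer, validity window,
#    SHA-1 fingerprint. For a self-signed certificate subject and issuer match.
describe_cert() {
    openssl x509 -in "$WORK/owa-public.pem" -noout \
        -subject -issuer -dates -fingerprint -sha1
}

# Returns 0 when the certificate is self-signed (subject equals issuer).
is_self_signed() {
    subj=$(openssl x509 -in "$WORK/owa-public.pem" -noout -subject)
    iss=$(openssl x509 -in "$WORK/owa-public.pem" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the PEM file carries a certificate and no private key.
has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$WORK/owa-public.pem" &&
        grep -q 'BEGIN CERTIFICATE' "$WORK/owa-public.pem"
}

# Optional, needs network and is not run here: fetch the certificate the live
# server presents on port 443 so its fingerprint can be compared with the
# exported copy before the Mac is told to trust it. $1 is the OWA host name.
show_server_cert() {
    printf '' | openssl s_client -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -subject -fingerprint -sha1
}

run_round_trip() {
    make_stand_in_cert && export_pfx && extract_cert_only && describe_cert
}

run_round_trip
```

Run it as-is to see the subject, issuer, dates and fingerprint of the stand-in certificate; substitute the real .pfx and passphrase for the constructed ones to inspect an actual export. The article's own procedure imports the whole bundle with Microsoft Cert Manager, so keep the .pfx for that step; the certificate-only PEM is what you would hand to anyone who merely needs to trust the server rather than impersonate it.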

Begin Work on your Macs

The following process details how to set up the SSL certificate you or your system administrator exported in the steps above so that you can avoid the SSL errors shown earlier. You can install the certificate as an X509 anchor, following Microsoft's directions in Entourage Help, but you must do one of the following to avoid the "root certificate error." Please note that you'll have to repeat the process on each Mac running Entourage. If you are staging a mass deployment, consider including the certificate, set up as a Digital ID, in your corporate image.

1. Install the certificate before launching Entourage for the first time, or:
2. Delete the "OfficeSync Prefs" file located in your home directory's Library/Preferences folder; then it will work.

However, installing it as an X509 anchor with the Keychain Access utility has a big downside: you'll never be able to remove it without root access and a fresh copy of the X509 anchors file from another Mac.

Installing the Certificate as a Digital ID

This is the process that Pete Wilson of Microsoft helped discover. In a follow-up call, we discussed it and he acknowledged that the steps he'd sent us (enhanced and tested below) were from an "unreleased source." Look for Microsoft to update the Entourage Help file in the future.

1. Open the application called "Microsoft Cert Manager" located in the Office folder inside your Microsoft Office 2004 folder:



2. Import the Exchange Server certificate and enter the passphrase:




3. Now everything should just work when you create your Exchange account and choose "Use SSL for these Servers" in the Entourage Setup Assistant:



4. Make sure you check the "DAV Service requires SSL" box in the "Advanced" account settings for your Exchange user. If you still get the "root certificate error" when starting Entourage, don't forget to delete the "OfficeSync Prefs" file located in your home directory's Library/Preferences folder and relaunch Entourage.



Now everything should function well, along with your Office Notifications and everything else. It's still not as good an Exchange client as Outlook for Windows, but it's a big improvement on Entourage X! And should you ever need to update the certificate for your Exchange Server, you'll be able to do so directly from the Microsoft Cert Manager application, without having to log in as root and mess with the X509 anchors file.

Dean Shavit is an instructor and consultant for MOST (Mac OS Training & Consulting), where problems like this are solved on a daily basis. If you have questions or feedback you can contact him at dean@macworkshops.com