XCCC: Client Does Not Receive Alert If Conferencing Server Certificate Is Not Valid (330347)
The information in this article applies to:
- Microsoft Exchange 2000 Server
- Microsoft Exchange 2000 Enterprise Server
- Microsoft Exchange 2000 Conferencing Server SP3
This article was previously published under Q330347

SYMPTOMS
You configured your Exchange 2000 Conferencing Server computer to use tunneling for communications, as detailed in the Exchange 2000 Conferencing Server Service Pack 3 (SP3) release notes. You configured your Exchange Multipoint Control Unit (MCU) server to use a certificate, and any clients who join public or private conferences should now use a secure communications tunnel. When clients join a conference, they validate the server certificate and verify that the following conditions are true:
- The server certificate was issued by a trusted certification authority (CA).
- The server certificate has not been revoked by the CA.
- The current date is not before or after the dates between which the certificate is valid.
- The server name on the certificate matches the name of the server with which the clients are communicating.
If any of these conditions is false, the client receives a message that the certificate is not valid, and the user must accept or decline communication with the server. If the server certificate was generated locally, clients determine that the certificate originated from a CA that is not known or trusted. The client is then expected to display a dialog box that alerts users that the communication may not be secure. However, the dialog box does not appear on the client, and users cannot join the conference.

This problem can prevent clients from identifying certificates that originate from sources that are not trusted, which renders sources that are not trusted as effectively trusted and breaks the security model. This problem can also permit others to intercept and interfere with data that is being transferred, which is sometimes referred to as a "man-in-the-middle" attack.

Note: If the CA root certificate has been installed on the client, the CA is considered a trusted CA by the client. For additional information about how to install a CA root certificate on the client, click the following article number to view the article in the Microsoft Knowledge Base:
218445 How to Configure Certificate Server for Use with SSL on IIS
CAUSE
This problem may occur if the server certificate was issued by using the auto-enrollment feature of the certificate server. The auto-enrollment process generates a certificate that names the MCU server by its fully qualified domain name (FQDN). When the client initiates communication with the server, it uses the server's common name (the unqualified host name) instead, so the name on the certificate does not match the name the client connected to, and the certificate cannot be properly validated.

RESOLUTION
To resolve this problem, install Exchange 2000 SP3. After you install Exchange 2000 SP3, alert dialog boxes appear on the client if the server certificate is not valid, and the users can decide whether to continue with communication that is not secure.

WORKAROUND
To work around this problem, modify the MCU names that are listed under Sites in the MCU Properties dialog box. To do so, follow these steps:
- Click Start, point to Programs, point to Microsoft Exchange, and then click Conferencing Manager.
- Right-click Exchange Conferencing, and then click Manage.
- Select your conference management site, and then click OK.
- In the left pane, click your site.
- In the left pane, double-click Data Conferencing Provider.
- In the right pane, right-click your server, and then click Properties.
- Click Sites.
- In the Local sites dialog box, click the server in the left pane, and then click Add.
- Click OK two times.
Another workaround is to generate and install a new server certificate for the MCU server by using the common name of the server instead of the FQDN.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
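The four client-side checks listed under SYMPTOMS, the name mismatch that CAUSE attributes to auto-enrollment, and the second workaround (a certificate whose names cover what the client actually connects to), modelled as an added example. This is illustrative code written for this page, not Microsoft's conferencing client; it uses a simplified certificate record instead of real X.509 parsing, and the host name mcu01, the domain contoso.com, the CA name, serial numbers and dates are all constructed. It goes slightly beyond the article by honouring subjectAltName entries and wildcard names in the name check, and by showing the fail-closed prompt the client was supposed to raise.

```python
# Added example for this page; not Microsoft's conferencing client code.
# Models the four server-certificate checks with a simplified certificate
# record (no real X.509 parsing). All names, serials and dates are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Cert:
    subject_cn: str        # subject common name
    issuer_cn: str         # common name of the issuing CA
    serial: int
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: case-insensitive; a wildcard may only be the
    whole leftmost label and must leave at least two labels to its right."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def validate(cert: Cert, hostname: str, trusted_roots: Set[str],
             revoked: Set[Tuple[str, int]], now: datetime) -> List[str]:
    """Apply the four checks from the article; return the failures (empty = valid)."""
    failures: List[str] = []
    if cert.issuer_cn not in trusted_roots:                    # issued by a trusted CA?
        failures.append(f"issuer '{cert.issuer_cn}' is not a trusted CA")
    if (cert.issuer_cn, cert.serial) in revoked:                # revoked by that CA?
        failures.append(f"serial {cert.serial:#x} was revoked by '{cert.issuer_cn}'")
    if not (cert.not_before <= now <= cert.not_after):          # inside validity period?
        failures.append("current date is outside the certificate validity period")
    names = cert.san_dns or [cert.subject_cn]                   # SAN takes precedence over CN
    if not any(hostname_matches(n, hostname) for n in names):   # name matches server name?
        failures.append(f"name mismatch: connected to '{hostname}', certificate names {names}")
    return failures


def client_join(cert: Cert, hostname: str, trusted_roots: Set[str],
                revoked: Set[Tuple[str, int]], now: datetime,
                ask_user: Callable[[List[str]], bool]) -> bool:
    """Fail-closed join decision: a valid certificate joins silently; any failure is
    shown to the user, who accepts or declines. The bug in the article is that this
    prompt never appeared, so the failures were never surfaced to the user."""
    failures = validate(cert, hostname, trusted_roots, revoked, now)
    return True if not failures else ask_user(failures)


# Constructed sample data (host mcu01, domain contoso.com and the CA name are assumptions).
UTC = timezone.utc
NOW = datetime(2002, 11, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2004, 1, 1, tzinfo=UTC)
VALID_FROM, VALID_TO = datetime(2002, 1, 1, tzinfo=UTC), datetime(2003, 1, 1, tzinfo=UTC)
TRUSTED_ROOTS = {"Contoso Enterprise CA"}
REVOKED: Set[Tuple[str, int]] = {("Contoso Enterprise CA", 0x1001)}

# As auto-enrollment issues it: CN is the FQDN, no SAN.
AUTOENROLLED = Cert("mcu01.contoso.com", "Contoso Enterprise CA", 0x2001, VALID_FROM, VALID_TO)
# Generated locally: the issuer is the server itself, not a trusted root.
SELF_SIGNED = Cert("mcu01", "mcu01", 1, VALID_FROM, VALID_TO)
# Issued by the trusted CA but later revoked.
REVOKED_CERT = Cert("mcu01", "Contoso Enterprise CA", 0x1001, VALID_FROM, VALID_TO)
# Covers both the FQDN and the short name, so either connection name validates.
SAN_CERT = Cert("mcu01.contoso.com", "Contoso Enterprise CA", 0x2002, VALID_FROM, VALID_TO,
                san_dns=["mcu01.contoso.com", "mcu01"])


def scenarios() -> Dict[str, List[str]]:
    """Run the article's scenarios; all but one connect by the short name."""
    return {
        "auto-enrolled, client uses short name": validate(AUTOENROLLED, "mcu01", TRUSTED_ROOTS, REVOKED, NOW),
        "auto-enrolled, client uses FQDN": validate(AUTOENROLLED, "mcu01.contoso.com", TRUSTED_ROOTS, REVOKED, NOW),
        "self-signed": validate(SELF_SIGNED, "mcu01", TRUSTED_ROOTS, REVOKED, NOW),
        "revoked": validate(REVOKED_CERT, "mcu01", TRUSTED_ROOTS, REVOKED, NOW),
        "SAN covers both names": validate(SAN_CERT, "mcu01", TRUSTED_ROOTS, REVOKED, NOW),
    }


if __name__ == "__main__":
    for name, failures in scenarios().items():
        print(f"{name}: {'valid' if not failures else '; '.join(failures)}")
    # A client that declines whenever it would have had to prompt the user:
    print("join with auto-enrolled cert by short name:",
          client_join(AUTOENROLLED, "mcu01", TRUSTED_ROOTS, REVOKED, NOW, lambda f: False))
```

The auto-enrolled certificate validates only when the client addresses the server by the FQDN, which is what the first workaround (adding the server name under Sites) and the second workaround (reissuing the certificate under the name the client uses) both restore. The important design point is in client_join: a failed check never silently becomes a successful join; it either reaches the user's accept/decline decision or the join is refused.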
Modification Type: Major
Last Reviewed: 3/1/2006
Keywords: kbbug KB330347 kbAudITPRO