Outlook 2007 POP3 or IMAP4 clients using TLS receive a “Target Principal Name is Incorrect” certificate error when connecting to Small Business Server 2008.

Source: Microsoft Support

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

After you configure Outlook 2007 to connect to Windows Small Business Server 2008 (SBS) by using either POP3 or IMAP4 with TLS, you receive a certificate error when beginning a connection. 

 

“The server you are connected to is using a security certificate that cannot be verified.

The target principal name is incorrect.

Do you want to continue using this server?”

 

If you select “Yes”, the connection will continue successfully.  You will not receive this prompt again until you close and reopen Outlook 2007.

This occurs because of the order in which the DNS names are listed in the Subject Alternative Name field on the SBS 2008 self-signed certificate, and the way that Outlook 2007 reads this field.  The first DNS name in the list does not match the server’s public FQDN (Fully Qualified Domain Name).  Outlook 2007 reads only the first DNS name, and then compares it to the name of the POP, IMAP, or SMTP server that it is configured to connect to.  The two names do not match.

You will not receive this error in Outlook 2000, Outlook 2003, Outlook Express, or Windows Mail.

To resolve this issue, use the Add a trusted certificate wizard to request and install a 3rd party certificate from a trusted Certificate Authority.

You must complete the Internet Address Management wizard to configure your external FQDN before running the Add a trusted certificate wizard.  The same name should be used in your request for the 3rd party certificate.  Be aware that, by default, the Internet Address Management wizard adds “remote” as the prefix to the domain that you enter. For instance, if you entered contoso.com as your domain name, then the wizard will assign remote.contoso.com as your external FQDN.  Therefore, you should use remote.contoso.com in your certificate request.

For more information visit:

http://technet.microsoft.com/en-us/library/cc766572.aspx (http://technet.microsoft.com/en-us/library/cc766572.aspx) (http://technet.microsoft.com/en-us/library/cc766572.aspx)

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.