Microsoft KB Archive/330347

= XCCC: Client Does Not Receive Alert If Conferencing Server Certificate Is Not Valid =

Article ID: 330347

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Exchange 2000 Conferencing Server Service Pack 3

-



This article was previously published under Q330347



SYMPTOMS
You configured your Exchange 2000 Conferencing Server computer to use tunneling for communications, as detailed in the Exchange 2000 Conferencing Server Service Pack 3 (SP3) release notes. You configured your Exchange Multipoint Control Unit (MCU) server to use a certificate, and any clients who join public or private conferences should now use a secure communications tunnel.

When clients join a conference, they validate the server certificate and verify that the following conditions are true:
 * The server certificate was issued by a trusted certification authority (CA).
 * The server certificate has not been revoked by the CA.
 * The current date is not before or after the date that the certificate is valid.
 * The server name on the certificate matches the name of the server with which the clients are communicating.

If any of the these conditions is false, the client receives a message that the certificate is not valid, and the user must accept or decline communication with the server.

If the server certificate was generated locally, clients determine that the certificate originated from a CA that is not known or trusted. The client is then expected to display a dialog box that alerts users that the communication may not be secure. The dialog box does not appear on the client, and users cannot join the conference.

This problem can prevent clients from identifying certificates that originate from sources that are not trusted, which renders sources that are not trusted as effectively trusted and breaks the security model. This problem can also permit others to intercept and interfere with data that is being transferred, which is sometimes referred to as a &quot;man-in-the-middle&quot; attack.

Note If the CA root certificate has been installed on the client, the CA is considered a trusted CA by the client.

For additional information about how to install a CA root certificate on the client, click the following article number to view the article in the Microsoft Knowledge Base:

218445 How to Configure Certificate Server for Use with SSL on IIS



CAUSE
This problem may occur if the server certificate was issued by using the auto-enrollment feature of the certificate server. The auto-enrollment process generates a certificate by using the fully qualified domain name (FQDN) of the MCU server. When the client initiates communication with the server, the common name is used, which prevents the certificate from being properly validated.



RESOLUTION
To resolve this problem, install Exchange 2000 SP3. After you install Exchange 2000 SP3, alert dialog boxes appear on the client if the server certificate is not valid, and the users can decide whether to continue with communication that is not secure.



WORKAROUND
To work around this problem, modify the MCU names that are listed under Sites in the MCU Properties dialog box. To do so, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft Exchange, and then click Conferencing Manager.
 * 2) Right-click Exchange Conferencing, and then click Manage.
 * 3) Select your conference management site, and then click OK.
 * 4) In the left pane, click your site.
 * 5) In the left pane, double-click Data Conferencing Provider.
 * 6) In the right pane, right-click your server, and then click Properties.
 * 7) Click Sites.
 * 8) In the Local sites dialog box, click the server in the left pane, and then click Add.
 * 9) Click OK two times.

Another workaround is to generate and install a new server certificate for the MCU server by using the common name of the server instead of the FQDN.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
314038 XCCC: Enforcing Encryption for Password-Protected Public Data Conferences

Keywords: kbbug KB330347

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.