Can Outlook on Work-Group Machine connect to Exchange without trusting Certificate??

  • Can Outlook on Work-Group Machine connect to Exchange without trusting Certificate?

    Hello everyone,
    That's my first post here.

    I have a misunderstanding here about Outlook's secured connection with Exchange 2010 SP1.

    We have some workgroup clients, Windows XP and Windows 7, with mixed Outlook versions 2007 and 2010.

    The point is: these work-group clients don't have the Exchange certificate in their trusted CA store. Why can they connect to Exchange by MAPI connection?

    Outlook should check the certificate that will secure the connection. If it's not trusted, Outlook should drop the connection with "cannot find ..." message.

    Users just get a little mismatch warning for the CAS-Array FQDN certificate. When they click Yes and give credentials, they connect and get mail. My manager considers this a security breach.

    Sorry, I'm pretty sure that they shouldn't connect. A lot of research came to nothing on this. Could you clarify this point if I'm missing something?

    Thanks

  • #2
    Re: Can Outlook on Work-Group Machine connect to Exchange without trusting Certificate?

    Working as intended; a normal MAPI connection doesn't use HTTPS. If you think about the encryption between Outlook and the Exchange server, this is normal RPC encryption, which is not certificate based.

    Whether the certificate is trusted or not depends on which CA provided the certificate. If you have an official certificate from a commercial CA, it is trusted because normally every client has the certificate in its local store.

    I wouldn't call this a security breach because users still have to provide username + password in order to connect to their mailbox.



    • #3
      Re: Can Outlook on Work-Group Machine connect to Exchange without trusting Certificate?

      This is expected behaviour.

      MAPI is an RPC based protocol, and on domain member machines Outlook uses Integrated Windows Authentication so that users don't have to provide credentials to use it. When an authentication mismatch occurs (as it would with a workgroup PC) the user is prompted for domain credentials and will authenticate if they are provided.

      RPC over HTTPS (Now called Outlook Anywhere) channels RPC through an SSL tunnel to allow remote users to connect to an Exchange server over the internet without using a VPN. This requires either the root certificate (for internal CAs) or a trusted 3rd party certificate to operate.

      I would not consider this a security breach, assuming that the workgroup PCs are on the same subnet (or have an internal, non-public route to the same subnet) as the Exchange server. Your external firewall should not be allowing RPC from the internet, and if it is you have far bigger problems than Outlook clients. If it is desired to force the workgroup PCs to use HTTPS connections to Exchange or to block MAPI then configure a new subnet for the workgroup PCs and use the router to block the undesired traffic.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog



      • #4
        Re: Can Outlook on Work-Group Machine connect to Exchange without trusting Certificate?

        The CAS Array doesn't have an SSL certificate. If you are using the same name for the CAS array as anything else then you have gone against the recommendation from Microsoft.

        A client would only use HTTPS for the web services part; that could be Outlook Anywhere, OAB, autodiscover etc. The self-signed certificate is not supported for use with Outlook Anywhere.

        Thus the certificate prompt you are seeing is coming from one of those parts, but wouldn't stop the client from connecting if it can make a MAPI connection over TCP/IP - as already indicated.

        Trying to control access to the Exchange server via SSL certificate isn't really going to work.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.
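Simon's point that the prompt comes from the HTTPS services (Outlook Anywhere, autodiscover, OAB) and not from the MAPI/RPC connection can be checked by comparing the names on the certificate the CAS presents with the HTTPS namespaces Outlook actually uses. The Python below is an added example, not code from the thread; the certificate dict and host names are constructed, in the shape that Python's `ssl.SSLSocket.getpeercert()` returns for a verified connection.

```python
# Added example (not from the thread): which Exchange HTTPS namespaces does the
# certificate on the CAS cover? Outlook only validates the certificate for the
# HTTPS parts (Outlook Anywhere, Autodiscover, OAB); the CAS array FQDN used
# for MAPI over RPC/TCP never presents one. All names below are constructed.
# The cert dict mirrors the shape of ssl.SSLSocket.getpeercert().
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mail.example.local"),),),
    "subjectAltName": (
        ("DNS", "mail.example.local"),
        ("DNS", "autodiscover.example.local"),
    ),
}
HTTPS_NAMESPACES = [
    "mail.example.local",          # Outlook Anywhere / EWS host
    "autodiscover.example.local",  # Autodiscover
    "oab.example.local",           # OAB published on its own host name
]

def cert_names(peer_cert):
    """Collect DNS subjectAltName entries plus the subject commonName."""
    names = set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names

def name_matches(hostname, pattern):
    """RFC 6125 style match: exact, or a wildcard in the leftmost label only."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if hostname == pattern:
        return True
    if not pattern.startswith("*."):
        return False
    h_labels, p_labels = hostname.split("."), pattern.split(".")
    # '*' stands for exactly one label: neither the bare parent domain nor a
    # deeper subdomain is covered.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def uncovered_namespaces(peer_cert, namespaces):
    """HTTPS namespaces that would trigger the name-mismatch prompt."""
    names = cert_names(peer_cert)
    return [ns for ns in namespaces
            if not any(name_matches(ns, n) for n in names)]

if __name__ == "__main__":
    print("Prompt expected for:", uncovered_namespaces(SAMPLE_PEER_CERT, HTTPS_NAMESPACES))
```

Any name the function lists is one where Outlook's HTTPS client will warn; the CAS array FQDN is deliberately not in the list, since a MAPI over TCP connection to it is never certificate checked.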
