You Receive a “Target Principal Name is Incorrect” Certificate Error in Outlook 2007 When Connecting to Either POP3 or IMAP4 on SBS 2008

[Today’s post comes to us courtesy of Shawn Sullivan]

This post discusses an issue we have seen specifically with Outlook 2007. After configuring Outlook 2007 to connect to SBS 2008 using either POP3 or IMAP4 with TLS, you receive a certificate error when initiating a connection.

“The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect.
Do you want to continue using this server?”

This error is not fatal. If you choose “Yes”, the connection will continue successfully and securely. You will not receive this prompt again until you close and reopen Outlook 2007. This error does not occur with earlier versions of Outlook, Outlook Express, or Windows Mail.

The problem is due to the order in which the DNS names are listed in the Subject Alternative Name field on the SBS 2008 self-signed certificate, and the way that Outlook 2007 reads this field. The first DNS name in the list does not match the server’s public FQDN (Fully Qualified Domain Name). Outlook 2007 reads only the first DNS name, and then compares it to the name of the POP, IMAP, or SMTP server that it is configured to connect to. The two names do not match.
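To make the mismatch concrete, here is a small added example (not code from the original post or from SBS 2008) that models both behaviours described above: a client that compares the configured server name only with the first dNSName in the Subject Alternative Name, and a client that accepts a match against any SAN entry. The SAN list and host names in it are constructed placeholders, not values from a real SBS 2008 certificate.

```python
"""Hostname matching against a certificate's Subject Alternative Name (SAN) list.

Constructed example. The SAN entries below are placeholders modelled on the
situation in the post: the server's internal name is listed first and the
public FQDN appears later in the list.
"""

# Constructed SAN dNSName list (placeholders, not from a real certificate).
CONSTRUCTED_SAN = [
    "sbsserver.contoso.local",  # internal name listed first
    "remote.contoso.com",       # public FQDN that clients actually connect to
    "sites",
    "sbsserver",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison.

    A '*' is accepted only as the entire left-most label and matches exactly
    one label (the common RFC 6125-style rule); a wildcard directly under a
    top-level domain such as '*.com' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def first_san_only_match(san_dns_names, hostname: str) -> bool:
    """Models the behaviour the post attributes to Outlook 2007: only the
    first dNSName in the SAN is compared with the configured server name."""
    if not san_dns_names:
        return False
    return dns_name_matches(san_dns_names[0], hostname)


def any_san_match(san_dns_names, hostname: str) -> bool:
    """Standard client behaviour: the certificate matches if the hostname
    matches any dNSName entry in the SAN."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def explain(san_dns_names, hostname: str) -> dict:
    """Diagnosis an administrator can read off directly: would a client
    that checks every SAN entry accept this name, and would a
    first-entry-only client accept it?"""
    return {
        "hostname": hostname,
        "first_san_entry": san_dns_names[0] if san_dns_names else None,
        "accepted_by_full_san_client": any_san_match(san_dns_names, hostname),
        "accepted_by_first_entry_only_client": first_san_only_match(san_dns_names, hostname),
    }


if __name__ == "__main__":
    # The public name is accepted by a full-SAN client but not by a
    # first-entry-only client; the internal name is accepted by both.
    for host in ("remote.contoso.com", "sbsserver.contoso.local"):
        print(explain(CONSTRUCTED_SAN, host))
```

Running the block shows why the prompt appears only for the public name: the certificate is valid for remote.contoso.com under normal SAN matching, so the warning is about how the first entry is read, not about a bad certificate. A certificate whose first dNSName is the public FQDN, or one issued by a public CA for that name, satisfies both kinds of client.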

To prevent this error from occurring, use the Add a trusted certificate wizard in the SBS console to request and install a third-party certificate. This certificate must be purchased from a trusted certificate authority. Before running this wizard, you need to complete the Internet Address Management Wizard to configure your external FQDN. Be aware that, by default, the Internet Address Management Wizard adds “remote” as the prefix to the domain that you enter. For instance, if you entered as your domain name, then the wizard will assign as your external FQDN. Therefore, you should use in your certificate request.

