Outlook Target Principal Name issue


I use ESET Internet Security 12.2.23.0 on Windows 10 build 18362.239.
When I try to sync my IMAP folder in Outlook 2019 MSO 16.0.11727.2022 32-Bit
with its server at mail.jpberlin.de I receive the warning
"The target principal name is incorrect".
Seems that the self-signed certificate for *.jpberlin.de issued by "ESET SSL Filter CA" could be the issue.

What could I do in this case?


Whereas there is a way to export the self-signed cert. from their webmail site here: https://webmail.jpberlin.de/roundcube/ and import it into Eset's list of SSL/TLS known certificates, I don't know if it would work in regards to Eset's client e-mail scanning. Someone from Eset will have to comment on this.

I am assuming the webmail certificate is the same one their client e-mail servers are using.

 

Edited by itman

  • ESET Staff

At first sight, this does not seem to be an issue on our side.
Could you please check if the steps described at these links help?
https://webmasters.stackexchange.com/questions/112046/outlook-2016-says-the-target-principal-name-is-incorrect-on-my-sites-security
https://www.msoutlook.info/question/613

On 7/29/2019 at 4:51 PM, Marcuse7 said:

Seems that the self-signed certificate for *.jpberlin.de issued by "ESET SSL Filter CA" could be the issue.

This statement is misleading, as a self-signed certificate would not be issued by "ESET SSL Filter CA".


  • 2 weeks later...

At least on my machine, it looks as if the certificate is indeed issued by "ESET SSL Filter CA". The underlying "ESET SSL Filter CA" certificate is issued by the same entity it is issued to.

It might be that Outlook 2019 has issues with the wildcard certificate. The links address SAN certificates but this is not the case here.

 

ESET Wildcard Cert.png


On 7/31/2019 at 1:11 AM, itman said:

Whereas there is a way to export the self-signed cert. from their webmail site here: https://webmail.jpberlin.de/roundcube/ and import it into Eset's list of SSL/TLS known certificates, I don't know if it would work in regards to Eset's client e-mail scanning. Someone from Eset will have to comment on this.

I am assuming the webmail certificate is the same one their client e-mail servers are using.

 

Thank you! The jpberlin.de SSL wildcard certificate is issued by Thawte/DigiCert. I have imported it into ESET's known certificate list. The issue persists.

For the www.jpberlin.de Web page, Firefox 68.0.1 also warns that "connection verified by a certificate issuer that is not recognized by Mozilla". The ESET certificate was imported into the Firefox certificate list, though. For now, it's just a warning...

Edited by Marcuse7
Issue not solved

6 hours ago, Marcuse7 said:

For the www.jpberlin.de Web page, Firefox 68.0.1 also warns that "connection verified by a certificate issuer that is not recognized by Mozilla". The ESET certificate was imported into the Firefox certificate list, though. For now, it's just a warning...

Not exactly. You will only see this wording, "connection verified by a certificate issuer that is not recognized by Mozilla," if you click on the lock symbol in Firefox. This same wording will appear for every HTTPS web site you connect to unless it is internally excluded from Eset's SSL/TLS protocol scanning or has been manually excluded.

Again refer to this previously posted link: https://www.msoutlook.info/question/613

Specifically this:

Quote

When I start Outlook, I get an “Internet Security Warning” dialog box with the message;

The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect.

Usually you get this error when you are using a shared hosting account with your own domain and connect via SSL. Another common cause is that your ISP has changed the name of their mail server and is redirecting you from the old server name to the new one and the name of the old server isn’t on their new SSL certificate.

Also this:

Quote

The solution is quite simple; click on the “View Certificate…” button and look at the “Issued to” name. This is usually the name that you’ll need to specify for your incoming and/or outgoing server in your account configuration.

In some cases, this still won’t work when the certificate holds multiple names. You can then select the “Details” tab and see if the certificate holds a field called “Subject Alternative Name”. If so, then you’ll find other names that you could try behind the “DNS Name=” value.

If none of those names work either, contact your ISP and ask for the correct name of the mail server that you should use. Another (less secure) alternative would be to disable the use of SSL for your mail account.

The problem here has nothing to do with Eset's certificate or the use of it.

There appears to be an issue with the certificate the e-mail provider server is using. You need to contact your e-mail provider about this issue. Specifically, you need to find the name of the new URL for the e-mail server they are using and enter that into Outlook. Everything on their web site is in German, which I don't understand. It appears you are using a client e-mail URL that references a previously used server and are being redirected to the current server/s the e-mail provider is using.

Edited by itman
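
The name comparison that the quoted msoutlook.info advice walks through by hand (the configured server name against the certificate's "Issued to" and "DNS Name=" entries), as an added example that is not part of any post in this thread. It follows the usual RFC 6125 wildcard convention rather than Outlook's own code, and the certificate dictionary (in the shape of Python's `ssl` `getpeercert()` output) and its name list are constructed.

```python
# Added example: the hostname-to-certificate name check behind
# "The target principal name is incorrect". Sample data is constructed.

def match_dns_name(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host (RFC 6125 style).

    A '*' is honoured only as the entire left-most label and covers
    exactly one label, so '*.example.test' does not match
    'a.b.example.test' or the bare 'example.test'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require two further labels so an over-broad "*.de" is rejected.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_dns_names(cert: dict) -> list:
    """Names a client compares against: SAN DNS entries, else subject CN.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_server_name(configured_host: str, cert: dict) -> dict:
    """Report whether the server name typed into the mail client is covered."""
    names = cert_dns_names(cert)
    matched = [n for n in names if match_dns_name(n, configured_host)]
    return {"host": configured_host, "ok": bool(matched), "matched": matched, "cert_names": names}


# Constructed certificate, modelled on the wildcard described in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.jpberlin.de"),),),
    "subjectAltName": (("DNS", "*.jpberlin.de"), ("DNS", "jpberlin.de")),
}

if __name__ == "__main__":
    for host in ("mail.jpberlin.de", "jpberlin.de", "imap.mail.jpberlin.de", "mail.example.test"):
        print(check_server_name(host, SAMPLE_CERT))
```

A result with `ok` false for the server name configured in the mail account is the condition the warning reports; `cert_names` then lists the names that would be accepted.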