Tuesday, September 7, 2010

General Authentication Failed when using IMAP over SSL on Exchange 2010

Ran into an interesting certificate issue with Exchange 2010 and wildcard certificates.

I had installed a wildcard certificate for our domain on an Exchange 2010 server (just like I had previously for Exchange 2007) and enabled the IMAP service (Microsoft Exchange IMAP4 is the Exchange 2010 name of the service). However, when running the Enable-ExchangeCertificate cmdlet, I received an error enabling the wildcard certificate for IMAP services.

I eventually stumbled across this KB Article, Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server. When I ran the Get-ImapSettings cmdlet, I received the following output:

UnencryptedorTLSBindings SSLBindings LoginType X509CertificateName
------------------------ ----------- --------- -------------------
{:::143, 0.0.0.0:143} {:::993, 0.0.0.0:993} SecureLogin myservername

According to the KB, this is due to a problem with the way the cmdlet generates the X.509 certificate name. It can't interpret the wildcard character correctly, so it says that the FQDN of your server is just the NetBIOS name of your server. Oops. Exchange 2007 SP1 Roll-Up 4 is supposed to fix this behavior, but I experienced it on an Exchange 2010 server that was updated to current before deploying the certificate.

After I updated the X.509 Certificate name (using the command Set-ImapSettings -X509CertificateName "myserver.mydomain.com"), I restarted the IMAP service.

To make sure everything was working, I configured an Outlook profile with the IMAP settings of my test mailbox. When I clicked the "Test Connection" button, I was greeted with yet another error:

Log on to incoming mail server (IMAP): General authentication failed. None of the authentication methods supported by your IMAP server (if any) are supported on this computer.


The answer, was, in fact, in the output of the Get-ImapSettings cmdlet that I previously ran. Apparently, it was looking for a secure login method. However, in most SSL-enabled configurations, data is submitted in clear text through the SSL tunnel. To test my theory, I ran the command Set-ImapSettings -LoginType PlainTextlogin and restarted the IMAP service again. In my Outlook client, I clicked the "Test Connection" button again and all was right with the world.

6 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. A brilliant post! I had the exact same problem when I decided to install a wildcard certificate on an Exchange 2010 server as well. The problem sent me a bit crazy but I'm so glad that I found this post, thanks a lot for your help!

    ReplyDelete
    Replies
    1. IMAP is set up for secure communications by default. Please verify that your email client is connecting to IMAP4. I had the same issue while installing wildcard SSL on Exchange 2010 server

      Delete
  3. I just finished up reading your blog the first time so I thought I should comment to let you know your stuff is great and you have another follower! Keep the posts coming!

    WildCard SSL | EV SSL | Code Signing Certificate

    ReplyDelete
  4. All the contents you mentioned in post is too good and very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts. cheap wildcard ssl

    ReplyDelete
  5. Cheap Wildcard SSL - Cheap SSL certificates (including wildcard and multi-domain (SAN) SSL certificates) from Comodo, GeoTrust, Thawte and Symantec (VeriSign)

    ReplyDelete