Exchangemaster GmbH - A Swiss IT Consultancy
FAQ 000054 - Outlook Web Access Certificate Error - Navigation Blocked
Written by Dejan Foro   
Jun 06, 2009 at 04:49 PM

This article applies to:

Exchange 2007 SP1

Windows 2008 SP1 

Internet Explorer 7 

 

PROBLEM

When you access your Outlook Web Access page, the following error is reported:

Certificate Error: Navigation Blocked

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.

Click here to close this webpage.

Continue to this website (not recommended).

If you choose to continue, the Outlook Web Access page is displayed, but a certificate error is reported.

CAUSE 

Your Exchange server is using a self-signed certificate.

Outlook Web Access in Exchange 2007 uses the HTTP Secure protocol (HTTPS), which means that a secure data channel is established and data is encrypted between the server and the client during the session. For the client to be able to verify the identity of the server before such a session is established, the server needs a digital certificate that identifies it.

During installation, Exchange server creates and issues such a certificate to itself. Because this certificate is not issued or signed by a certification authority, certificates of this kind are referred to as self-signed certificates. The purpose of this certificate is to serve for testing of Outlook Web Access only. Exchange ActiveSync and Outlook Anywhere will not work with self-signed certificates.

If your Exchange server is not listed under Trusted Root Certification Authorities on your client, then the certificates issued by this server are not trusted and Internet Explorer will report this as a potential security problem. 

 

WORKAROUND 

To remove the error in Internet Explorer, add the self-signed certificate issued by Exchange to the list of Trusted Root Certification Authorities.

In Internet Explorer, click on the red Certificate Error field

Select View Certificate in order to download and display the Exchange server certificate. 

The certificate will be downloaded and presented. Click on the Install Certificate button.

The Certificate Import Wizard opens. Click Next.

Select "Place all certificates in the following store" and click the Browse button to access the list of certificate stores.

From the list of Certificate Stores select Trusted Root Certification Authorities and click OK.

Click Next.

Click Finish. 

Click Yes to install the certificate. 

The following message appears.

Now we must restart Internet Explorer in order to refresh the Trusted Root Authorities list. After the restart, when you try to access Outlook Web Access on your Exchange server, no error will be reported, because the Exchange server is now a trusted Certification Authority and the self-signed certificate issued by Exchange is accordingly treated as valid.
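
The certificate installed by the wizard above is downloaded over the very connection whose identity has not yet been verified, so it is worth comparing its thumbprint with the one read on the Exchange server itself before placing it in Trusted Root Certification Authorities. The PowerShell below is an added example, not part of the original article: the function names and the host names `mail.example.test` and `owa.example.test` are assumptions, and the sample certificate is constructed in memory.

```powershell
# Added example (not from the original article). Host names are placeholders.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

function Test-CertificateBeforeTrust {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedThumbprint   # read on the Exchange server itself, not over the network
    )
    # Thumbprints copied from dialogs often contain spaces or lower-case hex.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $roots = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        NotAfter          = $Certificate.NotAfter
        # Subject equal to issuer is the usual mark of a self-signed certificate.
        IsSelfSigned      = ($Certificate.Subject -eq $Certificate.Issuer)
        ThumbprintMatches = ($Certificate.Thumbprint -eq $expected)
        AlreadyTrusted    = [bool]($roots | Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint })
    }
}

# Constructed sample so the check runs offline (needs .NET Framework 4.7.2+ or PowerShell 7).
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=mail.example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddYears(1))
# Simulate a thumbprint typed as "ab cd ef ..." to show the normalisation.
$fromServer = $cert.Thumbprint.ToLower() -replace '(..)(?=.)', '$1 '
Test-CertificateBeforeTrust -Certificate $cert -ExpectedThumbprint $fromServer

# Against a real server (placeholder host; thumbprint taken from the server console):
# Test-CertificateBeforeTrust (Get-RemoteCertificate 'owa.example.test') '<thumbprint from server>'
```

On the Exchange 2007 server, the thumbprint to compare against can be read in the Exchange Management Shell with `Get-ExchangeCertificate`. Install the certificate only when `ThumbprintMatches` is true.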


SOLUTION 

The proper solution is to get a standard digital certificate for your Exchange server. You can deploy your own internal certificate infrastructure based on Windows Certificate Services or purchase a server certificate from a commercial certificate provider such as Thawte, Verisign or Digicert.

For detailed instructions on how to request and implement a digital certificate, visit the Microsoft TechNet web site under Managing SSL for a Client Access Server.

 

Last Updated ( Jun 06, 2009 at 06:30 PM )