iOS 4.2 displays 'Cannot Verify Server Identity' notifications when connecting through a Microsoft Forefront TMG 2010 gateway

iOS devices with iOS 4.2 that connect to Microsoft Exchange ActiveSync or other services over Secure Sockets Layer (SSL) connections may display multiple "Cannot Verify Server Identity" notifications when connecting through a Microsoft Forefront TMG 2010 server using SSL Inspection. 

This article has been archived and is no longer updated by Apple.

Normally, when a client attempts to make a secure connection, it inspects the server's certificate to decide whether the server should be trusted. If the certificate was issued by a Certificate Authority (CA) that the client trusts for the kind of connection being attempted, the connection goes forward and the client doesn't prompt the user to make a decision. However, if the server's certificate is self-signed or comes from a CA that the client doesn't explicitly trust, the client prompts the user to confirm that the connection should continue. Agreeing creates a "trust exception," because you are setting an exception for what is normally an untrusted certificate.

iOS versions earlier than iOS 4.2 stored trust exceptions on a per-certificate basis, which means that each certificate had a trust exception set against it; however, in iOS 4.2, exceptions are maintained per host.  

Normally this poses no issue, but if a host uses multiple certificates for different services, the client will prompt you to trust each certificate each time it connects. This becomes an issue when connecting through Microsoft's Forefront TMG 2010 gateway with SSL Inspection enabled. That feature dynamically generates a certificate for each secure service a client attempts to use; because all of these certificates are presented by the same host, iOS prompts you to accept a certificate on each connection attempt. If you had over 80 new email messages arriving over ActiveSync through a Forefront TMG server, you would be prompted for 80 trust exceptions.

This issue is resolved in iOS 4.2.5 and later, which restore the previous behavior. iOS 4.2 clients that cannot upgrade to iOS 4.3 should follow Microsoft's best practices for Forefront TMG and install the Root Certificate Authority (CA) certificate on the iOS 4.2 device. The device then trusts each of the dynamically generated server certificates that the Forefront server creates as part of SSL Inspection, so the client will not prompt you. Microsoft's best practices for managing certificates when using SSL Inspection are documented on their website.
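The following toy model is an added illustration, not code from Apple or Microsoft: it replays the trust decision described above against a per-certificate exception store, the iOS 4.2 per-host store, and the per-host store with the gateway's root CA installed, so the prompt counts in each case can be compared. The gateway name, CA name, fingerprints and the list of inspected services are all constructed for the example.

```python
# Added toy model (not Apple's or Microsoft's code) of the client decision the
# article describes; every name, host and fingerprint below is constructed.
from dataclasses import dataclass
from itertools import cycle, islice

@dataclass(frozen=True)
class Cert:
    host: str         # host that presented the certificate
    fingerprint: str  # stand-in for the certificate hash
    issuer: str       # name of the issuing CA

class Client:
    def __init__(self, trusted_cas, per_host):
        self.trusted_cas = frozenset(trusted_cas)
        self.per_host = per_host   # True models the iOS 4.2 per-host store
        self.exceptions = {}       # store key -> accepted fingerprint
        self.prompts = 0

    def connect(self, cert):
        """Decide whether the connection proceeds silently or needs a prompt."""
        if cert.issuer in self.trusted_cas:
            return True            # chain validates: no exception needed
        key = cert.host if self.per_host else cert.fingerprint
        if self.exceptions.get(key) == cert.fingerprint:
            return True            # matching exception already stored
        self.prompts += 1          # user is prompted; accepting stores the
        self.exceptions[key] = cert.fingerprint  # exception, overwriting the key
        return True

# Constructed scenario: one TMG gateway presents a different dynamically
# generated certificate for each inspected service, all from the same host.
GATEWAY = "tmg.example.invalid"
TMG_CA = "Constructed Forefront TMG Inspection Root CA"
SERVICE_CERTS = [
    Cert(GATEWAY, "sha256:aaaa", TMG_CA),  # Exchange ActiveSync
    Cert(GATEWAY, "sha256:bbbb", TMG_CA),  # Autodiscover
    Cert(GATEWAY, "sha256:cccc", TMG_CA),  # Outlook Web App
]

def count_prompts(per_host, trusted_cas=(), connections=80):
    client = Client(trusted_cas, per_host)
    for cert in islice(cycle(SERVICE_CERTS), connections):
        client.connect(cert)
    return client.prompts

if __name__ == "__main__":
    print("per-certificate store:", count_prompts(per_host=False))        # 3
    print("per-host store (iOS 4.2):", count_prompts(per_host=True))      # 80
    print("per-host store, root CA installed:", count_prompts(True, {TMG_CA}))  # 0
```

With the per-host store, each new certificate from the same host overwrites the stored exception, so the prompt never goes away until the issuing root CA is trusted.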

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.