Archived - iOS 4.2 displays 'Cannot Verify Server Identity' notifications when connecting through a Microsoft Forefront TMG 2010 gateway
iOS devices with iOS 4.2 that connect to Microsoft Exchange ActiveSync or other services over Secure Sockets Layer (SSL) connections may display multiple "Cannot Verify Server Identity" notifications when connecting through a Microsoft Forefront TMG 2010 server using SSL Inspection.
Normally, when a client attempts to make a secure connection, it inspects the server's certificate to decide whether it should trust the server. If the certificate was issued by a trusted Certificate Authority (CA) for the kind of connection the client is attempting, the connection proceeds and the client doesn't prompt the user. However, if the server's certificate is self-signed or was issued by a CA that the client doesn't trust, the client prompts the user to confirm whether to continue. Agreeing creates a "trust exception," because you are making an exception for a certificate that would normally be untrusted.
iOS versions earlier than iOS 4.2 stored trust exceptions per certificate, so each certificate the user accepted got its own exception. In iOS 4.2, exceptions are maintained per host instead.
Normally this poses no issue, but if a host presents different certificates for different services, the client will prompt you to trust each certificate every time it connects. This becomes a problem when connecting through Microsoft's Forefront TMG 2010 gateway with SSL Inspection enabled. That feature dynamically generates a certificate for each secure service a client attempts to use; because all of these certificates are presented by the same host, iOS prompts you to accept a certificate for each connection attempt. If you had over 80 new email messages arriving over ActiveSync through a Forefront TMG server, you would be prompted for 80 trust exceptions.
This issue is resolved in iOS 4.2.5 and later, which restore the previous behavior. iOS 4.2 devices that can't be upgraded to iOS 4.3 should follow Microsoft's best practices for Forefront TMG and install the Root Certificate Authority (CA) certificate on the device. With the root CA trusted, the device trusts each of the dynamically generated server certificates that the Forefront server creates as part of SSL Inspection, so the client will not prompt you. Microsoft's best practices for managing certificates when using SSL Inspection are available on its website.
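The following Python simulation is an added example and is not code from Apple, Microsoft, or iOS. It models the two trust-exception stores described above (per certificate versus per host) and the root-CA mitigation, so the difference in prompt counts can be seen for a gateway that presents a different dynamically generated certificate for each service. The hostname `tmg.example.com`, the issuer name `TMG-Inspection-CA`, the service names and the use of a SHA-256 fingerprint as the certificate key are all assumptions made for the example; real iOS trust evaluation and TMG certificate generation are more involved than this model.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for the example)."""
    subject: str  # hostname the certificate was issued for
    issuer: str   # CA that signed it
    serial: int

    def fingerprint(self) -> str:
        # Real clients key exceptions on the certificate's hash; mimic that here.
        data = f"{self.subject}|{self.issuer}|{self.serial}".encode()
        return sha256(data).hexdigest()[:16]


class Client:
    """TLS client with a trust-exception store keyed per certificate or per host."""

    def __init__(self, policy: str, trusted_roots) -> None:
        assert policy in ("per-certificate", "per-host")
        self.policy = policy
        self.trusted_roots = set(trusted_roots)  # installed root CA names
        self.exceptions: dict[str, str] = {}      # key -> accepted fingerprint
        self.prompts = 0                          # "Cannot Verify Server Identity" count

    def connect(self, host: str, cert: Cert) -> bool:
        # A certificate chaining to an installed root is trusted without a prompt.
        if cert.issuer in self.trusted_roots:
            return True
        fp = cert.fingerprint()
        # Pre-4.2 behaviour: one exception per distinct certificate.
        # iOS 4.2 behaviour: one exception per host, remembering only the
        # certificate accepted most recently for that host.
        key = fp if self.policy == "per-certificate" else host
        if self.exceptions.get(key) == fp:
            return True  # exception already on file, no prompt
        self.prompts += 1            # user is asked and (in this model) accepts
        self.exceptions[key] = fp    # per-host: this overwrites the previous cert
        return True


def simulate(policy: str, trusted_roots, services, n_connections: int = 80) -> int:
    """Return how many prompts a client sees over n_connections through the gateway.

    The gateway presents a distinct inspection-generated certificate per service,
    and the client cycles through the services (assumed access pattern).
    """
    gateway = "tmg.example.com"  # constructed hostname
    certs = {
        svc: Cert(subject=gateway, issuer="TMG-Inspection-CA", serial=i + 1)
        for i, svc in enumerate(services)
    }
    client = Client(policy, trusted_roots)
    for i in range(n_connections):
        client.connect(gateway, certs[services[i % len(services)]])
    return client.prompts


if __name__ == "__main__":
    svcs = ["activesync", "autodiscover", "owa"]
    print("pre-4.2 (per-certificate):", simulate("per-certificate", [], svcs))
    print("iOS 4.2 (per-host):       ", simulate("per-host", [], svcs))
    print("single-cert host:         ", simulate("per-host", [], ["activesync"]))
    print("root CA installed:        ", simulate("per-host", ["TMG-Inspection-CA"], svcs))
```

The per-host store behaves exactly like the per-certificate store as long as a host only ever presents one certificate, which is why the change went unnoticed for ordinary servers; it degrades only when the same hostname keeps alternating between certificates, as an inspecting gateway does. Installing the inspection root CA removes the prompts under either policy because the check is short-circuited before the exception store is consulted.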