This goes out to all of you Exchange 2000 / IIS 5.0 (SSL) experts out there... I could REALLY use some help here.
First the problem... I have a single DC domain which runs Exchange 2000. OWA has been operational and stable for a long time. The server is now plagued with spam / relay / etc... I've fixed most of the relay / spam problems but one of the measures to shore up security that I am trying to implement is the use of SSL for OWA clients through the internet. Currently clients can connect with OWA via HTTP but when I require SSL for the Exchange and Public virtual directories in IIS (of the Default Website) I can no longer connect. I get 403 access denied errors. When I don't require SSL on the directories I can connect without error.
I installed Certificate Services on the DC and created an Enterprise Trust CA, I created a certificate and then enabled the use of that certificate on all Virtual Servers. I only required it on the Exchange and Public virtual servers in IIS, not on SMTP, MAPI, or PoP in Exchange (that problem is next once I figure out the ramifications of Macintosh connectivity with SSL).
I have configured the firewall with the appropriate NAT policies and Access Rules to pass HTTPS traffic, I have verified that no other websites on the server are using port 443 for SSL and even specified the LAN IP rather than using "All Unassigned" (not that that would matter since no other sites use SSL). I have verified that NTFS permissions exist for Authenticated Users and System on the appropriate folders to comply with Microsoft's recommendations. I have verified that it is not a "Cannot Log on locally" GPO issue. I have even removed Integrated Windows Authentication and only specified Basic on the Exchange and Public virtual directories. Nothing I do seems to work and the results, regardless of what I do to the server, are always the same.
When I require SSL on the Exchange and Public directories and attempt to log in with OWA from a remote PC, the server's System log records the following entry:
Event ID: 100 Source: W3SVC Type: Warning
Description: The server was unable to logon the Windows NT account 'user@domain.com' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
I know that the user account exists, the domain is correct, and that the password is correct. The user account for this particular test is a member of the Domain Admins global security group. I can log on with it locally, via Terminal Services, and with OWA when not using SSL.
I have also created an HTTP to HTTPS redirect ASP page and virtual directory which (according to Microsoft) should automatically intercept HTTP connections and redirect them, forcing the client to connect with HTTPS without any client input. Of course I can't tell if that is working... however, when I attempt to connect to the mail server via OWA using HTTPS instead of HTTP I am not prompted to log in and I get a DNS error / page cannot be displayed error (which is different from what happens when I attempt to connect via HTTP with SSL enabled).
I have a stack of knowledge base articles over an inch thick which I've pored over multiple times... I just can't seem to locate the source of the problem. Do I need a commercial CA for OWA to work with SSL and non-domain PCs on the internet?
Oh, I've also checked my Internet Explorer settings. I am allowing SSL 2.0 and 3.0. I have even added the domain to the trusted list and allowed cross-domain traffic. There is no ISA server or proxy between the remote PC and the internet or between the Server's firewall and the Exchange / IIS server.
All input is welcome and appreciated.
Thanks in advance.
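Editor's note: the post describes two client-visible symptoms (a 403 when SSL is required and the path is hit over HTTP, and "page cannot be displayed" when the same path is hit over HTTPS) without a way to tell what the server is actually doing on port 443. The script below is an added example, not part of the original post and not Microsoft's or the poster's code: a client-side probe that separates "nothing is listening on 443 or the firewall is not passing it" from "a TLS listener is there but this PC does not trust its certificate" from "the certificate is for a different name", and then checks whether a plain-HTTP request to the OWA path is redirected to HTTPS the way the ASP redirect page is meant to do. The host name `mail.example.com` and the path `/exchange/` are hypothetical placeholders; everything else is the Python standard library. It goes a little beyond the post's own case by classifying every connect and handshake failure mode, not just the two the poster saw.

```python
"""Client-side probe for an OWA site that has just had SSL required on it.

Tells apart failures a browser reports alike as "page cannot be displayed":
no listener on 443, a listener whose certificate this PC does not trust (for
example a private enterprise CA), a certificate for a different name, and a
working listener. Also checks whether plain HTTP on the OWA path redirects to
HTTPS. Standard library only; host name and path are hypothetical placeholders.
"""
import http.client
import socket
import ssl
import sys
import urllib.parse


def classify(exc):
    """Map a connect/handshake exception to a plain-language diagnosis."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "mismatch" in str(exc).lower():
            return "certificate is not valid for the host name the client used"
        return ("TLS handshake completed but the certificate chain is not "
                "trusted by this client (private CA not in its trust store)")
    if isinstance(exc, ConnectionRefusedError):
        return "TCP connection refused: nothing is listening on the port"
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "TCP connect timed out: firewall/NAT is not passing the port"
    if isinstance(exc, socket.gaierror):
        return "DNS lookup failed for the host name"
    if isinstance(exc, ssl.SSLError):
        return "TCP connected but the TLS handshake failed: %s" % (exc.reason,)
    return "connection error: %s" % (exc,)


def tls_probe(host, port=443, timeout=5):
    """Describe the TLS listener at host:port as a dict.

    Pass 1 verifies chain and host name against the system trust store. If only
    verification fails, pass 2 retries with verification off, so "not listening"
    can be told apart from "listening but untrusted by this client".
    """
    result = {"listener": False, "trusted": False, "detail": ""}
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(listener=True, trusted=True,
                              protocol=tls.version(), cipher=tls.cipher()[0],
                              subject=dict(rdn[0] for rdn in cert["subject"]))
                return result
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = classify(exc)      # untrusted: fall through to pass 2
    except OSError as exc:                    # includes ssl.SSLError and timeouts
        result["detail"] = classify(exc)
        return result
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with lax.wrap_socket(raw, server_hostname=host) as tls:
                result.update(listener=True, protocol=tls.version(),
                              cipher=tls.cipher()[0])
    except OSError as exc:
        result["detail"] += "; " + classify(exc)
    return result


def judge_redirect(status, location, host):
    """Decide whether a plain-HTTP response is a correct HTTP-to-HTTPS redirect
    (pure function, so it can be tested with constructed responses)."""
    if status in (301, 302, 303, 307, 308) and location:
        target = urllib.parse.urlsplit(location)
        if target.scheme == "https" and target.hostname == host:
            return "ok", "redirected to %s" % location
        return "wrong-target", "redirected to %s, not an https URL on %s" % (location, host)
    if status == 403:
        return "no-redirect", ("403 over plain HTTP: consistent with IIS 403.4 'SSL required' "
                               "and no custom error page performing the redirect")
    return "no-redirect", "HTTP %d with no redirect; SSL is not enforced on this path" % status


def http_redirect_check(host, path="/exchange/", timeout=5):
    """GET the OWA path over plain HTTP (no credentials) and judge the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return judge_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # hypothetical
    print("443:", tls_probe(host))
    try:
        print("80:", http_redirect_check(host))
    except OSError as exc:
        print("80:", classify(exc))
```

Run it from a PC outside the firewall (`python probe.py mail.example.com`). A `listener: False` result with a refused or timed-out connect points at the NAT/access rule or the IIS binding rather than at certificates or logon, while `listener: True, trusted: False` means the SSL side is up and only the client's trust of the enterprise CA is in question; a browser in that second state shows a certificate warning, not a DNS error. Two caveats: Python 3.10 and later default to a TLS 1.2 minimum, so against a server of the IIS 5.0 vintage that only offers SSL 3.0/TLS 1.0 both passes will report a handshake failure unless you lower `minimum_version` on both contexts (and some OpenSSL builds refuse those protocols outright, in which case `openssl s_client -connect host:443 -ssl3` on an older toolchain is the fallback); and the redirect check sends no credentials, so it only tells you whether the HTTP-to-HTTPS redirect page is wired up, not whether the logon behind it succeeds.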