

Configuring Windows 2003 Certificate Services for OWA 2003 SSL: Template and 404 Errors

Posted on 2004-11-14
Medium Priority
Last Modified: 2012-06-27
I conducted fairly extensive tests and don't want to create a hard-to-read narrative.  So, for clarity, let's divide this up and use numbered items.

To enable SSL for OWA 2003 by using Windows 2003 Certificate Services, the following was tried.

1. Installed Certificate Services on the Exchange 2003 server.

2. Created a pending certificate request from the Default Web Site on the MSExch 2003 server

3. Browsed to http://exchangeserver/certsrv to submit a certificate request

4. Selected the "Request a Certificate" link

4. The first indication of trouble was that the certificate services interface failed to present the expected options for creating either a User Cert or submitting an Advanced Certificate Request and proceeded, immediately after the "Request a Certificate" link was clicked, to the "Advanced Certificate Request" page.  This was unexpected behavior.

5. From the "Advanced Certificate Request" page the "Submit a certificate request by using a base 64 encoded CMC..." option was selected.

6. The Certificate Services interface produced an error message: "No Certificate Templates Could be Found..."

7. Researched this error and found a Microsoft-recommended fix: use ADSIEDIT.msc to verify that the dNSHostName attribute of Active Directory matches the sServerConfig value found within the Certdat.inc file.

8. Followed this advice but found zero discrepancies - the relevant values within Active Directory and the Certdat.inc file matched precisely.

At this point, I decided to try another route.

1. I installed Certificate Services on the domain controller (also running Windows Server 2003).

2. After installation was complete I browsed to http://domaincontroller/certsrv to submit a certificate request.

3. This time, the interface behaved as expected and produced zero errors.

4. Using the "Submit a certificate request by using a base 64 encoded CMC..." option, I pasted the contents of the certificate request generated by the Exchange server's default website request - certreq.txt - into the appropriate field and downloaded the certificate.

5. I then completed the pending certificate request on the Exchange server's IIS server by appending the downloaded certificate to the default website.

6. The "Require secure channel" option was selected to enforce SSL.

This seemed to go without incident but the following behavior occurred.

1. I browsed to https://exchangeserver/exchange and, as expected, was prompted to accept a certificate.

2. After the certificate was accepted, I received a "Page Not Found" error.

All very frustrating.

Important Notes.

Before trying this on the production servers, I attempted it in a test environment.  The test went forward without a hitch, inspiring confidence of success (all an illusion, as it turned out) but there is a (potentially) significant difference between the test and live situations.

The test box is both a domain controller and an Exchange server.

In the production environment the Certificate Services interface behaved as expected on the domain controller but malfunctioned on the Exchange server.

I'm wondering if there are unknown (to me) dependencies that are spoiling my efforts.

Any help or guidance would be appreciated and, of course, points rewarded.
Question by:idoru345
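
The dNSHostName versus sServerConfig comparison from step 7 of the question can be done mechanically instead of by eye. The following is an added example, not part of the original thread or of Microsoft's guidance; it assumes Certdat.inc stores sServerConfig as a quoted `host\CA name` assignment, and the host and CA names are constructed sample values.

```python
import re

# Constructed sample of Certdat.inc content (assumed layout: quoted
# VBScript assignments; the host and CA names are made up).
SAMPLE_CERTDAT = r'''<%
    sServerType="Enterprise"
    sServerConfig="EXCH01.corp.example.com\Example Issuing CA"
    sServerDisplayName="Example Issuing CA"
%>'''


def server_config_host(certdat_text):
    """Return (host, ca_name) from the sServerConfig assignment, or None."""
    m = re.search(r'^\s*sServerConfig\s*=\s*"([^"\\]+)\\([^"]*)"',
                  certdat_text, re.I | re.M)
    return (m.group(1), m.group(2)) if m else None


def compare(dns_host_name, certdat_text):
    """Classify how a dNSHostName value (copied from ADSI Edit) relates
    to the host part of sServerConfig."""
    parsed = server_config_host(certdat_text)
    if parsed is None:
        return "no-sServerConfig"
    host = parsed[0]
    if host == dns_host_name:
        return "match"
    # Normalise case and a trailing dot to see whether the difference
    # is only cosmetic, which is easy to miss when comparing by eye.
    a = host.rstrip(".").lower()
    b = dns_host_name.rstrip(".").lower()
    if a == b:
        return "case-or-trailing-dot"
    # Same first label: one side is a short name, or the DNS suffix differs.
    if a.split(".")[0] == b.split(".")[0]:
        return "short-vs-fqdn"
    return "different-host"


if __name__ == "__main__":
    for value in ("EXCH01.corp.example.com", "exch01.corp.example.com.",
                  "exch01", "dc01.corp.example.com"):
        print(value, "->", compare(value, SAMPLE_CERTDAT))
```
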
LVL 40

Accepted Solution

Fatal_Exception earned 1500 total points
ID: 12579342
Rather than drill through this entire list, check out this article and see if it will help you...  I use this site for all my Exchange issue problems...

Implementing Email Security with Exchange Server 2003



Author Comment

ID: 12579490
Thanks FE.

I'll give the info at the link a try and let you know whether it solves these problems.

LVL 40

Expert Comment

ID: 12580003
You are welcome..  look forward to hearing some good results..



Author Comment

ID: 12580948

Well, unfortunately the directions available at the site were of zero help.  Although interesting, it didn't actually address the issue at hand, which revolved around the Win 2003's Certificate Services' inability to generate certs.

I decided to boil the problem down to its simplest components and see what other options presented themselves.

In a nutshell, I was trying to activate SSL for OWA 2003 using a certificate generated from Win 2003 Cert Services.

I figured this would be easier than going through an outside CA.  But, after struggling with Win 2003 Cert Services' persistent error announcing that "no certificate templates could be found" (which wasn't solved by using Microsoft's recommended action of making sure the dNSHostName attribute of the pkiEnrollmentService object matched the sServerConfig value of the Certdat.inc file) I decided to cut my losses and use FreeSSL (just learned about them today) to generate a cert for me.

Using their cert I was able to get SSL up and running just fine on OWA within minutes.

Since I used Microsoft's suggested fix - to no avail - I haven't a clue as to why Cert Services fell down on the job.  Even so, because you replied so fast and helped me eliminate the possibilities I'm awarding you all the points.
LVL 40

Expert Comment

ID: 12584718
That is a great tip regarding FreeSSL...  much better ($ wise) than Verisign, eh?  Thanks for letting me (us) know about it.

And thanks for the pts..


Expert Comment

ID: 15140688
I think I have exactly the same problem. Where can I find this free SSL provider, and can you give me a quick 30-second heads-up on what I'm going to have to do?


