Configuring Windows 2003 Certificate Services for OWA 2003 SSL: Template and 404 Errors

I conducted fairly extensive tests and don't want to create a hard-to-read narrative.  So, for clarity, let's divide this up and use numbered items.



To enable SSL for OWA 2003 by using Windows 2003 Certificate Services, the following was tried.



1. Installed Certificate Services on the Exchange 2003 server.

2. Created a pending certificate request from the Default Web Site on the MSExch 2003 server

3. Browsed to http://exchangeserver/certsrv to submit a certificate request

4. Selected the "Request a Certificate" link

4. The first indication of trouble was that the certificate services interface failed to present the expected options for creating either a User Cert or submitting an Advanced Certificate Request and proceeded, immediately after the "Request a Certificate" link was clicked, to the "Advanced Certificate Request" page.  This was unexpected behavior.

5. From the "Advanced Certificate Request" page the "Submit a certificate request by using a base 64 encoded CMC..." option was selected.

6. The Certificate Services interface produced an error message: "No Certificate Templates Could be Found..."

7. Researched this error and found a Microsoft-recommended fix: use ADSIEDIT.msc to verify that the dNSHostName attribute of Active Directory matches the sServerConfig value found within the Certdat.inc file.

8. Followed this advice but found zero discrepancies - the relevant values within Active Directory and the Certdat.inc file matched precisely.



At this point, I decided to try another route.



1. I installed Certificate Services on the domain controller (also running Windows Server 2003).

2. After installation was complete I browsed to http://domaincontroller/certsrv to submit a certificate request.

3. This time, the interface behaved as expected and produced zero errors.

4. Using the "Submit a certificate request by using a base 64 encoded CMC..." option, I pasted the contents of the certificate request generated by the Exchange server's default website request - certreq.txt - into the appropriate field and downloaded the certificate.

5. I then completed the pending certificate request on the Exchange server's IIS server by appending the downloaded certificate to the default website.

6. The "Require secure channel" option was selected to enforce SSL.


This seemed to go without incident but the following behavior occurred.


1. I browsed to https://exchangeserver/exchange and, as expected, was prompted to accept a certificate.

2. After the certificate was accepted, I received a "Page Not Found" error.


All very frustrating.




Important Notes.


Before trying this on the production servers, I attempted it in a test environment.  The test went forward without a hitch, inspiring confidence of success (all an illusion, as it turned out) but there is a (potentially) significant difference between the test and live situations.

The test box is both a domain controller and an Exchange server.

In the production environment the Certificate Services interface behaved as expected on the domain controller but malfunctioned on the Exchange server.

I'm wondering if there are unknown (to me) dependencies that are spoiling my efforts.


Any help or guidance would be appreciated and, of course, points rewarded.

Asked by: idoru345
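
The comparison from steps 7 and 8 of the question can be done mechanically instead of by eye. This is an added example, not part of the original post or of Microsoft's guidance; it assumes Certdat.inc stores the value as `sServerConfig="<CA host>\<CA name>"`, and the sample file text, host names and CA name are constructed.

```python
import re

# Constructed sample of the relevant Certdat.inc lines. Assumed layout:
# sServerConfig="<CA host>\<CA name>". Host and CA name are made up.
SAMPLE_CERTDAT = r'''<%
    sServerType="Enterprise"
    sServerConfig="exchangeserver.example.local\Example CA"
    sServerDisplayName="Example CA"
%>'''


def parse_server_config(certdat_text):
    """Return (host, ca_name) from the sServerConfig assignment."""
    m = re.search(r'^\s*sServerConfig\s*=\s*"([^"]*)"', certdat_text,
                  re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no sServerConfig assignment found")
    host, sep, ca_name = m.group(1).partition("\\")
    if not sep or not host or not ca_name:
        raise ValueError("sServerConfig is not in host\\CA-name form")
    return host.strip(), ca_name.strip()


def compare_hostnames(certdat_text, dns_host_name):
    """Compare the Certdat.inc host with a dNSHostName value copied from ADSI Edit."""
    host, ca_name = parse_server_config(certdat_text)
    ad_value = dns_host_name.strip()
    fold = lambda h: h.rstrip(".").lower()
    return {
        "certdat_host": host,
        "ca_name": ca_name,
        "exact": host == ad_value,
        "ignoring_case": fold(host) == fold(ad_value),
        # First DNS label agrees; with "exact" False this points at a
        # short name on one side and an FQDN on the other.
        "same_short_name": fold(host).split(".")[0] == fold(ad_value).split(".")[0],
    }


if __name__ == "__main__":
    for candidate in ("exchangeserver.example.local", "EXCHANGESERVER.example.local",
                      "exchangeserver", "dc01.example.local"):
        print(candidate, compare_hostnames(SAMPLE_CERTDAT, candidate))
```

Reporting the exact, case-folded and short-name results separately shows which kind of difference exists, if any, rather than a single yes or no.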

Fatal_Exception (Systems Engineer) commented:
Rather than drill through this entire list, ck out this article and see if it will help you...  I use this site for all my exchange issue problems...

Implementing Email Security with Exchange Server 2003

http://www.msexchange.org/tutorials/Email_Security_with_Exchange_2003.html

FE

idoru345 (Author) commented:
Thanks FE.

I'll give the info at the link a try and let you know whether it solves these problems.

Fatal_Exception (Systems Engineer) commented:
You are welcome..  look forward to hearing some good results..

FE

idoru345 (Author) commented:
FE...


Well unfortunately the directions available at the site were of zero help.  Although interesting, it didn't actually address the issue at-hand, which revolved around the Win 2003's Certificate Services' inability to generate certs.

I decided to boil the problem down to its simplest components and see what other options presented themselves.

In a nutshell, I was trying to activate SSL for OWA 2003 using a certificate generated from Win 2003 Cert Services.

I figured this would be easier than going through an outside CA.  But, after struggling with Win 2003 Cert Services' persistent error announcing that "no certificate templates could be found" (which wasn't solved by using Microsoft's recommended action of making sure the dNSHostName attribute of the pkiEnrollmentService object matched the sServerConfig value of the Certdat.inc file) I decided to cut my losses and use FreeSSL (just learned about them today) to generate a cert for me.

Using their cert I was able to get SSL up and running just fine on OWA within minutes.

Since I used Microsoft's suggested fix - to no avail - I haven't a clue as to why Cert Services fell down on the job.  Even so, because you replied so fast and helped me eliminate the possibilities I'm awarding you all the points.

Fatal_Exception (Systems Engineer) commented:
That is a great tip regarding FreeSSL...  much better ($ wise) than Verisign, eh?  Thanks for letting me (us) know about it.

And thanks for the pts..

FE

jkettle commented:
I think I have exactly the same problem. Where can I find this free SSL provider and can you give me a quick 30 seconds heads up on what I'm going to have to do?

Thanks

John