idoru345

asked on

Configuring Windows 2003 Certificate Services for OWA 2003 SSL: Template and 404 Errors

I conducted fairly extensive tests and don't want to create a hard-to-read narrative.  So, for clarity, let's divide this up and use numbered items.



To enable SSL for OWA 2003 by using Windows 2003 Certificate Services, the following was tried.



1. Installed Certificate Services on the Exchange 2003 server.

2. Created a pending certificate request from the Default Web Site on the MSExch 2003 server

3. Browsed to http://exchangeserver/certsrv to submit a certificate request

4. Selected the "Request a Certificate" link

4. The first indication of trouble was that the certificate services interface failed to present the expected options for creating either a User Cert or submitting an Advanced Certificate Request and proceeded, immediately after the "Request a Certificate" link was clicked, to the "Advanced Certificate Request" page.  This was unexpected behavior.

5. From the "Advanced Certificate Request" page the "Submit a certificate request by using a base 64 encoded CMC..." option was selected.

6. The Certificate Services interface produced an error message: "No Certificate Templates Could be Found..."

7. Researched this error and found a Microsoft-recommended fix: use ADSIEDIT.msc to verify that the dNSHostName attribute of Active Directory matches the sServerConfig value found within the Certdat.inc file.

8. Followed this advice but found zero discrepancies - the relevant values within Active Directory and the Certdat.inc file matched precisely.



At this point, I decided to try another route.



1. I installed Certificate Services on the domain controller (also running Windows Server 2003).

2. After installation was complete I browsed to http://domaincontroller/certsrv to submit a certificate request.

3. This time, the interface behaved as expected and produced zero errors.

4. Using the "Submit a certificate request by using a base 64 encoded CMC..." option, I pasted the contents of the certificate request generated by the Exchange server's default website request - certreq.txt - into the appropriate field and downloaded the certificate.

5. I then completed the pending certificate request on the Exchange server's IIS server by appending the downloaded certificate to the default website.

6. The "Require secure channel" option was selected to enforce SSL.


This seemed to go without incident but the following behavior occurred.


1. I browsed to https://exchangeserver/exchange and, as expected, was prompted to accept a certificate.

2. After the certificate was accepted, I received a "Page Not Found" error.


All very frustrating.




Important Notes.


Before trying this on the production servers, I attempted it in a test environment.  The test went forward without a hitch, inspiring confidence of success (all an illusion, as it turned out) but there is a (potentially) significant difference between the test and live situations.

The test box is both a domain controller and an Exchange server.

In the production environment the Certificate Services interface behaved as expected on the domain controller but malfunctioned on the Exchange server.

I'm wondering if there are unknown (to me) dependencies that are spoiling my efforts.


Any help or guidance would be appreciated and, of course, points rewarded.
ASKER CERTIFIED SOLUTION
Fatal_Exception
idoru345

ASKER

Thanks FE.

I'll give the info at the link a try and let you know whether it solves these problems.

You are welcome..  look forward to hearing some good results..

FE
FE...


Well, unfortunately, the directions available at the site were of zero help.  Although interesting, they didn't actually address the issue at hand, which revolved around Win 2003 Certificate Services' inability to generate certs.

I decided to boil the problem down to its simplest components and see what other options presented themselves.

In a nutshell, I was trying to activate SSL for OWA 2003 using a certificate generated from Win 2003 Cert Services.

I figured this would be easier than going through an outside CA.  But, after struggling with Win 2003 Cert Services' persistent error announcing that "no certificate templates could be found" (which wasn't solved by using Microsoft's recommended action of making sure the dNSHostName attribute of the pkiEnrollmentService object matched the sServerConfig value of the Certdat.inc file) I decided to cut my losses and use FreeSSL (just learned about them today) to generate a cert for me.

Using their cert I was able to get SSL up and running just fine on OWA within minutes.

Since I used Microsoft's suggested fix - to no avail - I haven't a clue as to why Cert Services fell down on the job.  Even so, because you replied so fast and helped me eliminate the possibilities I'm awarding you all the points.
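
The dNSHostName / sServerConfig comparison described in this thread, scripted instead of done by eye in ADSIEDIT.msc. This is an added example, not code from the thread or from Microsoft's article. It assumes PowerShell 3.0 or later, the default Certdat.inc location under %windir%\system32\certsrv, that sServerConfig holds a `host\CA name` string, and an account that can read the AD Configuration partition.

```powershell
# Added example: report whether the host part of sServerConfig in certdat.inc
# matches the dNSHostName of each pKIEnrollmentService object in AD.
param(
    # Assumption: default install location of the certsrv web pages.
    [string]$CertDatPath = (Join-Path $env:windir 'system32\certsrv\certdat.inc')
)

# Extract the quoted value from the line  sServerConfig="host\CA name"
$hit = Select-String -Path $CertDatPath -Pattern 'sServerConfig\s*=\s*"([^"]*)"' |
       Select-Object -First 1
if (-not $hit) { throw "sServerConfig not found in $CertDatPath" }
$config = $hit.Matches[0].Groups[1].Value

# Assumption: the value is "host\CA name"; split on the first backslash only.
$fileHost, $fileCA = $config -split '\\', 2

# Locate the Enrollment Services container in the Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$base     = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($p in 'cn', 'dnshostname') { [void]$searcher.PropertiesToLoad.Add($p) }

foreach ($r in $searcher.FindAll()) {
    $adHost = [string]$r.Properties['dnshostname'][0]
    [pscustomobject]@{
        EnrollmentService = [string]$r.Properties['cn'][0]
        dNSHostName       = $adHost
        sServerConfigHost = $fileHost
        sServerConfigCA   = $fileCA
        # Exact comparison catches case differences as well as a
        # short-name versus FQDN difference.
        ExactMatch        = ($adHost -ceq $fileHost)
        MatchIgnoringCase = ($adHost -ieq $fileHost)
    }
}
```

Run it on the server hosting the /certsrv pages. A row where both match columns are True reproduces the "zero discrepancies" result reported above.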
That is a great tip regarding FreeSSL...  much better ($ wise) than Verisign, eh?  Thanks for letting me (us) know about it.

And thanks for the pts..

FE
I think I have exactly the same problem. Where can I find this free SSL provider and can you give me a quick 30 seconds heads up on what I'm going to have to do?

Thanks

John