Problem with OWA, SSL and Certificate

joebilek

Hi,

I have a difficult problem to solve.

Came to a new client that has Exchange 2003 and an AD. Someone before installed the AD and gave it the following name: customer.customer.ad.
The server's name is msxmail.

When I try to activate OWA using SSL I need to create a certificate. When doing so I would like to enable users to access OWA (SSL) from the internet using the following web address: mail.customer.se. But when creating the cert using this FQDN the certificate authority fails to do so.

I believe this depends on the AD name and that it has been configured wrong.

Is there any way I can solve this?


GOAL:

https://mail.customer.se/exchange
keep the same servername internally: msxmail
keep the same AD name internally: customer.customer.ad

Sembee

Are you trying to create your own certificate or create a request for one to send to a third party?

Using a third party service is a better option to follow. This will give you a certificate that doesn't generate alerts.
Try RapidSSL, one of their StarterSSL certificates is fine.
When you step through the wizard you are asked for Common Name. This is where you put in mail.customer.se. You don't need to do anything with the AD configuration - having a different DNS name internally and externally is very common.

Simon.
joebilek
ASKER

I am trying to use our own certificate, not external. Is StarterSSL free? Only first year?

Sembee
It isn't free, there is a free 30 day trial.

However I believe that using your own certificate is a false economy and looks unprofessional.

Users will get a warning message whenever they connect to your OWA as the certificate is from an untrusted source. While you can train the users to accept the warning message, they usually don't hear the "only on our site" part and begin to ignore the warning. With the number of phishing attacks going around, this is bad news as it means that the phisher can put up a false https site, with a warning, and know that some people are going to ignore the warning because their IT guy at work told them it was ok.

Simon.

joebilek
True. But is there a possible solution using our own certificate in some way? Or is the only solution around the misconfigured AD an external cert?

eatmeimadanish

I use the certificate system included in Windows. You need to set up the certificate with the FQDN of the internal server name. The reason is that the SSL works as an internal security measure; it won't understand or resolve the request with the external domain name since that is not the domain it is securing with. Once you do this, you can use any external DNS name you want as long as it is pointed to the 443 port of the server. The only difference between this SSL measure and a third-party one is that you get a box that comes up where you must click YES to advance. Since your server is not a registered authentication service it must be manually OK'd by the user. I find this is not an annoyance.

joebilek
Hi, I tried again and got this:

Certificate Services denied request 15 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for CN=msxmail.customer.customer.ad, OU=City, O=Customer, L=City, S=SE, C=SE.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer.

So this didn't work; the only time it does work is when I use the intranet host name (msxmail). But this is wrong I presume.

Joe
ASKER CERTIFIED SOLUTION
eatmeimadanish

joebilek
Hi, great article, tried it and got this:

Your certificate request was denied.

Your Request Id is 6. The disposition message is "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer. ".

Contact your administrator for further information.


Same error as before, strange.

Is there something else I can check?

eatmeimadanish
Have you enabled the WebServer security template? In Control Panel > Certification Authority right click on Certificate Templates > New > Certificate Template to Issue, choose the WebServer template and that should make it available for requests.
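The two steps the thread converges on, enabling the WebServer template on the CA (the cause of the 0x80094800 "template not supported" denial quoted above) and then requesting a certificate whose Common Name is the public OWA name rather than the internal AD name, carried out from the command line. This is an added example written for this page; it is not code from the thread or from any of the posters. The CA configuration string "msxmail\Customer-CA", the C:\certs working directory and the key parameters are assumptions; the names in the request are the ones on the page, and the Subject components other than CN are copied from the denied request the asker pasted. The [Extensions] block uses certreq's own {text} / _continue_ INF syntax for a Subject Alternative Name.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# Exchange/IIS server (msxmail). The CA config string is "<CA server>\<CA name>";
# "certutil -dump" with no arguments prints the real value for your CA.
$CaConfig = "msxmail\Customer-CA"          # placeholder, replace with your CA
$ReqDir   = "C:\certs"                      # assumed working directory
New-Item -ItemType Directory -Path $ReqDir -Force | Out-Null

# Step 1 (what the last reply describes): allow the CA to issue the WebServer
# template. Until this is done the policy module denies the request with
# 0x80094800, exactly as in the messages pasted above.
certutil -config $CaConfig -SetCATemplates +WebServer
certutil -config $CaConfig -CATemplates     # WebServer should now be listed

# Step 2: write the request file. CN is the public name users type into the
# browser (mail.customer.se); the SAN extension also lists the internal AD
# name and the short host name, so the same certificate matches whichever
# name a client connects with. The AD domain name itself is left untouched.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mail.customer.se, OU=City, O=Customer, L=City, S=SE, C=SE"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=mail.customer.se&"
_continue_ = "dns=msxmail.customer.customer.ad&"
_continue_ = "dns=msxmail"

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path "$ReqDir\owa.inf" -Encoding Ascii

# Step 3: build the request, submit it to the CA, install the issued
# certificate into the machine store where IIS can bind it.
certreq -new "$ReqDir\owa.inf" "$ReqDir\owa.req"
certreq -submit -config $CaConfig "$ReqDir\owa.req" "$ReqDir\owa.cer"
certreq -accept "$ReqDir\owa.cer"

# Step 4: confirm the issued certificate carries the expected names and
# chains to the CA before assigning it to the Default Web Site in IIS.
certutil -dump "$ReqDir\owa.cer" | Select-String "CN=|DNS Name="
certutil -verify -urlfetch "$ReqDir\owa.cer"
```

Two things to check after running it. First, the Step 4 output should show `CN=mail.customer.se` in the Subject and a `DNS Name=` line for each of the three names; if the CA rewrote the subject, the template's subject-name setting is overriding the request. Second, this certificate is only trusted by clients that already hold the internal CA's root certificate: domain-joined machines typically receive it through AD, but home PCs and phones reaching https://mail.customer.se/exchange will not, which is the warning behaviour Sembee describes. A certificate from a public CA issued for the same CN and SAN list removes that warning without changing anything about the internal AD or server names.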