Solved

Problem with OWA, SSL and Certificate

Posted on 2005-05-12
Last Modified: 2012-08-13
Hi,

I have a difficult problem to solve.

Came to a new client that has Exchange 2003 and an AD. Someone before installed the AD and gave it the following name: customer.customer.ad.
The server's name is msxmail.

When I try to activate OWA using SSL I need to create a certificate. When doing so I would like to enable users to be able to access OWA (SSL) from the internet using the following web address: mail.customer.se. But when creating the cert using this FQDN the certificate authority fails in doing so.

I believe this depends on the AD name and that it has been configured wrong.

Is there any way I can solve this?


GOAL:

https://mail.customer.se/exchange
keep the same servername internally: msxmail
keep the same AD name internally: customer.customer.ad




Question by:joebilek
9 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 13985783
Are you trying to create your own certificate or create a request for one to send to a third party?

Using a third party service is a better option to follow. This will give you a certificate that doesn't generate alerts.
Try RapidSSL, one of their StarterSSL certificates is fine.
When you step through the wizard you are asked for Common Name. This is where you put in mail.customer.se. You don't need to do anything with the AD configuration - having a different DNS name internally and externally is very common.

Simon.
 
LVL 1

Author Comment

by:joebilek
ID: 13985807
I am trying to use our own certificate, not external. Is StarterSSL free? Only first year?
 
LVL 104

Expert Comment

by:Sembee
ID: 13985850
It isn't free, there is a free 30 day trial.

However I believe that using your own certificate is a false economy and looks unprofessional.

Users will get a warning message whenever they connect to your OWA as the certificate is from an untrusted source. While you can train the users to accept the warning message they usually don't hear the "only on our site" part and begin to ignore the warning. With the number of phishing attacks going around this is bad news as it means that the phisher can put up a false https site, with a warning, and know that some people are going to ignore the warning because their IT guy at work told them it was ok.

Simon.
 
LVL 1

Author Comment

by:joebilek
ID: 13986021
True. But however is there a possible solution using our own certificate in some way? Or is the only solution around the misconfigured AD an external cert?

 
LVL 13

Expert Comment

by:eatmeimadanish
ID: 13987963
I use the certificate system included in Windows.  You need to set up the certificate with the FQDN of the internal server name.  The reason is that the SSL works as an internal security measure; it won't understand or resolve the request with the external domain name since that is not the domain it is securing with.  Once you do this, you can use any external DNS name you want as long as it is pointed to the 443 port of the server. The only difference between this SSL measure and a third-party one is that you get a box that comes up where you must click YES to advance.  Since your server is not a registered authentication service it must be manually ok'd by the user.  I find this is not an annoyance.
 
LVL 1

Author Comment

by:joebilek
ID: 13988208
Hi, I tried again and got this:

Certificate Services denied request 15 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for CN=msxmail.customer.customer.ad, OU=City, O=Customer, L=City, S=SE, C=SE.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer.

So this didn't work; the only time it does work is when I use the intranet host name (msxmail). But this is wrong I presume.

Joe
 
LVL 13

Accepted Solution

by:eatmeimadanish (earned 1500 total points)
ID: 13990816
This is how you need to set up your CA.  
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Follow that, make sure you use your internal DNS name for your server.  
 
LVL 1

Author Comment

by:joebilek
ID: 13991276
Hi, great article, tried it and got this:

Your certificate request was denied.

Your Request Id is 6. The disposition message is "Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: WebServer. ".

Contact your administrator for further information.


Same error as before, strange.

Is there something else I can check?
 

Expert Comment

by:akacaj
ID: 15033955
Have you enabled the WebServer security template? In Control Panel > Certification Authority right click on Certificate Templates > New > Certificate Template to Issue, choose the WebServer template and that should make it available for requests.
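An added example (not from any poster in this thread) that scripts the two points above: it checks whether the Enterprise CA actually issues the WebServer template (the cause of the "Denied by Policy Module 0x80094800" error Joe pasted) and enables it if not, then builds and submits a request that goes beyond the accepted answer by putting mail.customer.se in the CN, as Sembee suggested, while also listing the internal FQDN in the Subject Alternative Name so one certificate serves both names. The CA config string "msxmail.customer.customer.ad\Customer-CA", the O= value and the temp file paths are assumptions; adjust them to the real CA.

```powershell
# Added example, not code from the thread. Assumed placeholder values below.
$CaConfig     = 'msxmail.customer.customer.ad\Customer-CA'   # assumed "host\CA name"
$PublicName   = 'mail.customer.se'                           # name users type from the internet
$InternalName = 'msxmail.customer.customer.ad'               # server's AD FQDN

# 1. List the templates this CA is configured to issue. Each line of the
#    output starts with the template's internal name, e.g. "WebServer: Web Server ...".
$issued = & certutil.exe -config $CaConfig -CATemplates 2>&1 | Out-String
if ($issued -notmatch '(?m)^WebServer:') {
    Write-Host 'WebServer is not an issued template on this CA; adding it (needs CA admin rights).'
    # Same effect as MMC: Certificate Templates > New > Certificate Template to Issue
    & certutil.exe -config $CaConfig -SetCATemplates +WebServer | Out-Null
}

# 2. Write a certreq request file. CN is the public name; the SAN extension
#    (OID 2.5.29.17) also carries the internal FQDN so LAN clients get no name mismatch.
$inf = @"
[NewRequest]
Subject = "CN=$PublicName, O=Customer, C=SE"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$PublicName&"
_continue_ = "dns=$InternalName"
"@
$infPath = Join-Path $env:TEMP 'owa.inf'
$reqPath = Join-Path $env:TEMP 'owa.req'
$cerPath = Join-Path $env:TEMP 'owa.cer'
$inf | Set-Content -Path $infPath -Encoding ASCII

# 3. Generate the request, submit it to the CA, and bind the issued certificate
#    to the machine key; it then appears in the IIS certificate picker for the OWA site.
& certreq.exe -new $infPath $reqPath
& certreq.exe -submit -config $CaConfig $reqPath $cerPath
& certreq.exe -accept $cerPath
```

Because the SAN is carried inside the request itself, the CA does not need the EDITF_ATTRIBUTESUBJECTALTNAME2 flag that older guides recommend; leave that flag off, since with it any authorised requester can ask the CA for a certificate in any name.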
