  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1103

Not your average OWA certificate issue

We're running Exchange on SBS.  Yesterday I installed a GoDaddy cert because of an issue with a recent pen test.  Cert installed with no problem.  When I get to Remote Web Workplace, I can log in, but then when I click on the OWA link I get a cert error: "Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help."
I also get the blocked content bar, and when I click on "Display blocked content" it just brings me to the OWA login page, and when I enter my credentials (or any credentials) it just loops right back to the login page.  Can't get logged in.
Here's the weird thing.  We are using a subdomain which points to our Roadrunner static IP.  All that works great, but when I view the properties of the login page on OWA, it shows the GoDaddy cert but the URL has changed from our subdomain to:
https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp?url=https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/Exchange&reason=0.
I think this is why the cert is bombing out.  I've tried everything I can think of to get by this, even reinstalling the SBS-issued cert which was working just fine yesterday, and get the same thing.  I've also re-keyed and reinstalled the GoDaddy cert twice.  I've recreated the virtual directories because at one point yesterday it would allow me to log in but went to a parent directory that listed all users and allowed me to choose my username but never brought me to my OWA site, just another parent directory which showed the one message in my inbox, nothing else.  Rebooted several times.  Is this possibly a DNS issue with Roadrunner?

One more tidbit: due to the pen test I removed .aspx, .rew, .soap and .asmx from the default website ISAPI configuration.  I then replaced them exactly as they were before the removal, which is why I think I had to recreate the virtual directories.
STUMPED...
 
0
Asked by: seannhcs
1 Solution
 
Bertling commented:
What is the common name you used when you registered for the GoDaddy cert?
Is it the same as the domain name used to access the OWA server?
0
 
seannhcs (Author) commented:
Yes, vpn.mydomain.com
0
 
Bertling commented:
And you're accessing OWA using https://vpn.mydomain.com/exchange?
0
 
Paranormastic (Cryptographic Engineer) commented:
Here is the SBS specific method, make sure everything looks right - you should be able to specify the server name when creating the CSR.  You can verify by using 'certutil -dump certreq.txt' and looking for the CN= value in the subject prior to submitting the CSR to godaddy.

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Here is the link to the GoDaddy root certificate chain - look for the New chain, not the Legacy:
https://certs.godaddy.com/Repository.go

Note: Since you are having issues with the cert, let godaddy know and they won't charge you for replacements, if you haven't contacted them already.
0
 
seannhcs (Author) commented:
I've gone in both ways, directly to OWA using vpn.mydomain.com/exchange and starting at the Remote Web Workplace, same URL minus the /exchange.
I believe it won't let me get past the login because the URL changes to that Road Runner one above and no longer represents the URL as seen in the cert.  The thing that's weird is that it doesn't change until the login page.  The certificate error at the login page says "mismatched address".
The TechNet instructions above are the exact way that I installed the cert.
0
 
Paranormastic (Cryptographic Engineer) commented:
Sounds like there is some kind of a DNS issue, that your desired typed URL is getting replaced by the roadrunner addy somehow.  Are you running your own DNS or using theirs?  I am going to assume that you are using their DNS servers.  

You should try calling up RR and talking to them about whether they could help you get DNS set up to do what you need it to.  It's likely something set up on their end that they can walk you through changing in their console, or maybe just do it for you, depending on how they have their stuff set up.

If it comes to your DNS, then you would want to make sure that you have the host (A) record set up correctly and not just forwarded.  Given what it translates to, I doubt this is your DNS, just putting it out there.
0
 
seannhcs (Author) commented:
I'm using their DNS servers; just got off the phone and they claim it's an internal DNS issue with our server and that they have no way to initiate a change in the URL on their end.
I have made no DNS changes since the server was installed 3 months ago.  I even went as far as to remove their DNS servers from both the firewall and the SBS server and still get the same issue.
0
 
seannhcs (Author) commented:
anybody??
0
 
Paranormastic (Cryptographic Engineer) commented:
You could try a cert issued to the road runner name instead, or possibly getting a UCC cert (which you might consider anyways if you are using multiple domain/site names for OWA, such as autodiscover, etc.) where you can put in owa.domain.com, owa, autodiscover.owa.domain.com, name.rr.com, etc. all into one single cert.
0
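The two Paranormastic comments above make one point between them: a browser only accepts the certificate if the host name in the address bar is covered by the certificate's subject CN (or, on a UCC/SAN cert, one of its dNSName entries), which is why a redirect from vpn.mydomain.com to the rrcs-...rr.com name produces "mismatched address" even though the cert itself is valid. The following script is an added example, not code from the thread or from Microsoft or GoDaddy; it implements that host-name matching rule in plain Python and runs it against two constructed certificate identities (a single-name cert and a UCC cert), so an admin can see which typed or redirected host names each cert would satisfy. The rrcs-192-0-2-10 host name and the mydomain.com names are placeholders, and the matching logic is the generic rule, not a re-implementation of any specific browser.

```python
"""Check whether a certificate's identities cover the host name a browser connected to.

Added example, constructed for this thread. Certificate identities are plain Python
dicts standing in for the Subject CN and subjectAltName dNSName entries you would see
in 'certutil -dump' output; no real certificate is parsed here.
"""
from typing import Dict, List


def hostname_matches(hostname: str, identity: str) -> bool:
    """Return True if one certificate identity (CN or dNSName SAN) covers hostname.

    Matching is case-insensitive and label-by-label. A wildcard is honoured only as
    the entire left-most label (e.g. '*.mydomain.com'), never inside a label and
    never against a public suffix alone (e.g. '*.com' is rejected).
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    id_labels = identity.rstrip(".").lower().split(".")
    if len(host_labels) != len(id_labels):
        return False  # a wildcard covers exactly one label, so label counts must agree
    if "*" in id_labels[1:]:
        return False  # wildcard only permitted in the left-most label
    if id_labels[0] == "*" and len(id_labels) < 3:
        return False  # refuse overly broad wildcards such as '*.com'
    return all(p == "*" or p == h for p, h in zip(id_labels, host_labels))


def cert_covers_host(cert: Dict[str, object], hostname: str) -> bool:
    """Mimic the browser rule: if the cert carries dNSName SANs, only those count;
    the Subject CN is consulted only when there is no dNSName SAN at all."""
    sans: List[str] = list(cert.get("san", []))  # type: ignore[arg-type]
    candidates = sans if sans else [str(cert.get("cn", ""))]
    return any(hostname_matches(hostname, name) for name in candidates)


def diagnose(cert: Dict[str, object], hostnames: List[str]) -> Dict[str, bool]:
    """Report, per host name, whether the given cert would pass the address check."""
    return {h: cert_covers_host(cert, h) for h in hostnames}


# Constructed identities mirroring the thread (placeholder names, not real hosts).
SINGLE_NAME_CERT = {"cn": "vpn.mydomain.com", "san": []}
UCC_CERT = {
    "cn": "vpn.mydomain.com",
    "san": [
        "vpn.mydomain.com",
        "autodiscover.mydomain.com",
        "rrcs-192-0-2-10.nys.biz.rr.com",  # placeholder for the ISP-assigned name
    ],
}

# The host the admin types, and the host the OWA login page redirected to.
TYPED_HOST = "vpn.mydomain.com"
REDIRECT_HOST = "rrcs-192-0-2-10.nys.biz.rr.com"

if __name__ == "__main__":
    for label, cert in (("single-name cert", SINGLE_NAME_CERT), ("UCC cert", UCC_CERT)):
        print(label, diagnose(cert, [TYPED_HOST, REDIRECT_HOST]))
```

Run as-is, the single-name cert passes for vpn.mydomain.com and fails for the redirected rr.com name, which is exactly the "mismatched address" symptom; the UCC cert passes for both because the ISP name is listed as a SAN. The same matcher also shows why a wildcard cert for *.mydomain.com would not have helped here: the redirect target is under a different domain entirely.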
 
Paranormastic (Cryptographic Engineer) commented:
I'm just checking in on old posts today... Are you still having this issue?  If so, please let me know so I can help some more, if not, please close accordingly..
0
