Solved
Not your average OWA certificate issue

Posted on 2008-10-22
Last Modified: 2009-09-20
We're running Exchange on SBS. Yesterday I installed a GoDaddy cert because of an issue with a recent pen test. The cert installed with no problem. When I get to Remote Web Workplace, I can log in, but then when I click on the OWA link I get a cert error: "Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help."
I also get the blocked content bar, and when I click on "Display blocked content" it just brings me to the OWA login page; when I enter my credentials (or any credentials) it just loops right back to the login page. Can't get logged in.
Here's the weird thing. We are using a subdomain which points to our Road Runner static IP. All that works great, but when I view the properties of the login page on OWA, it shows the GoDaddy cert but the URL has changed from our subdomain to:
https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp?url=https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/Exchange&reason=0
I think this is why the cert is bombing out. I've tried everything I can think of to get by this, even reinstalling the SBS-issued cert, which was working just fine yesterday, and I get the same thing. I've also re-keyed and reinstalled the GoDaddy cert twice. I've recreated the virtual directories because at one point yesterday it would allow me to log in but went to a parent directory that listed all users and allowed me to choose my username, but never brought me to my OWA site, just another parent directory which showed the one message in my inbox, nothing else. Rebooted several times. Is this possibly a DNS issue with Road Runner?

One more tidbit: due to the pen test I removed .aspx, .rew, .soap and .asmx from the default website ISAPI configuration. I then replaced them exactly as they were before the removal, which is why I think I had to recreate the virtual directories.
STUMPED...

Question by: seannhcs
11 Comments
 
LVL 11

Expert Comment

by:Bertling
ID: 22775258
What is the common name you used when you registered for the GoDaddy cert?
Is it the same as the domain name used to access the OWA server?
Author Comment

by:seannhcs
ID: 22775269
Yes, vpn.mydomain.com
LVL 11

Expert Comment

by:Bertling
ID: 22775614
And you're accessing OWA using https://vpn.mydomain.com/exchange?
LVL 31

Accepted Solution

by: Paranormastic (earned 2000 total points)
ID: 22775620
Here is the SBS-specific method; make sure everything looks right. You should be able to specify the server name when creating the CSR. You can verify by using 'certutil -dump certreq.txt' and looking for the CN= value in the subject prior to submitting the CSR to GoDaddy.

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Here is the link to the GoDaddy root certificate chain; look for the New chain, not the Legacy one:
https://certs.godaddy.com/Repository.go

Note: since you are having issues with the cert, let GoDaddy know and they won't charge you for replacements, if you haven't contacted them already.
Author Comment

by:seannhcs
ID: 22776951
I've gone in both ways: directly to OWA using vpn.mydomain.com/exchange, and starting at the Remote Web Workplace, same URL minus the /exchange.
I believe it won't let me get past the login because the URL changes to that Road Runner one above and no longer matches the name in the cert. The weird thing is that it doesn't change until the login page. The certificate error at the login page says "mismatched address".
The TechNet instructions above are the exact way that I installed the cert.
LVL 31

Expert Comment

by:Paranormastic
ID: 22777936
Sounds like there is some kind of a DNS issue, in that your desired typed URL is getting replaced by the Road Runner address somehow. Are you running your own DNS or using theirs? I am going to assume that you are using their DNS servers.

You should try calling up RR and talk to them about seeing if they could help you with getting DNS set up to do what you need it to. It's likely something set up on their end that they can walk you through changing in their console, or maybe just do it for you, depending on how they have their stuff set up.

If it comes down to your DNS, then you would want to make sure that you have the host (A) record set up correctly and not just forwarded. Given what it translates to, I doubt this is your DNS, just putting it out there.
Author Comment

by:seannhcs
ID: 22779734
I'm using their DNS servers. I just got off the phone, and they claim it's an internal DNS issue with our server and that they have no way to initiate a change in the URL on their end.
I have made no DNS changes since the server was installed 3 months ago. I even went as far as to remove their DNS servers from both the firewall and the SBS server and still get the same issue.
Author Comment

by:seannhcs
ID: 22784110
anybody??
LVL 31

Expert Comment

by:Paranormastic
ID: 22889216
You could try a cert issued to the Road Runner name instead, or possibly get a UCC cert (which you might consider anyway if you are using multiple domain/site names for OWA, such as autodiscover, etc.), where you can put owa.domain.com, owa, autodiscover.owa.domain.com, name.rr.com, etc. all into one single cert.
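The "mismatched address" error in the thread is the client's hostname check failing: the GoDaddy cert names vpn.mydomain.com, but the OWA login page is reached under the Road Runner reverse-DNS name, so no name in the cert covers the URL. The accepted answer checks the CN in the CSR with certutil, and the later comment suggests a UCC (multi-SAN) cert covering both names. The following is an added example (not code from the thread or from any poster) that shows the check a TLS client performs, written out in Python against certificates in the dict shape ssl.getpeercert() returns, so it runs offline. The certificates and the names vpn.mydomain.com, autodiscover.mydomain.com and rrcs-example.nys.biz.rr.com are constructed placeholders; the last stands in for the elided Road Runner name and is not a real host.

```python
"""Hostname-vs-certificate matching as a TLS client does it before trusting
an OWA/RWW endpoint. Added example; not part of the original thread.

Certificates below are constructed in the dict shape that Python's
ssl.SSLSocket.getpeercert() returns. All host names are placeholders."""

from __future__ import annotations

import socket
import ssl

# Constructed: a single-name cert, like the GoDaddy cert in the thread.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "vpn.mydomain.com"),),),
    "subjectAltName": (("DNS", "vpn.mydomain.com"),),
}

# Constructed: a UCC/multi-SAN cert covering the typed name, autodiscover,
# and the ISP reverse-DNS name the login page lands on.
UCC_CERT = {
    "subject": ((("commonName", "vpn.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "vpn.mydomain.com"),
        ("DNS", "autodiscover.mydomain.com"),
        ("DNS", "rrcs-example.nys.biz.rr.com"),  # placeholder for the elided RR name
    ),
}


def _match_label(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is allowed only as the whole leftmost label, matching one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # '*.mydomain.com' -> '.mydomain.com'
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # '*.mydomain.com' matches 'vpn.mydomain.com', not 'mydomain.com' or 'a.b.mydomain.com'
    return bool(first_label) and "." not in first_label


def cert_names(cert: dict) -> list[str]:
    """Names the certificate is valid for. SAN dNSName entries win; the subject
    CN is consulted only when the cert carries no DNS SANs at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True when the cert covers hostname; False is what IE reports as
    'mismatched address'."""
    return any(_match_label(name, hostname) for name in cert_names(cert))


def names_not_covered(cert: dict, hostnames: list[str]) -> list[str]:
    """Every URL host the client will see (typed name, redirect target, ...)
    that the cert fails to cover. Empty list means no mismatch anywhere."""
    return [h for h in hostnames if not match_hostname(cert, h)]


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live diagnostic (not exercised offline): verify the chain against the
    system trust store but skip the built-in hostname check, so the cert is
    returned even on a name mismatch and can be fed to names_not_covered()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation (e.g. GoDaddy root)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    landed_on = ["vpn.mydomain.com", "rrcs-example.nys.biz.rr.com"]
    print("single-name cert misses:", names_not_covered(SINGLE_NAME_CERT, landed_on))
    print("UCC cert misses:        ", names_not_covered(UCC_CERT, landed_on))
```

Run against the two constructed certs, the single-name cert fails only for the Road Runner name, while the UCC cert covers both, which is the point of the multi-SAN suggestion. fetch_peer_cert() keeps chain validation on but turns off the hostname check so that, on a real endpoint, the cert comes back instead of an exception and the mismatch can be reported name by name; with CERT_NONE, getpeercert() returns an empty dict and there would be nothing to inspect.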
LVL 31

Expert Comment

by:Paranormastic
ID: 24061563
I'm just checking in on old posts today... Are you still having this issue? If so, please let me know so I can help some more; if not, please close accordingly.