Solved

Not your average OWA certificate issue

Posted on 2008-10-22
Last Modified: 2009-09-20
We're running Exchange on SBS.  Yesterday I installed a GoDaddy cert because of an issue with a recent pen test.  Cert installed with no problem.  When I get to Remote Web Workplace, I can log in, but then when I click on the OWA link, I get a cert error: "Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help."
I also get the blocked content bar, and when I click on "Display blocked content", it just brings me to the OWA login page, and when I enter my credentials (or any credentials) it just loops right back to the login page.  Can't get logged in.
Here's the weird thing.  We are using a subdomain which points to our Road Runner static IP.  All that works great, but when I view the properties of the login page on OWA, it shows the GoDaddy cert but the URL has changed from our subdomain to:
https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp?url=https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/Exchange&reason=0.
I think this is why the cert is bombing out.  I've tried everything I can think of to get by this, even reinstalling the SBS-issued cert which was working just fine yesterday, and get the same thing.  I've also re-keyed and reinstalled the GoDaddy cert twice.  I've recreated the virtual directories because at one point yesterday it would allow me to log in but went to a parent directory that listed all users and allowed me to choose my username, but never brought me to my OWA site, just another parent directory which showed the one message in my inbox, nothing else.  Rebooted several times.  Is this possibly a DNS issue with Road Runner?

One more tidbit: due to the pen test I removed .aspx, .rew, .soap and .asmx from the default website ISAPI configuration.  I then replaced them exactly as they were before the removal, which is why I think I had to recreate the virtual directories.
STUMPED...
 
Question by:seannhcs
Expert Comment

by:Bertling
ID: 22775258
What is the common name you used when you registered for the GoDaddy cert?
Is it the same as the domain name used to access the OWA server?

Author Comment

by:seannhcs
ID: 22775269
Yes, vpn.mydomain.com
Expert Comment

by:Bertling
ID: 22775614
And you're accessing OWA using https://vpn.mydomain.com/exchange?
Accepted Solution

by:Paranormastic (earned 500 total points)
ID: 22775620
Here is the SBS-specific method; make sure everything looks right. You should be able to specify the server name when creating the CSR.  You can verify by using 'certutil -dump certreq.txt' and looking for the CN= value in the subject prior to submitting the CSR to GoDaddy.

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Here is the link to the GoDaddy root certificate chain - look for the New chain, not the Legacy:
https://certs.godaddy.com/Repository.go

Note: Since you are having issues with the cert, let GoDaddy know and they won't charge you for replacements, if you haven't contacted them already.

Author Comment

by:seannhcs
ID: 22776951
I've gone in both ways: directly to OWA using vpn.mydomain.com/exchange, and starting at the Remote Web Workplace, same URL minus the /exchange.
I believe it won't let me get past the login because the URL changes to that Road Runner one above and no longer matches the URL as seen in the cert.  The thing that's weird is that it doesn't change until the login page.  The certificate error at the login page says "mismatched address".
The TechNet instructions above are the exact way that I installed the cert.
Expert Comment

by:Paranormastic
ID: 22777936
Sounds like there is some kind of a DNS issue, in that your desired typed URL is getting replaced by the Road Runner address somehow.  Are you running your own DNS or using theirs?  I am going to assume that you are using their DNS servers.

You should try calling up RR and talk to them about seeing if they could help you with getting DNS set up to do what you need it to.  It's likely how something is set up on their end that they can walk you through changing in their console, or maybe just do it for you, depending on how they have their stuff set up.

If it comes to your DNS, then you would want to make sure that you have the host (A) record set up correctly and not just forwarded.  Given what it translates to, I doubt this is your DNS, just putting it out there.

Author Comment

by:seannhcs
ID: 22779734
I'm using their DNS servers; just got off the phone and they claim it's an internal DNS issue with our server and that they have no way to initiate a change in the URL on their end.
I have made no DNS changes since the server was installed 3 months ago.  I even went as far as to remove their DNS servers from both the firewall and the SBS server and still get the same issue.

Author Comment

by:seannhcs
ID: 22784110
Anybody??
Expert Comment

by:Paranormastic
ID: 22889216
You could try a cert issued to the road runner name instead, or possibly getting a UCC cert (which you might consider anyways if you are using multiple domain/site names for OWA, such as autodiscover, etc.) where you can put in owa.domain.com, owa, autodiscover.owa.domain.com, name.rr.com, etc. all into one single cert.
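An added example, not from the thread or from either participant: the "mismatched address" error above and the UCC suggestion both come down to one question, whether every hostname a browser is sent to on the way from RWW to the OWA logon page is covered by a name on the certificate (the CN when there are no subjectAltNames, otherwise only the SANs). The script below walks a redirect chain and reports the first hop the cert does not cover, using the same exact/one-label-wildcard matching rule browsers apply. The redirect chain, the certificate name sets and the Road Runner reverse name (with a TEST-NET address and dash-separated octets; the real format is elided in the question) are all constructed for illustration. `live_names()` pulls the CN/SANs from a server with the standard library; it is not run offline and assumes a publicly trusted cert such as the GoDaddy one.

```python
"""Check which hosts in an RWW -> OWA redirect chain a certificate covers.
Added example for illustration; names, chain and IP are constructed."""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed certificate name sets. A single-name cert has only the CN;
# a UCC (multi-domain) cert also lists every host it is valid for as a SAN.
SINGLE_NAME_CERT = {"cn": "vpn.mydomain.com", "sans": []}
UCC_CERT = {
    "cn": "vpn.mydomain.com",
    "sans": [
        "vpn.mydomain.com",
        "autodiscover.mydomain.com",
        "rrcs-203-0-113-10.nys.biz.rr.com",  # constructed ISP reverse name
    ],
}

# Constructed redirect chain shaped like the one in the question: RWW hands
# off to /exchange, and the OWA logon page comes back under the ISP's name.
REDIRECT_CHAIN = [
    "https://vpn.mydomain.com/remote",
    "https://vpn.mydomain.com/exchange",
    "https://rrcs-203-0-113-10.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp"
    "?url=https://rrcs-203-0-113-10.nys.biz.rr.com/Exchange&reason=0",
]


def cert_names(cert):
    """Names a browser will accept: SANs if present, else the CN alone."""
    return [n.lower() for n in cert["sans"]] or [cert["cn"].lower()]


def name_matches(pattern, hostname):
    """Exact match, or a single leading '*' standing for exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and pattern.count("*") == 1:
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def covered(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def first_mismatch(cert, chain):
    """(hop index, hostname) of the first URL the cert does not cover, or None."""
    for i, url in enumerate(chain):
        host = urlsplit(url).hostname
        if not covered(cert, host):
            return i, host
    return None


def live_names(host, port=443):
    """Fetch CN/SANs from a live server (network; not exercised offline).
    Hostname checking is off so a mismatched cert is still returned, but the
    chain must still be trusted (getpeercert() is empty under CERT_NONE)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), "")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": cn, "sans": sans}


if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT), ("UCC", UCC_CERT)):
        hit = first_mismatch(cert, REDIRECT_CHAIN)
        if hit is None:
            print(f"{label}: every hop is covered")
        else:
            print(f"{label}: hop {hit[0]} ({hit[1]}) is not on the cert")
```

Run against the constructed chain, the single-name cert fails at hop 2, the ISP reverse name that appears only once OWA's logon page is reached, which is exactly where the questioner sees the error; the UCC cert with that name added as a SAN covers every hop. Fixing the redirect so OWA stays on vpn.mydomain.com removes the need for the extra name altogether.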
Expert Comment

by:Paranormastic
ID: 24061563
I'm just checking in on old posts today... Are you still having this issue?  If so, please let me know so I can help some more; if not, please close accordingly.