Not your average OWA certificate issue

We're running Exchange on SBS.  Yesterday I installed a GoDaddy cert because of an issue with a recent pen test.  Cert installed with no problem.  When I get to Remote Web Workplace, I can login but then when I click on the OWA link, I get a cert error, Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help.
I also get the blocked content bar and when I click on "Display blocked content", it just brings me to the OWA login page and when I enter my credentials (or any credentials) it just loops right back to the login page.  Can't get logged in.
Here's the weird thing.  We are using a subdomain which points to our Roadrunner static IP.  All that works great but when I view the properties of the login page on OWA, it shows the GoDaddy cert but the URL has changed from our subdomain to:
https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp?url=https://rrcs-OUR IP ADDRESS.nys.biz.rr.com/Exchange&reason=0.
I think this is why the cert is bombing out.  I've tried everything I can think of to get by this, even reinstalling the SBS issued cert which was working just fine yesterday, and get the same thing.  I've also re-keyed and reinstalled the GoDaddy cert twice.  I've recreated the virtual directories because at one point yesterday it would allow me to login but went to a parent directory that listed all users and allowed me to choose my username but never brought me to my OWA site, just another parent directory which showed the one message in my inbox, nothing else.  Rebooted several times.  Is this possibly a DNS issue with Roadrunner?

One more tidbit: due to the pen test I removed .aspx, .rew, .soap and .asmx from the default website ISAPI configuration.  I then replaced them exactly as they were before the removal, which is why I think I had to recreate the virtual directories.
STUMPED...
 
seannhcs asked:

Bertling commented:
What is the common name you used when you registered for the GoDaddy cert?
Is it the same as the domain name used to access the OWA server?
0
seannhcs (Author) commented:
Yes, vpn.mydomain.com
0
Bertling commented:
And you're accessing OWA using https://vpn.mydomain.com/exchange?
0
Paranormastic (Cryptographic Engineer) commented:
Here is the SBS specific method, make sure everything looks right - you should be able to specify the server name when creating the CSR.  You can verify by using 'certutil -dump certreq.txt' and looking for the CN= value in the subject prior to submitting the CSR to godaddy.

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Here is the link to the GoDaddy root certificate chain - look for the New chain, not the Legacy:
https://certs.godaddy.com/Repository.go

Note: Since you are having issues with the cert, let godaddy know and they won't charge you for replacements, if you haven't contacted them already.
0
seannhcs (Author) commented:
I've gone in both ways: directly to OWA using vpn.mydomain.com/exchange and starting at the Remote Web Workplace, same URL minus the /exchange.
I believe it won't let me get past the login because the URL changes to that Road Runner one above and no longer represents the URL as seen in the cert.  The thing that's weird is that it doesn't change until the login page.  The certificate error at the login page says "mismatched address".
The TechNet instructions above are the exact way that I installed the cert.
0
Paranormastic (Cryptographic Engineer) commented:
Sounds like there is some kind of a DNS issue, that your desired typed URL is getting replaced by the roadrunner addy somehow.  Are you running your own DNS or using theirs?  I am going to assume that you are using their DNS servers.  

You should try calling up RR and talk to them about seeing if they could help you with getting DNS set up to do what you need it to.  It's likely how something is set up on their end that they can walk you through changing in their console, or maybe just do it for you, depending on how they have their stuff set up.

If it comes to your DNS, then you would want to make sure that you have the host (A) record set up correctly and not just forwarded.  Given what it translates to, I doubt this is your DNS, just putting it out there.
0
seannhcs (Author) commented:
I'm using their DNS servers, just got off the phone and they claim it's an internal DNS issue with our server and that they have no way to initiate a change in the URL on their end.
I have made no DNS changes since the server was installed 3 months ago.  I even went as far as to remove their DNS servers from both the firewall and the SBS server and still get the same issue.
0
seannhcs (Author) commented:
anybody??
0
Paranormastic (Cryptographic Engineer) commented:
You could try a cert issued to the road runner name instead, or possibly getting a UCC cert (which you might consider anyways if you are using multiple domain/site names for OWA, such as autodiscover, etc.) where you can put in owa.domain.com, owa, autodiscover.owa.domain.com, name.rr.com, etc. all into one single cert.
0
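The "mismatched address" warning in this thread is the browser comparing the host in the address bar against the names the certificate was issued for, and the UCC suggestion above works because a SAN certificate can list both names. The following check is an added illustration, not code posted by anyone in the thread: it walks a constructed redirect chain (the typed vpn.mydomain.com URL, then a constructed rrcs-203-0-113-5.nys.biz.rr.com host standing in for the redacted Road Runner name) against a certificate's CN and SAN list, and reports the first hop the certificate does not cover. All hostnames, function names and the RFC 5737 placeholder address are assumptions.

```python
"""Check whether each URL in a redirect chain is covered by a certificate's names.

Added example, not code from the thread. Hostnames, the placeholder
address 203-0-113-5 (RFC 5737 documentation range) and all function names
are constructed for illustration.
"""
from urllib.parse import urlparse


def cert_names(common_name, sans=()):
    """Names a certificate is valid for.

    Browsers check subjectAltName dNSName entries; the subject CN is only
    consulted when the certificate carries no SANs at all.
    """
    if sans:
        return [s.lower().rstrip(".") for s in sans]
    return [common_name.lower().rstrip(".")]


def name_matches(hostname, pattern):
    """RFC 6125-style comparison: exact match, or a '*.' wildcard that
    covers exactly one leftmost label (so '*.example.com' matches
    'owa.example.com' but neither 'example.com' nor 'a.b.example.com')."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return hostname == pattern


def url_covered(url, common_name, sans=()):
    """True if the host in `url` matches some name on the certificate."""
    host = urlparse(url).hostname
    if host is None:
        return False
    return any(name_matches(host, p) for p in cert_names(common_name, sans))


def first_mismatch(redirect_chain, common_name, sans=()):
    """Return the first URL in the chain whose host the certificate does not
    cover, or None if every hop is covered. That URL is the one that
    produces the browser's 'mismatched address' warning."""
    for url in redirect_chain:
        if not url_covered(url, common_name, sans):
            return url
    return None


# Constructed redirect chain modelled on the symptom in the thread: the typed
# OWA URL is redirected to the ISP-assigned reverse-DNS name of the static IP.
OWA_CHAIN = [
    "https://vpn.mydomain.com/exchange",
    "https://rrcs-203-0-113-5.nys.biz.rr.com/exchweb/bin/auth/owalogon.asp"
    "?url=https://rrcs-203-0-113-5.nys.biz.rr.com/Exchange&reason=0",
]

# Single-name certificate as described in the thread, and a hypothetical
# UCC/SAN certificate covering both names.
SINGLE_NAME_CN = "vpn.mydomain.com"
UCC_SANS = ("vpn.mydomain.com", "rrcs-203-0-113-5.nys.biz.rr.com")

if __name__ == "__main__":
    print("single-name cert, first mismatch:",
          first_mismatch(OWA_CHAIN, SINGLE_NAME_CN))
    print("UCC cert, first mismatch:",
          first_mismatch(OWA_CHAIN, SINGLE_NAME_CN, UCC_SANS))
```

In practice the names would come from the served certificate (for example `ssl.SSLSocket.getpeercert()` in Python's standard library) and the redirect chain from the server's actual responses; the point is that a mismatch on the second hop is fixed either by making the redirect target the name on the certificate or, as suggested above, by a SAN certificate that lists both names.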
Paranormastic (Cryptographic Engineer) commented:
I'm just checking in on old posts today... Are you still having this issue?  If so, please let me know so I can help some more, if not, please close accordingly..
0
Question has a verified solution.