Need help with Exchange 2007 certificates

Posted on 2009-12-30
Medium Priority
Last Modified: 2012-05-08
Hey guys

I'm really getting stuck here. As an IT team of one, I'm spending the holidays lab-testing a new server running Exchange 2007 on 2008 SBS. All aspects of the server install have gone fine, but Exchange is giving me real headaches - such that I am on the brink of proposing the new server be deployed with Exchange 2003 again, simply because I can get that working!

In a nutshell, ActiveSync is not working, so no iPhone connections work, OWA is not working, and Outlook 2007 has been giving me an invalid certificate error on startup (although mysteriously this didn't do it today...)

I think all of my issues stem from invalid certificates. The Exchange Best Practices Analyser Health Check had been reporting invalid SANs on all my certificates until today. I think my same dabbling that stopped the Outlook certificate warning has also changed the Health Check results, which now show "No client authentication methods available for ActiveSync" and "Outlook Web Access configured without SSL". These 2 errors are new, and replace the certificate errors, but what's odd is that within IIS Manager, ActiveSync and OWA have "Require SSL" checked.

I feel like I need a "Reset everything related to IIS to defaults" button, followed by a "Regenerate Exchange certificates" button, but short of a reinstall I'm stuck.

One other question: why are there four certificates installed as standard? If I were up against just one, like I created for OWA on Exchange 2003, I'd feel confident, but I don't even know why there are four now.

Any help would be much appreciated.
Question by:timwatsonuk
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26144198
There should only be one certificate installed by default on SBS 2008 and you should replace this with a 3rd party SAN SSL certificate if you want to get all the available features working.  Please have a read of the following for info on the restrictions of a self-certified certificate:
Extract in case of link failure:
  • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
GoDaddy offer 1 Year 5 SAN SSL certificates for about $90 and you would be well advised to start off by purchasing one and then seeing what does not work.
Mestha - EE's leading Exchange Genius has a blog on the relevant names to include on a SAN (Subject Alternative Name) certificate:

Author Comment

ID: 26144226
Thanks Alan.

I see that text states that ActiveSync with a self-signed certificate doesn't encrypt communications with a mobile device. Is that new with 2007? I had a self-signed certificate on Exchange 2003 which the iPhone warned about but continued to use.

I definitely have 4 certificates. No idea why.

Would it be reasonable to:
1) Delete ALL the certificates to begin with
2) Get OWA and ActiveSync working without certificates
3) Install a single certificate self-signed certificate
4) Configure OWA and ActiveSync to work with the certificate
5) Replace the certificate in due course with a GoDaddy certificate

I don't want to delete all the certificates if that stops Exchange working - that's one of the few things that is actually working at the moment!! :)
LVL 76

Accepted Solution

Alan Hardisty earned 1500 total points
ID: 26144289
Yes - sadly with 2007 you really need a 3rd party SSL certificate.  I used to use a self-cert with 2003 (but had to install the cert on all devices), I then changed it for an SSL cert from GoDaddy and that saved me having to install the cert and then I upgraded to 2010 and bought a SAN SSL cert and it went very smoothly.
iPhones always warn about certificates no matter what - they are not as strict on SSL security as Windows Mobile devices.
I would not necessarily delete all certificates to start with - check the one with the oldest creation date as that is probably the initial one created by SBS.  The others I would imagine that you created yourself.
You should be able to create a new certificate by doing the following in the Exchange Management Console:
New-ExchangeCertificate -DomainName name.domain.com, servername.domain.local, autodiscover.domain.local, autodiscover.domain.com, servername

Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate> -Services IIS, SMTP, POP3
This may make everything work initially, then you can replace this if you have problem with a GoDaddy one (or other provider).
Make the changes slowly - one thing I learned is that the changes are not immediate with 2007 / 2010 so if you think you made a change and got away with it scott-free, you may still get bitten later!
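An added check, not code from this thread, for the point made in this comment and repeated later: every host name clients connect with (the server's NetBIOS name and internal FQDN, both Autodiscover names, the external mail name, and SBS 2008's "Sites") has to appear on the certificate, or that client gets a name-mismatch warning. It assumes the Exchange Management Shell and uses host names constructed from this thread's environment.

```powershell
# Added example: list every Exchange certificate and report which of the
# required names it does NOT cover. Run in the Exchange Management Shell.
# Names are constructed from the thread (server "carlos", internal domain
# mydomain.local, external domain my-domain.com); adjust to your environment.
$requiredNames = @(
    'carlos',                       # NetBIOS name Outlook uses on the LAN
    'carlos.mydomain.local',        # internal FQDN
    'autodiscover.mydomain.local',  # internal Autodiscover
    'mail.my-domain.com',           # external OWA / ActiveSync URL
    'autodiscover.my-domain.com',   # external Autodiscover
    'Sites'                         # SBS 2008 IIS host name used for OWA
)

# Return the subject CN plus every DNS name in the Subject Alternative Name
# extension (OID 2.5.29.17) of a certificate.
function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" entry per line
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names
}

foreach ($cert in Get-ExchangeCertificate) {
    $have    = Get-CertDnsNames $cert
    $missing = $requiredNames | Where-Object { $have -notcontains $_ }   # case-insensitive
    "{0}  expires {1:yyyy-MM-dd}  services: {2}" -f $cert.Thumbprint, $cert.NotAfter, $cert.Services
    if ($missing) { "  missing names: " + ($missing -join ', ') }
    else          { "  covers every required name" }
}

# The replacement self-signed certificate from the thread, with the full name
# list, is printed here rather than executed so the output can be reviewed first.
"Suggested: New-ExchangeCertificate -DomainName " + ($requiredNames -join ', ') + " -PrivateKeyExportable `$true"
"Then:      Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services IIS, SMTP, POP3"
```

A certificate that reports no missing names still produces a trust warning on devices that do not hold its issuer, which is the separate self-signed limitation the earlier extract describes.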
Author Comment

ID: 26144440
Thanks Alan. I think we're getting somewhere!

This server was only installed this week, so all four certificates were created during installation. Anyway, I went ahead and zapped all four of them, and followed your advice on creating and enabling a new certificate. I then went through OWA, ActiveSync and OAB in IIS Manager and set them to use the new certificate.

Exchange is still working (!), my iPhone is suddenly synching fine again (with certificate warnings initially), and even OWA is now working locally after a warning.

I have just two issues I think now (if I live with the iPhone warning).

Firstly, I am getting a certificate warning again when I open Outlook 2007. The top of the security alert says "sites" and the error is "The name on the security certificate is invalid or does not match the name of the site". Is this an OAB issue? Should "sites" be in the list of SANs for the certificate? Or do I just have some other issue with OAB/autodiscovery?

Secondly, when I access OWA via https://sites/owa I get a certificate warning saying the certificate is not trusted.

Any ideas?  :)
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26144467
Just to check - (as I had not mentioned it) - did you change the names on the certificate you created to match your environment?
Did you include your internal and external domain names?

Author Comment

ID: 26144496
My external domain is my-domain.com, but my server is configured as mydomain.local. My server is named carlos so I created the certificate with the domain name entries of carlos, carlos.mydomain.local and autodiscover.mydomain.local. I didn't add my external domain as the only use of this is mail.my-domain.com and I didn't see the significance of this with regards to OWA or ActiveSync.

Reading your initial link again, it seems the trusted certificate warning is just something I'm going to have to live with while I use a self-signed certificate, as is the lack of SSL on ActiveSync.

I think that just leaves me with the Outlook certificate warning at startup for now...

LVL 76

Expert Comment

by:Alan Hardisty
ID: 26144603
OWA will need to have the URL you access OWA via added to the certificate otherwise you will get a certificate error (another one).  ActiveSync needs the same - so if you access via mail.mydomain.com then this should be included in the certificate too.
Can you screen dump the Outlook error for me please.

Author Comment

ID: 26167070
Hi Alan

Apologies for disappearing for a couple of days - the wife ended up in hospital with meningitis!

OK, I think it's all sorted now. The first breakthrough after our last exchange was to add Sites to the single certificate. This got OWA etc. all working. Another important thing was to go through all the SBS sites and ensure they are using the new, single certificate.

By the way, the system has re-created 2 more certificates again, but I am ignoring them!!  :)

With every passing hour and every Windows Update, something else has stopped working, and I've seen 100 different event IDs in the last 4 days, but as of tonight the error logs are clear and everything seems to be working.

Thanks for the help. Although another dozen hours were spent battling since our discussion, I'm going to credit you with the total solution based on your following comments:-

"New-ExchangeCertificate -DomainName name.domain.com, servername.domain.local, autodiscover.domain.local, autodiscover.domain.com, servername

Enable-ExchangeCertificate -Thumbprint <thumbprint of the new certificate> -Services IIS, SMTP, POP3"

That, along with adding Sites to the list, was a real turning point. Thanks again.

Author Closing Comment

ID: 31671117
Further work is needed but the accepted solution is a good start.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26167091
Well I think I can forgive you for disappearing based on the Meningitis problem.  I hope that she makes a full and speedy recovery.

Glad you are somewhat sorted now and fully understand the delights of updates 'fixing' problems and creating yet more.

Hope you have a great 2010.

