ssl certificate confusion

jamesmetcalf74
asked:
I'm using Exchange 2003 and OWA and trying to get ActiveSync to work for iPhones.
About 8 months ago I got an SSL certificate from GoDaddy and was able to get ActiveSync up and working for iPhones, and had forms-based authentication working for OWA.
This all changed recently.
iPhones no longer connect; I got rid of the old certificate and am trying to establish a new one with GoDaddy as I type.
I used a tool called Exchange Remote Connectivity Analyzer from the URL
https://www.testexchangeconnectivity.com/Default.aspx
I'm going to call my domain test.com.
The initial SSL certificate was issued to www.test.com and, like I said, everything worked fine.
All of a sudden iPhones quit working and the Remote Connectivity Analyzer is failing from the above-mentioned URL.

Here is the output from the analyzer.
I guess what I'm asking is this:
do I need an SSL certificate for mail.test.com for both to work,
or an SSL certificate for test.com?

Testing Exchange ActiveSync
  Exchange ActiveSync test Failed
  Test Steps
    Attempting AutoDiscover and Exchange ActiveSync Test (if requested)
    Failed to test AutoDiscover for Exchange ActiveSync
    Test Steps
      Attempting each method of contacting the AutoDiscover Service
      Failed to contact the AutoDiscover service successfully by any method
      Test Steps
        Attempting to test potential AutoDiscover URL https://test.com/AutoDiscover/AutoDiscover.xml
        Failed testing this potential AutoDiscover URL
        Test Steps
          Attempting to resolve the host name test.com in DNS.
          Host successfully resolved
          Additional Details
            IP(s) returned: 1.1.1.1

          Testing TCP Port 443 on host test.com to ensure it is listening and open.
          The port was opened successfully.

          Testing SSL Certificate for validity.
          The SSL Certificate failed one or more certificate validation checks.
          Test Steps
            Validating certificate name
            Certificate name validation failed
            Additional Details
              Host name test.com does not match any name found on the server certificate CN=mail.test.com, OU=Domain Control Validated, O=mail.test.com

        Attempting to test potential AutoDiscover URL https://autodiscover.test.com/AutoDiscover/AutoDiscover.xml
        Failed testing this potential AutoDiscover URL
        Test Steps
          Attempting to resolve the host name autodiscover.test.com in DNS.
          The Host could not be resolved.
          Additional Details
            Host autodiscover.test.com could not be resolved in DNS
            Exception Details:
              Message: No such host is known
              Type: System.Net.Sockets.SocketException
              Stack Trace:
                at System.Net.Dns.GetAddrInfo(String name)
                at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
                at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
                at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()

        Attempting to contact the AutoDiscover service using the HTTP redirect method.
        Failed to contact AutoDiscover using the HTTP Redirect method
        Test Steps
          Attempting to resolve the host name autodiscover.test.com in DNS.
          The Host could not be resolved.
          Additional Details
            Host autodiscover.test.com could not be resolved in DNS
            Exception Details:
              Message: No such host is known
              Type: System.Net.Sockets.SocketException
              Stack Trace:
                at System.Net.Dns.GetAddrInfo(String name)
                at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
                at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
                at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()

        Attempting to contact the AutoDiscover service using the DNS SRV redirect method.
        Failed to contact AutoDiscover using the DNS SRV redirect method.
        Test Steps
          Attempting to locate SRV record _autodiscover._tcp.test.com in DNS.
          Failed to find AutoDiscover SRV record in DNS.
Shreedhar Ette, Technical Manager
Top Expert 2010
Commented:
Hi,

At https://www.testexchangeconnectivity.com/ use the option Exchange ActiveSync.

Use the Manually Specify Server Settings option to test ActiveSync.

As it is Exchange 2003, Autodiscover is not there.

Also make sure you have installed the new certificate on the mobile devices.

Hope this helps,
Shree
Paul MacDonald, Director, Information Systems
Commented:
"initial ssl certificate was issued to www.test.com"
But it worked for mail.test.com? Or do you somehow have mail.test.com virtualized under www.test.com? It seems more likely you got a wildcard SSL certificate for *.test.com and were able to use it everywhere.
Can you ping mail.test.com? Can you get to your mail server from inside your organization? What about OWA from inside?

Author
Commented:
Will a wildcard SSL certificate cover

mail.test.com
and
test.com?
Shreedhar Ette, Technical Manager
Top Expert 2010
Commented:
If the certificate is *.test.com then it will cover them.

Author
Commented:
OK, last question:
so this *.test.com
can also be used for forms-based Exchange authentication for OWA 2003?
And used for ActiveSync on the iPhone?
Paranormastic, Cryptographic Engineer
Commented:
>> Will a wildcard SSL certificate cover
>> mail.test.com
>> and
>> test.com?

No. It will cover anything.test.com, but not test.com without a prefix.
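The two rules at work in this thread, the name check that produced the "Host name test.com does not match any name found on the server certificate CN=mail.test.com, ..." failure in the analyzer output and the wildcard rule Paranormastic states, written out as an added example in Python. This is not code from the thread, from the Remote Connectivity Analyzer or from Exchange. The subject DN is the one the analyzer printed; the subjectAltName lists are constructed for the example. Names are taken from the SAN DNS entries when the certificate has them and from the subject CN only as a fallback, and a wildcard is honoured only when `*` is the whole leftmost label, where it stands for exactly one label.

```python
"""Certificate name matching as a TLS client (browser, ExRCA, iPhone ActiveSync) does it.

Added example for this thread; not code from the analyzer or from Exchange.
"""
import re
from typing import Iterable, List, Tuple

# Pulls the CN attribute out of a subject DN such as
# "CN=mail.test.com, OU=Domain Control Validated, O=mail.test.com".
_CN_RE = re.compile(r"(?:^|,)\s*CN=([^,]+)")


def names_from_certificate(subject_dn: str, san_dns_names: Iterable[str] = ()) -> List[str]:
    """Return the DNS names a client will accept for this certificate.

    If the certificate carries subjectAltName DNS entries, only those count; the
    subject CN is consulted only as a fallback when there is no SAN extension.
    """
    san = [n.strip().lower() for n in san_dns_names if n and n.strip()]
    if san:
        return san
    match = _CN_RE.search(subject_dn)
    return [match.group(1).strip().lower()] if match else []


def name_matches(presented: str, hostname: str) -> bool:
    """Does one certificate name (possibly a wildcard) match the host the client asked for?"""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if presented == hostname:
        return True
    if not presented.startswith("*."):
        return False
    # Wildcard rules: '*' must be the whole leftmost label, it matches exactly one
    # label (so *.test.com covers mail.test.com but not test.com or a.b.test.com),
    # and the remainder must still have at least two labels (no *.com).
    suffix = presented[1:]  # ".test.com"
    if suffix.count(".") < 2 or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def validate_host(hostname: str, subject_dn: str,
                  san_dns_names: Iterable[str] = ()) -> Tuple[bool, str]:
    """Give an ExRCA-style verdict for hostname against the certificate's names."""
    names = names_from_certificate(subject_dn, san_dns_names)
    if any(name_matches(n, hostname) for n in names):
        return True, "Host name %s matches the server certificate (%s)" % (hostname, ", ".join(names))
    return False, "Host name %s does not match any name found on the server certificate %s" % (hostname, subject_dn)


if __name__ == "__main__":
    # Subject DN as printed by the analyzer above; no SAN, so the CN is used.
    subject = "CN=mail.test.com, OU=Domain Control Validated, O=mail.test.com"
    for host in ("test.com", "mail.test.com", "autodiscover.test.com"):
        print(validate_host(host, subject))
    # A wildcard covers one level of subdomain only. The SAN list here is
    # constructed: adding the bare domain as a SAN entry is what would make
    # https://test.com/AutoDiscover/AutoDiscover.xml pass the name check.
    for host in ("mail.test.com", "test.com", "a.b.test.com"):
        print(host, name_matches("*.test.com", host))
        print(host, validate_host(host, "CN=*.test.com", ["*.test.com", "test.com"]))
```

Run it as a script to see the verdicts for the hosts the analyzer tried; the `*.test.com` case shows why the wildcard answer above is "no" for the bare domain, and why a certificate that lists both `*.test.com` and `test.com` as SAN entries satisfies both URLs.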

Author
Commented:
OK.
I worked with GoDaddy and got the SSL OWA forms-based authentication working again.

No success on iPhones connecting to the Exchange server.
Here are the results from testing Exchange ActiveSync:

Testing Exchange ActiveSync
  Exchange ActiveSync test Failed
  Test Steps
    Attempting to resolve the host name mail.test.com in DNS.
    Host successfully resolved
    Additional Details
      IP(s) returned: 111.111.111.111

    Testing TCP Port 443 on host mail.test.com to ensure it is listening and open.
    The port was opened successfully.

    Testing SSL Certificate for validity.
    The SSL Certificate failed one or more certificate validation checks.
    Additional Details
      A network error occurred while communicating with remote host
      Exception Details:
        Message: Authentication failed because the remote party has closed the transport stream.
        Type: System.IO.IOException
        Stack Trace:
          at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
          at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
          at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
          at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
          at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
          at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
          at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
          at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
          at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()

Paul MacDonald, Director, Information Systems
Commented:
You'll need to make a point of replacing the certificate wherever it was in use. Look in the SMTP, IMAP and POP3 settings to see if you need to update certificates there.

Also, put a note on your calendar to remind you to replace this certificate before it expires.
Author
Commented:
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx

Integrated Windows Authentication may not be enabled on the back-end server's "/Exchange" virtual directory.

Thanks for all the help, guys.
Once the certificate got fixed, I was just missing a checkmark.
