
SBS 2008 SSL conflict with Default website and SBS Web Applications

kpturner
We have just migrated from SBS 2003 to SBS 2008. The migration finally completed last week.  Most of the important things are working fine, but there are some niggly issues which are puzzling me, almost all to do with IIS and remote access.

Once the migration had completed, both "Default Web Site" and "SBS Web Applications" were bound to port 443 for SSL.  This meant that one of the sites ("SBS Web Applications") would not start.  Although it would not start, it was not too bad because our mobile devices (mainly iPhones) were able to use ActiveSync/Direct Push presumably via the Microsoft-Server-ActiveSync virtual directory within "Default Web Site".  We could also get OWA via https://remote.domain/owa.

However, since SBS Web Applications could not start we cannot get to anything else like RWW etc.

When I investigated this I found various resources (including some posts on here) telling me that "Default Web Site" should only be bound to port 80, not 443.  Sure enough, if I remove the 443 binding I can then start "SBS Web Applications".  However, that instantly means I lose ActiveSync/Direct Push for our remote devices and I can no longer access OWA.

It seems like a catch-22 unless there is something missing in SBS Web Applications that should replicate the ActiveSync and OWA functions in Default Web Site.  I know for a fact that there was an OWA virtual directory within SBS Web Applications that is no longer there. I found some script that should recreate it:

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba


but when I run that I get the following error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://CHROMIS.CoralTree.local/W3SVC/3/ROOT/owa' on 'CHROMIS'.
At line:1 char:24



Even if we got OWA working I am still unsure how ActiveSync can work.  We tried uninstalling/installing ClientAccess to no avail and ran the "Fix my network" wizard - which didn't find anything to fix.

I am stumped.
Tray896, SharePoint Engineer

Commented:
All that you need to do in order to run both sites on the same ports is to have them running on separate IP's.  Get a new IP for your SBS Web Application, and then edit the bindings for that site within IIS manager.  Edit the bindings for http and https so that it points to the new IP that you put on the box, and then modify any necessary DNS changes to point to that IP.

Author

Commented:
Thanks for the quick answer. I know I can get both started using different IP addresses, but I think that will just mask the fact that we have something else wrong under the covers.  There should be an OWA virtual folder in SBS Web Applications and there is not, and creating one fails.  It should be possible to have a single IP address and have ActiveSync, OWA, RWW etc. all running without difficulty as far as I know.....maybe I am wrong with that assumption but it certainly appears to be the case from the reams of documentation I have been ploughing through :-(
Top Expert 2013

Commented:
I am not of much help, but just a 'heads up' SBS 2008 does not like multiple IP's.

Have you run the connect to the internet and configure my internet address wizards? The latter should configure the web functions. Failing that try the fix my network wizard and the SBS 2008 BPA which will often point out mis-configurations.
http://www.microsoft.com/downloads/details.aspx?familyid=86a1aa32-9814-484e-bd43-3e42aec7f731&displaylang=en

Author

Commented:
Yes tried the various wizards more than once. No luck.
Top Expert 2013

Commented:
Have you tried the BPA (Best Practices Analyzer) suggested above. It is very informative about mis-configurations with SBS 2008.

Author

Commented:
Yes we have run the BPA and it did report a few things that bear consideration, but nothing that relates to this. I think that resolving the shell error is the first thing to do, then if I could somehow see a working example with a single IP address it might be able to get it working.
Top Expert 2013

Commented:
Are there any screen shots from a default config we could provide for you that would be of some help?

Author

Commented:
Yes please.  An expanded view of the "Default Web Site" and the "SBS Web Applications" to show the underlying applications and virtual directories would be useful.  That will confirm my suspicion that there should be an OWA object within each and may also give a clue as to how ActiveSync can work via SSL to SBS Web Applications rather than Default Web Site.  Also the bindings for each to confirm that there is no SSL binding on the Default Directory.

I don't know if it possible to cobble together OWA under SBS Web applications in IIS alone or if it must be done through the Exchange Shell ?
Top Expert 2013

Commented:
Is this of some help?
IIS.jpg

Author

Commented:
Yes - quite revealing thanks.  Your OWA and

Author

Commented:
Hit the wrong button by mistake.

Yes - quite revealing thanks.  Your OWA and  

Author

Commented:
Did it again!!

Your OWA and Microsoft-Server-ActiveSync virtual directories are both in SBS Web Applications whereas on our server they are both in Default Web Site.

That explains how it is possible to have SSL only on the SBS Web Applications folder since that is the correct place for the virtual directories.  

Now I just need to put the virtual folders in the correct place, but I am pretty sure that it is not enough to do so via IIS.

If you look at your Exchange 2007 Management Console you can see under Server Configuration/Client Access that OWA and ActiveSync are displayed there too - and in my case incorrectly configured against Default Web Site.  That brings me full circle back to the correct shell commands to recreate them correctly and the fact that they are failing :-(

Author

Commented:
I have managed to delete and recreate everything using the Shell commands except OWA thanks to the screenshot and this: http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

The OWA creation still fails with the error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://blah.local/W3SVC/3/ROOT/owa' on 'blah'. At line:1 char:24

I think the recreation of OWA in SBS Web Applications is my only stumbling block now (as described in the original post).

The only solution I have found is to uninstall and reinstall CAS but I have tried that and it still recreates everything in the wrong place.
Top Expert 2013

Commented:
>>"Your OWA and Microsoft-Server-ActiveSync virtual directories are both in SBS Web Applications whereas on our server they are both in Default Web SIte"
I assume that is a result of the migration rather than a clean install.

>>"If you look at your Exchange 2007 Management Console .........incorrectly configured against Default Web Site"
Yes these show SBS Web Apps

>>"I think the recreation of OWA in SBS Web Applications if my only stumbling block now"
Sorry but I have never had to do so and thus not familiar with the process. I had flagged the following article at one time:
http://exchangeshare.wordpress.com/2008/07/16/how-to-recreate-owa-virtual-directory-exchange-2007/

Author

Commented:
Yeah that link talks about how to recreate OWA on the Default Web Site - which I already have (and it is the wrong place).  So I can get to OWA using a non-SSL link - but I really want it in the correct place using SSL under SBS Web Applications.  I can feel a call to Microsoft being required to resolve it I think.  Some points are due to you for a partial solution with the screenshot but I am not sure how to do that. Maybe I need to wait until I have the full solution.
Top Expert 2013

Commented:
Sorry I didn't review that article, I see now it is for standalone Exchange not SBS.
I see this fellow had the same issue:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24255654.html
If re-installing the client access role as they did, see:
http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

Sorry I am not much help with this.
As for the points, I am certainly not worried about them, they won't buy me much :-)  However, I would leave the question open until resolved. Then you can post your findings which may help someone else. If you then want to, you can split the points between you and me.
Distinguished Expert 2018

Commented:
Not required at all.
Sorry for getting into this so late; been busy with the day job.
1) SBS Web applications handles RWW, OWA, and ActiveSync (I think you already know this.) Why yours got changed up, couldn't tell ya, but that isn't default. And this is unique to SBS.
2) As you've also already resolved, port 443 cannot be on the default website. Don't use multiple IPs (contrary to at least one suggestion I noticed).
3) The commands you want to run are the ones I've attached as code:
 

# $LocalServerName and $strDomainDNS are the SBS script's variables: set them to this
# server's name and your internal DNS domain before running.
Get-OwaVirtualDirectory -server $LocalServerName | Remove-OwaVirtualDirectory

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl "https://sites/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain $strDomainDNS -Identity "Owa (SBS Web Applications)"

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba

iisreset /noforce


Author

Commented:
By way of an update, we got Microsoft involved to fix the location for OWA since the shell command to recreate it did not work.  The MS techie was successful eventually, but I am led to believe that he did have a particularly hair-raising time getting there, with one or two moments of panic.  They will send us the completely documented solution when they have sorted out one or two other things, and I will try to pickout the relevant bits and post back.
Top Expert 2013

Commented:
Good to hear. It would be interesting to see "the relevant bits ".
Thanks for updating.
--Rob
Commented:
This is the solution provided by MS.  It was scripted, so this describes what the script did:

 
1. It takes a backup of IIS in case we need to revert any changes made by the script.

2. It uses PowerShell to gracefully remove the existing vdirs from the Default Web Site:
   # remove certificates
   # clean up any owa virtual directories
   # delete OWS
   # remove activesync, oab, UM, autodiscovery

3. It uses appcmd to try to remove any lingering objects that PowerShell wasn't able to remove.

4. Finally, if PowerShell and appcmd weren't able to delete the vdirs we'll remove them from the applicationhost.config.

5. It removes lingering AD objects from
   CN=HTTP,CN=Protocols,CN=MARKSTANSBS,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=markstancom,DC=local

6. Creates OWA vdirs using the same settings as the SBS default install.

7. It creates them using the following PowerShell commands:

New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2007" -ExternalAuthenticationMethods Fba
Set-OWAVirtualDirectory -InternalUrl "https://sites/owa/" -ClientAuthCleanupLevel "Low" -LogonFormat "UserName" -DefaultDomain $strDomainDNS -Identity "Owa (SBS Web Applications)"
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exadmin" -ExternalAuthenticationMethods Fba
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -ExternalAuthenticationMethods Fba
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "Exchweb" -ExternalAuthenticationMethods Fba
New-OWAVirtualDirectory -WebsiteName "SBS Web Applications" -OwaVersion "Exchange2003or2000" -VirtualDirectoryType "PublicFolders" -ExternalAuthenticationMethods Fba
New-WebServicesVirtualDirectory -WebsiteName "SBS Web Applications" -InternalUrl "https://Sites/EWS/Exchange.asmx" -basicauthentication 1 -windowsauthentication 1
New-ActiveSyncVirtualDirectory -WebsiteName "SBS Web Applications" -InternalUrl "https://Sites/Microsoft-Server-ActiveSync" -ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic
New-OabVirtualDirectory -WebsiteName "SBS Web Applications" -InternalUrl "https://Sites/OAB"
Set-OabVirtualDirectory -PollInterval "30" -Identity "oab (sbs web applications)"
New-UMVirtualDirectory -WebsiteName "SBS Web Applications" -InternalUrl "https://Sites/UnifiedMessaging/Service.asmx"
New-AutodiscoverVirtualDirectory -WebsiteName "SBS Web Applications" -InternalUrl "https://Sites/Autodiscover/Autodiscover.xml" -BasicAuthentication 1 -WindowsAuthentication 1

8. It then configures the virtual directories using the following commands:

Set-ClientAccessServer -Identity $LocalServerName -AutoDiscoverServiceInternalUri "https://sites/Autodiscover/Autodiscover.xml"
Set-OfflineAddressBook $OAB.Name -VirtualDirectories $OABVDir -Versions Version2,Version3,Version4 -PublicFolderDistributionEnabled:$True
iisreset /noforce

9. It configures the vdirs with SBS defaults:

cd $env:windir\system32\inetsrv
.\appcmd.exe unlock config "-section:system.webserver/security/authentication/windowsauthentication"
.\appcmd.exe set config "SBS Web Applications/ews" "-section:windowsAuthentication" "-useKernelMode:False" /commit:apphost
.\appcmd.exe set config "SBS Web Applications/AutoDiscover" "-section:windowsAuthentication" "-useKernelMode:False" /commit:apphost
.\appcmd.exe set config "SBS Web Applications/oab" "-section:windowsAuthentication" "-useKernelMode:False" /commit:apphost
.\appcmd.exe set site "Default Web Site" /Bindings:"http/*:80:"
.\appcmd.exe start site "Default Web Site"
.\appcmd.exe start site "SBS Web Applications"
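Both the command list posted earlier in the thread and Microsoft's script above are destructive: Remove-OwaVirtualDirectory with no Identity filter drops every OWA vdir on the server, and the final appcmd step rewrites the Default Web Site bindings. The read-only check below is an added example, not code from the thread, from Microsoft, or from the SBS wizards. It verifies the layout the thread converged on (Default Web Site bound only to http/*:80:, SBS Web Applications carrying the https binding, every Client Access vdir living under SBS Web Applications with an https InternalUrl), so it can be run before the fix to confirm the diagnosis and again afterwards to confirm the result. Assumptions: it runs in the Exchange 2007 Management Shell on the SBS server itself, appcmd.exe is at the usual IIS 7 path, appcmd's /xml output carries the site name, bindings and state as the attributes SITE.NAME, bindings and state, and the vdir Identity has the "SERVER\name (Web Site)" shape seen in the thread ("Owa (SBS Web Applications)"). Only .Split() and -match are used so it also works on the PowerShell 1.0 that SBS 2008 ships with.

```powershell
# Added example: read-only check of the SBS 2008 web layout discussed above.
# Not the thread's or Microsoft's code. Assumes Exchange Management Shell on
# the SBS box, IIS 7 appcmd.exe, and appcmd's /xml attribute names.
$problems = @()

# --- 1. IIS site bindings and state ---------------------------------------
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
# appcmd emits <appcmd><SITE SITE.NAME="..." bindings="..." state="..."/></appcmd>
[xml]$siteXml = & $appcmd list site /xml
$sites = @{}
foreach ($s in $siteXml.appcmd.SITE) {
    # bindings is comma-separated, e.g. "http/*:80:,https/*:443:"
    $sites[$s.'SITE.NAME'] = @{ Bindings = $s.bindings.Split(','); State = $s.state }
}

$default = $sites['Default Web Site']
$sbsWeb  = $sites['SBS Web Applications']
if (-not $default -or -not $sbsWeb) {
    $problems += 'Expected both "Default Web Site" and "SBS Web Applications" in IIS.'
}
if ($default -and ($default.Bindings -match '^https/')) {
    $problems += 'Default Web Site has an https binding; SBS 2008 expects only http/*:80:.'
}
if ($sbsWeb -and -not ($sbsWeb.Bindings -match '^https/')) {
    $problems += 'SBS Web Applications has no https binding, so OWA/RWW/ActiveSync cannot be served over SSL.'
}
foreach ($name in 'Default Web Site', 'SBS Web Applications') {
    if ($sites[$name] -and $sites[$name].State -ne 'Started') {
        $problems += "$name is $($sites[$name].State), not Started (typical symptom of a 443 clash)."
    }
}

# --- 2. Exchange Client Access virtual directories -----------------------
# On SBS 2008 every CAS vdir belongs under "SBS Web Applications". The web
# site is read from the Identity, which looks like "SERVER\owa (Web Site)".
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-AutodiscoverVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    $vdirs = @(& $cmdlet -Server $env:COMPUTERNAME)
    if ($vdirs.Count -eq 0) {
        $problems += "$cmdlet returned nothing: that virtual directory is missing from Exchange."
        continue
    }
    foreach ($v in $vdirs) {
        $id = [string]$v.Identity
        if ($id -match '\((?<site>[^)]+)\)\s*$') {
            $site = $Matches['site']
            if ($site -ne 'SBS Web Applications') {
                $problems += "$id is under '$site' instead of 'SBS Web Applications'."
            }
        } else {
            $problems += "Could not parse the web site name from identity '$id'."
        }
        # The legacy Exchange2003or2000 OWA vdirs have no InternalUrl; skip those.
        if ($v.InternalUrl -and ($v.InternalUrl.Scheme -ne 'https')) {
            $problems += "$id InternalUrl is not https: $($v.InternalUrl)"
        }
    }
}

# --- 3. Report -------------------------------------------------------------
if ($problems.Count -eq 0) {
    Write-Host 'OK: IIS bindings and CAS virtual directories match the SBS 2008 default layout.'
} else {
    Write-Host 'Problems found:'
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

On the server described in the question this should report the https binding on Default Web Site, SBS Web Applications as Stopped, and the owa and Microsoft-Server-ActiveSync identities ending in "(Default Web Site)"; after Microsoft's script it should come back clean. It changes nothing, so it is safe to run as often as needed while working through the fix.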
Top Expert 2013

Commented:
Thanks for posting kpturner, good information to have.
--Rob