Solved

Exchange 2010, Mobile Phones, and SSL

Posted on 2010-08-23
1,150 Views
Last Modified: 2012-05-10
Hi,
I recently migrated a Windows 2003 (w Exchange 2003) server to Windows 2008 (w Exchange 2010) server. The mailboxes migrated fine but I think I inadvertently broke the SSL hierarchy. I'm pretty good at exchange but not very good at SSL.

When I log into the OWA via firefox I get this:
"Certificate belongs to a different site, which could indicate identity theft". I accept the certificate anyway and I get OWA successfully.

When I use a blackberry to set up the phone for email I get this error code:
0x80072f17

When I set up an iphone to the exchange I get:
"Unable to verify Certificate from autodiscover.domain.com for account username@domain.com could not be verified." - I click "accept"
Then it tells me "exchange account verification failed". If I click next to finish, it asks me for my password over and over.

Here is what I've done to troubleshoot: (I left out the actual domain name)
1. Ran the Exchange Remote Connectivity Analyzer:
   ExRCA is testing Exchange ActiveSync.
     The Exchange ActiveSync test failed.
     Test Steps
       Attempting to resolve the host name mail.domain.com in DNS.
         Host successfully resolved
         Additional Details
           IP(s) returned: 12.X.X.X
       Testing TCP Port 443 on host mail.domain.com to ensure it is listening and open.
         The port was opened successfully.
       ExRCA is testing the SSL certificate to make sure it's valid.
         The SSL certificate failed one or more certificate validation checks.
         Test Steps
           The certificate name is being validated.
             Certificate name validation failed.
             Additional Details
               Host name mail.domain.com does not match any name found on the server certificate CN=admin-exch


2. I've googled the hell out of all the error messages, only to come out even more confused.

Clearly I need some education here. My questions include:
1. How to set up a self-signed root certificate for the entire domain with a matching host name?
2. How to get iPhone and BlackBerry to work with Exchange 2010?

Thank you in advance.
Question by:bcarmi
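The ExRCA failure above ("Host name mail.domain.com does not match any name found on the server certificate CN=admin-exch") and the iPhone's "unable to verify certificate" prompt are two separate checks: does the certificate carry the name the client connected to, and does it chain to a root the client trusts. The script below is an added example, not from the thread, that runs both checks from any Windows machine; mail.domain.com is the question's placeholder and should be replaced.

```powershell
# Added example (not from the thread): reproduce the name check ExRCA performs and the
# trust check the phones perform, against one HTTPS endpoint. Assumes Windows PowerShell 2.0+.
param(
    [string]$HostName = 'mail.domain.com',   # placeholder from the question; substitute yours
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
# Accept anything during the handshake so the certificate can be inspected; the verdict is computed below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
         [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Names the certificate is valid for: the subject CN plus every DNS entry in the subjectAltName extension.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.17') {                        # subjectAltName
        $names += [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
}
$names = $names | Select-Object -Unique

# Name matching as ExRCA and the phones do it: exact match, or a wildcard that covers exactly one label
# (*.domain.com matches mail.domain.com but not a.b.domain.com).
$nameOk = $false
foreach ($n in $names) {
    if ($n -eq $HostName) { $nameOk = $true }
    elseif ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { $nameOk = $true }
}

# Trust check: does this machine chain the certificate to a trusted root? A self-signed or
# internal-CA certificate fails here on any device that has not imported the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

"Certificate subject   : $($cert.Subject)"
"Names on certificate  : $($names -join ', ')"
"Name matches $HostName : $nameOk"
"Chains to trusted root: $trusted $(if (-not $trusted) { "($status)" })"
```

A certificate whose only name is CN=admin-exch reports Name matches as False for mail.domain.com, which is exactly the ExRCA result in the question; an internal-CA certificate additionally reports UntrustedRoot on machines that lack the root.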
8 Comments
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33506066
Good luck on the BlackBerry. We have not been able to get any BlackBerrys to work with Exchange 2010.

As for the certificates, the error is saying that the certificate was issued for a server/URL named servera.company.com but the server name is serverb.company.com.

Open the Exchange Management Console.
Click on Server Configuration.
Click on the server.
In the bottom window it will list your certificates.
Look for the one that has IIS listed under Services.
Under the Subject column it will list the URL. Is that the URL being used by your clients?
 
 

Author Comment

by:bcarmi
ID: 33506508
Hi,
Thank you for the swift reply.

The cert that has IIS is called "Microsoft Exchange". It's a self-signed certificate valid for IMAP, POP, IIS, and SMTP. Under the subject column it just says "CN=exch-name".
Shouldn't it be exch-name.domain.com? How would I change that?

Could I create a new certificate for *.domain.com?
When I click on "New Exchange Certificate" and go through the wizard, it asks me for a file with extension "req"... how do I generate that request? I've seen some tutorials on req files for IIS7, but will it work with Exchange 2010?

Thank you,
bcarmi
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33510331
Do you have an internal CA setup?
If not you will need to do that if you really want a self-signed. I personally would purchase a certificate from Thawte, or GoDaddy, etc. Especially if you want the certificate to be recognized by phones.
But if you really want to use a self-signed, here is an article that will talk you through the steps of setting up the CA and creating the certificate.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Author Comment

by:bcarmi
ID: 33513214
Hi,
I'm on Windows 2008.
OK so I have IIS 7.5 running and Exchange 2010. I installed the root Certificate Authority service on the server and Cert Authority Web Enrollment.

How do I create, from start to finish, a root certificate from my Exchange server (exch.domain.com) and issue it to mail.domain.com (different DNS name, same physical server)?

Thank you,
bcarmi
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33513625
Not at my computer so doing this from memory.

1. Run the Exchange New Certificate Wizard to create your Certificate Request (CSR) file.
2. Open a browser and go to http://CAServername/certsrv
3. Choose Request a certificate.
4. Choose Advanced certificate request.
5. Choose Submit a certificate request...
6. Open the CSR file in Notepad, copy the text (all of it) and paste it into the browser window in the Saved Request box.
7. Change the type from Administrator to IIS.
8. Download the new certificate.
9. Run the Complete Certificate wizard in Exchange and select the downloaded certificate.

Now keep in mind that other PCs outside of your domain, and cell phones will not have the trusted root certificate of your CA server. So they will still get certificate warnings unless they install the root certificate from your CA server.

Author Comment

by:bcarmi
ID: 33560355
Hi,
Sorry it took me a while to get back to you.
I've completed all the steps and I have completed the certificate request and I see it in the exchange console...thank you.

However, when I try to connect an iPhone to the Exchange server, it asks me if I accept the unknown certificate from the server and I say "yes". After that I get a message saying "unable to verify account information". It then repeatedly asks for the password. When I try to get the mail the iPhone says "the connection to the server failed."

On the exchange server there is no evidence of a connection either.

Any suggestions would be very appreciated.
Thank you,
bcarmi
 

Author Comment

by:bcarmi
ID: 33560701
An update...
I downloaded the ActiveSync Tester for the iPhone and got the following:

Checking connection....ok
Checking certificate .... fail
checking application ... ok
checking version ... fail

activesync is not available...major code: 0xffffffff minor code 0x0

The certificate may not be a fail... it's just a self-signed cert.
Any suggestions as to where to go from here?
bcarmi
 
LVL 12

Accepted Solution

by:
Gary Dewrell earned 2000 total points
ID: 33598515
Create a test account on your Exchange server.
Go here: https://www.testexchangeconnectivity.com/
Click on Exchange ActiveSync,
click Next,
fill out the form using the test account information.

What result do you get?

(Disable the test account when done.)
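Gary's nine GUI steps, plus his note that devices outside the domain need the CA's root certificate, map onto a handful of Exchange Management Shell and Windows commands. The block below is an added example, not from the thread; the host names mail.domain.com, autodiscover.domain.com and exch.domain.com are the question's placeholders, and the CA name CAHOST\Domain-CA and the C:\certs path are assumptions.

```powershell
# Added example (not from the thread): the certificate request, issuance and binding done in the
# Exchange Management Shell on the Exchange 2010 server. Names and paths are placeholders.

# Step 1. Generate the request. Every name a client connects with must be in -DomainName:
#   mail.domain.com (OWA, ExRCA), autodiscover.domain.com (the name the iPhone complained about),
#   and the server's own FQDN for internal clients. A bare CN like "admin-exch" matches none of them.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US,O=Domain Inc,CN=mail.domain.com' `
    -DomainName mail.domain.com,autodiscover.domain.com,exch.domain.com `
    -PrivateKeyExportable $true
Set-Content -Path C:\certs\mail.req -Value $req

# Steps 2-8. Submit the request to the internal CA with the Web Server template (the web-server
# type Gary picks in certsrv) instead of pasting it into the browser form. certreq ships with Windows.
certreq -submit -attrib 'CertificateTemplate:WebServer' -config 'CAHOST\Domain-CA' `
    C:\certs\mail.req C:\certs\mail.cer

# Step 9. Complete the pending request and bind the certificate to the services that need it.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\certs\mail.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# Check: the certificate bound to IIS must list the client-facing names in CertificateDomains.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# Phones and PCs outside the domain still warn until they trust the issuing CA, as Gary notes.
# Export the root certificate for distribution to those devices (run on the CA server).
certutil -ca.cert C:\certs\internal-root.cer
```

After the root is installed on the device, the ExRCA test the accepted answer asks for should pass both the name and the trust checks for mail.domain.com.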
