Solved

Exchange 2010, Mobile Phones, and SSL

Posted on 2010-08-23
Last Modified: 2012-05-10
Hi,
I recently migrated a Windows 2003 (with Exchange 2003) server to a Windows 2008 (with Exchange 2010) server. The mailboxes migrated fine, but I think I inadvertently broke the SSL hierarchy. I'm pretty good at Exchange but not very good at SSL.

When I log into the OWA via firefox I get this:
"Certificate belongs to a different site, which could indicate identity theft". I accept the certificate anyways and I get OWA successfully.

When I use a blackberry to set up the phone for email I get this error code:
0x80072f17

When I set up an iphone to the exchange I get:
"Unable to verify Certificate from autodiscover.domain.com for account username@domain.com could not be verified." - I click "accept"
Then it tells me "exchange account verification failed". If I click next to finish, it asks me for my password over and over.

Here is what I've done to troubleshoot: (I left out the actual domain name)
1. Ran the Exchange Remote Connectivity Analyzer:

   ExRCA is testing Exchange ActiveSync.
     The Exchange ActiveSync test failed.
     Test Steps
       Attempting to resolve the host name mail.domain.com in DNS.
         Host successfully resolved
         Additional Details
           IP(s) returned: 12.X.X.X
       Testing TCP Port 443 on host mail.domain.com to ensure it is listening and open.
         The port was opened successfully.
       ExRCA is testing the SSL certificate to make sure it's valid.
         The SSL certificate failed one or more certificate validation checks.
         Test Steps
           The certificate name is being validated.
             Certificate name validation failed.
             Tell me more about this issue and how to resolve it
             Additional Details
               Host name mail.domain.com does not match any name found on the server certificate CN=admin-exch


2. I've googled the hell out of all the error messages and come out even more confused.

Clearly I need some education here. My questions include:
1. How do I set up a self-signed root certificate for the entire domain with a matching host name?
2. How do I get the iPhone and BlackBerry to work with Exchange 2010?

Thank you in advance.
0
Question by:bcarmi
8 Comments
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33506066
Good luck on the BlackBerry. We have not been able to get any BlackBerrys to work with Exchange 2010.

As for the certificates, the error is saying that the certificate was issued for a server/URL named servera.company.com but the server name is serverb.company.com.

Open the Exchange Management Console.
Click on Server Configuration.
Click on the server.
In the bottom window it will list your certificates.
Look for the one that has IIS listed under Services.
Under the Subject column it will list the URL. Is that the URL being used by your clients?
 
0
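The name check that ExRCA, Firefox and the phones are all performing before they trust the connection, as an added example that is not part of the original thread: the host name the client connected to has to equal the certificate's CN or one of its Subject Alternative Names, and a wildcard is honoured only as the whole left-most label, covering exactly one label. The names below (admin-exch, mail.domain.com, autodiscover.domain.com, exch.domain.com, *.domain.com) are constructed sample data mirroring the thread; the last few lines assume the Exchange Management Shell and read the real names off the certificate bound to IIS.

```powershell
# Added example, not code from the original thread. Models the host-name check
# that clients apply to a server certificate: exact match against CN/SAN, or a
# "*" wildcard that stands for exactly one non-empty left-most label.
function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]   $HostName,
        [Parameter(Mandatory = $true)][string[]] $CertificateNames
    )
    $target = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertificateNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $target) { return $true }                 # exact CN/SAN match
        if ($n.StartsWith('*.')) {                            # wildcard, e.g. *.domain.com
            $suffix = $n.Substring(1)                         # ".domain.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                # one non-empty label only: mail.domain.com matches,
                # a.b.domain.com and the bare domain.com do not
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample data mirroring the thread. The self-signed "Microsoft
# Exchange" certificate carries only the short machine name and no SANs, which
# is exactly why ExRCA reports "does not match any name found on the server
# certificate CN=admin-exch".
$selfSigned = @('admin-exch')
$sanCert    = @('mail.domain.com', 'autodiscover.domain.com', 'exch.domain.com')
$wildcard   = @('*.domain.com')

foreach ($client in 'mail.domain.com', 'autodiscover.domain.com', 'domain.com') {
    New-Object PSObject -Property @{
        ClientName = $client
        SelfSigned = Test-CertificateNameMatch -HostName $client -CertificateNames $selfSigned
        SanCert    = Test-CertificateNameMatch -HostName $client -CertificateNames $sanCert
        Wildcard   = Test-CertificateNameMatch -HostName $client -CertificateNames $wildcard
    }
}

# Against the live server (Exchange Management Shell, assumed): run the same
# check for every name clients actually use against the certificate bound to IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
foreach ($client in 'mail.domain.com', 'autodiscover.domain.com') {
    '{0}: {1}' -f $client, (Test-CertificateNameMatch -HostName $client -CertificateNames $iisCert.CertificateDomains)
}
```

Run against the sample data, the self-signed certificate matches none of the client names, the SAN certificate matches all of them, and *.domain.com matches mail.domain.com and autodiscover.domain.com but not the bare domain.com. Passing the name check is only half of what the phones require; they also have to trust the issuer, which a self-signed or private-CA certificate does not give them on its own.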
 

Author Comment

by:bcarmi
ID: 33506508
Hi,
Thank you for the swift reply.

The cert that has IIS is called "Microsoft Exchange". It's a self-signed certificate valid for IMAP, POP, IIS, and SMTP. Under the Subject column it just says "CN=exch-name".
Shouldn't it be exch-name.domain.com? How would I change that?

Could I create a new certificate for *.domain.com?
When I click on "New Exchange Certificate" and go through the wizard, it asks me for a file with the extension ".req"... how do I generate that request? I've seen some tutorials on .req files for IIS 7, but will that work with Exchange 2010?

Thank you,
bcarmi
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33510331
Do you have an internal CA set up?
If not, you will need to do that if you really want a self-signed certificate. I personally would purchase a certificate from Thawte, GoDaddy, etc., especially if you want the certificate to be recognized by phones.
But if you really want to use a self-signed certificate, here is an article that will talk you through the steps of setting up the CA and creating the certificate.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
0
 

Author Comment

by:bcarmi
ID: 33513214
Hi,
I'm on Windows 2008.
OK, so I have IIS 7.5 running and Exchange 2010. I installed the root Certificate Authority service on the server and Certificate Authority Web Enrollment.

How do I create, from start to finish, a root certificate from my exchange server (exch.domain.com) and issue it to mail.domain.com (different DNS, same physical server).

Thank you,
bcarmi
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 33513625
Not at my computer so doing this from memory.

1. Run the Exchange New Certificate Wizard to create your Certificate Request (CSR) file.
2. Open a browser and go to http://CAServername/certsrv
3. Choose Request a certificate.
4. Choose Advanced certificate request.
5. Choose Submit a certificate request...
6. Open the CSR file in Notepad, copy the text (all of it) and paste it into the browser window in the Saved Request box.
7. Change the type from Administrator to IIS.
8. Download the new certificate.
9. Run the Complete Certificate wizard in Exchange and select the downloaded certificate.

Now keep in mind that other PCs outside of your domain, and cell phones will not have the trusted root certificate of your CA server. So they will still get certificate warnings unless they install the root certificate from your CA server.
 
0
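The same procedure from the Exchange Management Shell, as an added example that is not part of the original thread: one request that carries every client-facing name as a SAN, submission to the internal CA, import, binding to the services, and the virtual-directory URLs set to names that are actually on the certificate. Names and paths are assumptions (server EXCH with FQDN exch.domain.com, client name mail.domain.com, autodiscover.domain.com, web enrollment at http://exch.domain.com/certsrv, working folder C:\certs, the O/L/S/C values); substitute your own.

```powershell
# Added example, not from the thread: Exchange 2010 Management Shell version of
# the wizard steps above. Every name below is an assumption; adjust to your site.

# 1. Build one request that lists every name clients will use as SANs. In
#    Exchange 2010 New-ExchangeCertificate has no -Path, so write the text out.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.domain.com,O=Example Org,L=City,S=State,C=US' `
    -DomainName 'mail.domain.com','autodiscover.domain.com','exch.domain.com' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 SAN certificate'
Set-Content -Path 'C:\certs\exchange.req' -Value $req

# 2. Submit C:\certs\exchange.req at http://exch.domain.com/certsrv (Advanced
#    certificate request, Web Server template) and save the issued certificate,
#    Base-64 encoded, as C:\certs\exchange.cer. Command-line equivalent against an
#    enterprise CA (a standalone CA holds it as pending until approved in the
#    Certification Authority console):
#    certreq -submit -attrib "CertificateTemplate:WebServer" C:\certs\exchange.req C:\certs\exchange.cer

# 3. Import the issued certificate (it pairs with the private key from step 1)
#    and bind it to the services. -Force suppresses the prompt about replacing
#    the default SMTP certificate.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# 4. Point the URLs Exchange hands to clients at names that are on the certificate.
#    A certificate that matches but an Autodiscover/EAS URL that does not still
#    produces the name warning on the phone.
$eas = 'https://mail.domain.com/Microsoft-Server-ActiveSync'
Set-ActiveSyncVirtualDirectory -Identity 'EXCH\Microsoft-Server-ActiveSync (Default Web Site)' -InternalUrl $eas -ExternalUrl $eas
Set-OwaVirtualDirectory -Identity 'EXCH\owa (Default Web Site)' -InternalUrl 'https://mail.domain.com/owa' -ExternalUrl 'https://mail.domain.com/owa'
Set-ClientAccessServer -Identity EXCH -AutoDiscoverServiceInternalUri 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'

# 5. Verify the binding: Subject and CertificateDomains must cover every client name.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, Issuer, NotAfter, Thumbprint

# 6. Devices outside the domain trust nothing from this CA until its root is
#    installed on them. Export the root on the CA; on an iPhone, opening the .cer
#    (for example from an e-mail attachment) installs it as a profile.
certutil -ca.cert C:\certs\ca-root.cer
```

Step 6 is the part the wizard never mentions: with a private CA the name mismatch goes away after steps 1 to 4, but the iPhone and BlackBerry will keep reporting an untrusted certificate until the CA root is on the device, which is the reason the previous reply recommends a commercial certificate for phones.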
 

Author Comment

by:bcarmi
ID: 33560355
Hi,
Sorry it took me a while to get back to you.
I've completed all the steps and I have completed the certificate request and I see it in the exchange console...thank you.

However, when I try to connect an iphone to the exchange server, it asks me if I accept the unknown certificate from the server and I say "yes". After that I get a message saying "unable to verify account information". It then repeatedly asks for the password. When I try to get the mail the iphone says "the connection to the server failed."

On the exchange server there is no evidence of a connection either.

Any suggestions would be very appreciated.
Thank you,
bcarmi
0
 

Author Comment

by:bcarmi
ID: 33560701
An update...
I downloaded the ActiveSync Tester for the iphone and got the following:

Checking connection....ok
Checking certificate .... fail
checking application ... ok
checking version ... fail

activesync is not available...major code: 0xffffffff minor code 0x0

The certificate may not be a fail...it's just a self-signed cert.
any suggestions as to where to go from here?
bcarmi
0
 
LVL 12

Accepted Solution

by:
Gary Dewrell earned 500 total points
ID: 33598515
Create a test account on your Exchange server.
Go here: https://www.testexchangeconnectivity.com/
Click on Exchange ActiveSync,
click Next,
fill out the form using the test account information.

What result do you get?

(Disable the test account when done.)
0
