bcarmi asked:

Exchange 2010, Mobile Phones, and SSL

Hi,
I recently migrated a Windows 2003 (w Exchange 2003) server to Windows 2008 (w Exchange 2010) server. The mailboxes migrated fine but I think I inadvertently broke the SSL hierarchy. I'm pretty good at exchange but not very good at SSL.

When I log into the OWA via firefox I get this:
"Certificate belongs to a different site, which could indicate identity theft". I accept the certificate anyways and I get OWA successfully.

When I use a blackberry to set up the phone for email I get this error code:
0x80072f17

When I set up an iphone to the exchange I get:
"Unable to verify Certificate from autodiscover.domain.com for account username@domain.com could not be verified." - I click "accept"
Then it tells me "exchange account verification failed". If I click next to finish, it asks me for my password over and over.

Here is what I've done to troubleshoot: (I left out the actual domain name)
1. Ran the Exchange remote Connectivity Analyzer:
ExRCA is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.
    Test Steps
    Attempting to resolve the host name mail.domain.com in DNS.
      Host successfully resolved
      Additional Details
        IP(s) returned: 12.X.X.X
    Testing TCP Port 443 on host mail.domain.com to ensure it is listening and open.
      The port was opened successfully.
    ExRCA is testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
        Test Steps
        The certificate name is being validated.
          Certificate name validation failed.
          Additional Details
            Host name mail.domain.com does not match any name found on the server certificate CN=admin-exch

2. I've googled the hell out of all the error message to come out even more confused.

Clearly I need some education here. My questions include:
1. How to set up a self-signed root certificate for the entire domain with matching host name?
2. How to get iPhone and BlackBerry to work with Exchange 2010?

Thank you in advance.
Gary Dewrell

Good luck on the BlackBerry. We have not been able to get any BlackBerrys to work with Exchange 2010.

As for the certificates, the error is saying that the certificate was issued for a server/URL named servera.company.com but the server name is serverb.company.com.

Open Exchange management console.
Click on Server configuration.
Click on the server.
In the bottom window it will list your certificates.
Look for the one that has IIS listed under services
Under the Subject column it will list the URL. Is that the URL being used by your clients?
 
bcarmi (ASKER)

Hi,
Thank you for the swift reply.

The cert that has IIS is called "Microsoft Exchange". It's a self-signed certificate valid for IMAP, POP, IIS, and SMTP. Under the subject column it just says "CN=exch-name".
Shouldn't it be exch-name.domain.com? How would I change that?

Could I create a new certificate for *.domain.com?
When I click on "new exchange certification" and go through the wizard, it asks me for a file with extension "req"... how do I generate that request? I've seen some tutorials on req files for IIS7, but will it work with Exchange 2010?

Thank you,
bcarmi
Do you have an internal CA setup?
If not you will need to do that if you really want a self signed. I personally would purchase a certificate from Thawte, or GoDaddy, etc.. Especially if you want the certificate to be recognized by phones.
But if you really want to use a self signed here is an article that will talk you through the steps of setting up the CA and creating the certificate.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
bcarmi (ASKER)

Hi,
I'm on Windows 2008.
Ok so I have IIS 7.5 running and Exchange 2010. I installed the root certificate authority service on the server and Cert Authority Web Enrollment.

How do I create, from start to finish, a root certificate from my exchange server (exch.domain.com) and issue it to mail.domain.com (different DNS, same physical server).

Thank you,
bcarmi
Not at my computer so doing this from memory.

1. Run the Exchange New Certificate Wizard to create your Certificate Request (CSR) file.
2. Open a browser and go to http://CAServername/certsrv
3. Choose request certificate
4. Choose advanced certificate request.
5. Choose submit certificate request.......
6. Open the CSR file in notepad and copy the text (All of it) and paste it into the browser window in the Saved Request box.
7. Change type from Administrator to IIS.
8. Download the new certificate.
9. Run the complete Certificate wizard in exchange and select the downloaded certificate.

Now keep in mind that other PCs outside of your domain, and cell phones will not have the trusted root certificate of your CA server. So they will still get certificate warnings unless they install the root certificate from your CA server.
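A scripted version of the steps above, and of the name check that ExRCA failed in the original question, as an added example that is not from this thread: it uses the Exchange 2010 cmdlets from the Exchange Management Shell plus certreq instead of the certsrv web page. The host names, the CA config string, and the file paths are assumptions (placeholders) to replace with your own.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# All names below are placeholders (assumptions), not values from the thread.
$ServerFqdn  = "exch.domain.com"                                  # the server's own FQDN
$ClientNames = @("mail.domain.com", "autodiscover.domain.com")    # names OWA/phones actually use
$CaConfig    = "exch.domain.com\domain-CA"                        # "<CA host>\<CA name>"; see certutil -dump
$ReqFile     = "C:\certs\mail.req"
$CerFile     = "C:\certs\mail.cer"

New-Item -ItemType Directory -Path (Split-Path $ReqFile) -Force | Out-Null

# 1. Generate the request. The subject CN is the public name clients type, and the
#    SAN list (-DomainName) covers every other host name. This is what ExRCA's
#    "certificate name validation" step compares the host name against.
$Req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($ClientNames[0])" `
    -DomainName ($ClientNames + $ServerFqdn) `
    -PrivateKeyExportable $true
Set-Content -Path $ReqFile -Value $Req

# 2. Submit the request to the internal CA from the command line (same as pasting it
#    into the certsrv page) using the built-in Web Server template.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $ReqFile $CerFile
# If the CA holds requests as pending, approve it in the CA console and fetch it with:
#   certreq -retrieve -config $CaConfig <RequestId> $CerFile

# 3. Import the issued certificate and bind it to IIS (OWA, ActiveSync, Autodiscover) and SMTP.
$Cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP"

# 4. Verify: every name clients use must appear in CertificateDomains, otherwise the
#    phones keep reporting a name mismatch like the CN=admin-exch error in the question.
$Bound   = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Missing = $ClientNames | Where-Object { $Bound.CertificateDomains -notcontains $_ }
if ($Missing) {
    Write-Warning "Certificate does not cover: $($Missing -join ', ')"
} else {
    Write-Host "Certificate covers $($ClientNames -join ', '); issued by $($Bound.Issuer)"
}
# Devices outside the domain still need the CA's root certificate installed to trust this
# certificate; the name check above removes only the mismatch warning, not the trust warning.
```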
 
bcarmi (ASKER)

Hi,
Sorry it took me a while to get back to you.
I've completed all the steps and I have completed the certificate request and I see it in the exchange console...thank you.

However, when I try to connect an iphone to the exchange server, it asks me if I accept the unknown certificate from the server and I say "yes". After that I get a message saying "unable to verify account information". It then repeatedly asks for the password. When I try to get the mail the iphone says "the connection to the server failed."

On the exchange server there is no evidence of a connection either.

Any suggestions would be very appreciated.
Thank you,
bcarmi
bcarmi (ASKER)

An update...
I downloaded the ActiveSync Tester for the iphone and got the following:

Checking connection....ok
Checking certificate .... fail
checking application ... ok
checking version ... fail

activesync is not available...major code: 0xffffffff minor code 0x0

The certificate may not be a fail...it's just a self-signed cert.
any suggestions as to where to go from here?
bcarmi
ASKER CERTIFIED SOLUTION
Gary Dewrell