  • Status: Solved

Outlook Web Access stopped working after renewing certificate

Last week, our self-made certificate expired on the Exchange server and "remote outlook" (RPC over HTTP) stopped working with an expired certificate error.  However, the Outlook Web Access via browser did work.  On Wednesday evening I renewed the certificate and now none of it works.  If I use the remote outlook it does not ask for authentication and opens Outlook but it will not connect to the Exchange server.  If I use the web browser I get the error: Internet Explorer cannot display the web page.  If I use the same URL without the "s" (just http://) it connects but of course it is garbled due to my setting in IIS to use SSL.  So it seems something regarding the SSL is not working correctly but I cannot figure out what that is.  Right now our OWA is unusable.  I have reset IIS but it did not help.  Any ideas?
Asked by: 12vltmn
2 Solutions
 
Alan Hardisty Commented:
Self issued SSL certificates need to be installed on each and every client for RPC over HTTPs to work, thus you will need to install the new certificate on every client connecting via this method.

This is one reason why $30 for a 3rd party SSL certificate makes sense as you don't have to manually install it on each client.

12vltmn (Author) Commented:
I do not recall having to install the certificate on the client in the past.  Actually, I'm not even sure how to do that.  Will you direct me?  When I open IE, Internet Options, Content, Certificates...the self issued certificate is listed with the correct expiration date of the renewed certificate.  Why does it not work?  It is listed in both the Intermediate and Trusted Root tabs.

Alan Hardisty Commented:
Weird.  If you didn't install the new cert - how did it get onto the client?

Are you checking on the server or the client above?

Have you considered spending the $30 for a 3rd party SSL cert to eliminate these problems permanently?
 
12vltmn (Author) Commented:
I do not know how the new cert got onto the client but I'm sure that I have never had to install the self issued certificate on any client.  I originally set up OWA four years ago and it has been working fine with a self issued cert.  I just assume it pulled the cert from the server.  I checked the client above (my laptop) for installed certificates and the cert is listed.  The RPC over HTTPs works fine inside our network but once I am at home it will not connect.  But the OWA via IE does not work even inside our network.  Strange.  

Who has a third party cert for $30?  I pay comodo $149 per year for a cert for one of our other servers.  And I thought they were one of the least expensive.

ebooyens Commented:
Are you using SBS 2003 or just Server 2003?  If SBS, use the SBS wizard to recreate the self-signed certificate.  Do you use the http://server/connectcomputer feature to join PCs to the domain?  That may be how they got the certificate without manual install.

If not SBS2003 then I'm not sure what's going on here.  You can still recreate a self-signed cert using SelfSSL:

http://www.visualwin.com/SelfSSL/

But then you will need to re-install the cert on your Outlook over HTTPS clients:

http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx

Alan Hardisty Commented:
GoDaddy - http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979
$24.99 for a 1 year single name SSL Standard certificate.  It is all you will need.

12vltmn (Author) Commented:
We are using Server 2003, not SBS.  I do not use http://server/connectcomputer to join PCs to the domain.  When I set up a new machine I change the local workgroup to the domain and join them in that manner.  I created the certificate using the certificate wizard and renewed it the same way by going to the properties of the default web server.

Alan Hardisty Commented:
I still don't get how you have the renewed cert installed on the client.
Can you export the cert via IIS on the server to a .P7B file, then copy that to the client, then install that on the client and see if Outlook starts to work again.
If you need guidance - just let me know.
Alan

12vltmn (Author) Commented:
Alan:

I exported the cert in .P7B format and imported that to my laptop.  I still cannot connect to OWA using IE.  Same error message.  This is bizarre.  It has been working fine for four years.  What can I check to make sure that SSL is working properly?  Port 443 is listed in IIS.  I am admittedly no expert in this area but I manage to get by with some help.  This is one reason I joined EE.  :o)

Alan Hardisty Commented:
What settings are set on the Directory Security tab of the RPC virtual Directory (SSL / IP Restrictions etc) and the Exchange virtual directory?

ebooyens Commented:
Sounds to me like you have two possible issues: one about serving OWA on port 443 on the server, as I'd expect you to still get to it although IE would complain about not trusting the certificate or whatever, and then the certificate issues.  Have a look at this:

http://support.microsoft.com/kb/827330

12vltmn (Author) Commented:
Alan:

On both virtual directories in IIS, there are no IP restrictions.  Also, when I click "View Certificate" the renewed cert is listed there with the expiration of 8/2/2011 (original was created 8/2/2006).  In the RPC directory, in authentication methods, only "Basic Authentication" is checked.  In the Exchange virtual directory, in authentication methods, Integrated Windows and Basic are both checked.  In the RPCWithCert virtual directory, nothing is checked in the authentication methods window.

Alan Hardisty Commented:
RPC Virtual Directory should be Basic & Integrated Authentication.
Please enable that then run IISreset and try again.

12vltmn (Author) Commented:
I did as you suggested but I still get the same result.

Alan Hardisty Commented:
Re OWA - what error (assuming you get one) do you see when trying to access OWA externally?
Can you access OWA on the Server itself?

12vltmn (Author) Commented:
Alan - It was the certificate as you first suggested.  I used the tool offered by ebooyens to determine where the process broke down and all looked good except the certificate.  So I purchased one on godaddy.com, installed and tested.  It works like a champ.  Thanks to both of you for your help.  I have rewarded the points accordingly.

kevin

jsilooy Commented:
Hello,
I had a problem and still have when using OWA through browser using https://externalipaddress/exchange.  
While trying to look for a solution and testing different existing certificates in IIS 6.0 on the Small Business Server 2003, suddenly the error 405-HTTP verb/method not allowed appeared. I spent 3 weeks searching every blog and forum to find the solution. Nothing was the right solution.

Yesterday I installed a 3rd party certificate from Comodo, Mobile SSL, which contains 3 parts, and found on Microsoft how to make a CSR for a 3rd party certificate by setting up a new temporary virtual website called, e.g., mail.comodo.com.  On this virtual website I made the request for a new certificate and copied the content to the field of the 3rd party to order a new certificate. According to Microsoft I had to install the required certificates on this temporary virtual website and also on the Default Web Site. Afterwards I deleted the temporary virtual website (mail.comodo.com).

On the server itself I had access again by typing in IE the https://externalipaddress/exchange and could logon on the OWA logon page and finally had access in the Outlook mailbox. But still the certificate fault was mentioned before the OWA logon page appeared. So I have to contact the provider of the new certificate how to resolve this.

Trying to access OWA externally I couldn't even reach the logon page.

So I logged in into the Zyxel modem, and under the tab Firewall >Rules> I added a new rule> WAN to LAN > tcp:80 and https:443.  I applied and the configuration was made.

After that employees had access to their OWA from home again.

The certificate message remains for me to solve tomorrow!

So the setting of the firewall on the modem/router could be an issue when OWA is not accessible from any computer on the internet.  I hope this is good advice to also check the modem/router.

rg. Sylvia Silooy
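
Added example (not part of the original thread and not code from any poster): a client-side probe that separates the failure modes discussed above, namely port 443 unreachable (firewall or no listener), the port answering without a completed TLS handshake, and a certificate that is untrusted, expired or issued for a different name. The host name `mail.example.com` and the cause labels are assumptions made for illustration.

```python
"""Classify why an HTTPS endpoint such as OWA fails from this client."""
import socket
import ssl

# OpenSSL X.509 verification codes mapped to causes raised in this thread.
VERIFY_CAUSES = {
    18: "untrusted_self_signed",  # self-signed cert not in this client's trust store
    19: "untrusted_self_signed",  # self-signed root in the chain, not trusted here
    20: "untrusted_issuer",       # issuing CA unknown to this client
    21: "untrusted_issuer",
    10: "expired",
    9: "not_yet_valid",
    62: "name_mismatch",          # host name in the URL is not in the certificate
    64: "name_mismatch",          # URL used an IP address that is not in the certificate
}


def classify_verify_error(exc):
    """Map an ssl.SSLCertVerificationError to a short cause label."""
    return VERIFY_CAUSES.get(getattr(exc, "verify_code", None), "cert_rejected")


def probe(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first step that fails, or ("ok", expiry)."""
    # Step 1: plain TCP. A failure here points at a firewall/NAT rule or a
    # missing listener, not at the certificate.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_unreachable", str(exc)
    # Step 2: TLS handshake, validated against this machine's trust store.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.getpeercert().get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc), exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Port answers but TLS never completes: look at the server's
        # certificate binding and protocol settings, not at client trust.
        return "tls_handshake_failed", str(exc)
    finally:
        raw.close()  # harmless if wrap_socket already took over the socket


if __name__ == "__main__":
    # Placeholder host, not a name taken from the thread.
    print(probe("mail.example.com"))
```

On Windows, `ssl.create_default_context()` loads the system certificate stores, so the result reflects whether the certificate is trusted on that particular client.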
