Solved

Outlook Web Access stopped working after renewing certificate

Posted on 2010-08-27
Last Modified: 2012-05-10
Last week, our self-made certificate expired on the Exchange server and "remote outlook" (RPC over HTTP) stopped working with an expired certificate error.  However, the Outlook Web Access via browser did work.  On Wednesday evening I renewed the certificate and now none of it works.  If I use the remote outlook it does not ask for authentication and opens Outlook but it will not connect to the Exchange server.  If I use the web browser I get the error: Internet Explorer cannot display the web page.  If I use the same URL without the "s" (just http://) it connects but of course it is garbled due to my setting in IIS to use SSL.  So it seems something regarding the SSL is not working correctly but I cannot figure out what that is.  Right now our OWA is unusable.  I have reset IIS but it did not help.  Any ideas?
Question by:12vltmn
17 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Self issued SSL certificates need to be installed on each and every client for RPC over HTTPs to work, thus you will need to install the new certificate on every client connecting via this method.

This is one reason why $30 for a 3rd party SSL certificate makes sense as you don't have to manually install it on each client.
0
 

Author Comment

by:12vltmn
I do not recall having to install the certificate on the client in the past.  Actually, I'm not even sure how to do that.  Will you direct me?  When I open IE, Internet Options, Content, Certificates...the self issued certificate is listed with the correct expiration date of the renewed certificate.  Why does it not work?  It is listed in both the Intermediate and Trusted Root tabs.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Weird.  If you didn't install the new cert - how did it get onto the client?

Are you checking on the server or the client above?

Have you considered spending the $30 for a 3rd party SSL cert to eliminate these problems permanently?
0
 

Author Comment

by:12vltmn
I do not know how the new cert got onto the client but I'm sure that I have never had to install the self issued certificate on any client.  I originally set up OWA four years ago and it has been working fine with a self issued cert.  I just assume it pulled the cert from the server.  I checked the client above (my laptop) for installed certificates and the cert is listed.  The RPC over HTTPs works fine inside our network but once I am at home it will not connect.  But the OWA via IE does not work even inside our network.  Strange.  

Who has a third party cert for $30?  I pay Comodo $149 per year for a cert for one of our other servers.  And I thought they were one of the least expensive.
0
 
LVL 4

Expert Comment

by:ebooyens
Are you using SBS 2003 or just Server 2003?  If SBS, use the SBS wizard to recreate the self-signed certificate.  Do you use the http://server/connectcomputer feature to join PCs to the domain?   May be how they got the certificate without manual install.

If not SBS2003 then I'm not sure what's going on here.  You can still recreate a self-signed cert using SelfSSL:

http://www.visualwin.com/SelfSSL/

But then you will need to re-install the cert on your Outlook over HTTPS clients:

http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 400 total points
GoDaddy - http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979
$24.99 for a 1 year single name SSL Standard certificate.  It is all you will need.
 
0
 

Author Comment

by:12vltmn
We are using Server 2003, not SBS.  I do not use http://server/connectcomputer to join PC's to the domain.  When I set up a new machine I change the local workgroup to the domain and join them in that manner.  I created the certificate using the certificate wizard and renewed it the same way by going to the properties of the default web server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I still don't get how you have the renewed cert installed on the client.
Can you export the cert via IIS on the server to a .P7B file, then copy that to the client, then install that on the client and see if Outlook starts to work again.
If you need guidance - just let me know.
Alan
0
 

Author Comment

by:12vltmn
Alan:

I exported the cert in .P7B format and imported that to my laptop.  I still cannot connect to OWA using IE.  Same error message.  This is bizarre.  It has been working fine for four years.  What can I check to make sure that SSL is working properly?  Port 443 is listed in IIS.  I am admittedly no expert in this area but I manage to get by with some help.  This is one reason I joined EE.  :o)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
What settings are set on the Directory Security tab of the RPC virtual Directory (SSL / IP Restrictions etc) and the Exchange virtual directory?
0
 
LVL 4

Assisted Solution

by:ebooyens
ebooyens earned 100 total points
Sounds to me like you have two issues possible, one about serving OWA on port 443 on the server as I'd expect you to still get to it although IE would complain about not trusting the certificate or whatever, and then the certificate issues.  Have a look at this

http://support.microsoft.com/kb/827330
0
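The comment above separates two failure layers: nothing being served on port 443, and the certificate being rejected. As an added example (not part of the original thread), this Python check run from a client reports which layer fails first; the host name `owa.example.test` and the function name `triage_https` are placeholders introduced here.

```python
import socket
import ssl


def triage_https(host, port=443, timeout=5.0):
    """Return (stage, detail) naming the first layer that fails, or ("ok", ...)."""
    # Layer 1: plain TCP. A failure here points at a firewall/router rule,
    # a missing port forward, or no listener bound to the port on the server.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_unreachable", str(exc))

    # Layers 2 and 3: TLS handshake with full verification. The default context
    # uses the operating system's trust store and checks the name in the URL.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return ("ok", "trusted, expires " + cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # The server presented a certificate but this client does not accept it:
        # self-signed and not installed here, expired, or issued for another name.
        return ("cert_not_trusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # The port is open but the handshake did not complete (no TLS on that
        # port, a reset connection, or a timeout during negotiation).
        return ("tls_handshake_failed", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # Placeholder host: replace with the name clients type into the browser,
    # then run once inside the network and once from outside it.
    stage, detail = triage_https("owa.example.test")
    print(stage, "-", detail)
```

A `tcp_unreachable` result seen only from outside the network points at the perimeter rather than IIS, while `cert_not_trusted` means the port and handshake are fine and only the certificate needs attention.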
 

Author Comment

by:12vltmn
Alan:

On both virtual directories in IIS, there are no IP restrictions.  Also, when I click "view Certificate" the renewed cert is listed there with the expiration of 8/2/2011 (original was created 8/2/2006).  In the RPC directory, in authentication methods, only "Basic Authentication" is checked.  In the Exchange virtual directory, in authentication methods, Integrated Windows and Basic are both checked.  In the RPCWithCert virtual directory, nothing is checked in the authentication methods window.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
RPC Virtual Directory should be Basic & Integrated Authentication.
Please enable that then run IISreset and try again.
0
 

Author Comment

by:12vltmn
I did as you suggested but I still get the same result.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Re OWA - what error (assuming you get one) do you see when trying to access OWA externally?
Can you access OWA on the Server itself?
0
 

Author Closing Comment

by:12vltmn
Alan - It was the certificate as you first suggested.  I used the tool offered by ebooyens to determine where the process broke down and all looked good except the certificate.  So I purchased one on godaddy.com, installed and tested.  It works like a champ.  Thanks to both of you for your help.  I have rewarded the points accordingly.

kevin
0
 

Expert Comment

by:jsilooy
Hello,
I had a problem and still have when using OWA through browser using https://externalipaddress/exchange.  
Trying to look for a solution and testing different existing certificates in IIS 6.0 on the Small Business Server 2003 suddenly the error 405-HTTP verb/method not allowed appeared. I spent 3 weeks searching every blog and forum to find the solution. Nothing was the right solution.

Yesterday I installed a 3rd party certificate from Comodo, Mobile SSL, which contains 3 parts, and found on Microsoft how to make a CSR for a 3rd party certificate by setting a new temporary called e.g. mail.comodo.com.  On this virtual website I made the request for a new certificate and copied the content to the field of the 3rd party to order a new certificate. According to Microsoft I had to install the required certificates on this temporary virtual website and also on the Defaultwebsite. Afterwards I deleted the temporary virtual website (mail.comodo.com).  

On the server itself I had access again by typing in IE the https://externalipaddress/exchange and could logon on the OWA logon page and finally had access in the Outlook mailbox. But still the certificate fault was mentioned before the OWA logon page appeared. So I have to contact the provider of the new certificate how to resolve this.

Trying to access OWA externally I couldn't even reach the logon page.

So I logged in into the Zyxel modem, and under the tab Firewall >Rules> I added a new rule> WAN to LAN > tcp:80 and https:443.  I applied and the configuration was made.

After that employees had access to their OWA from home again.

Remains the certificate message for me to solve tomorrow!

So the setting of the firewall on the modem/router could be an issue when OWA is not accessible from any computer on the internet.  I hope this is a good advice to check also the modem/router.

rg. Sylvia Silooy
0
