  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1131

SSL Certificate SBS 2008 IIS 7

Hi all,

We are trying to enable remote access to our exchange server so we can access the emails via OWA.

Now we have mail.<domain>.co.uk pointing to the SBS 2008 server. I have been to www.testexchangeconnectivity.com and run the test and get the following error:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name email.greerengineering.co.uk in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 81.137.198.78
 
 Testing TCP Port 443 on host email.greerengineering.co.uk to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
 
Now I have created a self-assigned SSL certificate using IIS 7, but this seems to just be creating the certificate for <servername>.<domain>.local?

How can I specifically create a certificate for mail.<domain>.co.uk?

Also, secondly, once I have created this, will I need to install the certificate onto all the devices going to use the OWA from the public folders? However, two of the devices that will be connecting to the email server will be a BlackBerry and an iPhone.

I assume the cert will need to be installed on these too? If so, how would we get these onto the phones (web download??)?


Thanks in advance,

Matt
0
flynny
Asked:
2 Solutions
 
Dave StringfellowIT managerCommented:
You can't create a domain certificate when it's self certified. You will need to get a 3rd party cert from somewhere like godaddy.com (about £30 a year). Then you can use the SBS wizard to install that cert and everything will work correctly.

With your phones, they work like a browser, they will see the cert, check it, and just use it, you do not need to install them on the devices.
0
 
tonyperthCommented:
Remember to buy a UCC certificate so that you can have multiple names:

remote.<domain>.co.uk
autodiscover.<domain>.co.uk
the name of the server and the local domain etc.

You will obviously need to create external A records for remote and autodiscover as well.
0
 
flynnyAuthor Commented:
ok I have bought a 2 year SSL from godaddy.

tonyperth - sorry, I cannot find these UCC on the GoDaddy website? What is the cost of these? And are they required?
0
 
tonyperthCommented:
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979

Under the single domain one: "Multiple Domains (UCC)" £58.47
0
 
tonyperthCommented:
For an SBS 2008 it is recommended that you get a UCC certificate so that it can have the multiple domains. It makes life easier if you have it: Outlook clients can configure themselves and you will have fewer issues with mobile devices. It also makes setting up Outlook Anywhere less problematic.
0
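Added example (not part of the original thread): a small Python sketch of the certificate name check that the ExRCA test reports on, showing why a certificate issued for the internal server name fails for the public name and what a multi-name (UCC) certificate changes. All host names and the `cert_covers` / `uncovered` helpers are hypothetical, constructed for illustration.

```python
# Added illustration: constructed names, not taken from a real certificate.
def _label_match(pattern, host):
    """Match one DNS name; '*' is only honoured as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.uk'-style patterns
    return p == h


def cert_covers(host, common_name, san_dns=()):
    """Return True if a certificate with these names is valid for `host`.

    If the certificate carries any SAN dNSName entries, only those are
    consulted; the Subject CN is a fallback for certificates with no SAN.
    """
    names = list(san_dns) if san_dns else [common_name]
    return any(_label_match(n, host) for n in names)


def uncovered(hosts, common_name, san_dns=()):
    """List the hostnames clients will use that the certificate does not cover."""
    return [h for h in hosts if not cert_covers(h, common_name, san_dns)]


# Constructed placeholder names (example.co.uk / example.local).
CLIENT_NAMES = ["mail.example.co.uk", "autodiscover.example.co.uk",
                "remote.example.co.uk", "sbs01.example.local"]

SELF_SIGNED = dict(common_name="sbs01.example.local")
SINGLE_NAME = dict(common_name="mail.example.co.uk")
UCC = dict(common_name="mail.example.co.uk",
           san_dns=["mail.example.co.uk", "autodiscover.example.co.uk",
                    "remote.example.co.uk", "sbs01.example.local"])

if __name__ == "__main__":
    for label, cert in [("self-signed", SELF_SIGNED),
                        ("single-name", SINGLE_NAME), ("UCC", UCC)]:
        print(label, "->", uncovered(CLIENT_NAMES, **cert) or "all names covered")
```
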
 
RickEpnetCommented:
You do not need a UCC certificate with SBS.

Did you use the wizards to set up the internet and the certificate? If you use the wizards it works very smoothly. I learned this the hard way, coming from an enterprise background.

In the Windows SBS Console

Connect to the Internet
Setup your internet address
Add a trusted certificate.
0
 
flynnyAuthor Commented:
Hi all,

Sorry for the delay. The SSL certificate for our domain has finally been authorised and I have installed the certificate. However, I still don't seem to be able to access the OWA?

Performing the test on testexchangeconnectivity.com, it connects OK. Here's the log:

ExRCA is testing Exchange ActiveSync.
 Exchange ActiveSync was tested successfully.
 Test Steps
 Attempting to resolve the host name email.<ourdomain>.co.uk in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: <ourip>

Testing TCP Port 443 on host email.<ourdomain>.co.uk to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname email.<ourdomain>.co.uk in Certificate Subject Common name

Validating certificate trust for Windows Mobile Devices
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 Certificate is only trusted on Windows Mobile 6.0 and later. Windows Mobile 5.0 and 5.0 + MSFP devices will not be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/4/2010 7:36:01 PM, NotAfter = 9/4/2012 7:36:01 PM"



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://email.<ourdomain>.co.uk/Microsoft-Server-Activesync/
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

An ActiveSync session is being attempted with the server.
 Testing an ActiveSync session completed successfully
 Test Steps
 ExRCA is attempting to send the OPTIONS command to the server.
 OPTIONS response was successfully received and is valid
 Additional Details
 Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 8.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5,12.0,12.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Mon, 06 Sep 2010 19:22:27 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET



ExRCA is attempting the FolderSync command on the Exchange ActiveSync session.
 The FolderSync command completed successfully.
 Additional Details
 Number of Folders: 22

ExRCA is attempting the initial sync to the Inbox folder. This initial sync won't return any data.
 The Sync command completed successfully.
 Additional Details
 Status: 1

ExRCA is attempting to test the GetItemEstimate command for the Inbox folder.
 Successfully received GetItemEstimate Response from Server
 Additional Details
 Estimate: 48 messages

However, when I try to go to https://email.<ourdomain>.co.uk/exchange I get an IE cannot connect error message (a 403 Forbidden if I try to diagnose?)

Any ideas here?

Thanks in advance,

Matt.
0
 
flynnyAuthor Commented:
OK, sorry, got a bit further...

I went to Exchange Management Console -> Server Configuration -> Client Access

Selected owa and then Properties. Changed the external URL to be email.<ourdomain>.co.uk/owa

Now if I then go to https://email.<ourdomain>.co.uk/owa the login screen is appearing.

However, if I then type in the user/pass I am getting an HTTP 400 Bad Request?

Matt.
0
 
flynnyAuthor Commented:
Hmm, this seems to be working in Firefox and seems to be a problem with IE8? I would need to solve this as the majority use IE8 in the office?

Any ideas why this is happening?

Matt (sorry for multiple posts!)
0
 
RickEpnetCommented:
You should really use the SBS Wizards to do this. I know I did not the first time and had all kinds of issues.
0
 
tonyperthCommented:
In IE8, try adding the certificate to your Trusted Root certificates to see if it solves your issue in IE8.
0
 
flynnyAuthor Commented:
Thanks for all the help guys!
0
Question has a verified solution.
