Solved

SSL Certificate SBS 2008 IIS 7

Posted on 2010-09-02
Last Modified: 2012-05-10
Hi all,

We are trying to enable remote access to our exchange server so we can access the emails via OWA.

Now we have mail.<domain>.co.uk pointing to the SBS 2008 server. I have been to www.testexchangeconnectivity.com and run the test and get the following error:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name email.greerengineering.co.uk in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 81.137.198.78
 
 Testing TCP Port 443 on host email.greerengineering.co.uk to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
 
Now I have created a self-signed SSL certificate using IIS 7, but this seems to just be creating the certificate for <servername>.<domain>.local?

How can I specifically create a certificate for mail.<domain>.co.uk?

Also, secondly, once I have created this will I need to install the certificate onto all the devices going to use OWA from the public folders? However, two of the devices that will be connecting to the email server will be a BlackBerry and an iPhone.

I assume the cert will need to be installed on these too? If so, how would we get these onto the phones (web download?)?


Thanks in advance,

Matt
Question by:flynny
12 Comments
 

Expert Comment

by:Dave_AND
ID: 33584605
You can't create a domain certificate when it's self-certified. You will need to get a third-party cert from somewhere like godaddy.com (about £30 a year). Then you can use the SBS wizard to install that cert and everything will work correctly.

With your phones, they work like a browser: they will see the cert, check it, and just use it; you do not need to install it on the devices.
 

Expert Comment

by:tonyperth
ID: 33585131
Remember to buy a UCC certificate so that you can have multiple names:

remote.<domain>.co.uk
autodiscover.<domain>.co.uk
the name of the server and the local domain etc.

You will obviously need to create external A records for remote and autodiscover as well.
 

Author Comment

by:flynny
ID: 33585196
OK, I have bought a 2-year SSL from GoDaddy.

tonyperth - sorry, I cannot find these UCC on the GoDaddy website? What is the cost of these, and are they required?
 

Expert Comment

by:tonyperth
ID: 33585207
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979

Under the single domain one: "Multiple Domains (UCC)" £58.47
 

Expert Comment

by:tonyperth
ID: 33585217
For an SBS 2008 it is recommended that you get a UCC certificate so that it can have the multiple domains. It makes life easier if you have it: Outlook clients can configure themselves and you will have fewer issues with mobile devices. It also makes setting up Outlook Anywhere less problematic.
 

Expert Comment

by:RickEpnet
ID: 33588599
You do not need a UCC certificate with SBS.

Did you use the wizards to set up the internet and the certificate? If you use the wizards it works very smoothly; I learned this the hard way coming from an enterprise background.

In the Windows SBS Console

Connect to the Internet
Set up your internet address
Add a trusted certificate.

Author Comment

by:flynny
ID: 33613174
Hi all,

Sorry for the delay. The SSL certificate for our domain has finally been authorised and I have installed the certificate. However, I still don't seem to be able to access OWA?

Performing the test on testexchangeconnectivity.com it connects OK. Here's the log:

ExRCA is testing Exchange ActiveSync.
 Exchange ActiveSync was tested successfully.
 Test Steps
 Attempting to resolve the host name email.<ourdomain>.co.uk in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: <ourip>

Testing TCP Port 443 on host email.<ourdomain>.co.uk to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname email.<ourdomain>.co.uk in Certificate Subject Common name

Validating certificate trust for Windows Mobile Devices
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 Certificate is only trusted on Windows Mobile 6.0 and later. Windows Mobile 5.0 and 5.0 + MSFP devices will not be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/4/2010 7:36:01 PM, NotAfter = 9/4/2012 7:36:01 PM



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://email.<ourdomain>.co.uk/Microsoft-Server-Activesync/
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

An ActiveSync session is being attempted with the server.
 Testing an ActiveSync session completed successfully
 Test Steps
 ExRCA is attempting to send the OPTIONS command to the server.
 OPTIONS response was successfully received and is valid
 Additional Details
 Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 8.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5,12.0,12.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Mon, 06 Sep 2010 19:22:27 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET



ExRCA is attempting the FolderSync command on the Exchange ActiveSync session.
 The FolderSync command completed successfully.
 Additional Details
 Number of Folders: 22

ExRCA is attempting the initial sync to the Inbox folder. This initial sync won't return any data.
 The Sync command completed successfully.
 Additional Details
 Status: 1

ExRCA is attempting to test the GetItemEstimate command for the Inbox folder.
 Successfully received GetItemEstimate Response from Server
 Additional Details
 Estimate: 48 messages

However, when I try to go to https://email.<ourdomain>.co.uk/exchange I get an IE cannot connect error message (a 403 Forbidden if I try to diagnose?)

Any Ideas here?

Thanks in advance,

Matt.
 

Author Comment

by:flynny
ID: 33613194
OK, sorry, got a bit further...

I went to Exchange Management Console -> Server Configuration -> Client Access,

selected OWA and then Properties, and changed the external URL to be email.<ourdomain>.co.uk/owa.

Now if I then go to https://email.<ourdomain>.co.uk/owa the login screen is appearing.

However, if I then type in the user/pass I am getting an HTTP 400 Bad Request?

Matt.
 

Author Comment

by:flynny
ID: 33613206
Hmm, this seems to be working in Firefox and seems to be a problem with IE8? I would need to solve this as the majority use IE8 in the office?

Any ideas why this is happening?

Matt (sorry for multiple posts!)
 

Accepted Solution

by:RickEpnet (earned 250 total points)
ID: 33613215
You should really use the SBS Wizards to do this. I know I did not the first time and had all kinds of issues.
 

Assisted Solution

by:tonyperth
tonyperth earned 250 total points
ID: 33615757
In IE8, try adding the certificate to your Trusted Root certificates to see if it solves your issue in IE8.
 

Author Closing Comment

by:flynny
ID: 33653675
Thanks for all the help guys!