Solved

OWA / Outlook Anywhere (http over rpc) Certificate

Posted on 2010-11-09
15
795 Views
Last Modified: 2012-05-10
Hi,
I recently purchased a UCC certificate from GoDaddy to service autodiscover.domain.com and mail.domain.com. (primarily for http over rpc from external).

I installed the certificate through certificate management, and installed/enabled it through Exchange PowerShell (Enable-ExchangeCertificate -Services IIS,SMTP -Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4).

All went on fine. I am now having issues with my setup, (primarily the services to which the certificates apply). When I apply to SMTP and IIS, Outlook Anywhere then works perfectly from remote devices but fails on OWA in the local domain (certificate error - names do not match - http://sites.owa is being serviced by mail.domain.com).

I have applied various of my internal/UCC certificates to services, but something always fails. Any advice on how I should configure this so everything is serviced correctly? Maybe I should be looking at hosts files on my internal network??

Many Thanks
Steven

I am running exchange 2007 SP2. Half of my internal network is using OWA as the main
Question by:noooodlez
15 Comments
 
LVL 3

Accepted Solution

by:
thetime earned 350 total points
ID: 34092455
Just a thought. You only have two names on there, and none of them specify the internal names for your server. You should name all variables of the server (local and external domain names) on the one cert.

We also made the mistake on the first godaddy cert and had similar if not the same problems.

Ours now list all internal and external possibilities and since then we have not had any problems.

eg:

mail.domain.com
autodiscover.domain.com
mail.domain.local
autodiscover.domain.local

Might have neglected an entry or two, but you get the picture.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 34092830
The names you need in a SAN / UCC certificate are:
mail.domain.com (or whatever you want to use that resolves in DNS to the server)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
With those added and all services assigned to the certificate (SMTP / POP3 / IIS / IMAP) you should have everything working.
You should be able to generate a new Certificate Signing Request by visiting:
https://www.digicert.com/easy-csr/exchange2007.htm
Then copy the output to your server, run the command from the Exchange Management Shell, then copy the CSR request file contents to GoDaddy and re-key the certificate.
Once re-keyed, download the new certificate, import it, then repair the certificate (it won't have the private key) at a command prompt:
certutil -repairstore my "Certificate Thumbprint"
Then enable the certificate:
Enable-ExchangeCertificate -Thumbprint Certificate_Thumbprint -Services "POP, IMAP,IIS,SMTP"
All should then be well.
0
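For readers following the procedure above, here is the same sequence as an Exchange 2007 Management Shell script. It is an added example, not part of any post in this thread and not Microsoft's documentation; the host names, organisation name and file paths are placeholders. It assumes the CSR is generated on the Client Access Server itself, so the private key is already present in the local store and the certutil repair step is not needed (that step is only required when the request was generated somewhere else, e.g. with the DigiCert tool on another machine).

```powershell
# Added example (not from the original thread): request, import and enable a
# SAN/UCC certificate on an Exchange 2007 Client Access Server from the
# Exchange Management Shell. Names and paths below are placeholders.
$names = @(
    'mail.domain.com',          # external OWA / Outlook Anywhere name
    'autodiscover.domain.com',  # Autodiscover (external)
    'servername.domain.local',  # internal FQDN of the server
    'servername'                # internal NetBIOS name
)

# 1. Generate the CSR. The common name is the primary external name; every
#    other name goes into the Subject Alternative Name list.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=GB, O=Example Ltd, CN=mail.domain.com' `
    -DomainName $names `
    -PrivateKeyExportable $true -KeySize 2048 `
    -Path 'C:\certreq\mail.domain.com.req'

# Submit the contents of the .req file to the CA. Once the signed certificate
# (.cer) is back on this server:

# 2. Import it. Because the CSR was generated here, the private key is already
#    in the store and Import-ExchangeCertificate returns the paired certificate.
$cert = Import-ExchangeCertificate -Path 'C:\certreq\mail.domain.com.cer'

# 3. Verify the SAN list actually contains every name you ordered before
#    binding services; a missing name is exactly what produces the client
#    "name mismatch" warning described in this thread.
$issued  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($names | Where-Object { $issued -notcontains $_.ToLower() })
if ($missing.Count -gt 0) {
    throw "Certificate is missing SAN entries: $($missing -join ', ')"
}

# 4. Bind the certificate to the client-facing services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 5. Review what is now bound and when it expires.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

If the request was generated elsewhere, insert `certutil -repairstore my "<thumbprint>"` between steps 2 and 3, as the answer above describes, and then re-run `Get-ExchangeCertificate` to confirm the object reports `HasPrivateKey` as true before enabling it.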
 

Author Comment

by:noooodlez
ID: 34094541
Thanks for the responses.

I have the option of changing the alt names on my existing cert by managing it through the GoDaddy website, so I don't think that re-keying will be necessary. I have added servername.domain.local and servername to my existing cert and am now awaiting it being issued (understandably they have a manual checking process).

I'm not sure that they will be happy to issue to just servername though as this could resolve to anywhere. I might just be being paranoid!!!?
I will report back when I know more.
Assuming that all is well with the certificate, what address would my internal clients use to connect to my SBS sites? I assume that the default http://sites/owa and http://servername/owa would be in?
Cheers
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34094936
That's fine - they will send the Administrator of the domain an email for approval - then you just click on the link in the email to approve and then they will re-issue the certificate.
Clients will access via whatever FQDN you have added to the certificate and that resolves in DNS to the IP Address of your server, as long as the configuration of the server is correct.
0
 
LVL 3

Expert Comment

by:thetime
ID: 34099687
Thx alanhardisty for giving him the right names.
0
 
LVL 3

Expert Comment

by:thetime
ID: 34099699
> Assuming that all is well with the certificate, what address would my internal clients use to connect to my SBS sites? I assume that the default http://sites/owa and http://servername/owa would be in?

The http://servername/owa would be correct, not so sure about the other one.
0
 

Author Comment

by:noooodlez
ID: 34121082
Right, got my certificate, installed/repaired/enabled my certificate through Exchange PowerShell.

Http over RPC works fine (without cert error)
OWA works fine (I had to change the URL we use to match the cert)

Outlook is now giving a certificate error (name mismatch), although SERVERNAME and SERVERNAME.domainname.com are valid alt names on my cert.

I'm further on than I was, only now the situation is worse as the warning message is now appearing on my MDs PC!!

Any more suggestions?

Many Thanks
Steven
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34121161
Is this with locally configured Outlook clients?

If so, how are the clients configured?
0
 

Author Comment

by:noooodlez
ID: 34121186
Yes, this is locally connecting clients. One more thing I have noted.

The certificate is failing because Outlook is attempting to connect to "sites", which is the CNAME that SBS 2008 sets up for accessing its IIS apps. This is not included in my certificate alt names.

The message comes up twice. HTTP over RPC is not configured on my connection and I have deleted my SharePoint lists.
0
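The warning described above comes from Outlook being handed a URL whose host name (here the SBS "sites" CNAME) is not on the certificate bound to IIS, so the fix is to find every published URL and make its host name match the SAN list. The following script is an added example, not taken from any post in this thread: run in the Exchange 2007 Management Shell on the Client Access Server, it lists the host names the server publishes through its OWA, Web Services and OAB virtual-directory URLs, the Autodiscover internal URI and the Outlook Anywhere external host name, and flags any that are absent from the IIS certificate. `$cas` is a placeholder, and the check is an exact-name comparison only (wildcard certificates are not handled).

```powershell
# Added example (not from the original thread). Run locally in the Exchange 2007
# Management Shell on the Client Access Server named in $cas.
$cas = 'servername'   # placeholder: your CAS / SBS server name

# The certificate Exchange has enabled for IIS is the one OWA, Autodiscover,
# EWS, OAB and Outlook Anywhere present to clients.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for the IIS service on this server" }
$san = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Collect every URL the server hands to clients (internal and external).
$urls = @()
$urls += (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-OwaVirtualDirectory -Server $cas) +
                @(Get-WebServicesVirtualDirectory -Server $cas) +
                @(Get-OabVirtualDirectory -Server $cas)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

# Outlook Anywhere: the external host name is also the "msstd:" principal name
# that clients compare against the certificate when that option is ticked.
$oa = Get-OutlookAnywhere -Server $cas
if ($oa -and $oa.ExternalHostname) { $hosts += ([string]$oa.ExternalHostname).ToLower() }

function Test-NameOnCertificate([string]$name, [string[]]$sanList) {
    # Exact match only; wildcard entries are deliberately not expanded here.
    return [bool]($sanList -contains $name.ToLower())
}

# One line per distinct host name, marking the ones that will trigger a
# name-mismatch warning in Outlook or the browser.
$hosts | Sort-Object -Unique | ForEach-Object {
    $status = if (Test-NameOnCertificate $_ $san) { 'covered' } else { 'NOT IN CERTIFICATE' }
    '{0,-45} {1}' -f $_, $status
}
```

Any host name reported as NOT IN CERTIFICATE either needs adding to the certificate's SAN list or, more usually, the corresponding InternalUrl/ExternalUrl (set with the matching Set-*VirtualDirectory cmdlet, or Set-ClientAccessServer for the Autodiscover URI) should be changed to a name that is already on the certificate and resolves in internal DNS to the server.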
 
LVL 3

Expert Comment

by:thetime
ID: 34134038
Your MD's PC. Does it ever leave the office? (If he leaves it at the office, don't use the HTTP/RPC methods; just use your standard network.)

Go to email accounts, then edit the Exchange accounts,
go to More Settings,
go to Enable proxy settings.

URL to connect to proxy for exchange.

Is that one pointing to your "Sites" mentioned above or to "mail.domain.com"?
Is "Only connect to proxy servers that have this principal name in their certificate" ticked?
The principal name that you supply should look like this: "msstd:mail.domain.com"
0
 

Author Comment

by:noooodlez
ID: 34134436
Hi, I may have sent you on a bit of a wild goose chase here. Every PC in the office is the same, connecting directly to our Exchange server (including my MD's).

HTTP over RPC is not checked on any.

I suspect that Exchange is delivering data linked over HTTP somewhere (e.g. http://sites/owa).

For the idiot over here (I do not profess to be an expert on certification), what is the relevance of msstd.xzxxxx.xxxxxx.com???

0
 
LVL 3

Expert Comment

by:thetime
ID: 34134605
ok ... (just checking if I can post or not - seems to be a problem with submitting here))
0
 
LVL 3

Expert Comment

by:thetime
ID: 34134622
It's "msstd:xxxx.xxxxxx.com" - see the colon.

Quoting saku99 (16/05/10 08:00 PM, accepted solution in another thread):

> MSSTD stands for Microsoft Standard form. Don't know why it works both ways, but I've also noticed that, although I had some instances where Outlook did not work without the prefix.
>
> As a side note, I had trouble remembering this stupid prefix, so now I remember it as:
>
> MicroSoft Sexually Transmitted Disease :)

More information here about MSSTD (link not preserved).
0
 

Author Comment

by:noooodlez
ID: 34135683
OK, I'm going to create a new post on here as I think my original question was answered; the problems I am experiencing now are knock-on problems.

You guys feel free to jump in on my new post if you think you can help me further.

Thanks for your time guys, I will distribute points between you accordingly.
0
 

Author Closing Comment

by:noooodlez
ID: 34135854
0
