RHNOC
Exchange 2007 OWA and ActiveSync Certificate error
I have been transitioning our environment from 2003 to 2007. I am at the point where I am trying to get our Droid users to be able to sync with our Exchange 2007. They were all able to sync with our 2003 Exchange FE using the same certificate. When trying to connect to the 2007 Exchange server, they get an error, "The certificate from the server is not validated." If I uncheck "Verify Certificate" it will sync.
When I go to our OWA webpage at https://webmail.mydomain.com I get no certificate error at all using a web browser. I feel there is something I have overlooked and haven't been able to find much from searching the web. Thanks in advance,
You need to address the bindings in IIS. After that, try restarting the services for IIS: go to the command prompt, type iisreset and press Enter.
Did you export the certificate (with private key) from the 2003 server, import the certificate on the Exchange 2007 server, and run Enable-ExchangeCertificate -Thumbprint <AFADFA11212> -Services IIS?
ASKER
I exported it from the 2003 FE and imported it on the 2007 server. I am not sure what the "Enable-ExchangeCertificate -Thumbprint" is... I am pretty sure the certificate is set up correctly for at least OWA, as I do not get any certificate errors when accessing OWA both internally and externally.
Does your certificate have Subject Alternative Names (SANs)? This was introduced in OWA 2007. The Droids may not be using the same site name. Your certificate should have all the possible names that might be used. For example, you might need webmail, autodiscover, and the FQDN of the server itself as SANs. You can check your cert using this link: http://www.digicert.com/help/.
Remember, if you use Outlook Anywhere or Exchange ActiveSync, any cert warnings will stop it working. And you'll get them without the SANs.
ASKER
Here are the results of www.digicert.com.
DNS resolves 'webmail.mydomain.com' to x.x.x.x
HTTP Server Header: Microsoft-IIS/6.0
SSL certificate
Subject = webmail.mydomain.com
Subject Alternative Names = mydomain.com
This certificate does not use a vulnerable Debian key (this is good)
Certificate Name matches webmail.mydomain.com
Does that answer your question about it having SAN's? I am not using autodiscover at this time. I am not getting any errors on the 2007 server in the event log either. Our 2003 FE server used to give warnings or errors about OWA and ActiveSync issues to aid in troubleshooting. I am just not seeing anything to point me in a direction to research. Thanks again,
Have you checked the permissions on the virtual directories in IIS?
ASKER
What should I be looking for?
Run the following on the 2007 server and verify that the certificate with these subject names is being used by the IIS service:
Get-ExchangeCertificate | fl
ASKER
Two certificates were listed. The first one is the one created during the Exchange 2007 install. The second is the third party one that I imported. Should the one created by exchange still be listed or could that be the problem?
ASKER
The one created by exchange is listed as being used by: IMAP, POP and SMTP. The third party one is listed as being used by IIS.
ASKER
Also, listed under "Subject" for the third party certificate, CN = webmail.mydomain.com. Listed under "CertificateDomains" for the third party certificate, the result = {webmail.mydomain.com, mydomain.com}
Thanks
When you set up the device you should be using webmail.mydomain.com for the server value.
Have you tried testing your configuration with https://testexchangeconnectivity.com/ ?
ASKER
Yes I have. https://testexchangeconnectivity.com/ passes all tests. On the droid devices they are all configured to use webmail.mydomain.com.
Then this sounds like an issue with the Droid and its list of trusted cert authorities.
Are they connecting over the phone network and not using domain Wi-Fi?
Is Exchange fully updated?
ASKER CERTIFIED SOLUTION
ASKER
That is exactly it, Boilermaker85. As soon as I read your post I remembered there was a cert from the issuer that I installed from their site as well as the webmail.mydomain.com cert. When I exported it for the new server I must have missed that part. I just jumped on their site and installed the root cert on the Exchange 2007 server and I could then connect using the Droids with the "Verify Certificate" option.
Thanks everyone for all your assistance.
:-D
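The resolution above is the classic "browser works, ActiveSync does not" pattern: Windows builds the chain for the IIS certificate from the server's own certificate stores, so if the issuer's CA certificate is missing there the client is sent the leaf alone. A desktop browser often still validates, because it already has the CA cached or fetches it over the AIA URL, while an ActiveSync client that only carries root certificates cannot. The script below is an added example, not code posted in the thread; it runs in the Exchange Management Shell on the Exchange 2007 Client Access server, finds the certificate enabled for IIS (the Get-ExchangeCertificate / Enable-ExchangeCertificate step discussed earlier) and walks its issuer chain using only the LocalMachine CA and Root stores, with no network download, so it reports exactly the gap the asker found. webmail.mydomain.com is the host name from the thread; the file names issuer.cer and root.cer are assumed placeholders for the certificates downloaded from the CA's site.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2007 CAS. Walks the IIS certificate's issuer chain using only the local
# stores, which is what the server has available when it sends a chain to clients.
$fqdn = 'webmail.mydomain.com'   # host name from the thread

# Step 1: which certificate has Exchange enabled for IIS (OWA / ActiveSync)?
$exCert = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'IIS') -and ("$($_.CertificateDomains)" -match [regex]::Escape($fqdn))
}
if ($exCert -eq $null) {
    throw "No certificate containing $fqdn is enabled for IIS. Enable one with: Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS"
}
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $exCert.Thumbprint }
"IIS certificate: $($leaf.Subject) (thumbprint $($leaf.Thumbprint))"

# Step 2: walk from the leaf towards a root, resolving each issuer from the
# Intermediate (CA) and Root stores only. No AIA download is attempted, so a
# missing link here is a missing link for ActiveSync clients too.
$caStore   = @(Get-ChildItem Cert:\LocalMachine\CA)
$rootStore = @(Get-ChildItem Cert:\LocalMachine\Root)
$current = $leaf
$hops = 0
while ($current.Subject -ne $current.Issuer) {
    $hops++
    $issuer = @(($caStore + $rootStore) | Where-Object { $_.Subject -eq $current.Issuer }) | Select-Object -First 1
    if ($issuer -eq $null) {
        "MISSING: issuer '$($current.Issuer)' of '$($current.Subject)' is not in LocalMachine\CA or LocalMachine\Root."
        "Clients will receive an incomplete chain. Download the issuer's certificate from the CA and run:"
        "  certutil -addstore CA issuer.cer     (issuer.cer is an assumed file name)"
        break
    }
    "  hop $hops : $($issuer.Subject)"
    $current = $issuer
}

# Step 3: the chain must end at a certificate the server itself trusts as a root.
if ($current.Subject -eq $current.Issuer) {
    if ($rootStore | Where-Object { $_.Thumbprint -eq $current.Thumbprint }) {
        "OK: chain terminates at trusted root '$($current.Subject)'."
    } else {
        "WARNING: reached self-signed '$($current.Subject)' but it is not in LocalMachine\Root."
        "  certutil -addstore Root root.cer     (root.cer is an assumed file name)"
    }
}
```

After adding the missing issuer certificate with certutil, run iisreset (as suggested earlier in the thread) so the server rebuilds the chain it presents, then re-test from a phone with "Verify Certificate" enabled. Subject and Issuer are compared as strings, which is reliable for certificates issued by the same CA software; if a chain link is reported missing even though the CA certificate appears to be installed, compare the two names character by character.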