Solved

Exchange 2007 OWA and ActiveSync Certificate error

Posted on 2010-11-10
998 Views
Last Modified: 2012-06-22
I have been transitioning our environment from 2003 to 2007.  I am at the point where I am trying to get our Droid users to be able to sync with our Exchange 2007.  They were all able to sync with our 2003 exchange FE using the same certificate.  When trying to connect to the 2007 exchange server, they get a error, "The certificate from the server is not validated."  If I uncheck, "Verify Certificate" it will sync.  

When I go to our OWA webpage at:  https://webmail.mydomain.com  I get no certificate error at all using a web browser.  I feel there is something I have over looked and haven't been able to find much from searching the web.  Thanks in advance,
Question by:RHNOC
18 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 34105768
You need to address the bindings in IIS. After that try restarting the services for IIS. Go to the command prompt and type iisreset and press enter.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 34108069
did you export the certificate (with private key) from the 2003 server, import the certificate on the exchange 2007 server, and run the Enable-ExchangeCertificate -Thumbprint <AFADFA11212> -Services IIS
0
 

Author Comment

by:RHNOC
ID: 34112820
I exported it from the 2003 FE and imported it on the 2007 server.  I am not sure what the "Enable-ExchangeCertificate -Thumbprint" is...   I am pretty sure the certificate is set up correctly for at least OWA as I do not get any certificate errors when accessing the OWA both Internally and Externally.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34113755
Does your certificate have Subject Alternative Names (SANs)? This was introduced in OWA 2007. The Droids may not be using the same site name. Your certificate should have all the possible names that might be used. For example you might need webmail, autodiscover, and the FQDN of the server itself as SANs. You can check your cert using this link: http://www.digicert.com/help/.

Remember if you use Outlook Anywhere or Exchange ActiveSync any Cert warnings will stop it working. And you'll get them without the SANs.
0
 

Author Comment

by:RHNOC
ID: 34114042
Here are the results of www.digicert.com.

DNS resolves 'webmail.mydomain.com' to x.x.x.x

HTTP Server Header: Microsoft-IIS/6.0

SSL certificate

Subject = webmail.mydomain.com
Subject Alternative Names = mydomain.com

This certificate does not use a vulnerable Debian key (this is good)

Certificate Name matches webmail.mydomain.com


Does that answer your question about it having SANs?  I am not using autodiscover at this time.  I am not getting any errors on the 2007 server in the event log either.  Our 2003 FE server used to give warnings or errors about OWA and ActiveSync issues to aid in troubleshooting.  I am just not seeing anything to point me in a direction to research.  Thanks again,
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34114300
Have you checked the permissions on the virtual directories in IIS.
0
 

Author Comment

by:RHNOC
ID: 34114560
What should I be looking for?  
0
 
LVL 32

Expert Comment

by:endital1097
ID: 34117077
run the following on the 2007 server and verify the certificate with these subject names is being used by the iis service

Get-ExchangeCertificate | fl
0
 

Author Comment

by:RHNOC
ID: 34122263
Two certificates were listed.  The first one is the one created during the Exchange 2007 install.  The second is the third party one that I imported.  Should the one created by exchange still be listed or could that be the problem?
0
 

Author Comment

by:RHNOC
ID: 34122278
The one created by exchange is listed as being used by:  IMAP, POP and SMTP.  The third party one is listed as being used by IIS.
0
 

Author Comment

by:RHNOC
ID: 34122304
Also listed under "Subject" for the third party certificate the CN = webmail.mydomain.com.  Listed under "CertificateDomains" for the third party certificate the result = {webmail.mydomain.com, mydomain.com}

Thanks
0
 
LVL 32

Expert Comment

by:endital1097
ID: 34122318
when you setup the device you should be using webmail.mydomain.com for the server value

have you tried testing your configuration with https://testexchangeconnectivity.com/
0
 

Author Comment

by:RHNOC
ID: 34122501
Yes I have.  https://testexchangeconnectivity.com/ passes all tests.  On the droid devices they are all configured to use webmail.mydomain.com.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 34123291
Then this sounds like an issue with the droid and its list of trusted cert authorities

They are connecting over the phone network and not using domain wifi?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 34123439
Is Exchange fully updated?
0
 
LVL 7

Accepted Solution

by:Boilermaker85 (earned 500 total points)
ID: 34123468
Who is the cert issued from? Verisign? Entrust? geotrust? or other? Like endital1097 says, this sounds more and more like the droids do not trust the issuer of the cert. When you exported the cert from the old server, did you also export the root or intermediate CA cert that issued the original cert? I'll bet when you installed that original cert in 2003, you installed a root CA or intermediate CA cert also. When you exported, you did not export the chain, but just the server cert. I think you probably should check the old server cert, see who is in the chain, and then get those authorities on your new server.
0
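One way to check for the missing issuer certificate the accepted solution describes, as an added example that is not code from the thread: a script run in the Exchange Management Shell on the 2007 server that finds the certificate enabled for the IIS service, builds its chain, and reports whether each issuing CA certificate is installed in the computer's Intermediate (CA) or Trusted Root (Root) store. Schannel only sends intermediates to clients when they are installed in those stores, so a CA certificate present on the old server but never imported here is exactly what leaves a phone unable to validate the chain. Get-ExchangeCertificate and the certificate stores are real; the report wording is the example's own.

```powershell
# Added diagnostic example (not code from the thread). Run in the Exchange
# Management Shell on the Exchange 2007 server. It locates the certificate
# enabled for the IIS service, builds its chain with the Windows chain engine,
# and checks that every issuing CA certificate is installed in the computer's
# Intermediate Certification Authorities (CA) or Trusted Root (Root) store.

$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for the IIS service; see Enable-ExchangeCertificate." }

# Reload it from the Personal store as a plain X509Certificate2 object.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $iisCert.Thumbprint }
"IIS certificate: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint

# Build the chain. Revocation is skipped because the question here is only
# whether the issuer chain can be assembled, not whether the cert is revoked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain builds to a trusted root: $built"
foreach ($status in $chain.ChainStatus) {
    "  Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Walk the chain: element 0 is the server certificate, the rest are its issuers.
# Windows may have fetched an issuer from the CA's AIA URL, so each issuer is also
# looked up in the local stores: Schannel only sends intermediates to clients
# that are installed in LocalMachine\CA, and a phone cannot validate without them.
$elements = @($chain.ChainElements)
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    "  [{0}] {1}" -f $i, $c.Subject
    if ($i -eq 0) { continue }
    $store = if ($c.Subject -eq $c.Issuer) { "Root" } else { "CA" }
    $installed = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    if ($installed) { "       installed in LocalMachine\$store" }
    else            { "       NOT installed in LocalMachine\$store - import this CA certificate there" }
}

# If the chain does not end at a self-signed root, the next issuer was not found at all.
$top = $elements[$elements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    "Chain stops at '{0}'. Its issuer '{1}' must be obtained from the CA and imported." -f $top.Subject, $top.Issuer
}
```

After importing the missing CA certificate, rerun the script and confirm every issuer shows as installed before retesting from a device with "Verify Certificate" enabled.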
 

Author Comment

by:RHNOC
ID: 34123645
That is exactly it Boilermaker85.  As soon as I read your post I remembered there was a cert from the issuer that I installed from their site as well as the webmail.mydomain.com cert.  When I exported it for the new server I must have missed that part.  I just jumped on their site and installed the root cert on the exchange 2007 server and I could then connect using the droids with the verify certificate option.  

Thanks everyone for all your assistance.    
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34123770
:-D
0
