Solved

Exchange 2007 OWA and ActiveSync Certificate error

Posted on 2010-11-10
Medium Priority
1,022 Views
Last Modified: 2012-06-22
I have been transitioning our environment from 2003 to 2007. I am at the point where I am trying to get our Droid users to be able to sync with our Exchange 2007. They were all able to sync with our 2003 Exchange FE using the same certificate. When trying to connect to the 2007 Exchange server, they get an error, "The certificate from the server is not validated." If I uncheck "Verify Certificate" it will sync.

When I go to our OWA webpage at https://webmail.mydomain.com I get no certificate error at all using a web browser. I feel there is something I have overlooked and haven't been able to find much from searching the web. Thanks in advance,
Question by:RHNOC
18 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 34105768
You need to address the bindings in IIS. After that, try restarting the IIS services: go to the command prompt, type iisreset and press Enter.
 
LVL 32

Expert Comment

by:endital1097
ID: 34108069
Did you export the certificate (with private key) from the 2003 server, import the certificate on the Exchange 2007 server, and run Enable-ExchangeCertificate -Thumbprint <AFADFA11212> -Services IIS?
 

Author Comment

by:RHNOC
ID: 34112820
I exported it from the 2003 FE and imported it on the 2007 server. I am not sure what "Enable-ExchangeCertificate -Thumbprint" is... I am pretty sure the certificate is set up correctly, at least for OWA, as I do not get any certificate errors when accessing OWA both internally and externally.
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34113755
Does your certificate have Subject Alternative Names (SANs)? This was introduced in OWA 2007. The Droids may not be using the same site name. Your certificate should have all the possible names that might be used. For example, you might need webmail, autodiscover, and the FQDN of the server itself as SANs. You can check your cert using this link: http://www.digicert.com/help/.

Remember, if you use Outlook Anywhere or Exchange ActiveSync, any cert warnings will stop it working. And you'll get them without the SANs.
 

Author Comment

by:RHNOC
ID: 34114042
Here are the results from www.digicert.com.

DNS resolves 'webmail.mydomain.com' to x.x.x.x

HTTP Server Header: Microsoft-IIS/6.0

SSL certificate

Subject = webmail.mydomain.com
Subject Alternative Names = mydomain.com

This certificate does not use a vulnerable Debian key (this is good)

Certificate Name matches webmail.mydomain.com


Does that answer your question about it having SANs? I am not using autodiscover at this time. I am not getting any errors on the 2007 server in the event log either. Our 2003 FE server used to give warnings or errors about OWA and ActiveSync issues to aid in troubleshooting. I am just not seeing anything to point me in a direction to research. Thanks again,
 
LVL 15

Expert Comment

by:JBond2010
ID: 34114300
Have you checked the permissions on the virtual directories in IIS?
 

Author Comment

by:RHNOC
ID: 34114560
What should I be looking for?  
 
LVL 32

Expert Comment

by:endital1097
ID: 34117077
Run the following on the 2007 server and verify the certificate with these subject names is being used by the IIS service:

Get-ExchangeCertificate | fl
 

Author Comment

by:RHNOC
ID: 34122263
Two certificates were listed.  The first one is the one created during the Exchange 2007 install.  The second is the third party one that I imported.  Should the one created by exchange still be listed or could that be the problem?
 

Author Comment

by:RHNOC
ID: 34122278
The one created by exchange is listed as being used by:  IMAP, POP and SMTP.  The third party one is listed as being used by IIS.
 

Author Comment

by:RHNOC
ID: 34122304
Also, listed under "Subject" for the third party certificate, the CN = webmail.mydomain.com. Listed under "CertificateDomains" for the third party certificate, the result = {webmail.mydomain.com, mydomain.com}

Thanks
 
LVL 32

Expert Comment

by:endital1097
ID: 34122318
When you set up the device, you should be using webmail.mydomain.com for the server value.

Have you tried testing your configuration with https://testexchangeconnectivity.com/?
 

Author Comment

by:RHNOC
ID: 34122501
Yes, I have. https://testexchangeconnectivity.com/ passes all tests. On the Droid devices they are all configured to use webmail.mydomain.com.
 
LVL 32

Expert Comment

by:endital1097
ID: 34123291
Then this sounds like an issue with the Droid and its list of trusted cert authorities.

They are connecting over the phone network and not using domain Wi-Fi?
 
LVL 15

Expert Comment

by:JBond2010
ID: 34123439
Is Exchange fully updated?
 
LVL 7

Accepted Solution

by:Boilermaker85 (earned 2000 total points)
ID: 34123468
Who is the cert issued from? Verisign? Entrust? GeoTrust? Or other? Like endital1097 says, this sounds more and more like the Droids do not trust the issuer of the cert. When you exported the cert from the old server, did you also export the root or intermediate CA cert that issued the original cert? I'll bet when you installed that original cert on 2003, you installed a root CA or intermediate CA cert also. When you exported, you did not export the chain, but just the server cert. I think you probably should check the old server cert, see who is in the chain, and then get those authorities on your new server.
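The failure mode Boilermaker85 describes, as an added example that is not part of the original thread: a commercial issuer normally signs the server certificate from an intermediate CA, and a client that has only the issuer's root preinstalled cannot validate the leaf unless the server also presents that intermediate. A desktop browser often papers over this by fetching or already holding the intermediate; a phone's ActiveSync client usually does not. The script below builds a throwaway root / intermediate / leaf PKI with openssl for the names used in the thread and verifies the leaf both ways. The CA names, file names, temp directory and the "leaf-only" / "with-chain" labels are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a throwaway
# root -> intermediate -> leaf PKI and shows why a verifier that trusts
# only the root rejects the leaf unless the intermediate is presented
# alongside it. Everything here (CA names, file names, the temp directory)
# is constructed for the demo.
set -eu

# Write a minimal OpenSSL config so the demo does not depend on the
# system openssl.cnf. v3_ca marks a cert as a CA; v3_leaf is the server cert.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:webmail.mydomain.com,DNS:mydomain.com
EOF
}

# Create root.crt, inter.crt and leaf.crt (plus keys) under $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_config "$dir"
    cfg="$dir/openssl.cnf"

    # Self-signed root CA: the trust anchor a client would have preinstalled.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$cfg" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

    # Intermediate CA, signed by the root. Commercial issuers almost always
    # sign server certs from an intermediate like this, not from the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cfg" -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -sha256 -extfile "$cfg" -extensions v3_ca \
        -out "$dir/inter.crt" 2>/dev/null

    # Server (leaf) cert for webmail.mydomain.com, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$cfg" -subj "/CN=webmail.mydomain.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -set_serial 3 -days 2 -sha256 -extfile "$cfg" -extensions v3_leaf \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Verify the leaf the way a client that trusts only the root would.
#   $2 = leaf-only  : server presents just the leaf (what an export that
#                     skipped the chain gives you)
#   $2 = with-chain : server also presents the intermediate
# Prints "ok" or "incomplete".
check_chain() {
    dir="$1"
    if [ "$2" = "with-chain" ]; then
        openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/inter.crt" \
            "$dir/leaf.crt" >/dev/null 2>&1 && echo ok || echo incomplete
    else
        openssl verify -CAfile "$dir/root.crt" \
            "$dir/leaf.crt" >/dev/null 2>&1 && echo ok || echo incomplete
    fi
}

# Print subject/issuer for each cert, the same fields you would read off a
# live server with: openssl s_client -showcerts -connect webmail.mydomain.com:443
print_issuers() {
    for c in leaf inter root; do
        openssl x509 -in "$1/$c.crt" -noout -subject -issuer
    done
}

workdir="$(mktemp -d)"
make_pki "$workdir"
print_issuers "$workdir"
echo "leaf only:  $(check_chain "$workdir" leaf-only)"   # incomplete
echo "with chain: $(check_chain "$workdir" with-chain)"  # ok
rm -rf "$workdir"
```

Against the real server, `openssl s_client -showcerts -connect webmail.mydomain.com:443` shows exactly which certificates IIS sends; if only the webmail.mydomain.com leaf appears, the issuing CA certificate is missing from the server's certificate stores. On Windows, Schannel builds the chain it presents from the local Intermediate Certification Authorities and Trusted Root stores, which is why installing the issuer's CA certificate on the Exchange 2007 server, as the author does below, makes the phones validate without turning off certificate verification.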
 

Author Comment

by:RHNOC
ID: 34123645
That is exactly it, Boilermaker85. As soon as I read your post I remembered there was a cert from the issuer that I installed from their site as well as the webmail.mydomain.com cert. When I exported it for the new server I must have missed that part. I just jumped on their site and installed the root cert on the Exchange 2007 server and I could then connect using the Droids with the verify certificate option.

Thanks everyone for all your assistance.
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34123770
:-D