Charles L (United States) asked:
OWA and Smartphone email not working after loading SSL certs

Let me start by saying we have an internal Exchange 2007 server, IIS 7, and we have windows mobile and android phones.

A week ago our Network Solutions SSL cert expired for our https://webmail.domain.com site on the server. That is the URL the Windows phones use. The Android phones were connecting to the IP and were not affected. I went and generated a CSR in the Exchange console, and sent it to Network Solutions. They then sent our cert, root, and intermediate certs back. I went into IIS, under certificates, and loaded the cert. I then bound the cert per their instructions, and loaded the root and intermediate certs through the MMC. I then restarted the default site. Everything went through without an error. I then went to the URL in my browser, and I got no certificate errors, and the SSL cert showed the new dates. However, none of the phones sync email now, and when I add /exchange onto the URL above, I get a 404 error, which worked with the prior cert. I would appreciate any help! Thank you.
Pete Long (United Kingdom):
The root cert of the issuer (Network Solutions) needs to be in the trusted CA store on the mobile devices? Has the root certificate expired on the mobiles?
Charles L (asker):
The phone (Android anyway) downloads the SSL cert as part of the config process, which I went through again, and it said successful, but it still will not sync. However, when I browse to https://webmail.domain.com/exchange, this gives a 404 error, which was not the case before; you could actually get the OWA login. I do however get the IIS splash page when I just go to https://webmail.domain.com without /exchange.
If you're getting a 404 then the site is not running, I would guess.
The site is started, or the start is grayed out and stop and refresh (which I have tried) are the only available options. Is there somewhere else I should check?
aqtech:
Open a web browser on your smartphone and then go to the webmail. It will prompt for the certificate; install the certificate from there, then close the browser and then try to log on.
Ok, I went to the https://webmail.domain.com and it loaded without any prompt.
It does show a locked padlock as well
1st place to start IMHO is https://testexchangeconnectivity.com - run the Exchange Activesync Test, specify manual server settings and post the results please.

Alan
Ok, here are the results:

ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name webmail.xxxx.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: xx.xx.xx.xxx

Testing TCP port 443 on host webmail.XXXX.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name webmail.xxxx.com was found in the Certificate Subject Common name.

Validating certificate trust for Windows Mobile devices.
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE.

Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 The certificate is valid. NotBefore = 12/22/2010 12:00:00 AM, NotAfter = 12/29/2011 11:59:59 PM
Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates isn't configured.

Testing HTTP Authentication Methods for URL https://webmail.XXXX.com/Microsoft-Server-Activesync/.
 The HTTP authentication test failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.
Check your IIS permissions - you have Anonymous Enabled on the Microsoft-Server-Activesync virtual Directory and it should be Basic Only.
The OWA virtual directory should also just be Basic Authentication - so please check this and then run IISRESET and test again.
I agree with alanhardisty about checking the IIS permissions.
Keep in mind that for Exchange 2007 a Unified Certificate is required due to the autodiscover feature. Did you obtain a standard cert or a unified cert?
We obtained the same cert we used last year, and it was working, so I assume it is correct. I will check the permissions and then do an IISRESET. Could loading this updated certificate have caused all of this? Everything worked fine up until the cert expired (of course) and the new cert was loaded. The expiration caused the Windows Mobile phone to stop, and the loading of the new cert caused the BB and Android phones to go down, as well as the webmail access to return the 404 error. Other than loading the new cert, nothing else changed. Nonetheless, thank you all so much for your help so far, and I will report back.
The test results say the new cert is fine but the Authentication is not, so I guess it got changed automatically somehow.

Check the IIS authentication, run IISRESET and test again.
Still same result: 404 error on url and this error on android anyway (TouchDown app):

Checking Certificate...
Checking ActiveSync with SSL...
Server is Microsoft-IIS/7.0
ActiveSync version check returned negative, but still trying for 12.1

Checking 2007 with SSL...
Error renewing subscription: Refresh folder list and try again.Checking 2003 with SSL...

I did try to refresh the folder list in the settings without any luck.

As you posted, I went to Microsoft-Active-Sync and OWA under IIS Manager, clicked authentication, and only basic was enabled. I went ahead and did a reset anyway.

The instructions that Network Solutions had me use for the cert import and bindings dealt with the Default Site. Here is what I used:

http://www.networksolutions.com/support/installation-of-an-ssl-on-certificate-microsoft-iis-7-x/

As you can tell, I don't do many of these, so I appreciate your patience and continued help.
Personally, I would use the following for installing certificates:

import-exchangecertificate -path x:\path_to_certificate_file.cer

enable-exchangecertificate -thumbprint Random_String_Of_Numbers_And_Letters -Services POP,IIS,SMTP,IMAP
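As an added illustration (this is not one of the thread's posts, nor Network Solutions' instructions), the following PowerShell script, run in the Exchange 2007 Management Shell on the CAS server, pulls together the checks the thread walks through: which certificate Exchange has enabled for IIS and whether its dates and names are right, how the ActiveSync and OWA virtual directories are configured for authentication (the item the ExRCA test flagged), what certificate HTTP.SYS actually serves on port 443 after the manual IIS binding, and an anonymous OPTIONS request to /Microsoft-Server-ActiveSync/ that mimics the ExRCA step. The host name webmail.domain.com is taken from the question; the certificate path and the thumbprint placeholder are assumptions to replace with your own values. A healthy result for the last step is a 401 whose WWW-Authenticate header offers only Basic.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell
# on the Client Access server. Host name from the question; adjust as needed.
$hostName = 'webmail.domain.com'   # assumption: the name the phones and OWA use

# 1. Certificate Exchange has enabled for IIS: thumbprint, validity window and names.
#    The phones only trust it if the name they connect to is in CertificateDomains
#    and today's date falls between NotBefore and NotAfter.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Services, NotBefore, NotAfter, CertificateDomains

# 2. Authentication on the virtual directories the ExRCA test complained about.
#    ActiveSync should have Basic enabled and nothing else; OWA should offer Basic
#    or Forms, never Anonymous.
Get-ActiveSyncVirtualDirectory |
    Format-List Server, Name, BasicAuthEnabled, WindowsAuthEnabled, ExternalUrl

Get-OwaVirtualDirectory |
    Format-List Server, Name, BasicAuthentication, WindowsAuthentication,
                FormsAuthentication, ExternalUrl

# 3. Certificate actually bound to 0.0.0.0:443 in HTTP.SYS (this is what a manual
#    IIS binding changes). The "Certificate Hash" printed here should equal the
#    thumbprint from step 1; if it does not, the manual binding and Exchange disagree.
netsh http show sslcert

# 4. Reproduce the ExRCA "Initial Anonymous HTTPS request" for ActiveSync.
#    An anonymous OPTIONS request must be rejected with 401 and a Basic challenge.
function Test-AnonymousActiveSync {
    param([string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'OPTIONS'
    $req.Credentials = $null            # explicitly anonymous, like the ExRCA probe
    try {
        $resp = $req.GetResponse()
        # Reaching here means the server answered without demanding credentials,
        # which is the Anonymous-enabled misconfiguration the thread discusses.
        "UNEXPECTED: $([int]$resp.StatusCode) $($resp.StatusDescription); anonymous access accepted"
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            "Connection failed: $($_.Exception.Message)"
            return
        }
        $code      = [int]$resp.StatusCode
        $challenge = $resp.Headers['WWW-Authenticate']
        # Expected healthy answer: 401 with WWW-Authenticate: Basic realm="..."
        "$code $($resp.StatusDescription); WWW-Authenticate: $challenge"
        $resp.Close()
    }
}

Test-AnonymousActiveSync "https://$hostName/Microsoft-Server-ActiveSync/"

# 5. The Exchange way to put a new certificate into service, as suggested above.
#    Uncomment after replacing the path and the thumbprint placeholder with the
#    value printed in step 1 for the newly imported certificate.
# Import-ExchangeCertificate -Path 'C:\certs\webmail.cer'       # assumption: file path
# Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services IIS,SMTP,POP,IMAP
```

Step 4 returning a 404 rather than a 401 points at the same problem the asker saw in the browser: the request is reaching a site that does not host the Exchange virtual directories, so the fix is in the site bindings (step 3), not in the certificate.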
I tried that first and got an error through the shell. I saw their instructions and used them. Now that I have done it this way....would doing it through the Exchange shell fix what is now broken?

I did change those permissions you mentioned on the default site just to see, and the webmail url actually asked for a user/pass as before, but instead of the owa login coming up after putting in credentials another 404 page. I really am at a loss and the users are not getting any less impatient. I will try shell if that would help. There was a service error when I tried it the first time.
ASKER CERTIFIED SOLUTION
Alan Hardisty (United Kingdom):
Ok, I'll try to do that. Where would I confirm that ActiveSync itself is in fact running and configured properly? Btw, Happy New Year.
Happy New Year to you too.

https://testexchangeconnectivity.com is the best place for testing all methods of Exchange connectivity.

There are different tests for Activesync / Outlook Anywhere / Incoming & Outgoing mail-flow etc.
I went back and undid the bindings alanhardisty, so you got me on the right track. Backtracking seemed to help. Reversing the binding on the default website worked....all is well!! Sorry about the long delay. This has been a heck of a week.
No problems about the timing - I'm just glad you have the problem resolved.

Thanks for the points.

Alan