Solved

How to get certsrv to work after removing a certificate on SBS 2003?

Posted on 2011-02-20
Last Modified: 2012-05-11
http://server/certsrv works just fine with the current certificate.  When I remove the certificate to create a new one and get to the part where you are supposed to have the Pending Request accepted by our Certificate Authority using http://server/certsrv, it says the page cannot be found.  The current certificate gets a name mismatch error; OWA works just fine but still gets the error.

SBS 2003 SP2

There are two websites in IIS, Default Web Site and MyCompanyWeb, both use the same certificate, I don't know if that is the problem or not.  I have been working off of the Default Web Site.

When I import the old certificate back in then certsrv starts working again.

the old one has: server_name.domain_name.com
it should be:    mail.domain_name.com

I have been working on this for 3 days and it is driving me nuts, I have tried all sorts of things I have found on the internet and here to no avail, I hope someone can save me from the madness.

Thanks,
Itzyval

Question by: itzyval

Expert Comment by: jrwarren (LVL 7)

Are you using the wizards to remove the cert and create a new one?

I would suggest re-running the Wizards starting from: Connect to the Internet Wizard and going down.   If you want a new certificate tell it to generate a new request and submit that request, or generate a new self-signed then apply it.   Typically the wizards will clear up the permissions and cert responsiveness for you.

If that does not work, let us know, as you may have to do some resetting/custom config work to get back to default.

Are there any web sites hosted on your SBS server that require custom certificates and/or permissions?

Expert Comment by: jrwarren (LVL 7)

After a second read, I noticed...

the old one has: server_name.domain_name.com
it should be: mail.domain_name.com

Make sure when you run the wizards to distinguish between internal name (local/server) and domain name.  That is a bit tricky for some.

You need the cert to respond to the DNS name, not the domain name.
The server can be named server_name.domain.local, but you want your cert to respond to mail.domain.com.   Please be sure to take the time to distinguish between those... They are only a screen or two apart in the wizards, and can lead to some misinterpretation if not read clearly.

Expert Comment by: Alan Hardisty (LVL 76)

You are using SBS - you should be using the wizards to make any changes to certificates and as mentioned, the wizard you should be using is the Connect To The Internet Wizard in Start> Server Management> To Do List.

When you run the wizard, change nothing until you get to the certificate part and then choose create a new certificate, put in a name like mail.domain.com which resolves in DNS back to your server in external DNS, then complete the wizard.

If you use server.domain.com, that's fine if you have an A record in DNS externally that points to the IP address of your server.

If you don't use a name that resolves properly, Activesync, RPC over HTTPS and OWA will complain or simply not work.

Author Comment by: itzyval

I was right-clicking on the website in IIS and using the security tab.  I was not using the Connect To The Internet Wizard.  I will have to try that, sounds promising.

DNS points to server.domain.com.  I guess I should add a DNS record for mail.domain.com, or will running the Connect To The Internet Wizard automatically add one?  We have a hosting company that hosts our website and they probably hold the external DNS.

Huge ice storm has everything down, no electricity, so I can't try anything right now.

Activesync and OWA are working with server.domain.com but I can't get RPC over HTTPS to work because of the name mismatch in the certificate.

Sorry new to all this Certificate stuff.  I understand it just haven't done it.  Thanks for the help.

Expert Comment by: Alan Hardisty (LVL 76)

Run the wizard - it will sort out your certificate issue, but with a self-issued certificate, you will need to export the certificate and import it via IIS to get RPC over HTTPS to work.

If you bought a cert, you don't need to install it on the client.

Author Comment by: itzyval

I am stuck again, I can't export it as a pfx file, and it won't let me import a cer file because we are using SSL.

Expert Comment by: jrwarren (LVL 7)

You are trying to import to the server to assign it the Certificate or import it to the client?

Author Comment by: itzyval

I am trying to import into IIS on the default website.

Author Comment by: itzyval

alanhardisty stated that with a self-issued certificate, you will need to export the certificate and import it via IIS to get RPC over HTTPS to work.

I exported the certificate that the Connect to the Internet Wizard created.  But on the default website in IIS I can't import it because it is not a pfx file.

The name of the Certificate Authority is mail.theworkroom.com

People are using OWA by going to mail.theworkroom.com/exchange

I am trying to setup RPC over HTTPS using mail.theworkroom.com

The original certificate has a name mismatch error that shows up in OWA because the certificate says workdc01.theworkroom.com

Active Sync works and so does OWA, I just need to get RPC over HTTPS working.

Everything runs on one server running SBS 2003 with SP2.

I hope someone helps me figure this out because it is so frustrating.  I just started working on their server and it seems so messed up as far as naming stuff.  Should the Certificate Authority be named the same as the FQDN?

Thanks, ItzyVal

Expert Comment by: Alan Hardisty (LVL 76)

To install the certificate, you need to export it first via IIS Manager on the server.

Open up IIS Manager, expand Web Sites, then right-click on your Default Web Site and choose Properties, then click on the Directory Security Tab, then the View Certificate button, then on the Details Tab of the Certificate window.

On the Details Tab, click on Copy To File, click Next, Next, Next, Choose the name and location for the certificate file (Desktop should be easy to find and certificate.cer for the name) then click Next and then Finish.

Copy the certificate.cer file to the computer on a USB stick and then do the following:

Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab.  Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK.  Click Next and then Finish.  Click OK on the next prompt.

Author Comment by: itzyval

Thank you alanhardisty, I think I am getting closer, tried to setup my machine and now this is the error I am getting:  The name cannot be matched to a name in the address list.

I logged into OWA and clicked the To field and typed in my first name and it found me.  But when I look at the Global Address List in Exchange System Manager there are no names showing up.

Author Comment by: itzyval

Ok I totally screwed it all up and had to rebuild the virtual directories, so now I am back to where I started and here I thought I was getting somewhere.

Everything is under the Default Web Site in IIS: Exchange, ActiveSync, OWA.  Since I am trying to get RPC to work, should I make a separate website just for that and create a certificate just for that?  Will the wizard let me?

I am pulling my hair out..................AAAAAAAAAAAAAAAAAAA

Author Comment by: itzyval

OK here is some information, this is from Exchange Remote Connectivity Analyzer

With the original certificate it says:
Hostname doesn't match any name on the server certificate

With the new certificate generated by the wizard it says:
The Certificate Chain didn't end in a trusted root.

With the new certificate OWA says it can't trust the certificate because it is self signed, but the original one let me right in.

Author Comment by: itzyval

New information in IE I could get past the certificate issue and OWA is working.

It's just Firefox that wouldn't let me get around the self signed certificate issue, it wouldn't even let me add an exception because it said it was a valid website.....strange.
 

Author Comment by: itzyval

So my question is, is there some way to fix the certificate so that The Certificate Chain ends in a trusted root?

Please come back alanhardisty you are my only hope!

Accepted Solution by: Alan Hardisty (LVL 76), earned 500 total points

Sorry - I'm currently on holiday so responses will be a little slow!

Right - don't mess with the IIS virtual Directories - leave the RPC directory where it is and don't add a new website - it is not necessary.

You need to re-run the Connect To The Internet Wizard and change nothing apart from the Certificate, where you should make a certificate called mail.theworkroom.com not workdc01.theworkroom.com (that won't work as the name does not resolve in DNS unless you have created a DNS record called workdc01 pointing to your SBS server's external IP Address).

Once you have a correctly named SSL certificate, export it, then import it into IE on each client and you will be able to get RPC over HTTPS working without any certificate errors, as long as the IIS settings on the RPC virtual Directory are correct, which running the Connect To The Internet Wizard should make sure are correct.

Author Comment by: itzyval

Everything in DNS is pointing to workdc01.  The outside DNS is pointing to mail.theworkroom.com.  I finally got all the certificates to match mail.theworkroom.com, and OWA and ActiveSync are working.

Just can't get Outlook 2007 on Windows 7 64-bit to work with RPC over HTTPS.

Should I change DNS to point to mail.theworkroom.com?  If so, where in DNS should I change it?

I think I may just get a certificate from GoDaddy.  I didn't set the server up and I think all the name conflicts in the certificate are caused because he named just about everything the same.

Expert Comment by: Alan Hardisty (LVL 76)

If your certificate is named mail.theworkroom.com then you MUST use mail.theworkroom.com in Outlook in the Proxy Settings and as the certificate is self-signed, you need to export the cert on the server and install it via IE on the client.

Or - as you have suggested, buy a Single Name Certificate from GoDaddy using mail.theworkroom.com as the certificate name then you won't have to export and install the certificate onto the clients.

You will need to create an A record called MAIL in your External DNS records (via your Domain Hosts Control Panel) and it needs to point to the same IP Address as workdc01.

Until the DNS record is created, RPC over HTTPS won't work.

Author Comment by: itzyval

When I go to www.DNSSTUFF.com and have it look up domain theworkroom.com, it finds it, but for mail.theworkroom.com it doesn't find anything, but if I type in our external address it returns mail.theworkroom.com.

I will call the hosting company.

Expert Comment by: Alan Hardisty (LVL 76)

I can't resolve mail.theworkroom.com either but I can workdc01.theworkroom.com - whoever set up your server / DNS didn't do the standard thing!!

Make sure you add the A record and it should all start falling into place.

Author Comment by: itzyval

I am on the phone with them and they said they already have a MAIL record under CNAMEs and cannot add another one.  Mail under CNAMEs is pointing at mail@homestead.com, which is the hosting company.

Expert Comment by: Alan Hardisty (LVL 76)

Well - at the moment both mail. and workdc01. resolve to the same IP of 208.xx.xxx.29 - is that the fixed IP Address of your server?

Author Comment by: itzyval

Actually I just used that as a fake name because I didn't want to give out specific information.

I logged into the hosting company, finally got the login from our web developer and found out that the domain I need to change DNS settings on is a pointed domain and not a transferred domain.  Plus now the old domain name is suspended for some unknown reason.

I will have to track down what is going on tomorrow because the other hosting company is closed.

Thanks so much for your help, you really have been a blessing.  I will update you tomorrow.

Expert Comment by: Alan Hardisty (LVL 76)

No problems - if you want to post the proper name - you can and I will hide it, or drop me an email (see my profile for details).

Author Comment by: itzyval

Alan, I sent you an email to your company address with all the information.  Thanks so much for your help.

Expert Comment by: Alan Hardisty (LVL 76)

Okay - thanks for your email.  So - your certificate is a self-issued certificate and looks fine as mail.domain.com

Have you exported the cert and imported it into your clients' PCs?

Alan

FYI - flying home from holiday tomorrow morning so won't be about much to respond after about 2 more hours until about this time tomorrow.

Author Comment by: itzyval

Yep I imported it onto my machine here since I work from home and do all my support remotely.  The certificate is in trusted root on my machine.

When I try to open Outlook I get "The Security Certificate is not from a trusted certifying authority.  Error code 8".

Author Comment by: itzyval

Ok I finally got all the login information for all the hosting companies.  And there is an A record named mail pointing to our external IP address.

Expert Comment by: Alan Hardisty (LVL 76)

Sounds like you haven't installed the certificate correctly.

What flavour of Windows are you running and where did you install the certificate?

Author Comment by: itzyval

Windows 7 Enterprise using Outlook 2007.  I tried installing the certificate through IE, and I tried double clicking on it.

Expert Comment by: Alan Hardisty (LVL 76)

Did you install it to the Registry as I recommended in comment http:#a34956368 ?

Author Comment by: itzyval

I just removed all the certificates everywhere and tried it again.  Got the same error.

Author Comment by: itzyval

Going to remove it again and then reboot and then install it again.

Expert Comment by: Alan Hardisty (LVL 76)

Okay - if you open up IE and click on Tools, Internet Options, Content Tab, Certificates Button - which tab do you see your certificate installed under?  Trusted Root Certificate Authorities or somewhere else?

Author Comment by: itzyval

Yep it is under Trusted Root Certificate Authorities.

Expert Comment by: Alan Hardisty (LVL 76)

Okay - so assuming your certificate is installed correctly - what settings are you using in Outlook for the Proxy settings?

mail.domain.com and msstd:mail.domain.com ?

Author Comment by: itzyval

just mail.domain.com

Expert Comment by: Alan Hardisty (LVL 76)

Can you add msstd:mail.domain.com into the "Only connect to proxy servers that have this principal name in their certificate" box and try connecting again.

If that fails - please visit https://mail.domain.com/rpc/rpcproxy.dll and enter your credentials and advise the error code you see once logged in.
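The three things this thread keeps coming back to (does the name Outlook uses match the certificate, does the chain end in a trusted root, and is the root the server actually presents the same one sitting in the client's Trusted Root store) can be checked from the Windows client in one go. This is an added example, not something posted in the thread; mail.domain.com is the placeholder name used above and the Test-RpcCert.ps1 file name is assumed.

```powershell
# Added example: inspect the certificate an RPC over HTTPS endpoint presents and
# judge it the way Outlook / IE will.  Run on the client PC, for instance:
#   .\Test-RpcCert.ps1 -HostName mail.domain.com
# (mail.domain.com is a placeholder; use the name from Outlook's proxy settings.)
param(
    [string]$HostName = "mail.domain.com",
    [int]$Port = 443
)

# 1. Fetch the server certificate.  The callback accepts everything so the
#    handshake completes even when the cert is bad; we judge it ourselves below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
$tls.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$tls.Close()
$client.Close()

# 2. Name check: the proxy host name must equal the subject DNS name or one of the
#    SAN DNS names (a wildcard name such as *.domain.com is matched with -like).
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$names = @($dnsName)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
if ($san) {
    $names += @($san.Format($false) -split ", " |
        Where-Object { $_ -like "DNS Name=*" } |
        ForEach-Object { ($_ -split "=", 2)[1] })
}
$nameOk = @($names | Where-Object { $HostName -like $_ }).Count -gt 0

# 3. Trust check: build the chain against the stores the current user can see.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

# 4. Is the root the server actually presents the one installed on this PC?
#    A stale copy from an earlier wizard run would sit in the store yet not match.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inUser    = @(Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0
$inMachine = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

"Host tested               : $HostName"
"Names on certificate      : $($names -join ', ')"
"Name matches              : $nameOk"
"Chain ends in trusted root: $chainOk $(if (-not $chainOk) { "($reasons)" })"
"Presented root thumbprint : $($root.Thumbprint)"
"  in CurrentUser\Root     : $inUser"
"  in LocalMachine\Root    : $inMachine"
"Outlook principal name    : msstd:$dnsName"
if (-not ($nameOk -and $chainOk)) { exit 1 }
```

A self-signed wizard certificate that was exported and installed correctly shows the same thumbprint in the store as the one presented; a mismatch means the client holds an older copy and the current one needs exporting again.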

Author Comment by: itzyval

I tried the principal name and still got the same error message.  Went to the link you listed and got a blank page; in the upper right it says certificate error, and when I click on the error I get the same message as Outlook: "The Security Certificate is not from a trusted certifying authority."

Expert Comment by: Alan Hardisty (LVL 76)

Very odd.  Do you want to email me some test credentials so that I can setup an account on my laptop here to see if all is well?

I need to go to sign off soon and am travelling back home in the morning (8 hours time), so bed is very attractive right now!

Author Comment by: itzyval

On the error when I click on the Certificate Path tab it says:  This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store but it is.

Expert Comment by: Alan Hardisty (LVL 76)

Try running IE as Administrator then installing the certificate again (right-click the IE icon and choose Run as Administrator).

Author Comment by: itzyval

Tried it, didn't work, got same thing.

Author Comment by: itzyval

Just emailed the certificate and login and password to your work address.

Author Comment by: itzyval

I have Norton Security Suite, I disabled the whole thing, uninstalled Firefox, removed the certificate, rebooted, ran updates which installed the latest service pack for Windows 7 64-bit.  Reinstalled the certificate and still I am getting the same error both in Outlook and in IE with the rpc link you gave me.

Author Comment by: itzyval

I know you are sleeping but I am going to keep you updated on the things I have tried.  I clicked on the certificate error in the browser and installed it the same way you gave me.  Now I am getting a different error:  The name cannot be matched to a name in the address list.  I was getting this one before.  There are a lot of people out there struggling with the same thing I am.  They say everything works fine in Outlook 2003 but 2007 messes everything up.

I downloaded the rpcping tool and when I ran it I got a 401 error, don't know if that has anything to do with anything.  The other pings worked out.  Here is a link to the tool so you know what I am talking about http://support.microsoft.com/kb/831051

I can't wait to see what you find out when you try it on your side.  Thanks for helping me on your holiday you are the best.

Author Comment by: itzyval

omg I got it, you know where the name field is by the Check Name button, well just for kicks I put in my full name and by god it found my account.  So you are supposed to put in the full name, then when it prompts you to login you login with DOMAIN\username.  So strange, I can't believe it.  I finally got it after like forever and such a simple thing.  Let's see now if I can set up the executive laptop to work, wish me luck.  Hope you enjoyed your holiday Alan.

Author Closing Comment by: itzyval

If you get "The name cannot be matched to a name in the address list": first, check that the name does appear in the Default Global Address List.  Second, where it asks for the name in the Exchange Settings box next to the Check Name button, make sure you put in their full name, not just their user name.

Expert Comment by: Alan Hardisty (LVL 76)

Excellent news - just got up and checking my emails.

Well done and thanks for the points.

Alan