Solved

Purchased UCC Certificate from DigiCert for SBS 2003 server. Have upcoming SBS 2008 server migration to complete

Posted on 2011-02-25
34
1,155 Views
Last Modified: 2012-05-11
I purchased a UCC Certificate for my server because the other one was expiring and the new server in the next 3-6 months will be SBS 2008 or 2011.

I can't seem to get IIS working with mobile phones, i.e. BlackBerry devices can't use the cell phone manufacturer site like http://sprint.blackberry.com to set up an OWA connection to the Exchange server for mail send/receive. I also can't seem to get ActiveSync to work with the UCC certificate either.

The first name in the Certificate is mail.companyname.org.

I would think that it would be the primary name the certificate would be using.

IIS was letting us get to the OWA page just fine from mail.companyname.org/exchange
I even attempted to get the site working by performing the redirection from the default website to /Exchange instead of c:\inetsrv\wwwroot

That didn't seem to work.


Does SBS 2003 or more specifically Exchange 2003 not work with UCC Certificates?
Question by:PatrickDoman
34 Comments
 
LVL 11

Expert Comment

by:MichaelVH
ID: 34987152
Hi there,

As far as I remember, Exchange 2003 does not support SAN certificates.

Grts,

Michael
0
 
LVL 49

Accepted Solution

by:
Akhater earned 250 total points
ID: 34988291
Exchange 2003 does support SAN certificates, I use it all the time.
0
 
LVL 4

Assisted Solution

by:Llacy80
Llacy80 earned 250 total points
ID: 34988490
Yes Akhater is right, Exchange 2k3 does indeed support SAN certs.

Please tell me the process you went through to request this cert and install it?

I was not able to gather from your original post whether or not you are actually able to access OWA externally with the new cert in place?
0
 

Author Comment

by:PatrickDoman
ID: 34988713
Yesterday I worked with Microsoft support from 7PM to 4AM.
We went through and tried recreating the IIS site for Exchange in its entirety.

As you know SBS 2003 doesn't have a wizard for the UCC certificate like the newer versions of Exchange.
The option I chose to secure was mail.companyname.org

In the DigiCert UCC certificate, I gave the cert the following names:
- mail.companyname.org
- company-server.domain.local
- company-server
- autodiscover.companyname.org


I think autodiscover may be 2nd in the list on the cert itself. Not sure if that matters.


Went into IIS, deleted Exchange, Exchweb, Microsoft-Server-Activesync, OMA and public. Then recreated them. Followed KB883380

Ran cscript adsutil.vbs deleteds2mb
Restarted Exchange System Admin
Restarted IIS Admin Svc

Set the site back up

Ran connectivity test when we were back up and running from https://testexchangeconnectivity.com

We saw that Massync.dll was a older version and applied 2 hotfixes to get it to a newer version.


From computers, Windows XP and Windows 7 and Windows Vista, https://mail.companyname.org or https://mail.companyname.org/exchange works depending on whether or not I am redirecting the site in IIS.

Those come up fine, they are using the digicert UCC certificate, it shows it is active and healthy certificate.

But mobile phones try to connect and no matter what we do we can't get it to talk.

iPhone, BlackBerry from Sprint, BlackBerry from Verizon no go. We do have 2 phones that have never stopped working. One was brand new the other day and it couldn't attach until I renewed the certificate. The other, an iPhone, has been fine for weeks. Works straight through all of this. I have tried configuring my phone to connect and I have had nothing but issues.

We keep getting an error code now or Event ID: 3031 Source: ServerActiveSync

Event Type:      Error
Event Source:      Server ActiveSync
Event Category:      None
Event ID:      3031
Date:            2/26/2011
Time:            1:28:55 PM
User:            Domain\User
Computer:      Company-Server
Description:
The mailbox server [company-server.domain.local] does not allow "Negotiate" authentication to its [/exchange-oma] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).   For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383).   This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
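The question running through the thread is whether the client can match the UCC certificate at all, and the poster wonders whether the order of names on the certificate matters. The following is an added example (not code from the original post or from DigiCert/Microsoft) that applies the hostname-matching rules clients use for SAN certificates (RFC 2818 / RFC 6125): dNSName entries are compared case-insensitively as a set, so their order is irrelevant; a wildcard must be the whole left-most label and covers exactly one label; and the Common Name is only consulted when the certificate carries no SAN at all. The SAN list is constructed to mirror the names the poster lists; the hostnames tried are assumptions.

```python
"""Which hostnames does a SAN/UCC certificate cover? (added example)

Matching rules follow RFC 6125 section 6.4 as browsers and ActiveSync
clients apply them. The certificate contents below are constructed to
mirror the thread, not read from a real certificate.
"""
from typing import Iterable, List, Optional

# Constructed dNSName SAN entries, in the order the poster reported them.
UCC_SAN = [
    "mail.companyname.org",
    "autodiscover.companyname.org",
    "company-server.domain.local",
    "company-server",
]


def name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one dNSName entry covers hostname (case-insensitive)."""
    pat = san_entry.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False                 # a wildcard covers exactly one label, never more
    if "*" in pat[1:]:
        return False                 # wildcard allowed only in the left-most label
    if pat[0] == "*" and len(pat) < 3:
        return False                 # refuse public-suffix style wildcards such as *.org
    return all(p == "*" or p == h for p, h in zip(pat, host))


def cert_covers(hostname: str, san: Iterable[str],
                common_name: Optional[str] = None) -> bool:
    """SAN entries are a set: any match wins and order is irrelevant.
    The CN is a fallback used only when the certificate has no SAN."""
    san = list(san)
    if san:
        return any(name_matches(entry, hostname) for entry in san)
    return common_name is not None and name_matches(common_name, hostname)


def uncovered_names(hostnames: Iterable[str], san: Iterable[str],
                    common_name: Optional[str] = None) -> List[str]:
    """Names a client would refuse with a name-mismatch error."""
    san = list(san)
    return [h for h in hostnames if not cert_covers(h, san, common_name)]


if __name__ == "__main__":
    # Assumed client-facing names; owa.companyname.org is deliberately absent from the cert.
    for h in ["mail.companyname.org", "MAIL.CompanyName.ORG",
              "autodiscover.companyname.org", "company-server.domain.local",
              "owa.companyname.org"]:
        print(f"{h:32} {'covered' if cert_covers(h, UCC_SAN) else 'NOT covered'}")
```

Run it against the names your clients actually type into the server field; a name that comes back "NOT covered" produces the certificate warning the poster later sees when browsing https://servername/exchange-oma, because the short NetBIOS name is on the certificate only if it was added as a SAN entry.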
 
LVL 4

Expert Comment

by:Llacy80
ID: 34988851
Ok. What do you have your authentication and access control settings and secure communications settings set to? (Under Directory Security) on both the Exchange and ActiveSync virtual directories in IIS?

Are you running ISA (firewall)
0
 

Author Comment

by:PatrickDoman
ID: 34988868
No ISA, have Cisco FW.

Exchange -  Basic only, Default Domain is \
Microsoft-Exchange-ActiveSync -   Basic    Default Domain is "companydomainname"

0
 

Author Comment

by:PatrickDoman
ID: 34988885
I noticed on the OMA directory I do not have an ASP.NET tab. One of the articles I saw said to change or make sure that I am running that VDir under ASP 1.1. Did this get deleted when ASP.NET 4.0 was installed?
0
 

Author Comment

by:PatrickDoman
ID: 34988936
I see articles out there that talk about re-registering the IIS version that I want. I tried re-registering IIS 1.1 but that didn't work.
Not sure if that has anything to do with this issue. Perhaps the tab came about when ASP.NET 2.0 came out. I'll try re-registering that.


0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34988957
What about the Secure communication settings for both of those virtual directories? What are those set to?

On my OMA virtual directory (SBS 2k3) I do have an ASP.NET tab, so I am not sure why you would not, but I suppose when Microsoft had you try those different tasks it could have caused some issues with some of your virtual directories? Not sure on that one.

0
 

Author Comment

by:PatrickDoman
ID: 34988961
On the Exchange VDir, the Secure Comms settings are Checked "Require SSL" and Require 128bit

On Microsoft-Exchange-ActiveSync they are both unchecked.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34989046
Mmhhh... So what error do you get when trying to set up the connection on, say, an iPhone? Does it allow you to set up the connection but then won't sync up?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34989294
The error you are having is because you have forced SSL or forms-based authentication on your /exchange directory. It is a well known issue:

http://support.microsoft.com/kb/817379
0
 

Author Comment

by:PatrickDoman
ID: 34989386


This isn't a front end back end setup. This is a single server SBS 2003 box. I've been through this article 20 times since 2PM yesterday.

0
 

Author Comment

by:PatrickDoman
ID: 34989390
The microsoft engineers and I ran through KB215383 and KB817379

0
 
LVL 49

Expert Comment

by:Akhater
ID: 34989401
this issue does NOT affect front end servers it is when you have a single box.


Rereading your error, it seems you have created /exchange-oma, so you probably went over the article; however it seems that you didn't disable SSL or forms-based authentication on this one.
0
 

Author Comment

by:PatrickDoman
ID: 34989405
I setup the Exchange account on the phone.
I add the microsoft exchange server mail.companyname.org to the server field.
It comes up and lets me finish the setup. I select mail, contacts and calendar sync. Then I click on save.
the account is created on the iPhone.


I hit the home button.

Go to Mail. I get Cannot Get Mail. The connection to the server failed.

Then I get Event ID: 3031   Server ActiveSync
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34989411
Go to IIS. Do you have a /exchange-oma virtual directory? If so, is SSL enabled on it?
0

Author Comment

by:PatrickDoman
ID: 34989424
no
0
 

Author Comment

by:PatrickDoman
ID: 34989429
Same Activesync error with it enabled on the /exchange-oma vdir
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34989438
It should NOT be enabled. Also, what authentication methods are enabled on this vdir?
0
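The back-and-forth above is a checklist from KB 817379: on a single Exchange 2003 server, ActiveSync and OMA reach the mailbox through the /exchange-oma virtual directory, which must allow Integrated Windows authentication (what Event ID 3031 calls "Negotiate") and must not require SSL or forms-based authentication, while the /exchange directory users browse can keep SSL. The following is an added example, not code from the thread or from Microsoft: it models the IIS 6 metabase properties AuthFlags (bitmask: 0x1 anonymous, 0x2 basic, 0x4 integrated) and AccessSSLFlags (0x8 require SSL, 0x100 require 128-bit) and reports which virtual directories break that requirement. The `FormsBasedAuth` key and the sample vdir settings are constructed for illustration, loosely following what the poster reported.

```python
"""Audit Exchange 2003 single-server vdirs against KB 817379 (added example).

Property names and bit values for AuthFlags / AccessSSLFlags are the IIS 6
metabase ones; "FormsBasedAuth" is a constructed stand-in for the Exchange
forms-based authentication setting, and the sample data is invented.
"""
from typing import Dict, List

AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 0x1, 0x2, 0x4       # AuthFlags bits
ACCESS_SSL, ACCESS_SSL128 = 0x8, 0x100                      # AccessSSLFlags bits

# What KB 817379 needs on a single box. /exchange itself may require SSL/FBA.
REQUIREMENTS = {
    "/exchange-oma": {
        "require_auth": AUTH_NTLM,                          # Negotiate/NTLM for EAS and OMA
        "forbid_access": ACCESS_SSL | ACCESS_SSL128,        # server-to-self hop is plain HTTP
        "forbid_fba": True,
    },
    "/Microsoft-Server-ActiveSync": {
        "require_auth": AUTH_BASIC,                         # devices authenticate with Basic
    },
}


def check_vdir(path: str, props: Dict) -> List[str]:
    """Return human-readable problems for one virtual directory."""
    req = REQUIREMENTS.get(path)
    if req is None:
        return []
    problems = []
    auth = props.get("AuthFlags", 0)
    access = props.get("AccessSSLFlags", 0)
    need = req.get("require_auth", 0)
    if auth & need != need:
        problems.append(f"{path}: missing authentication bits 0x{need:x} (AuthFlags=0x{auth:x})")
    if access & req.get("forbid_access", 0):
        problems.append(f"{path}: SSL must not be required (AccessSSLFlags=0x{access:x})")
    if req.get("forbid_fba") and props.get("FormsBasedAuth", False):
        problems.append(f"{path}: forms-based authentication must be off")
    return problems


def check_server(vdirs: Dict[str, Dict]) -> List[str]:
    """Audit all vdirs; also flag the KB's central fix, a missing /exchange-oma."""
    problems = []
    if "/exchange-oma" not in vdirs:
        problems.append("/exchange-oma virtual directory is missing (create it per KB 817379)")
    for path, props in vdirs.items():
        problems.extend(check_vdir(path, props))
    return problems


# Constructed states. BEFORE: no /exchange-oma at all, the classic Event 3031 cause.
BEFORE = {
    "/exchange": {"AuthFlags": AUTH_BASIC, "AccessSSLFlags": ACCESS_SSL | ACCESS_SSL128},
    "/Microsoft-Server-ActiveSync": {"AuthFlags": AUTH_BASIC, "AccessSSLFlags": 0},
}
# HALFWAY: vdir created but SSL left required on it, as Akhater suspected.
HALFWAY = dict(BEFORE, **{
    "/exchange-oma": {"AuthFlags": AUTH_BASIC | AUTH_NTLM, "AccessSSLFlags": ACCESS_SSL},
})
# FIXED: Basic + Integrated, no SSL, no FBA on /exchange-oma.
FIXED = dict(BEFORE, **{
    "/exchange-oma": {"AuthFlags": AUTH_BASIC | AUTH_NTLM, "AccessSSLFlags": 0,
                      "FormsBasedAuth": False},
})

if __name__ == "__main__":
    for label, state in [("before", BEFORE), ("halfway", HALFWAY), ("fixed", FIXED)]:
        print(label, check_server(state) or "OK")
```

On a real server the equivalent readout is `cscript adsutil.vbs GET W3SVC/1/ROOT/exchange-oma/AuthFlags` and `.../AccessSSLFlags` from %systemroot%\system32\inetsrv\AdminScripts; the bit values are the ones the script decodes.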
 

Author Comment

by:PatrickDoman
ID: 34989468
Basic and Integrated
0
 

Author Comment

by:PatrickDoman
ID: 34989475
I am removing the UCC certificate and applying a SSL Cert
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34989476
Browse to https://servername/exchange-oma. Do you get a forms-based authentication page or a popup for user/pass?
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34989554
Let us know how the SSL cert goes... It will be interesting to see if it corrects the issue. I have a wildcard cert on my server and it functions fine, but it does not hurt to try and install the non-wildcard cert. Especially at this point.

0
 

Author Comment

by:PatrickDoman
ID: 34989559
Same issue.
0
 

Author Comment

by:PatrickDoman
ID: 34989582
Going to reboot server.

Will try matching this server to another I have operational that is working fine.
0
 

Author Comment

by:PatrickDoman
ID: 34989609
"browse to https://servername/exchange-oma do you get a form based authentication or a popup for user/pass"

I did this, I get "There is a problem with the website's security certificate."

I click on continue and I get to the OWA page.
No prompt for user/pass.
My thought there would be that it is using integrated auth.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34989636
Did you install the Intermediate Certificate? I am sure you did but figured I would ask.
0
 

Assisted Solution

by:PatrickDoman
PatrickDoman earned 0 total points
ID: 34989653
Actually I just thought I would go through all of the IIS sites.

I saw that the Default Web Site and CompanyWeb were both sharing port 80. Somehow they both started.

Anyway, I changed companyweb to port 81 and 444 and restarted IIS.

Then I looked back at my iPhone and to my amazement the mail account was downloading messages.

I went back to sprint.blackberry.com and I am still having the issues trying to get that setup.


So iPhones are back up and running from what I can see.
0
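The actual fix had nothing to do with the certificate: two IIS sites, Default Web Site and companyweb, were both bound to port 80 (and 443) with no distinguishing host header, so requests landed on whichever site answered. IIS 6 stores HTTP bindings in the metabase property ServerBindings as "IP:port:hostheader" (empty IP means all unassigned addresses, empty host header means any host) and HTTPS bindings in SecureBindings as "IP:port:". The following is an added example, not the poster's or Microsoft's code, that finds bindings which collide across sites; the site data is constructed to mirror the before and after states described above (companyweb moved to 81 and 444).

```python
"""Find colliding IIS 6 site bindings (added example).

Bindings use the metabase string form "IP:port:hostheader". Two sites collide
when they claim the same port and host header on the same IP, or when one of
them listens on all unassigned IPs. Sample sites below are constructed.
"""
from typing import Dict, List, Tuple

ALL_UNASSIGNED = "0.0.0.0"
Binding = Tuple[str, int, str]


def parse_binding(binding: str) -> Binding:
    """'IP:port:host' -> (ip, port, host) with IIS defaults applied."""
    parts = binding.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        raise ValueError(f"malformed binding {binding!r}")
    ip, port, host = parts
    return (ip or ALL_UNASSIGNED, int(port), host.lower())


def bindings_conflict(a: Binding, b: Binding) -> bool:
    ip_a, port_a, host_a = a
    ip_b, port_b, host_b = b
    if port_a != port_b or host_a != host_b:
        return False                 # different port, or host header disambiguates
    return ip_a == ip_b or ALL_UNASSIGNED in (ip_a, ip_b)


def find_conflicts(sites: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """sites: {name: {"ServerBindings": [...], "SecureBindings": [...]}}
    -> [(site1, site2, 'scheme ip:port:host'), ...]"""
    flat = []
    for name, props in sites.items():
        flat += [(name, "http", parse_binding(b)) for b in props.get("ServerBindings", [])]
        flat += [(name, "https", parse_binding(b)) for b in props.get("SecureBindings", [])]
    conflicts = []
    for i, (s1, scheme, b1) in enumerate(flat):
        for s2, _, b2 in flat[i + 1:]:
            if s1 != s2 and bindings_conflict(b1, b2):
                conflicts.append((s1, s2, f"{scheme} {b1[0]}:{b1[1]}:{b1[2] or '*'}"))
    return conflicts


# Constructed: both sites on :80: and :443:, the state the poster found.
BEFORE = {
    "Default Web Site": {"ServerBindings": [":80:"], "SecureBindings": [":443:"]},
    "companyweb":       {"ServerBindings": [":80:"], "SecureBindings": [":443:"]},
}
# Constructed: companyweb moved to 81/444, the poster's fix.
AFTER = {
    "Default Web Site": {"ServerBindings": [":80:"], "SecureBindings": [":443:"]},
    "companyweb":       {"ServerBindings": [":81:"], "SecureBindings": [":444:"]},
}
# Constructed alternative: same port, but a host header keeps the two apart.
HOST_HEADER = {
    "Default Web Site": {"ServerBindings": [":80:"]},
    "companyweb":       {"ServerBindings": [":80:companyweb"]},
}

if __name__ == "__main__":
    for label, state in [("before", BEFORE), ("after", AFTER), ("host header", HOST_HEADER)]:
        print(label, find_conflicts(state) or "no conflicts")
```

The host-header variant is included because it matters for the mobile devices in this thread: a BlackBerry or iPhone sends the Host header for mail.companyname.org, so a catch-all site on :80: with no host header must be the one that holds the Exchange virtual directories, or the device lands on companyweb and fails with a confusing error.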
 

Author Comment

by:PatrickDoman
ID: 34989677
This issue is resolved. Now onto the issue of the Blackberry sites not working.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34989681
Glad it is working for you!
0
 

Author Comment

by:PatrickDoman
ID: 34989684
I would like to split points between you two.
0
 
LVL 4

Expert Comment

by:Llacy80
ID: 34989712
It's ok. You figured it out!
0
 

Author Closing Comment

by:PatrickDoman
ID: 35025236
There are still issues with Sprint BlackBerry and Verizon BlackBerry. I will post the fix for those.
0
