  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1183

Purchased UCC Certificate from DigiCert for SBS 2003 server. Have upcoming SBS 2008 server migration to complete

I purchased a UCC Certificate for my server because the other one was expiring and the new server in the next 3-6 months will be SBS 2008 or 2011.

I can't seem to get IIS working with mobile phones, i.e. BlackBerry devices can't use the cell phone manufacturer site like http://sprint.blackberry.com to set up an OWA connection to the Exchange server for mail send/receive. I also can't seem to get ActiveSync to work with the UCC certificate either.

The first name in the Certificate is mail.companyname.org.

I would think that it would be the primary name the certificate would be using.

IIS was letting us get to the OWA page just fine from mail.companyname.org/exchange
I even attempted to get the site working by performing the redirection from the default website to /Exchange instead of c:\inetsrv\wwwroot

That didn't seem to work.


Does SBS 2003 or more specifically Exchange 2003 not work with UCC Certificates?
0
Asked by PatrickDoman

3 Solutions
 
MichaelVHCommented:
Hi there,

as far as I remember, Exchange 2003 does not support SAN certificates.

Grts,

Michael
0
 
AkhaterCommented:
Exchange 2003 does support SAN certificates; I use it all the time.
0
 
Llacy80Commented:
Yes Akhater is right, Exchange 2k3 does indeed support SAN certs.

Please tell me the process you went through to request this cert and install it.

I was not able to gather from your original post whether or not you are actually able to access OWA externally with the new cert in place?
0
 
PatrickDomanAuthor Commented:
Yesterday I worked with Microsoft support from 7PM to 4AM.
We went through and tried recreating the IIS site for Exchange in its entirety.
As you know SBS 2003 doesn't have a wizard for the UCC certificate like the newer versions of Exchange.
The option I chose to secure was mail.companyname.org

In the DigiCert UCC certificate, I gave the cert the following names:
- mail.companyname.org
- company-server.domain.local
- company-server
- autodiscover.companyname.org


I think autodiscover may be 2nd in the list on the cert itself. Not sure if that matters.


Went into IIS, deleted Exchange, Exchweb, Microsoft-Server-Activesync, OMA and public. Then recreated them. Followed KB883380

Ran cscript adsutil.vbs deleteds2mb
Restarted Exchange System Admin
Restarted IIS Admin Svc

Set the site back up

Ran connectivity test when we were back up and running from https://testexchangeconnectivity.com 

We saw that Massync.dll was an older version and applied 2 hotfixes to get it to a newer version.


From computers, Windows XP and Windows 7 and Windows Vista, https://mail.companyname.org or https://mail.companyname.org/exchange works depending on whether or not I am redirecting the site in IIS.

Those come up fine; they are using the DigiCert UCC certificate, and it shows it is an active and healthy certificate.

But mobile phones try to connect and no matter what we do we can't get it to talk.

iPhone, BlackBerry from Sprint, BlackBerry from Verizon: no go. We do have 2 phones that have never stopped working. One was brand new the other day and it couldn't attach until I renewed the certificate. The other, an iPhone, has been fine for weeks. Works straight through all of this. I have tried configuring my phone to connect and I have had nothing but issues.

We keep getting an error code now or Event ID: 3031 Source: ServerActiveSync

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3031
Date: 2/26/2011
Time: 1:28:55 PM
User: Domain\User
Computer: Company-Server
Description:
The mailbox server [company-server.domain.local] does not allow "Negotiate" authentication to its [/exchange-oma] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).   For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383).   This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
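The poster lists four names on the UCC certificate and wonders whether the order of the SAN entries matters. It does not: a client matches the hostname it was given against the whole subjectAltName set, and when a SAN extension is present the CN is not consulted at all. The checker below is an added example, not code from the thread or from DigiCert. It works on the dict shape that Python's ssl getpeercert() returns, so the same function can be pointed at a live server; the SAMPLE_CERT dict is constructed to mirror the four names the poster listed and the hostnames in `wanted` are assumptions about what phones, LAN Outlook clients and Autodiscover would each use.

```python
"""Check which client-facing hostnames a certificate's SAN list covers.

Added example, not from the original thread. Operates on the dict layout of
ssl.SSLSocket.getpeercert(); SAMPLE_CERT is constructed, not real cert data.
"""
import socket
import ssl

# Constructed sample in getpeercert() layout (assumption: mirrors the thread's cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.companyname.org"),),),
    "subjectAltName": (
        ("DNS", "mail.companyname.org"),
        ("DNS", "autodiscover.companyname.org"),
        ("DNS", "company-server.domain.local"),
        ("DNS", "company-server"),
    ),
    "notAfter": "Feb 26 23:59:59 2012 GMT",
}


def san_dns_names(cert):
    """Return the DNS names from subjectAltName; fall back to CN only if there is no SAN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Legacy fallback: clients only look at the CN when the SAN extension is absent.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".companyname.org"
        # A wildcard covers exactly one label and never the bare parent domain.
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def coverage(cert, hostnames):
    """Map each hostname clients will use to True/False for 'covered by this cert'."""
    names = san_dns_names(cert)
    # any() over the whole list: position in the SAN list is irrelevant.
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}


def live_cert(host, port=443):
    """Fetch a server's leaf cert in getpeercert() form (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Assumed names: phone/OWA, Autodiscover, LAN Outlook via internal FQDN, and one that is absent.
    wanted = [
        "mail.companyname.org",
        "autodiscover.companyname.org",
        "company-server.domain.local",
        "owa.companyname.org",  # not on the cert: every client would reject it
    ]
    for host, ok in coverage(SAMPLE_CERT, wanted).items():
        print(f"{host:32} {'covered' if ok else 'NOT covered'}")
```

One caveat for anyone reproducing this layout today: public CAs have not issued certificates containing internal names such as company-server.domain.local or a bare NetBIOS name since the CA/Browser Forum Baseline Requirements prohibited them (November 2015), so the internal FQDN now has to be served either by split DNS under the public domain or by an internal CA.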
 
Llacy80Commented:
Ok. What do you have your authentication and access control settings and secure communications settings set to? (Under Directory Security) on both the Exchange and ActiveSync virtual directories in IIS?

Are you running ISA (firewall)?
0
 
PatrickDomanAuthor Commented:
No ISA, have Cisco FW.

Exchange -  Basic only, Default Domain is \
Microsoft-Exchange-ActiveSync -   Basic    Default Domain is "companydomainname"

0
 
PatrickDomanAuthor Commented:
I noticed on the OMA directory I do not have an ASP.NET tab. One of the articles I saw said to change or make sure that I am running that VDir under ASP 1.1. Did this get deleted when ASP.NET 4.0 was installed?
0
 
PatrickDomanAuthor Commented:
I see articles out there that talk about re-registering the IIS version that I want; I tried re-registering IIS 1.1 but that didn't work.
Not sure if that has anything to do with this issue. Perhaps the tab came about when ASP.NET 2.0 came out. I'll try re-registering that.


0
 
Llacy80Commented:
What about the Secure communication settings for both of those virtual directories? What are those set to?

On my OMA virtual directory (SBS 2k3) I do have an ASP.NET tab, so I am not sure why you would not, but I suppose when Microsoft had you try those different tasks it could have caused some issues with some of your virtual directories? Not sure on that one.

0
 
PatrickDomanAuthor Commented:
On the Exchange VDir, the Secure Comms settings are checked: "Require SSL" and "Require 128-bit".

On Microsoft-Exchange-ActiveSync they are both unchecked.
0
 
Llacy80Commented:
Mmhhh... So what error do you get when trying to set up the connection on, say, an iPhone? Does it allow you to set up the connection but then won't sync up?
0
 
AkhaterCommented:
The error you are having is because you have forced SSL or forms-based authentication on your /exchange directory; it is a well-known issue.

http://support.microsoft.com/kb/817379
0
 
PatrickDomanAuthor Commented:


This isn't a front end back end setup. This is a single server SBS 2003 box. I've been through this article 20 times since 2PM yesterday.

0
 
PatrickDomanAuthor Commented:
The microsoft engineers and I ran through KB215383 and KB817379

0
 
AkhaterCommented:
This issue does NOT affect front-end servers; it is when you have a single box.


Rereading your error, it seems you have created /exchange-oma, so you probably went over the article; however, it seems that you didn't disable SSL or forms-based authentication on this one.
0
 
PatrickDomanAuthor Commented:
I setup the Exchange account on the phone.
I add the microsoft exchange server mail.companyname.org to the server field.
It comes up and lets me finish the setup. I select mail, contacts and calendar sync. Then I click on save.
the account is created on the iPhone.


I hit the home button.

Go to Mail. I get Cannot Get Mail. The connection to the server failed.

Then I get Event ID: 3031   Server ActiveSync
0
 
AkhaterCommented:
Go to IIS: do you have a /exchange-oma virtual directory? If so, is SSL enabled on it?
0
 
PatrickDomanAuthor Commented:
no
0
 
PatrickDomanAuthor Commented:
Same ActiveSync error with it enabled on the /exchange-oma vdir.
0
 
AkhaterCommented:
It should NOT be enabled. Also, what authentication methods are enabled on this vdir?
0
 
PatrickDomanAuthor Commented:
Basic and Integrated
0
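The exchange above boils down to a short checklist from KB 817379: on a single-server Exchange 2003 box, ActiveSync reaches the mailbox virtual directory through a second, local HTTP hop that can only authenticate with Negotiate, so the vdir it uses (normally /exchange-oma, named by the ExchangeVDir registry value) must allow Integrated Windows authentication and must not require SSL or forms-based authentication, while /exchange itself stays locked down for OWA. The script below is an added example, not the thread's or Microsoft's code: it encodes that checklist over a snapshot of vdir settings and emits adsutil.vbs commands for what it finds. The AuthFlags and AccessSSLFlags bit values are the IIS 6 metabase constants; the SNAPSHOT_BROKEN table is constructed to match what the poster reported (Basic + Integrated on /exchange-oma, SSL still required there), the site id 1 is assumed to be the Default Web Site, and "forms_based_auth" is an assumed stand-in for the Exchange System Manager FBA switch, which has no single metabase flag.

```python
"""Check the IIS 6 virtual-directory settings Exchange 2003 ActiveSync
depends on (the KB 817379 single-server case).

Added example, not from the thread or from Microsoft. Bit values are IIS 6
metabase constants; the snapshot is constructed; site id 1 is assumed.
"""

# IIS 6 metabase bit values.
AUTH_BASIC = 2
AUTH_NTLM = 4          # "Integrated Windows authentication" (Negotiate/NTLM)
ACCESS_SSL = 8         # "Require secure channel (SSL)"
ACCESS_SSL128 = 256    # "Require 128-bit encryption"

# Registry value KB 817379 adds so ActiveSync/OMA use a separate vdir.
EXCHANGE_VDIR_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir"

# Constructed snapshot of the poster's mid-thread state: /exchange requires SSL
# (correct for OWA); /exchange-oma exists with Basic + Integrated but SSL is on.
SNAPSHOT_BROKEN = {
    "registry": {EXCHANGE_VDIR_VALUE: "/exchange-oma"},
    "vdirs": {
        "/exchange": {"AuthFlags": AUTH_BASIC,
                      "AccessSSLFlags": ACCESS_SSL | ACCESS_SSL128,
                      "forms_based_auth": False},
        "/Microsoft-Server-ActiveSync": {"AuthFlags": AUTH_BASIC,
                                         "AccessSSLFlags": 0,
                                         "forms_based_auth": False},
        "/exchange-oma": {"AuthFlags": AUTH_BASIC | AUTH_NTLM,
                          "AccessSSLFlags": ACCESS_SSL,
                          "forms_based_auth": False},
    },
}


def check_activesync_backend(snapshot, site_path="W3SVC/1/ROOT"):
    """Return (findings, fix_commands) for the vdir ActiveSync talks to locally.

    The local hop is plain HTTP and can only use Negotiate, so that vdir must
    allow Integrated auth and must not require SSL or FBA (otherwise Event 3031).
    fix_commands are adsutil.vbs invocations against the assumed site id.
    """
    findings, fixes = [], []
    target = snapshot["registry"].get(EXCHANGE_VDIR_VALUE, "/exchange")
    vdir = snapshot["vdirs"].get(target)
    if vdir is None:
        findings.append(f"{EXCHANGE_VDIR_VALUE} points at {target}, which does not exist in IIS")
        return findings, fixes
    node = site_path + target
    if not vdir["AuthFlags"] & AUTH_NTLM:
        findings.append(f"{target}: Integrated Windows authentication is off (Event ID 3031)")
        fixes.append(f"cscript adsutil.vbs SET {node}/AuthFlags {vdir['AuthFlags'] | AUTH_NTLM}")
    if vdir["AccessSSLFlags"] & ACCESS_SSL:
        findings.append(f"{target}: 'Require SSL' is on; the local ActiveSync hop is HTTP")
        fixes.append(f"cscript adsutil.vbs SET {node}/AccessSSLFlags 0")
    if vdir["forms_based_auth"]:
        findings.append(f"{target}: forms-based authentication is on; ActiveSync cannot log in through a form")
    if target == "/exchange" and (vdir["AccessSSLFlags"] & ACCESS_SSL or vdir["forms_based_auth"]):
        findings.append("create /exchange-oma per KB 817379 and point ExchangeVDir at it instead of relaxing /exchange")
    return findings, fixes


def apply_kb817379(snapshot):
    """Return a copy with /exchange-oma configured the way KB 817379 describes."""
    fixed = {"registry": dict(snapshot["registry"]),
             "vdirs": {k: dict(v) for k, v in snapshot["vdirs"].items()}}
    fixed["registry"][EXCHANGE_VDIR_VALUE] = "/exchange-oma"
    oma = fixed["vdirs"].setdefault("/exchange-oma", {})
    oma.update({"AuthFlags": AUTH_BASIC | AUTH_NTLM, "AccessSSLFlags": 0, "forms_based_auth": False})
    return fixed


if __name__ == "__main__":
    for label, snap in (("before", SNAPSHOT_BROKEN), ("after", apply_kb817379(SNAPSHOT_BROKEN))):
        findings, fixes = check_activesync_backend(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for item in findings:
            print("  -", item)
        for cmd in fixes:
            print("  fix:", cmd)
```

Leaving SSL off on /exchange-oma is safe only because nothing but the local ActiveSync/OMA hop should reach it: the vdir sits on the same server and the device-facing path still terminates TLS at /Microsoft-Server-ActiveSync, so the thing to verify after applying the fix is that /exchange-oma is not also reachable from the outside through any publishing rule or port forward.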
 
PatrickDomanAuthor Commented:
I am removing the UCC certificate and applying an SSL cert.
0
 
AkhaterCommented:
Browse to https://servername/exchange-oma. Do you get forms-based authentication or a popup for user/pass?
0
 
Llacy80Commented:
Let us know how the SSL cert goes... It will be interesting to see if it corrects the issue. I have a wildcard cert on my server and it functions fine, but it does not hurt to try and install the non-wildcard cert. Especially at this point.

0
 
PatrickDomanAuthor Commented:
Same issue.
0
 
PatrickDomanAuthor Commented:
Going to reboot server.

Will try matching this server to another I have operational that is working fine.
0
 
PatrickDomanAuthor Commented:
browse to https://servername/exchange-oma do you get a form based authentication or a popup for user/pass


I did this; I get "There is a problem with the website's security certificate."

I click on continue and I get to the OWA page.
No prompt for user/pass.
My thought there would be that it is using integrated auth.
0
 
Llacy80Commented:
Did you install the Intermediate Certificate? I am sure you did but figured I would ask.
0
 
PatrickDomanAuthor Commented:
Actually I just thought I would go through all of the IIS sites.

I saw that the Default Web Site and CompanyWeb were both sharing port 80. Somehow they both started.

Anyway, I changed companyweb to port 81 and 444 and restarted IIS.

Then I looked back at my iPhone and to my amazement the mail account was downloading messages.

I went back to sprint.blackberry.com and I am still having the issues trying to get that set up.


So iPhones are back up and running from what I can see.
0
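The actual root cause turned out to be two IIS sites (Default Web Site and CompanyWeb) bound to the same ports, so which site answered a request on 80 or 443 was a coin toss, and on 443 the SSL cert the phone saw depended on the loser. The script below is an added example, not the thread's code: it parses IIS 6 metabase bindings in their "IP:port:hostheader" form (ServerBindings for HTTP, SecureBindings for HTTPS) and reports sites that cannot coexist, then applies the poster's fix of moving companyweb to 81/444 and re-checks. The SITES_BEFORE table is constructed to mirror an SBS 2003 box and is an assumption about the poster's exact bindings.

```python
"""Find IIS 6 web sites whose bindings collide, the root cause in this thread.

Added example, not from the thread. Binding strings use the IIS 6 metabase
form "IP:port:hostheader"; the site table is constructed.
"""
from collections import defaultdict

# Constructed: both sites on 80 and 443 with no host header, as the poster found.
SITES_BEFORE = {
    "Default Web Site": {"ServerBindings": [":80:"], "SecureBindings": [":443:"]},
    "companyweb": {"ServerBindings": [":80:"], "SecureBindings": [":443:"]},
    "SharePoint Central Administration": {"ServerBindings": [":8081:"], "SecureBindings": []},
}


def parse_binding(binding):
    """'IP:port:host' -> (ip, port, host); a blank IP means 'all unassigned'."""
    ip, port, host = binding.split(":", 2)
    return (ip or "*", int(port), host.lower())


def format_binding(ip, port, host):
    """Inverse of parse_binding, writing '*' back as a blank IP."""
    return f"{'' if ip == '*' else ip}:{port}:{host}"


def find_conflicts(sites):
    """Return a sorted list of (site_a, site_b, reason) for bindings that cannot both run.

    HTTP: identical (ip, port, host header) tuples collide.
    HTTPS: identical (ip, port) collide regardless of host header, because
    IIS 6 has no SNI and picks neither a certificate nor a site by name.
    """
    http, https = defaultdict(list), defaultdict(list)
    for name, cfg in sites.items():
        for binding in cfg.get("ServerBindings", []):
            http[parse_binding(binding)].append(name)
        for binding in cfg.get("SecureBindings", []):
            ip, port, _host = parse_binding(binding)
            https[(ip, port)].append(name)

    conflicts = []
    for (ip, port, host), names in http.items():
        for a, b in zip(names, names[1:]):
            conflicts.append((a, b, f"both bound to http {ip}:{port} host '{host}'"))
    for (ip, port), names in https.items():
        for a, b in zip(names, names[1:]):
            conflicts.append((a, b, f"both bound to https {ip}:{port} (no SNI in IIS 6)"))
    return sorted(conflicts)


def rebind(sites, name, http_port, https_port):
    """Return a copy of the table with one site moved to new ports (the poster's fix)."""
    new = {k: {kk: list(vv) for kk, vv in v.items()} for k, v in sites.items()}
    site = new[name]
    site["ServerBindings"] = [format_binding(ip, http_port, host)
                              for ip, _p, host in map(parse_binding, site["ServerBindings"])]
    site["SecureBindings"] = [format_binding(ip, https_port, host)
                              for ip, _p, host in map(parse_binding, site["SecureBindings"])]
    return new


if __name__ == "__main__":
    for label, table in (("before", SITES_BEFORE), ("after", rebind(SITES_BEFORE, "companyweb", 81, 444))):
        found = find_conflicts(table)
        print(f"{label}: {len(found)} conflict(s)")
        for a, b, why in found:
            print(f"  {a} <-> {b}: {why}")
```

The HTTPS rule is the one worth remembering with a UCC certificate: since IIS 6 cannot separate sites on one IP:443 by host header, every name on the cert (mail., autodiscover., the internal FQDN) has to be served by the single site that owns that secure binding, which is exactly why a second site squatting on 443 breaks the phones even though OWA from a desktop looked fine.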
 
PatrickDomanAuthor Commented:
This issue is resolved. Now onto the issue of the Blackberry sites not working.
0
 
Llacy80Commented:
Glad it is working for you!
0
 
PatrickDomanAuthor Commented:
I would like to split points between you two.
0
 
Llacy80Commented:
It's ok. You figured it out!
0
 
PatrickDomanAuthor Commented:
There are still issues with Sprint BlackBerry and Verizon BlackBerry. I will post the fix for those.
0
