PatrickDoman asked:
Purchased UCC Certificate from DigiCert for SBS 2003 server. Have upcoming SBS 2008 server migration to complete

I purchased a UCC Certificate for my server because the other one was expiring and the new server in the next 3-6 months will be SBS 2008 or 2011.

I can't seem to get IIS working with mobile phones, i.e. Blackberry devices can't use the cell phone manufacturer site like http://sprint.blackberry.com to set up an OWA connection to the Exchange server for mail send/receive. I also can't seem to get ActiveSync to work with the UCC certificate either.

The first name in the Certificate is mail.companyname.org.

I would think that it would be the primary name the certificate would be using.

IIS was letting us get to the OWA page just fine from mail.companyname.org/exchange
I even attempted to get the site working by performing the redirection from the default website to /Exchange instead of c:\inetsrv\wwwroot

That didn't seem to work.


Does SBS 2003 or more specifically Exchange 2003 not work with UCC Certificates?
MichaelVH replied:

Hi there,

As far as I remember, Exchange 2003 does not support SAN certificates.

Grts,

Michael
ASKER CERTIFIED SOLUTION (Akhater; solution text not shown on this page)
SOLUTION (solution text not shown on this page)
PatrickDoman (asker):
Yesterday I worked with Microsoft support from 7PM to 4AM.
We went through and tried recreating the IIS site for Exchange in its entirety.

As you know SBS 2003 doesn't have a wizard for the UCC certificate like the newer versions of Exchange.
The option I chose to secure was mail.companyname.org

In the DigiCert UCC certificate, I gave the cert the following names:
- mail.companyname.org
- company-server.domain.local
- company-server
- autodiscover.companyname.org


I think autodiscover may be 2nd in the list on the cert itself. Not sure if that matters.


Went into IIS, deleted Exchange, Exchweb, Microsoft-Server-Activesync, OMA and public. Then recreated them. Followed KB883380

Ran cscript adsutil.vbs deleteds2mb
Restarted Exchange System Admin
Restarted IIS Admin Svc

Set the site back up

Ran connectivity test when we were back up and running from https://testexchangeconnectivity.com 

We saw that Massync.dll was an older version and applied 2 hotfixes to get it to a newer version.


From computers (Windows XP, Windows 7 and Windows Vista), https://mail.companyname.org or https://mail.companyname.org/exchange works, depending on whether or not I am redirecting the site in IIS.

Those come up fine; they are using the DigiCert UCC certificate, and it shows it is an active and healthy certificate.

But mobile phones try to connect and no matter what we do we can't get it to talk.

iPhone, Blackberry from Sprint, Blackberry from Verizon: no go. We do have 2 phones that have never stopped working. One was brand new the other day and it couldn't attach until I renewed the certificate. The other, an iPhone, has been fine for weeks. Works straight through all of this. I have tried configuring my phone to connect and I have had nothing but issues.

We keep getting an error code now or Event ID: 3031 Source: ServerActiveSync

Event Type:      Error
Event Source:      Server ActiveSync
Event Category:      None
Event ID:      3031
Date:            2/26/2011
Time:            1:28:55 PM
User:            Domain\User
Computer:      Company-Server
Description:
The mailbox server [company-server.domain.local] does not allow "Negotiate" authentication to its [/exchange-oma] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).   For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383).   This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


OK. What do you have your authentication and access control settings and secure communications settings set to (under Directory Security) on both the Exchange and ActiveSync virtual directories in IIS?

Are you running ISA (firewall)?
No ISA, have Cisco FW.

Exchange - Basic only, Default Domain is \
Microsoft-Exchange-ActiveSync - Basic, Default Domain is "companydomainname"

I noticed on the OMA directory I do not have an ASP.NET tab. One of the articles I saw said to change or make sure that I am running that VDir under ASP 1.1. Did this get deleted when ASP.NET 4.0 was installed?
I see articles out there that talk about re-registering the IIS version that I want; I tried re-registering IIS 1.1 but that didn't work.
Not sure if that has anything to do with this issue. Perhaps the tab came about when ASP.NET 2.0 came out. I'll try re-registering that.


What about the Secure communication settings for both of those virtual directories? What are those set to?

On my OMA virtual directory (sbs2k3) I do have an ASP.NET tab, so I am not sure why you would not, but I suppose when Microsoft had you try those different tasks it could have caused some issues with some of your virtual directories? Not sure on that one.

On the Exchange VDir, the Secure Comms settings are Checked "Require SSL" and Require 128bit

On Microsoft-Exchange-ActiveSync they are both unchecked.
Mmhhh... So what error do you get when trying to set up the connection on, say, an iPhone? Does it allow you to set up the connection but then won't sync up?
The error you are having is because you have forced SSL or form-based authentication on your /exchange directory; it is a well known issue.

http://support.microsoft.com/kb/817379


This isn't a front end back end setup. This is a single server SBS 2003 box. I've been through this article 20 times since 2PM yesterday.

The Microsoft engineers and I ran through KB215383 and KB817379.

This issue does NOT affect front-end servers; it is when you have a single box.


Rereading your error, it seems you have created /exchange-oma, so you probably went over the article; however, it seems that you didn't disable SSL or form-based authentication on this one.
I setup the Exchange account on the phone.
I add the Microsoft Exchange server mail.companyname.org to the server field.
It comes up and lets me finish the setup. I select mail, contacts and calendar sync. Then I click on save.
The account is created on the iPhone.


I hit the home button.

Go to Mail. I get Cannot Get Mail. The connection to the server failed.

Then I get Event ID: 3031   Server ActiveSync
Go to IIS: do you have a /exchange-oma virtual directory? If so, is SSL enabled on it?
No.
Same ActiveSync error with it enabled on the /exchange-oma vdir.
It should NOT be enabled. Also, what authentication methods are enabled on this vdir?
Basic and Integrated.
I am removing the UCC certificate and applying an SSL cert.
Browse to https://servername/exchange-oma: do you get form-based authentication or a popup for user/pass?
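The checks being asked for in the last few posts (is SSL required on /exchange-oma, which authentication methods it allows, and what the Event ID 3031 text actually names) can be written down as a rule. The following is an added example for this thread, not code from the thread, from Microsoft or from DigiCert: an offline Python audit that encodes what the Event 3031 description and KB817379 say for a single-server Exchange 2003 box. The virtual-directory names come from the thread; the `VDir` class, the finding codes and the sample settings are constructed for the example and do not read a live IIS metabase.

```python
"""Audit Exchange 2003 IIS virtual-directory settings for the Event ID 3031 pattern.

Added example (not the thread's or Microsoft's code). Vdir names are the ones the
thread discusses; VDir, the finding codes and the samples are constructed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (code, vdir, explanation)


@dataclass
class VDir:
    """Subset of an IIS 6 virtual directory's Directory Security settings (constructed model)."""
    basic: bool = False          # Basic authentication
    integrated: bool = False     # Integrated Windows authentication (NTLM / Negotiate)
    forms_based: bool = False    # Exchange forms-based (cookie) logon
    require_ssl: bool = False    # "Require secure channel (SSL)"


OMA_VDIR = "/exchange-oma"                 # path the server's own ActiveSync component uses
EAS_VDIR = "/Microsoft-Server-ActiveSync"  # path the phones connect to


def audit(vdirs: Dict[str, VDir]) -> List[Finding]:
    """Return findings for the single-server Exchange 2003 layout.

    ActiveSync reaches the mailbox through /exchange-oma using Negotiate
    (Integrated Windows) authentication only, so that directory must not
    require SSL or forms-based logon and must allow Integrated auth.
    The phone-facing directory uses Basic auth, which sends credentials in
    clear unless SSL is required on it.
    """
    findings: List[Finding] = []

    oma = vdirs.get(OMA_VDIR)
    if oma is None:
        findings.append(("OMA_MISSING", OMA_VDIR,
                         "not present; Event 3031 will keep firing until it exists (KB817379)"))
    else:
        if oma.require_ssl:
            findings.append(("OMA_REQUIRES_SSL", OMA_VDIR,
                             "Require SSL is set; ActiveSync's local request is refused"))
        if oma.forms_based:
            findings.append(("OMA_FORMS_AUTH", OMA_VDIR,
                             "forms-based authentication is on; Negotiate cannot be used"))
        if not oma.integrated:
            findings.append(("OMA_NO_INTEGRATED", OMA_VDIR,
                             "Integrated Windows authentication is off; Negotiate is rejected"))

    eas = vdirs.get(EAS_VDIR)
    if eas is None:
        findings.append(("EAS_MISSING", EAS_VDIR, "not present; devices have nothing to connect to"))
    else:
        if not eas.basic:
            findings.append(("EAS_NO_BASIC", EAS_VDIR, "Basic authentication is off; devices cannot log on"))
        if eas.basic and not eas.require_ssl:
            findings.append(("EAS_BASIC_NO_SSL", EAS_VDIR,
                             "Basic auth without Require SSL exposes device credentials in clear"))
    return findings


# Matches the fixed wording of the Event 3031 description quoted in the thread.
EVENT_3031 = re.compile(
    r'The mailbox server \[(?P<server>[^\]]+)\] does not allow '
    r'"(?P<scheme>[^"]+)" authentication to its \[(?P<vdir>[^\]]+)\] virtual directory'
)


def parse_event_3031(description: str) -> Optional[Dict[str, str]]:
    """Pull server, auth scheme and virtual directory out of an Event 3031 description."""
    m = EVENT_3031.search(description)
    return m.groupdict() if m else None


# Constructed sample: the description text as quoted in the thread.
SAMPLE_EVENT = ('The mailbox server [company-server.domain.local] does not allow "Negotiate" '
                'authentication to its [/exchange-oma] virtual directory. Exchange ActiveSync can '
                'only access the server using this authentication scheme.')

# Constructed: settings as the asker reported them (SSL on exchange-oma, none on ActiveSync).
AS_REPORTED = {
    "/Exchange": VDir(basic=True, require_ssl=True),
    EAS_VDIR: VDir(basic=True),
    OMA_VDIR: VDir(basic=True, integrated=True, require_ssl=True),
}

# Constructed: the same server with exchange-oma relaxed and SSL required for devices.
CORRECTED = {
    "/Exchange": VDir(basic=True, require_ssl=True),
    EAS_VDIR: VDir(basic=True, require_ssl=True),
    OMA_VDIR: VDir(basic=True, integrated=True),
}

if __name__ == "__main__":
    print(parse_event_3031(SAMPLE_EVENT))
    for code, vdir, why in audit(AS_REPORTED):
        print(f"{code:<20} {vdir:<32} {why}")
    print("corrected findings:", audit(CORRECTED))
```

Run as-is it reports `OMA_REQUIRES_SSL` and `EAS_BASIC_NO_SSL` for the reported settings and nothing for the corrected ones. The second finding is not part of the Event 3031 symptom; it is there because the ActiveSync directory was reported with Basic auth and SSL unchecked, and on a directory that faces the Internet that means device passwords travel unencrypted.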
Let us know how the SSL cert goes... It will be interesting to see if it corrects the issue. I have a wildcard cert on my server and it functions fine, but it does not hurt to try and install the non-wildcard cert. Especially at this point.

Same issue.
Going to reboot server.

Will try matching this server to another I have operational that is working fine.
Browse to https://servername/exchange-oma: do you get form-based authentication or a popup for user/pass?


I did this, I get "There is a problem with the website's security certificate."

I click on continue and I get to the OWA page.
No prompt for user/pass.
My thought there would be that it is using integrated auth
Did you install the Intermediate Certificate? I am sure you did but figured I would ask.
SOLUTION (solution text not shown on this page)
This issue is resolved. Now onto the issue of the Blackberry sites not working.
Glad it is working for you!
I would like to split points between you two.
It's ok. You figured it out!
There are still issues with Sprint Blackberry and Verizon Blackberry. I will post the fix for those.