PatrickDoman
asked on
Purchased UCC Certificate from DigiCert for SBS 2003 server. Have upcoming SBS 2008 server migration to complete
I purchased a UCC Certificate for my server because the other one was expiring and the new server in the next 3-6 months will be SBS 2008 or 2011.
I can't seem to get IIS working with mobile phones, i.e. BlackBerry devices can't use the cell phone manufacturer site like http://sprint.blackberry.com to set up an OWA connection to the Exchange server for mail send/receive. I also can't seem to get ActiveSync to work with the UCC certificate either.
The first name in the Certificate is mail.companyname.org.
I would think that it would be the primary name the certificate would be using.
IIS was letting us get to the OWA page just fine from mail.companyname.org/exchange
I even attempted to get the site working by performing the redirection from the default website to /Exchange instead of c:\inetsrv\wwwroot
That didn't seem to work.
Does SBS 2003 or more specifically Exchange 2003 not work with UCC Certificates?
ASKER
Yesterday I worked with Microsoft support from 7PM to 4AM.
We went through and tried recreating the IIS site for Exchange in its entirety.
As you know SBS 2003 doesn't have a wizard for the UCC certificate like the newer versions of Exchange.
The option I chose to secure was mail.companyname.org
In the DigiCert UCC certificate, I gave the cert the following names:
- mail.companyname.org
- company-server.domain.local
- company-server
- autodiscover.companyname.org
I think autodiscover may be 2nd in the list on the cert itself. Not sure if that matters.
Went into IIS, deleted Exchange, Exchweb, Microsoft-Server-ActiveSync, OMA and public. Then recreated them. Followed KB883380
Ran cscript adsutil.vbs deleteds2mb
Restarted Exchange System Admin
Restarted IIS Admin Svc
Set the site back up
Ran connectivity test when we were back up and running from https://testexchangeconnectivity.com
We saw that Massync.dll was an older version and applied 2 hotfixes to get it to a newer version.
From computers, Windows XP and Windows 7 and Windows Vista, https://mail.companyname.org or https://mail.companyname.org/exchange works depending on whether or not I am redirecting the site in IIS.
Those come up fine, they are using the DigiCert UCC certificate, it shows as an active and healthy certificate.
But mobile phones try to connect and no matter what we do we can't get it to talk.
iPhone, BlackBerry from Sprint, BlackBerry from Verizon: no go. We do have 2 phones that have never stopped working. One was brand new the other day and it couldn't attach until I renewed the certificate. The other, an iPhone, has been fine for weeks. Works straight through all of this. I have tried configuring my phone to connect and I have had nothing but issues.
We keep getting an error code now, Event ID: 3031 Source: ServerActiveSync
Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3031
Date: 2/26/2011
Time: 1:28:55 PM
User: Domain\User
Computer: Company-Server
Description:
The mailbox server [company-server.domain.local] does not allow "Negotiate" authentication to its [/exchange-oma] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme. For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379). For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383). This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Ok. What do you have your authentication and access control settings and secure communications settings set to? (Under Directory Security) on both the Exchange and ActiveSync virtual directories in IIS?
Are you running ISA (firewall)
ASKER
No ISA, have Cisco FW.
Exchange - Basic only, Default Domain is \
Microsoft-Exchange-ActiveSync - Basic, Default Domain is "companydomainname"
ASKER
I noticed on the OMA directory I do not have an ASP.NET tab. One of the articles I saw said to change or make sure that I am running that VDir under ASP 1.1. Did this get deleted when ASP.NET 4.0 was installed?
ASKER
I see articles out there that talk about re-registering IIS version that I want, I tried re-registering IIS 1.1 but that didn't work.
Not sure if that has anything to do with this issue. Perhaps the tab came about when ASP.NET 2.0 came out. I'll try re-registering that.
What about the Secure communication settings for both of those virtual directories? What are those set to?
On my OMA virtual directory (sbs2k3) I do have an ASP.NET tab, so I am not sure why you would not, but I suppose when Microsoft had you try those different tasks it could have caused some issues with some of your virtual directories? Not sure on that one.
ASKER
On the Exchange VDir, the Secure Comms settings are checked: "Require SSL" and "Require 128-bit".
On Microsoft-Exchange-ActiveSync they are both unchecked.
Mmhhh... So what error do you get when trying to set up the connection on, say, an iPhone? Does it allow you to set up the connection but then won't sync up?
The error you are having is because you have forced SSL or forms-based authentication on your /exchange directory; it is a well-known issue.
http://support.microsoft.com/kb/817379
ASKER
This isn't a front end back end setup. This is a single server SBS 2003 box. I've been through this article 20 times since 2PM yesterday.
ASKER
The microsoft engineers and I ran through KB215383 and KB817379
this issue does NOT affect front end servers it is when you have a single box.
Rereading your error, it seems you have created /exchange-oma, so you probably went over the article; however, it seems that you didn't disable SSL or forms-based authentication on this one.
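Editor's note, added example (not part of any post in this thread, and not Microsoft's or Experts Exchange's code): a small Python model of the two things the thread ends up checking, namely whether /exchange-oma is set up the way KB 817379 requires on a single-server Exchange 2003 box (no SSL requirement, no forms-based authentication, Integrated Windows authentication enabled) and whether the certificate's DNS SANs actually cover the name the phones type in. The Event 3031 text, the SAN list and the vdir settings are transcribed from the posts above; the `VDir` class, the check functions and the `STATE_*` values are hypothetical and do not read the IIS metabase or the certificate store.

```python
"""Offline checker for the Exchange 2003 ActiveSync failure discussed above.

Hypothetical model (added example): nothing here touches the IIS metabase or
the certificate store; the names and settings are transcribed from the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the Event ID 3031 description quoted in the thread.
EVENT_3031 = (
    'The mailbox server [company-server.domain.local] does not allow '
    '"Negotiate" authentication to its [/exchange-oma] virtual directory. '
    'Exchange ActiveSync can only access the server using this authentication scheme.'
)

EVENT_RE = re.compile(
    r'The mailbox server \[(?P<server>[^\]]+)\] does not allow '
    r'"(?P<scheme>[^"]+)" authentication to its \[(?P<vdir>[^\]]+)\] virtual directory'
)


def parse_event_3031(description):
    """Pull (mailbox server, refused scheme, vdir) out of an Event 3031 description."""
    m = EVENT_RE.search(description)
    return (m.group("server"), m.group("scheme"), m.group("vdir")) if m else None


@dataclass(frozen=True)
class VDir:
    """One IIS 6 virtual directory as seen on its Directory Security tab (hypothetical model)."""
    name: str
    auth: frozenset            # subset of {"Anonymous", "Basic", "Integrated"}
    require_ssl: bool
    forms_based_auth: bool = False


def check_exchange_oma(vdirs):
    """Apply the KB 817379 single-server rules to /exchange-oma; an empty list means OK."""
    oma = next((v for v in vdirs if v.name.lower() == "/exchange-oma"), None)
    if oma is None:
        return ["/exchange-oma is missing; create it per KB 817379"]
    findings = []
    if oma.require_ssl:
        findings.append("/exchange-oma requires SSL; ActiveSync reaches it over plain HTTP on the same box")
    if oma.forms_based_auth:
        findings.append("/exchange-oma has forms-based authentication; disable it")
    if "Integrated" not in oma.auth:
        findings.append('/exchange-oma lacks Integrated Windows auth, so "Negotiate" is refused (Event 3031)')
    return findings


def cert_covers(hostname, san_dns_names):
    """True if hostname matches a DNS SAN; a wildcard may replace the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".companyname.org"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:                    # exactly one label
                return True
    return False


# Constructed from the thread: the SANs on the DigiCert UCC cert ...
SAN_NAMES = ["mail.companyname.org", "company-server.domain.local",
             "company-server", "autodiscover.companyname.org"]

# ... and the vdir settings the asker reported, in three states: /exchange-oma
# absent, created with SSL still required, and created the way the KB wants it.
EXCHANGE = VDir("/Exchange", frozenset({"Basic"}), require_ssl=True)
EAS = VDir("/Microsoft-Server-ActiveSync", frozenset({"Basic"}), require_ssl=False)
STATE_MISSING = [EXCHANGE, EAS]
STATE_SSL_ON = STATE_MISSING + [VDir("/exchange-oma", frozenset({"Basic", "Integrated"}), require_ssl=True)]
STATE_FIXED = STATE_MISSING + [VDir("/exchange-oma", frozenset({"Basic", "Integrated"}), require_ssl=False)]


def diagnose(vdirs, phone_server_name, san_dns_names):
    """Combine the vdir rules with the SAN check for the name the phones are given."""
    report = list(check_exchange_oma(vdirs))
    if not cert_covers(phone_server_name, san_dns_names):
        report.append(f"certificate does not cover the name phones use: {phone_server_name}")
    return report


if __name__ == "__main__":
    print("event:", parse_event_3031(EVENT_3031))
    for label, state in (("missing", STATE_MISSING), ("ssl on", STATE_SSL_ON), ("fixed", STATE_FIXED)):
        print(f"{label:8}", diagnose(state, "mail.companyname.org", SAN_NAMES) or "OK")
```

The model reproduces the thread's outcome: the server-side hop from ActiveSync to the mailbox store is plain HTTP with Negotiate on the same box, so it is the /exchange-oma settings, not the UCC certificate, that decide whether Event 3031 appears, and the certificate only has to cover the name the phones connect to. KB 817379 also has you point ActiveSync at that directory through the ExchangeVDir value under the MasSync service's Parameters registry key; the model does not check that.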
ASKER
I setup the Exchange account on the phone.
I add the Microsoft Exchange server mail.companyname.org to the server field.
It comes up and lets me finish the setup. I select mail, contacts and calendar sync. Then I click on save.
The account is created on the iPhone.
I hit the home button.
Go to Mail. I get Cannot Get Mail. The connection to the server failed.
Then I get Event ID: 3031 Server ActiveSync
Go to IIS: do you have a /exchange-oma virtual directory? If so, is SSL enabled on it?
ASKER
No.
ASKER
Same Activesync error with it enabled on the /exchange-oma vdir
It should NOT be enabled. Also, what authentication methods are enabled on this vdir?
ASKER
Basic and Integrated
ASKER
I am removing the UCC certificate and applying an SSL cert.
Browse to https://servername/exchange-oma. Do you get forms-based authentication or a popup for user/pass?
Let us know how the SSL cert goes... It will be interesting to see if it corrects the issue. I have a wildcard cert on my server and it functions fine, but it does not hurt to try and install the non-wildcard cert. Especially at this point.
ASKER
Same issue.
ASKER
Going to reboot server.
Will try matching this server to another I have operational that is working fine.
ASKER
Browse to https://servername/exchange-oma. Do you get forms-based authentication or a popup for user/pass?
I did this, I get "There is a problem with the website's security certificate."
I click on continue and I get to the OWA page.
No prompt for user/pass.
My thought there would be that it is using integrated auth
Did you install the Intermediate Certificate? I am sure you did but figured I would ask.
ASKER
This issue is resolved. Now onto the issue of the Blackberry sites not working.
Glad it is working for you!
ASKER
I would like to split points between you two.
It's ok. You figured it out!
ASKER
There are still issues with Sprint BlackBerry and Verizon BlackBerry. I will post the fix for those.
As far as I remember, Exchange 2003 does not support SAN certificates.
Grts,
Michael