  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 690
  • Last Modified:

OWA is now not working

I had to acquire a new certificate for exchange because the other one had expired...once I did this, we could no longer access our mail through OWA...any ideas on how to fix this...when I do go to our mail site, it redirects me to the IIS7 page...after it displays "the resource can not be found"  thanks in advance...
0
Daniel Fishkin
Asked:
Daniel Fishkin
  • 29
  • 27
1 Solution
 
FeebleminderCommented:
Go to this site and scroll down until you get to the IIS Manager Section and follow from there.
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Which site should I go to?  thanks
0
 
FeebleminderCommented:
0

 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Thanks...do I then need to go on to the create an ssl binding?
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
I think this is where I am having an issue... issue with certificate
0
 
FeebleminderCommented:
Click on Default Web Site> on the right-side you will see Edit Site bindings as in the photo below.
 

Click on bindings and highlight https        443 and click Edit

Under SSL Certificate choose your new certificate and press okay.

Restart IIS service
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Here is what I have under connections...I tried to create a new one, but it did not work...am I missing something here...
I did a new certificate at 2:50 today, and it is the Microsoft exchange certificate... Server Cert  Server Cert
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
here is a better screen shot of the server certificates server cert
0
 
FeebleminderCommented:
Okay get out of that.

Open up Exchange Management Shell and input this, then post result here.

Get-ExchangeCertificate
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Thanks so much for all your help....here is the screen shot... Exchange cert
0
 
FeebleminderCommented:
Sorry, thinking too fast... rerun but with

Get-ExchangeCertificate | List

The symbol is a PIPE below the backspace (hold SHIFT)
0
 
FeebleminderCommented:
Also which was the old Exchange CERT?
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Here it is...the screenshot of the old exchange cert is the first image...
 oldexchange list pt list pt2
0
 
FeebleminderCommented:
Enable-ExchangeCertificate -Thumbprint D84003E50FA2FED378F44DAC572B22D8879FB8BB -Service IIS

(That was hard to read, but verify that Thumbprint is correct and paste and run)

Then run

Remove-ExchangeCertificate -Thumbprint CC95DE5A9C369........... (Fill in the old cert thumbprint)
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
OK...I did that...but still no access to the OWA...
0
 
FeebleminderCommented:
Did you restart your IIS service?
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
yes, however it still shows that it is not trusted still not trusted
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
if it helps, here is the owa address

https://mail.lhwcpas.com/owa

0
 
FeebleminderCommented:
What method did you use to renew your certificate? I noticed that your Certs are not similar from old cert to new cert.

Also, when you use a self-signed certificate, it will show up as not trusted; place it in the Trusted Root Certification Authorities store.

0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
I just copied the LHW-DC-01 certificate into the trusted root cert folder, and it now shows it as trusted..but still no access.... cert ok 1 cert ok 2
0
 
FeebleminderCommented:
Let's start over and create a new Exchange Certificate. Use this command in Exchange Management Shell:

New-ExchangeCertificate

Enter: y

The certificate needs to have the same attributes that the old cert had.
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
ok...did that... new exchange cert
0
 
FeebleminderCommented:
Run this.... it will duplicate the configuration of the original Cert.

New-ExchangeCertificate -FriendlyName "Exchange Self-Signed Certificate" -SubjectName "cn=Sites" -DomainName Sites,LHW-DC-01.lhwcpas.local -PrivateKeyExportable:$True | Enable-ExchangeCertificate -Services POP,IMAP,IIS,SMTP
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
OK, did that, however it still says that it is not trusted...giving me the to enable please install in the trusted root cert folder
0
 
FeebleminderCommented:
Enable-ExchangeCertificate -Thumbprint ############ -Service IIS

(Insert the Thumbprint of the new CERT)

Then run

Remove-ExchangeCertificate -Thumbprint D84003E50FA2FED378F44DAC572B22D8879FB8BB (Fill in the thumbprint for both obsolete Certs now)
0
 
FeebleminderCommented:
0
 
FeebleminderCommented:
Also, please post the new Get-ExchangeCertificate | List


Thank you
0
 
FeebleminderCommented:
Also post Get-WebServicesVirtualDirectory | fl server,*url
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Here is the new list...which one is the thumbprint I want to use....
Thumbprint         : 518A6C90F50821AC9B356FF673B0C8DDDDCEA762
or
Thumbprint         : 2C2C1E0F60350B21A085F6170BE52E9F163AF61D

         Welcome to the Exchange Management Shell!

 Full list of cmdlets:          get-command
 Only Exchange cmdlets:         get-excommand
 Cmdlets for a specific role:   get-help -role *UM* or *Mailbox*
 Get general help:              help
 Get help for a cmdlet:         help <cmdlet-name> or <cmdlet-name> -?
 Show quick reference guide:    quickref
 Exchange team blog:            get-exblog
 Show full output for a cmd:    <cmd> | format-list

Tip of the day #27:

Do you want to work with data that is contained in a CSV file? Use Import-CSV to
 assign the data to an object. For example, type:

 $MyCSV = Import-CSV TestFile.CSV

You can then manipulate the data easily in the Exchange Management Shell. For ex
ample, if there is a column called Mailboxes in the CSV data, you can use the fo
llowing commands to sort or group the data by the Mailboxes column:

To sort: $MyCSV | Sort Mailboxes
To group: $MyCSV | Group Mailboxes

[PS] C:\Windows\System32>Get-ExchangeCertificate | List


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, LHW-DC-01.lhwcpas.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 9/9/2012 11:02:38 PM
NotBefore          : 9/9/2011 11:02:38 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 2327C03099E8B28A45336AC09B846825
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 518A6C90F50821AC9B356FF673B0C8DDDDCEA762

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {LHW-DC-01, LHW-DC-01.lhwcpas.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=LHW-DC-01
NotAfter           : 9/9/2012 10:14:17 PM
NotBefore          : 9/9/2011 10:14:17 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : E95707F800D4BE844056919B26B7DC6B
Services           : SMTP
Status             : Valid
Subject            : CN=LHW-DC-01
Thumbprint         : 2C2C1E0F60350B21A085F6170BE52E9F163AF61D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {LHW-DC-01.lhwcpas.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=lhwcpas-LHW-DC-01-CA
NotAfter           : 9/8/2012 9:39:05 PM
NotBefore          : 9/9/2011 9:39:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61030B84000000000010
Services           : None
Status             : Valid
Subject            : CN=LHW-DC-01.lhwcpas.local
Thumbprint         : 45075DB49638690EADABEC53EFF8E4B91C780861

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {lhwcpas-LHW-DC-01-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=lhwcpas-LHW-DC-01-CA
NotAfter           : 8/31/2014 11:25:06 AM
NotBefore          : 8/31/2009 11:15:06 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 659542A92E4D26AD40502F682EA2E98B
Services           : None
Status             : Valid
Subject            : CN=lhwcpas-LHW-DC-01-CA
Thumbprint         : B6A2F05759F25BCB25B1CD2979150C4428A7405B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-W6USPDUS3FZ}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-W6USPDUS3FZ
NotAfter           : 8/23/2019 6:36:39 PM
NotBefore          : 8/25/2009 6:36:39 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : C804AD7DFF6A248D487EF2E10F890FD8
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-W6USPDUS3FZ
Thumbprint         : 480E6FFEA4F73DC13D5B12CE0B07892CCDD41FA2



[PS] C:\Windows\System32>
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
here is the screenshot of the web services directory webservices
0
 
FeebleminderCommented:
These are good to use:

Enable-ExchangeCertificate -Thumbprint 518A6C90F50821AC9B356FF673B0C8DDDDCEA762 -Service IIS



Remove-ExchangeCertificate -Thumbprint 2C2C1E0F60350B21A085F6170BE52E9F163AF61D

0
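A check that answers "which thumbprint do I want to use" for a given OWA host name, as an added example that is not part of the original thread. `Test-OwaCertificate` is a hypothetical helper name; the sample objects are constructed from values in the listing posted above, and the sketch assumes each `CertificateDomains` entry converts to its host name as a string.

```powershell
# Added example (PowerShell 2.0 compatible); Test-OwaCertificate is a hypothetical helper.
function Test-OwaCertificate {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Certificate,
        [Parameter(Mandatory=$true)] [string] $HostName,
        [datetime] $Now = (Get-Date)
    )
    process {
        # CertificateDomains holds the names the certificate is valid for.
        $covers = $false
        foreach ($d in $Certificate.CertificateDomains) {
            $name = "$d"
            if ($name -ieq $HostName) { $covers = $true }
            elseif ($name.StartsWith('*.')) {
                # A wildcard stands for exactly one left-most label.
                $suffix = $name.Substring(1)
                if ($HostName.Length -gt $suffix.Length -and
                    $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                    $HostName.Substring(0, $HostName.Length - $suffix.Length).IndexOf('.') -lt 0) {
                    $covers = $true
                }
            }
        }
        $problems = @()
        if ("$($Certificate.Services)" -notmatch '\bIIS\b') { $problems += 'not enabled for IIS' }
        if (-not $covers) { $problems += "name list does not include $HostName" }
        if ($Now -lt $Certificate.NotBefore -or $Now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }
        if ($Certificate.IsSelfSigned) { $problems += 'self-signed: clients must trust it explicitly' }
        New-Object PSObject -Property @{
            Thumbprint = $Certificate.Thumbprint
            Problems   = ($problems -join '; ')
        }
    }
}

# Constructed sample objects carrying values from the listing posted above.
# On the Exchange server, pipe Get-ExchangeCertificate into the function instead.
$sample = @(
    New-Object PSObject -Property @{
        Thumbprint         = '518A6C90F50821AC9B356FF673B0C8DDDDCEA762'
        CertificateDomains = @('Sites', 'LHW-DC-01.lhwcpas.local')
        Services           = 'IMAP, POP, IIS, SMTP'
        IsSelfSigned       = $true
        NotBefore          = [datetime]'2011-09-09 23:02:38'
        NotAfter           = [datetime]'2012-09-09 23:02:38'
    }
    New-Object PSObject -Property @{
        Thumbprint         = '45075DB49638690EADABEC53EFF8E4B91C780861'
        CertificateDomains = @('LHW-DC-01.lhwcpas.local')
        Services           = 'None'
        IsSelfSigned       = $false
        NotBefore          = [datetime]'2011-09-09 21:39:05'
        NotAfter           = [datetime]'2012-09-08 21:39:05'
    }
)
$sample | Test-OwaCertificate -HostName 'mail.lhwcpas.com' -Now ([datetime]'2011-09-10') | Format-List
```

An empty `Problems` value means the certificate is enabled for IIS, lists the host name clients type, is inside its validity period and is not self-signed.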
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Here is the latest getExchangeCert List

Remove-ExchangeCertificate -Thumbprint 2C2C1E0F60350B21A085F6170BE52E9F163AF61D


Get-ExchangeCertificate | List


         Welcome to the Exchange Management Shell!

 Full list of cmdlets:          get-command
 Only Exchange cmdlets:         get-excommand
 Cmdlets for a specific role:   get-help -role *UM* or *Mailbox*
 Get general help:              help
 Get help for a cmdlet:         help <cmdlet-name> or <cmdlet-name> -?
 Show quick reference guide:    quickref
 Exchange team blog:            get-exblog
 Show full output for a cmd:    <cmd> | format-list

Tip of the day #21:

Sometimes it's useful to convert the output of a cmdlet to a string to interoper
ate with native cmdlets. For example, type:

 Get-Command | Out-String | Findstr "command"

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 518A6C90F50821AC
9B356FF673B0C8DDDDCEA762 -Service IIS
[PS] C:\Windows\System32>Remove-ExchangeCertificate -Thumbprint 2C2C1E0F60350B21
A085F6170BE52E9F163AF61D

Confirm
Are you sure you want to perform this action?
Remove certificate with thumbprint 2C2C1E0F60350B21A085F6170BE52E9F163AF61D?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y
[PS] C:\Windows\System32>Get-ExchangeCertificate | List


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, LHW-DC-01.lhwcpas.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Sites
NotAfter           : 9/9/2012 11:02:38 PM
NotBefore          : 9/9/2011 11:02:38 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 2327C03099E8B28A45336AC09B846825
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 518A6C90F50821AC9B356FF673B0C8DDDDCEA762

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {LHW-DC-01.lhwcpas.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=lhwcpas-LHW-DC-01-CA
NotAfter           : 9/8/2012 9:39:05 PM
NotBefore          : 9/9/2011 9:39:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61030B84000000000010
Services           : None
Status             : Valid
Subject            : CN=LHW-DC-01.lhwcpas.local
Thumbprint         : 45075DB49638690EADABEC53EFF8E4B91C780861

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {lhwcpas-LHW-DC-01-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=lhwcpas-LHW-DC-01-CA
NotAfter           : 8/31/2014 11:25:06 AM
NotBefore          : 8/31/2009 11:15:06 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 659542A92E4D26AD40502F682EA2E98B
Services           : None
Status             : Valid
Subject            : CN=lhwcpas-LHW-DC-01-CA
Thumbprint         : B6A2F05759F25BCB25B1CD2979150C4428A7405B

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-W6USPDUS3FZ}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-W6USPDUS3FZ
NotAfter           : 8/23/2019 6:36:39 PM
NotBefore          : 8/25/2009 6:36:39 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : C804AD7DFF6A248D487EF2E10F890FD8
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-W6USPDUS3FZ
Thumbprint         : 480E6FFEA4F73DC13D5B12CE0B07892CCDD41FA2



[PS] C:\Windows\System32>
0
 
FeebleminderCommented:
Have you implemented the Trusted Certificate Group Policy?

0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Doing that now...
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
still not working....when I go to https://mail.lhwcpas.com/owa I get server error 404 and says it is not trusted...although it says trusted on the site..
0
 
FeebleminderCommented:
We are down to IIS now. Go into IIS and drill down to owa. over on the right side see if you can browse with 443
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
How do I go into IIS...
0
 
FeebleminderCommented:
administrative tools> internet information services manager.

Same place we were when we began.

check owa SSL settings to make sure that SSL is enabled, require 128-bit SSL is checked and ignore client certificates is checked.
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
here seems to be the issue... issue
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
everything is set in SSL
 SSL settings
0
 
FeebleminderCommented:
Earlier, did you make a change to the binding 443 in the default web site? If so, go back in and change it back to the server's cert.

Okay, let's make checks from the top. Click on your server name in IIS> Server Certificates

Take a screenshot and post.

Next, click Default Web Site. On the right under Manage Website, click Restart.

Test external site mail.server.com/owa

0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
In regards to the bindings, it is set on the Exchange Self-Signed Certi...by server, do you mean another certificate...
if I select another certificate, I get a warning message...

I have attached the screen shots... Server Certificates
still nothing... warnings...
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
here is an issue that I get if I click into OWA under SBS web applications...will this cause an issue... owa/home
0
 
FeebleminderCommented:
change the 443 binding to LHW-DC-01.lhwcpas.local
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
did that...still a no go...when I go to https://localhost, it directs me to the IIS7 page...
0
 
FeebleminderCommented:
right click Default web site > edit permissions and verify names are as follows:

SYSTEM                   FULL CONTROL
LOCAL SERVICE      FULL CONTROL
NETWORK SERVICE FULL CONTROL
Administrators         FULL CONTROL
Users                       R&E, List, Read
IIS_IUSRS                R&E, List, Read
Trusted Installer      FULL CONTROL
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
all setup like this
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
just noticed this issue...and it won't let me set it up img 1 img 2
0
 
FeebleminderCommented:
run the Fix My Network wizard from the SBS Console
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Here is another issue issue
0
 
FeebleminderCommented:
Open Services.msc and Restart All exchange services that are running/Automatic and IIS services.

You need to add the external url to OWA in Exchange Console, as well.
0
 
FeebleminderCommented:
Did you run the Fix My Network utility by chance?

It is a good way to find mistakes with the server/certificates/etc...
0
 
FeebleminderCommented:
Can you start the OWA Web Site yet? The site is pulling the correct certificate now; it just needs to be enabled.
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
Still having issues...fix my network will not fix the OWA issue...here are the screens shots of the issues... issue1 issue2
0
 
Daniel FishkinOwner and Principal ConsultantAuthor Commented:
I was able to resolve this, however, I can not now scan to email with the BizHub c451...it says login error...I believe at some point I deleted the scan to email receive connector, and don't recall the settings...
0
 
FeebleminderCommented:
I do not have much experience working with a bizhub. Please submit a new question to have someone with more experience assist you.

What was the final fix, please post?

Thank you,
Feebleminder
0
