Neal58

Activesync and OWA issues

One of my clients has an SBS2008 server and uses Nokia mobiles to connect to their Exchange accounts.

This has been working fine for the past couple of years, but after a server reboot last month it isn't working. The Nokias are just coming up with a certificate error, not giving me a chance to install a new certificate or ignore it.

I have run https://www.testexchangeconnectivity.com/ and it fails here:

      Testing HTTP Authentication Methods for URL https://remote.companyname.co.uk/Microsoft-Server-ActiveSync/.
       The HTTP authentication test failed.
        Tell me more about this issue and how to resolve it
                   Additional Details
       The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.

Does anyone know what this means, and how to resolve it?

Also, OWA is not working; I am getting this error:

404 - File or directory not found.

or from the server:

Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Detailed Error Information
Module          IIS Web Core
Notification    MapRequestHandler
Handler         StaticFile
Error Code      0x80070002
Requested URL   https://remote.potterowtram.co.uk:443/owa
Physical Path   C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\owa
Logon Method    Anonymous
Logon User      Anonymous

Most likely causes:
The directory or file specified does not exist on the Web server.
The URL contains a typographical error.
A custom filter or module, such as URLScan, restricts access to the file.

Hendrik Wiese

Check that your certificate has not expired. To do this, follow these steps:
1. Open EMC
2. Expand Microsoft on Premises
3. Click on Server Configuration
4. In the bottom middle pane scroll to the right and look at the expiration date to ensure that it has not expired.

If it has, you would need to renew it from your Authoritative Certificate provider.

Hope this helps!!!

Jean-Bernard VERNEJOUX

About your Nokia behavior:
Has your certificate expired on the SBS?
A certificate often has a lifetime of 2 years. After 2 years, it expires and generates errors when it is validated by clients. You need to renew your certificate with a new one (to be valid for the next 2 years...)

On ExRCA: It seems that you have an IIS issue: some of your IIS web server configuration seems to be lost.

ExRCA says that it has detected anonymous access enabled on your Exchange web server, on the /Microsoft-ActiveSync virtual directory, and that is not a normal situation. Anonymous access must be disabled on it, and Basic or Integrated has to be used instead.

If OWA is also not working, try to resolve OWA access before ActiveSync (it's simpler).

Check the OWA/ActiveSync authentication configuration in your IIS Service Manager / Exchange System Manager.
Looking forward to hearing from you

Neal58

ASKER

HendrikWiese - sorry, you don't say which sub-option you wanted me to choose under Server Configuration... all I get from clicking on Server Configuration is the server name.

jbvernej - yeah, I was starting to look at issues in IIS. I was going through trying to recreate the virtual directories but was getting this error trying to delete:

[PS] C:\Windows\system32>remove-Owavirtualdirectory -identity "popserver\owa (de
fault web site)"

Confirm
Are you sure you want to perform this action?
The Remove-OwaVirtualDirectory cmdlet is removing Outlook Web Access virtual
directory "servername\owa (default web site)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a
Remove-OwaVirtualDirectory : Deleting virtual directory 'IIS://servername.domain.local/W3SVC/1/ROOT/owa' on 'servername' failed.
At line:1 char:27
+ remove-Owavirtualdirectory <<<<  -identity "servername\owa (default web site)"
    + CategoryInfo          : InvalidOperation: (servername\owa (Default Web Si
   te):ADObjectId) [Remove-OwaVirtualDirectory], InvalidOperationException
    + FullyQualifiedErrorId : D9473DB1,Microsoft.Exchange.Management.SystemCon
   figurationTasks.RemoveOwaVirtualDirectory

Neal58

ASKER

Also, in IIS, exchweb, exchange and exchadmin won't let themselves be expanded.

Anonymous is disabled, Basic is enabled in IIS on Microsoft-server-activesync.

Neal58

ASKER

If I run get-exchangecertificate, here are the results:

[PS] C:\Windows\system32>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 16/02/2014 13:50:08
NotBefore          : 17/02/2012 13:50:08
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 12BFA486000000000006
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : C6AE2E9B1A90BF3AC2589C9F21C1CBA8BD64BD7F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 24/06/2012 17:10:05
NotBefore          : 25/06/2011 17:10:05
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4044AF92000000000005
Services           : None
Status             : Valid
Subject            : CN=POPSERVER.potterowtram.local
Thumbprint         : B07190B6091557441AF96DC130E7BC7F835383D1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2012 15:33:07
NotBefore          : 07/08/2010 15:33:07
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1114B07F000000000004
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : 9EE44C4511B5F45254E7973B8C86897C56DBAC9F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 05/08/2012 11:12:46
NotBefore          : 06/08/2010 11:12:46
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610798B5000000000002
Services           : SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 50148AC3E5B3AF87CD91838F1F94B1F45546E06E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {potterowtram-POPSERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2015 11:20:36
NotBefore          : 06/08/2010 11:10:38
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 38C504ADCC8350A34ABC56054DACFA0F
Services           : None
Status             : Valid
Subject            : CN=potterowtram-POPSERVER-CA
Thumbprint         : CF2BF294A3B4B364B8C2DBBF13C45EAF51558284

After you click on Server Configuration, just select your CAS server and at the bottom you will see Exchange certificates. Scroll all the way to the right to see the expiration date.

Neal58

ASKER

If I click on the server in the list, it just highlights and nothing appears beneath it, which is generally how Exch2007 works. I know in 2010 if you highlight the server it gives you those details beneath.

OK, sorry, was on Exchange 2010.

On 2007, in PowerShell, with "Get-ExchangeCertificate | fl" you should see either something like "expiration date" or "not after", which is the date that your certificate will expire.

Neal58
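
Added example (not part of the original thread and not any poster's code): a snippet for the Exchange Management Shell that turns the Get-ExchangeCertificate listing discussed here into an expiry report, and warns about expired certificates that still have services assigned and about the state of the certificate enabled for IIS. It uses only properties visible in the output posted in this thread; the 30-day warning window is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# Uses only properties shown in the Get-ExchangeCertificate output in this thread.
$now      = Get-Date
$warnDays = 30   # assumption: how far ahead to flag an upcoming expiry

$props = @(
    @{Name='DaysLeft'; Expression={ [int][math]::Floor(($_.NotAfter - $now).TotalDays) }},
    @{Name='Services'; Expression={ "$($_.Services)" }},
    'NotAfter', 'IsSelfSigned', 'Subject', 'Thumbprint'
)
$certs = @(Get-ExchangeCertificate | Select-Object -Property $props)

# Overview, soonest expiry first. NotAfter is a DateTime, so the comparison
# does not depend on how the date is displayed (dd/MM/yyyy in the output above).
$certs | Sort-Object NotAfter |
    Format-Table DaysLeft, NotAfter, Services, IsSelfSigned, Subject -AutoSize

# Expired certificates that still have a service assigned to them.
$certs | Where-Object { $_.DaysLeft -lt 0 -and $_.Services -ne 'None' } |
    ForEach-Object {
        Write-Warning ("Expired but still enabled for {0}: {1} [{2}]" -f $_.Services, $_.Subject, $_.Thumbprint)
    }

# Certificates whose Services field includes IIS (web services such as OWA
# and ActiveSync).
$iis = @($certs | Where-Object { $_.Services -match 'IIS' })
if ($iis.Count -eq 0) { Write-Warning 'No certificate is enabled for IIS.' }
foreach ($c in $iis) {
    if ($c.DaysLeft -lt 0) {
        Write-Warning ("IIS certificate expired on {0:d}: {1}" -f $c.NotAfter, $c.Subject)
    } elseif ($c.DaysLeft -le $warnDays) {
        Write-Warning ("IIS certificate expires in {0} days: {1}" -f $c.DaysLeft, $c.Subject)
    }
    if ($c.IsSelfSigned) {
        Write-Warning ("IIS certificate is self-signed: {0}" -f $c.Subject)
    }
}
```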

ASKER

Yep, results posted a couple of posts above :)

These 2 are out of date:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A

Neal58

ASKER

Using the command get-exchangecertificate -thumbprint <thumbprint> | new-certificate for the first one above, it gives the warning:

This certificate will not be used for external TLS connections with an FQDN of <servername.domain.local> because the CA-signed cert with thumbprint <thumbprint> takes precedence.

Is this OK?

Yes, as long as the CA certificate is not self-signed and has not yet expired.

Neal58

ASKER

OK, the certificates are self-signed and were expired...

About a minute before your post I told it to continue with Yes to All for both the expired certificates.

And now all the PCs are coming up with certificate warnings! Oh dear! I assume I need to get the servername.domain.local value back in under the CN field. How would I go about getting it back there?

ASKER CERTIFIED SOLUTION
Neal58

This solution is only available to members.