Activesync and OWA issues

One of my clients has an SBS2008 server and use Nokia mobiles to connect to their exchange accounts.

This has been working fine for the past couple of years, but after a server reboot last month it isn't working. The Nokia's are just coming up with a certificate error, not giving me a chance to install a new certificate or ignore it.

I have run https://www.testexchangeconnectivity.com/ and it fails here:

      Testing HTTP Authentication Methods for URL https://remote.companyname.co.uk/Microsoft-Server-ActiveSync/.
       The HTTP authentication test failed.
        Tell me more about this issue and how to resolve it
                   Additional Details
       The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.

does anyone know what this means? and how to resolve it?

Also, OWA is not working, i am getting this error;

404 - File or directory not found.

or from the server:

Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable. Detailed Error InformationModule IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL https://remote.potterowtram.co.uk:443/owa 
Physical Path C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\owa
Logon Method Anonymous
Logon User Anonymous
 Most likely causes:
The directory or file specified does not exist on the Web server.
The URL contains a typographical error.
A custom filter or module, such as URLScan, restricts access to the file.
LVL 4
Neal58Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hendrik WieseInformation Security ManagerCommented:
Check that your certificate has not expired. To do this follow these steps:
1. Open EMC
2. Expand Microsoft on Premises
3. Click on Server Configuration
4. In the bottom middle pane scroll to the right and look at the expiration date to ensure that it has not expired.

If it has you would need to renew it from your Authoritative Certificate provider.

Hope this helps!!!
jbvernejTechnical Support EngineerCommented:
About your Nokia behavior:
Your certificate has expired on the SBS ?
A certificate has often a lifetime of 2 years  long. After 2 years, it expires and generates errors when it is validated by clients. You need to renew your certificate with a new one (to be valid on next 2 years...)

On ExRCA: It seems that you have an IIS issue: some of your IIS web server configuration seem to be lost.

The ExRCA say that it has detected an anonymous access enabled on your Exchange web server and it's not a normal situation, on /Microsoft-ActiveSync virtual directory. Anonymous access must be disabled on it but Basic or integrated has to be used instead.

If OWA doesn't also not working , try to resolved OWA access before ActiveSync (it's simpler)

Check in your IIS Service manager / Exchange system manager the OWA/Activesync Configuration about authentication
Hendrik WieseInformation Security ManagerCommented:
Looking forward to hearing from you
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Neal58Author Commented:
HendrikWiese - sorry you dont say which sub option you wanted me to choose under server configuration . . all I get from clicking on server configuration is the Server name

jbvernej - yeah I was starting to look at issues in IIS. was going through trying to recreate the virtual directories but was getting this error trying to delete:

[PS] C:\Windows\system32>remove-Owavirtualdirectory -identity "popserver\owa (de
fault web site)"

Confirm
Are you sure you want to perform this action?
The Remove-OwaVirtualDirectory cmdlet is removing Outlook Web Access virtual
directory "servername\owa (default web site)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a
Remove-OwaVirtualDirectory : Deleting virtual directory 'IIS://servername.domain.local/W3SVC/1/ROOT/owa' on 'servername' failed.
At line:1 char:27
+ remove-Owavirtualdirectory <<<<  -identity "servername\owa (default web site)"
    + CategoryInfo          : InvalidOperation: (servername\owa (Default Web Si
   te):ADObjectId) [Remove-OwaVirtualDirectory], InvalidOperationException
    + FullyQualifiedErrorId : D9473DB1,Microsoft.Exchange.Management.SystemCon
   figurationTasks.RemoveOwaVirtualDirectory
Neal58Author Commented:
also in iis echweb, exchange, exchadmin wont let themselves be expanded

Anonymous is disabled, basic is enabled in IIs on Microsoft-server-activesync
Neal58Author Commented:
if i run get-exchangecertificate here are the results:

[PS] C:\Windows\system32>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 16/02/2014 13:50:08
NotBefore          : 17/02/2012 13:50:08
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 12BFA486000000000006
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : C6AE2E9B1A90BF3AC2589C9F21C1CBA8BD64BD7F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 24/06/2012 17:10:05
NotBefore          : 25/06/2011 17:10:05
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4044AF92000000000005
Services           : None
Status             : Valid
Subject            : CN=POPSERVER.potterowtram.local
Thumbprint         : B07190B6091557441AF96DC130E7BC7F835383D1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2012 15:33:07
NotBefore          : 07/08/2010 15:33:07
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1114B07F000000000004
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : 9EE44C4511B5F45254E7973B8C86897C56DBAC9F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 05/08/2012 11:12:46
NotBefore          : 06/08/2010 11:12:46
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610798B5000000000002
Services           : SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 50148AC3E5B3AF87CD91838F1F94B1F45546E06E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {potterowtram-POPSERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2015 11:20:36
NotBefore          : 06/08/2010 11:10:38
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 38C504ADCC8350A34ABC56054DACFA0F
Services           : None
Status             : Valid
Subject            : CN=potterowtram-POPSERVER-CA
Thumbprint         : CF2BF294A3B4B364B8C2DBBF13C45EAF51558284
Hendrik WieseInformation Security ManagerCommented:
After you click on server configuration, just select your cas server and at the bottom you will see Exchange certificates. Scroll all the way to the right to see the expiration date.
Neal58Author Commented:
If i click on the server in the list, it just highlights and nothing appears beneath it, which is generally how exch2007 works. I know in 2010 if you highlight the server it gives you those details beneath.
Hendrik WieseInformation Security ManagerCommented:
OK sorry was on Exchange 2010.

On 2007 in powershell "Get-ExchangeCertificate |fl" you should either see something like "expiration date" or "not after" which is the date that your certificate will expire
Neal58Author Commented:
yep, results posted above a couple of posts :)

these 2 are out of date:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A
Neal58Author Commented:
using the command get-exchangecertificate -thumbprint <thumbprint> | new-certificate for the first one above it gives the warning:

this certificate will not be used for external TLS connections with an FQDN of <servername.domain.local> becuase the ca-signed cert with thumprint <thuimbprint> takes precedence.

is this ok?
Hendrik WieseInformation Security ManagerCommented:
Yes as long as the CA certificate is not self signed and has not yet expired.
Neal58Author Commented:
ok, the certificates are self signed and were expired . . .

about a minute before your post i told it to continue with yes to all for both the expired certificates.

and now all the pc's are coming up with certificate warnings! oh dear! I assume I need to get the servername.domain.local value back in under the CN field. How would i go about getting it back there?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.