Solved

Activesync and OWA issues

Posted on 2012-03-13
Last Modified: 2012-04-02
One of my clients has an SBS2008 server and uses Nokia mobiles to connect to their Exchange accounts.

This has been working fine for the past couple of years, but after a server reboot last month it isn't working. The Nokias are just coming up with a certificate error, not giving me a chance to install a new certificate or ignore it.

I have run https://www.testexchangeconnectivity.com/ and it fails here:

      Testing HTTP Authentication Methods for URL https://remote.companyname.co.uk/Microsoft-Server-ActiveSync/.
       The HTTP authentication test failed.
        Tell me more about this issue and how to resolve it
                   Additional Details
       The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.

Does anyone know what this means, and how to resolve it?

Also, OWA is not working; I am getting this error:

404 - File or directory not found.

or from the server:

Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL https://remote.potterowtram.co.uk:443/owa
Physical Path C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\owa
Logon Method Anonymous
Logon User Anonymous
 Most likely causes:
The directory or file specified does not exist on the Web server.
The URL contains a typographical error.
A custom filter or module, such as URLScan, restricts access to the file.
Question by:Neal58
15 Comments
 
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 37714014
Check that your certificate has not expired. To do this follow these steps:
1. Open EMC
2. Expand Microsoft on Premises
3. Click on Server Configuration
4. In the bottom middle pane scroll to the right and look at the expiration date to ensure that it has not expired.

If it has you would need to renew it from your Authoritative Certificate provider.

Hope this helps!!!
0
 
LVL 8

Expert Comment

by:jbvernej
ID: 37714045
About your Nokia behavior:
Has your certificate expired on the SBS?
A certificate often has a lifetime of 2 years. After 2 years, it expires and generates errors when it is validated by clients. You need to replace your certificate with a new one (to be valid for the next 2 years...)

On ExRCA: it seems that you have an IIS issue: some of your IIS web server configuration seems to be lost.

The ExRCA says that it has detected anonymous access enabled on your Exchange web server, on the /Microsoft-ActiveSync virtual directory, and that is not a normal situation. Anonymous access must be disabled on it, and Basic or Integrated has to be used instead.

If OWA is also not working, try to resolve OWA access before ActiveSync (it's simpler).

Check the OWA/ActiveSync authentication configuration in your IIS Service Manager / Exchange System Manager.
0
 
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 37714061
Looking forward to hearing from you
0
 
LVL 4

Author Comment

by:Neal58
ID: 37714101
HendrikWiese - sorry, you don't say which sub-option you wanted me to choose under Server Configuration . . . all I get from clicking on Server Configuration is the server name.

jbvernej - yeah, I was starting to look at issues in IIS. I was going through trying to recreate the virtual directories but was getting this error trying to delete:

[PS] C:\Windows\system32>remove-Owavirtualdirectory -identity "popserver\owa (de
fault web site)"

Confirm
Are you sure you want to perform this action?
The Remove-OwaVirtualDirectory cmdlet is removing Outlook Web Access virtual
directory "servername\owa (default web site)".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a
Remove-OwaVirtualDirectory : Deleting virtual directory 'IIS://servername.domain.local/W3SVC/1/ROOT/owa' on 'servername' failed.
At line:1 char:27
+ remove-Owavirtualdirectory <<<<  -identity "servername\owa (default web site)"
    + CategoryInfo          : InvalidOperation: (servername\owa (Default Web Si
   te):ADObjectId) [Remove-OwaVirtualDirectory], InvalidOperationException
    + FullyQualifiedErrorId : D9473DB1,Microsoft.Exchange.Management.SystemCon
   figurationTasks.RemoveOwaVirtualDirectory
0
 
LVL 4

Author Comment

by:Neal58
ID: 37714135
Also, in IIS, exchweb, exchange and exchadmin won't let themselves be expanded.

Anonymous is disabled and Basic is enabled in IIS on Microsoft-Server-ActiveSync.
0
 
LVL 4

Author Comment

by:Neal58
ID: 37714148
If I run get-exchangecertificate, here are the results:

[PS] C:\Windows\system32>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 16/02/2014 13:50:08
NotBefore          : 17/02/2012 13:50:08
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 12BFA486000000000006
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : C6AE2E9B1A90BF3AC2589C9F21C1CBA8BD64BD7F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 24/06/2012 17:10:05
NotBefore          : 25/06/2011 17:10:05
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4044AF92000000000005
Services           : None
Status             : Valid
Subject            : CN=POPSERVER.potterowtram.local
Thumbprint         : B07190B6091557441AF96DC130E7BC7F835383D1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.potterowtram.co.uk, potterowtram.co.uk, POPSERVER.
                     potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2012 15:33:07
NotBefore          : 07/08/2010 15:33:07
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1114B07F000000000004
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=remote.potterowtram.co.uk
Thumbprint         : 9EE44C4511B5F45254E7973B8C86897C56DBAC9F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 05/08/2012 11:12:46
NotBefore          : 06/08/2010 11:12:46
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610798B5000000000002
Services           : SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 50148AC3E5B3AF87CD91838F1F94B1F45546E06E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {potterowtram-POPSERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=potterowtram-POPSERVER-CA
NotAfter           : 06/08/2015 11:20:36
NotBefore          : 06/08/2010 11:10:38
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 38C504ADCC8350A34ABC56054DACFA0F
Services           : None
Status             : Valid
Subject            : CN=potterowtram-POPSERVER-CA
Thumbprint         : CF2BF294A3B4B364B8C2DBBF13C45EAF51558284
0
 
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 37714194
After you click on server configuration, just select your cas server and at the bottom you will see Exchange certificates. Scroll all the way to the right to see the expiration date.
0

 
LVL 4

Author Comment

by:Neal58
ID: 37714218
If I click on the server in the list, it just highlights and nothing appears beneath it, which is generally how Exchange 2007 works. I know in 2010 if you highlight the server it gives you those details beneath.
0
 
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 37714261
OK sorry was on Exchange 2010.

On 2007, in PowerShell, run "Get-ExchangeCertificate |fl"; you should see either something like "expiration date" or "not after", which is the date that your certificate will expire.
0
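
The expiry check discussed in this thread, as an added example that is not part of any post: a PowerShell function that takes the objects returned by Get-ExchangeCertificate and reports, per certificate, whether it is expired or close to expiry and whether it is assigned to IIS. The function name Get-CertExpiryReport, the 30-day warning window and the sample objects are assumptions made for illustration.

```powershell
# Added example, not from the thread. Get-CertExpiryReport is a hypothetical
# helper name; requires PowerShell 2.0 or later.
function Get-CertExpiryReport {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        [datetime] $AsOf = (Get-Date),   # date to evaluate validity against
        [int] $WarnDays = 30             # size of the "expiring soon" window
    )
    process {
        $services = "$($Certificate.Services)"
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $AsOf).TotalDays)
        if     ($Certificate.NotBefore -gt $AsOf) { $state = 'NotYetValid' }
        elseif ($Certificate.NotAfter  -lt $AsOf) { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays)          { $state = 'ExpiringSoon' }
        else                                      { $state = 'OK' }

        New-Object PSObject -Property @{
            State      = $state
            DaysLeft   = $daysLeft
            NotAfter   = $Certificate.NotAfter
            # The IIS-assigned certificate is the one OWA and ActiveSync clients are shown
            ServesIIS  = ($services -match '\bIIS\b')
            SelfSigned = $Certificate.IsSelfSigned
            Services   = $services
            Subject    = $Certificate.Subject
        }
    }
}

# Constructed sample objects, modelled on three entries of the output posted
# earlier in the thread, so the function can be tried without an Exchange server.
$sample = @(
    New-Object PSObject -Property @{ Subject = 'CN=remote.potterowtram.co.uk'
        Services = 'IMAP, POP, IIS, SMTP'; IsSelfSigned = $false
        NotBefore = [datetime]'2012-02-17T13:50:08'; NotAfter = [datetime]'2014-02-16T13:50:08' }
    New-Object PSObject -Property @{ Subject = 'CN=POPSERVER.potterowtram.local'
        Services = 'None'; IsSelfSigned = $false
        NotBefore = [datetime]'2011-06-25T17:10:05'; NotAfter = [datetime]'2012-06-24T17:10:05' }
    New-Object PSObject -Property @{ Subject = 'CN=POPSERVER'
        Services = 'SMTP'; IsSelfSigned = $true
        NotBefore = [datetime]'2010-08-06T13:45:02'; NotAfter = [datetime]'2011-08-06T13:45:02' }
)

# Evaluate the sample as of the date the question was posted.
$sample | Get-CertExpiryReport -AsOf ([datetime]'2012-03-13') | Sort-Object NotAfter |
    Format-Table State, DaysLeft, ServesIIS, SelfSigned, Subject -AutoSize

# On the server itself (Exchange Management Shell):
#   Get-ExchangeCertificate | Get-CertExpiryReport | Sort-Object NotAfter
```

Sorting by NotAfter puts the certificates that need attention first, and the ServesIIS column separates the certificate presented to OWA and ActiveSync clients from those used only for SMTP, POP or IMAP.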
 
LVL 4

Author Comment

by:Neal58
ID: 37714271
Yep, results posted above a couple of posts :)

These 2 are out of date:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 13:45:02
NotBefore          : 06/08/2010 13:45:02
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 173E5A93DB87F48D4EFC6F874D2B4C11
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : EB3088C98204EC9B1BB1603FC91FA4F763B79FC5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {POPSERVER, POPSERVER.potterowtram.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=POPSERVER
NotAfter           : 06/08/2011 11:50:37
NotBefore          : 06/08/2010 11:50:37
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 5BD4508795E497A34019FC0895AC39D2
Services           : SMTP
Status             : Invalid
Subject            : CN=POPSERVER
Thumbprint         : FA288C569DB050752AD9FB4DE11F135FF8A30F0A
0
 
LVL 4

Author Comment

by:Neal58
ID: 37714475
Using the command get-exchangecertificate -thumbprint <thumbprint> | new-certificate for the first one above, it gives the warning:

This certificate will not be used for external TLS connections with an FQDN of <servername.domain.local> because the CA-signed cert with thumbprint <thumbprint> takes precedence.

Is this OK?
0
 
LVL 20

Expert Comment

by:Hendrik Wiese
ID: 37714814
Yes, as long as the CA certificate is not self-signed and has not yet expired.
0
 
LVL 4

Author Comment

by:Neal58
ID: 37714838
OK, the certificates are self-signed and were expired . . .

About a minute before your post I told it to continue with "Yes to All" for both the expired certificates.

And now all the PCs are coming up with certificate warnings! Oh dear! I assume I need to get the servername.domain.local value back in under the CN field. How would I go about getting it back there?
0
 
LVL 4

Accepted Solution

by:
Neal58 earned 0 total points
ID: 37776039
0
 
LVL 4

Author Closing Comment

by:Neal58
ID: 37795049
0
