• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 743
  • Last Modified:

SBS2008 SP2 self-signed certificate publication to non-domain users

Hi Guys,

I have an SBS2008 SP2 server running Exchange 2007. There are about 15 users connected through locally connected PCs on the SBS domain and another 10 connecting from a workgroup who use RPC/HTTPS to connect to Exchange accounts on the SBS2008 box. All worked well until the trusted certificate expired today.

There is a problem with the existing certificate provider - I'll not go into that. I have managed to get the local domain users operational again by switching to a self-signed certificate, however the remote users still see a security certificate error when they attempt to log in to Outlook.

I'm aware I need to install the new certificate onto the remote machines, but the location of the certificate detailed in various documents says that it should be at c:\users\Public\Public Downloads (local server). This appears not to be the case.

I have run the Fix My Network wizard and also run the Internet Connection wizard in an attempt to publish to the expected place, but to no avail.

The certificate as viewed in the SBS Console - Network - Connectivity tab shows a self-signed certificate valid for two years from today (when I created the self-signed certificate). The certificate in the public area is a previously created self-signed certificate dated 2015.

How do I get the public area to update with the newly created certificate?

I have tried the Internet Address Management Wizard through the SBS Console and the 'Setup your Internet Address' option in the above Connectivity tab, but this results in the attached errors - I understand this wizard should update the public area. It is sending me around in a circle.

If the non-domain users connect over a VPN then they can connect to email. We don't want all users here to have VPN connectivity.

I'm running out of options here, hope someone can help.

Regards
IAMWcapture.docx
0
Asked: TrevorWhite
1 Solution
 
Cliff GaliherCommented:
You don't. The certificate in the public downloads area is the ROOT certificate. The certificate you created today is a LEAF from that root. Thus when you use the installer, any leaf created from that root, including the one you created today, will be trusted.

This is by design so that an admin doesn't have to redeploy self signed certificates every two years, they only need to redeploy the root every 5. When a leaf expires and a new one is created, the whole thing "just works."

If a new package was not created then it means the root is still valid and the wizard saw no need to recreate the package. Use it and things will work.
0
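What the certificate installer package from Public Downloads does on a non-domain workstation is put the SBS root certificate into the machine's Trusted Root Certification Authorities store; once that root is trusted, any leaf the SBS CA issues chains to it. The script below is an added example, not the thread's or the SBS installer's own code: it imports an exported root certificate by hand, then connects to the Outlook Anywhere host, pulls the leaf the server is actually serving and checks that it chains to that root and names the host. The path C:\Temp\SBSRoot.cer and the host remote.example.com are placeholders; save it as a .ps1 and run it from an elevated prompt on the workstation.

```powershell
# Added example (not from the thread). Imports the SBS root certificate into
# the workstation's Trusted Root store (what the SBS certificate installer
# package does) and then verifies that the leaf served on the Outlook
# Anywhere host chains to that root. Path and host name are placeholders.
param(
    [string]$RootCerPath = 'C:\Temp\SBSRoot.cer',   # assumed location of the exported root
    [string]$HostName    = 'remote.example.com',    # assumed Outlook Anywhere / RWW host
    [int]$Port           = 443
)

function Import-RootCert {
    param([string]$Path)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Only a self-issued CA certificate belongs in Trusted Root. Refuse a leaf:
    # trusting the server's own leaf "works" until it expires and then breaks
    # again in two years, which is exactly what the root-based package avoids.
    if ($root.Subject -ne $root.Issuer) { throw "$Path is not self-issued; it is a leaf, not the root." }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')                                # needs an elevated prompt
    try { $store.Add($root) } finally { $store.Close() }    # Add is a no-op if already present
    return $root
}

function Get-ServedLeaf {
    param([string]$Server, [int]$Port)
    # Complete a TLS handshake accepting any certificate, purely to capture
    # what the server presents; the real judgement is made in Test-LeafChain.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-LeafChain {
    param($Leaf, $Root, [string]$Server)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The SBS CA's CRL is normally only reachable on the LAN, so do not let an
    # unreachable CRL mask the question actually being asked (the trust anchor).
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built  = $chain.Build($Leaf)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Host name check: CN plus every DNS entry in the Subject Alternative Name.
    $names = @($Leaf.GetNameInfo('DnsName', $false))
    $san = $Leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }

    New-Object PSObject -Property @{
        LeafSubject    = $Leaf.Subject
        LeafExpires    = $Leaf.NotAfter
        ChainBuilds    = $built
        AnchoredOnRoot = ($anchor.Thumbprint -eq $Root.Thumbprint)
        NameMatches    = ($names -contains $Server)
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

$root = Import-RootCert -Path $RootCerPath
$leaf = Get-ServedLeaf -Server $HostName -Port $Port
Test-LeafChain -Leaf $leaf -Root $root -Server $HostName | Format-List
# Outlook stops warning only when ChainBuilds, AnchoredOnRoot and NameMatches
# are all True. An expired LeafExpires is a server-side problem (re-run the
# Fix My Network wizard), not something to fix on the workstation.
```

The import step is equivalent to `certutil -addstore Root C:\Temp\SBSRoot.cer`, which is handy on a machine without the .NET classes to hand; the point of the rest of the script is that it checks the chain the same way Outlook will, against the leaf the server is serving right now rather than the one you think is installed.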
 
TrevorWhiteAuthor Commented:
Hi CGaliher,

Thanks for that.
So as far as I understand you, the root certificate is used/installed on workstations (by policy for domain members or manually for non-domain members).

Is there anything else I need to do when changing from the original trusted certificate to the self-signed one?

Only I believe I have done this but the non-domain users are getting proxy server security certificate warnings.

Thanks
Trevor
0
 
Cliff GaliherCommented:
That's it. If you can post the specific error, I can help troubleshoot.
0

 
TrevorWhiteAuthor Commented:
HI
A little background is necessary here.
The reason we can't renew the original cert is because the previous IT guy has control of the domain and the WHOIS has been protected. So we can't simply renew.

I've been trying to purchase a new trusted cert from a different CA (GoDaddy) but again I fall foul of not being in control of the domain. We are working on this but it won't be quick.

So the SBS2008 is currently in a state where a trusted certificate has been requested but is not complete/installed.

My understanding is that when the trusted cert is not found it will use the self-signed one - can you confirm?

I have been working around the proxy server error by connecting the non-domain users by VPN - this gives them access to email (RPC/HTTPS Outlook setups).

Only issue is I can't log into them while the VPN is connected. Will capture the original error tomorrow.

Can you confirm my understanding about certificate failover?

Thanks
0
 
Cliff GaliherCommented:
Certificates won't "fail over." There is no logic or fall-back process. If you have a trusted certificate and it expired, IIS will continue to happily serve up that expired certificate until it is replaced.

A certificate is replaced one of several ways.

1) The trusted certificate wizard is run and a new certificate is installed.
2) A new certificate is manually installed or imported.
3) The internet address wizard is run followed by the Fix My Network wizard, which generates and installs an internally signed leaf certificate.

If any of those occurs, a new certificate is bound and any knowledge of previous certificates is removed. So there isn't any "if certificate A is present, use it-else use certificate B" ...it just doesn't work that way.

-Cliff
0
 
TrevorWhiteAuthor Commented:
I see, I believe I had read that if a trusted cert is not found then the self-signed cert is used.

If the trusted cert has status 'Requested' (the CSR was pasted into the GoDaddy page), will running the internet wizard followed by the Fix My Network wizard cause the 'Requested' cert a problem, or can this simply be installed when available from GoDaddy?

Sorry for the delay - have just had another issue to deal with - Sophos rolled a false positive out and warnings are swamping me and the rest of the world.

Regards
Trevor
0
 
Cliff GaliherCommented:
Yes, running the wizards will probably kill the certificate request. However I wouldn't worry about that too much; go ahead and do it anyway.

When you have your domain ownership issues resolved, you can generate a new request and on the GoDaddy side of things you can perform a "rekey" (free) to submit the newly generated request. So while running the wizard will interfere with the existing request, rekeying is trivial and rapid since domain ownership will already be verified.

-Cliff
0
 
TrevorWhiteAuthor Commented:
Thanks Cliff,
I appreciate your time with this - I'll report back later today.

Regards
Trev
0
 
TrevorWhiteAuthor Commented:
Hmmmm
Running the Internet Address wizard now gives the errors shown in the attachment; it points to running the Fix My Network wizard, which gives the report shown in the other attachment.

I unticked the first two items as these are acceptable and the last is fixed (at least that's what the next page of the wizard says).

Comments?

What is the Internet Address wizard attempting to do that is failing?

Cheers
InternetAddressWizardErrors.docx
FixNetworkReport.docx
0
 
Cliff GaliherCommented:
Regarding the Fix My Network wizard, if you click on the third option to highlight it, the details pane should give you more info. The screen grab you posted doesn't show it, nor did you post any errors that the FMNW may be throwing.
0
 
TrevorWhiteAuthor Commented:
Doesn't give much more, but will grab both for you.
Thanks
0
 
TrevorWhiteAuthor Commented:
Here are Internet Wizard Error reports - in full
and FMNW report
IAWReport.docx
FMNWreport.docx
0
 
Cliff GaliherCommented:
Interesting. Grab the log file and look in there for errors and if you can't see the solution, feel free to post it.

The log file is located in (I'm going from memory here at the moment) program files\small business server\logs\DPCW.log

-Cliff
0
 
TrevorWhiteAuthor Commented:
HI,
Well I can see an exception in the log but thats about it.
It looks like some communication check with the router may have failed - this is a DrayTek 2830 with all of the correct ports open and pointed to the server's single NIC at 192.168.2.200.
The router sits at 192.168.2.1.

There is another router on the same physical network but on a different subnet (also a DrayTek 2830); this is for SIP trunks and the telephone system. Surely not a problem here?

Here is the log

Thanks again for your time with this.
Regards
Trevor
DPCW.log
0
 
Cliff GaliherCommented:
I can see multiple run-throughs with the wizard and the system is generating a new leaf every time with a different thumbprint. Right now it appears to me as though the wizard is failing to pull the proper certificate and is therefore tripping over itself.

I'd go into the certificate store and remove at least the 3rd-party certificate, and it probably wouldn't hurt to clean up any lingering leaf certs as well. But you want/need to leave the root cert intact. Then re-run the wizard. As always, when deleting data, make sure to have a good backup.

-Cliff
0
 
TrevorWhiteAuthor Commented:
OK - this is going to appear noddy, but

1. What tool do I use to manage the certificates? Is this another SBS wizard?
2. How do I differentiate a root from a leaf certificate?

Or can I simply browse to a folder, in which case where are they stored.

Sorry to be a numpty

Cheers
Trev
0
 
Cliff GaliherCommented:
Unfortunately there is no wizard. But before we go there, it did occur to me to try something. I've never seen it cause a problem before, but I won't rule it out and it'll be less intrusive.

Run the "add a trusted certificate wizard" and when it prompts that you have a request pending, choose the option to cancel the request. Then try rerunning the internet address wizard. One of the URs may have added logic to try and use a certificate from the trusted wizard and if that is in a pending state things *may* go awry. I am not in a position to test-lab it at the moment.
0
 
TrevorWhiteAuthor Commented:
Ah - during one of the attempts to run the wizard I also ran the remove request wizard.
Hope I haven't burnt a bridge
0
 
TrevorWhiteAuthor Commented:
I just followed your line of thinking through and ran the add trusted cert wizard and selected the option to wait for the CA. Then ran the add trusted cert wizard again and cancelled.

It said it imported the self-signed cert.

Do we view/manage certs through IE, or are these cached copies?
The tabs here describe root certs, etc.
If I remove certs from here are they removed from the correct place?

Trev
Have to turn in soon - early start tomorrow
0
 
Cliff GaliherCommented:
Have you tried the internet address wizard after you did the trusted cert wizard bit again? Does it still fail?

To answer your other question, no you do not manage certs through IE. There is a certificate services MMC you must use.

1. Start → Run: mmc.exe
2. Menu: File → Add/Remove Snap-in…
3. Under Available snap-ins, select Certificates and press Add.
4. Select Computer Account for the certificates to manage. Press Next.
5. Select Local Computer and press Finish.
6. Press OK to return to the management console.
0
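Cliff's earlier point that IIS keeps serving whatever certificate is bound until something replaces it, and the question of telling roots from leaves once the Certificates snap-in is open, can both be answered from PowerShell on the server without clicking through the stores. The following is an added example and not part of the thread; it uses only the built-in Cert: drive and `netsh http`, assumes the HTTPS binding is on port 443 (the SBS default), and should be run from an elevated prompt on the SBS box.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# SBS box. Lists every certificate in the machine's My, Root and CA stores,
# classifies it as root / intermediate / leaf, flags expiry, and marks the
# one currently bound to HTTPS on the given port.

function Get-CertRole {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A root is self-issued (Subject equals Issuer) AND asserts the CA basic
    # constraint. A self-issued cert without the CA flag (for example the
    # Exchange-generated "Sites" certificate) is just a self-signed leaf.
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($bc -ne $null) -and $bc.CertificateAuthority
    if ($Cert.Subject -eq $Cert.Issuer) {
        if ($isCa) { return 'Root' } else { return 'Self-signed leaf' }
    }
    if ($isCa) { return 'Intermediate' }
    return 'Leaf'
}

function Get-BoundSslThumbprint {
    param([int]$Port = 443)
    # "netsh http show sslcert" prints one block per binding, e.g.
    #   IP:port            : 0.0.0.0:443
    #   Certificate Hash   : 8e0b...
    # Returns the hash of the first binding on $Port, or $null if none.
    $inBlock = $false
    $portPattern = 'IP:port\s*:\s*\S+:' + $Port + '\s*$'
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match $portPattern) { $inBlock = $true; continue }
        if ($line -match '^\s*IP:port')  { $inBlock = $false; continue }
        if ($inBlock -and $line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            return $matches[1].ToUpper()
        }
    }
    return $null
}

function Get-MachineCertInventory {
    param([int]$Port = 443)
    $bound = Get-BoundSslThumbprint -Port $Port
    'My', 'Root', 'CA' | ForEach-Object {
        $storeName = $_
        Get-ChildItem ('Cert:\LocalMachine\' + $storeName) | ForEach-Object {
            New-Object PSObject -Property @{
                Store       = $storeName
                Role        = Get-CertRole -Cert $_
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                NotAfter    = $_.NotAfter
                Expired     = ($_.NotAfter -lt (Get-Date))
                BoundOnPort = (($bound -ne $null) -and ($_.Thumbprint -eq $bound))
                Thumbprint  = $_.Thumbprint
            }
        }
    }
}

# The row to care about is the Leaf in My with BoundOnPort = True: if it is
# Expired, that is what every client is still being handed, whatever the
# console says. Its Issuer should match the Root the installer package carries.
Get-MachineCertInventory -Port 443 |
    Sort-Object Store, Role, NotAfter |
    Format-Table Store, Role, Expired, BoundOnPort, NotAfter, Subject -AutoSize

# When cleaning up, as suggested later in the thread, remove only what this
# listing shows as an expired, unbound Leaf in My, by thumbprint, e.g.
#   certutil -delstore My <thumbprint>
# and never the entry listed as Root (Remove-Item on Cert: needs PowerShell 3+).
```

The binding lookup matters because the SBS console, the Exchange certificate list and the IIS binding are three different views; a wizard that generates a fresh leaf on every run, as the DPCW.log showed, leaves several valid-looking leaves in My while only one thumbprint is actually bound on 443.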
 
TrevorWhiteAuthor Commented:
Hi
Sorry, had to get kip last night - had an early start but can get back to this shortly.
Thanks for the Cert Management instructions

Regards
Trev
0
 
TrevorWhiteAuthor Commented:
Hi
Yes, ran the IAW but got the same result - no change - it failed!
Are the root and leaf certs obvious in the MMC snap-in?

Back shortly
0
 
Cliff GaliherCommented:
Yes they are
0
 
TrevorWhiteAuthor Commented:
HI
So sorry for the delay - not sure if you have been involved with this but Sophos made a huge faux pas in introducing a false positive which has been sinking most of my time over the last two days.

OK, I have looked back at our notes. I am now in control of our domain.
But would like to get these self-signed certificates mopped up.

I have attached some captures of the various certificate stores visible through the snap-in.
There appear to be many instances of remote.mpa.me.uk, MPA01.mpa.local and mpa-MPA01-CA. I also note there are differences in the certificate icon.

Which of these should I remove in order to resolve the original problem of the SBS IAW not running?

I must admit I'm feeling very exposed about my apparent lack of certificate knowledge. Can you recommend some basic reading that would help in my understanding of how certificates are used to secure services? Thanks.

Trevor
CertCapture.docx
0
 
Cliff GaliherCommented:
I'd remove all remote.* certificates as well as the "sites" certificate. Then retry the wizards.
0
 
TrevorWhiteAuthor Commented:
HI,
OK, I removed those certificates but the same problem is apparent.
The Internet Connection wizard runs OK.
The IAW runs and ends with the 2 errors and warning already documented.
The FMNW runs and just reports the DNS and router warnings which are accounted for.

Feeling like I'm stuck in the dark here.

I'm going to try the trusted certificate route again seeing as we have control of the domain now. I couldn't see how to revoke the existing request just now. But will come back if still a problem.

Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr!!!

Trev
0
 
TrevorWhiteAuthor Commented:
Hi,
Well, I have alleviated a difficult Monday morning by getting the mail service running, albeit not in the desired way.

A few bullets to document the weekend's activities (including the night shift on Sunday):

1. Got the trusted GoDaddy certificate authenticated and downloaded (the IIS version, I presume this was the correct one). This after rerunning the SBS trusted cert wizard to get a new CSR and rekeying (leaving state as Requesting).
2. Followed the GoDaddy procedure to install the certificate (including intermediaries).
3. When I tried to complete the 'Requesting' TCW I got an error something along the lines of 'Not trusted CA'. Sorry, forgot to make a clear note of that one.
4. After more googling for a solution couldn't make headway, so decided to accept the overhead of the self-signed cert approach, so removed the TC (so reverted to self-signed).
5. Mail system still not accessible by OWA or VPN or RPC/HTTP - IAW still throwing an error for RWW (seemed to fix the Exchange Email @mpa.me.uk entry - this may have been after a reboot).
6. Did more research - rebuilt the OWA virtual directories (found a good PS script for SBS2008). Didn't fix.
7. Found what I thought was the culprit - MPEC article referring to an original dodgy answer script. Effectively reproduces an MS article on how to reinstall the Certification Authority role following the inappropriate population of the CANameOveride - I was looking for a clean install for this role really - completed with all reboots. But IAW still had the original problem.
8. Decided to re-evaluate and started to check the overall position and found I had RWW access and OWA access. VPNs worked and I could connect by RPC/HTTPS but only through VPNs.
9. Discovered what was limiting the VPN connections and upped the port count from 5 to 10.
10. Last observation - the root certificate is NOT updating in the Public Downloads area. Part of the CA role removal was to delete the install package - it has never been replaced. Indeed none of the files in the Public Downloads area are very recent. I actually appear to have a Public\Public Downloads folder. If I try to create a Downloads folder I'm told there is already one there!!! I'm presuming this is an MS special but haven't investigated far.

So in summary we still have the IAW error (RWW) and a malfunctioning certificate system.

I think the whereabouts of the certificate installer package is my first stop.

Must get kip now as have been up all night - maybe there will be some further input upon my return.

REgardZzzzzzzzzzzzzzzzz

Trev
0
 
TrevorWhiteAuthor Commented:
Hi Guys,
Problem was resolved by a call to Microsoft.
Not entirely sure how I missed this, but the Fix My Network wizard creates the root certificate in the public folder, not the IAW. Once obtained and installed on all workstations, Outlook Anywhere worked fine.

I believe it was a culmination of item 7 above and the microsoft guys input (above) resolved the problem.

Maybe more kip would have helped too :-)))))

I'll treat this as resolved by self if no objections.

Thanks
0
 
TrevorWhiteAuthor Commented:
Please see last post. Regards
0
