SBS 2011 SSL problems

Posted on 2013-01-10
Last Modified: 2013-01-10
About 1 month ago our SSL certificate expired. It was purchased by our local IT vendor from Godaddy.com. Since it was not purchased in our account, I had to get new ones from them and install them. It was a bit of a pain, but I was able to get this to work. I was able to confirm this by checking the SSL certificate with a web tool (sslshopper) and also got the errors to go away on phones and for Remote Web Access users.

Fast forward to yesterday... Our server hung and needed to be rebooted. After the restart we began to have problems with ActiveSync on Android phones (iPhones still work), and Remote Web Access also failed to work. I logged into the server and found that "Active Directory Certificate Services", which is set to Automatic, was not started. When I attempt to start it I get an error.

Here are a couple of the red-circle errors from the Event Viewer:

1.Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

2.Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

3.Microsoft Exchange could not find a certificate that contains the domain name SACSVDC01.CMS.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Connector with a FQDN parameter of SACSVDC01.CMS.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I think that all of these are related, but if additional info is needed let me know.
Question by:calmoving
 
Expert Comment

by:Philip Elder
ID: 38764296
Did you use the Third Party Trusted Certificates wizard to do the CSR and import?

Were the Intermediates properly installed before?

Philip

Author Comment

by:calmoving
ID: 38764420
Yes, I requested the certificate from the server, added the subdomains (mail., remote.) and received them back from Go Daddy. After installation this worked for over a month; now all of a sudden there is an issue. One thing that I am suspicious of is that the new SSL certificate does not have any .local attached to it... I have no idea if that has anything to do with it.

Expert Comment

by:Philip Elder
ID: 38764448
We are talking about Small Business Server 2011 Standard?

Philip

Author Comment

by:calmoving
ID: 38764464
Yes I believe it is standard.

Expert Comment

by:Philip Elder
ID: 38764485
Okay.

Then only one URL can be used to access all of the resources hosted on SBS STD.

https://remote.domain.com is the one the Internet Address wizard picks.

Autodiscover on the Internet can be set up using the same URL for remote devices/Outlook Anywhere.

Have the Connect to the Internet and the Internet Address wizards been run?

Philip

Author Comment

by:calmoving
ID: 38764499
I am attempting to run them now (I did not deploy this server, and did not re-run after the ssl was installed)  I will post anything that I find after it is complete.

Author Comment

by:calmoving
ID: 38764524
That completed successfully. I attempted to start Active Directory Certificate Services again and got an error message in the logs:

1. Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CMS-SACSVDC01-CA Keyset does not exist 0x80090016 (-2146893802).

2.Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

3.Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Expert Comment

by:Philip Elder
ID: 38764547
Why are you starting the CA?

That has nothing to do with the SSL certificate that gets installed via the TPTC wizard mentioned above.

If the wizards replaced the GoDaddy SSL on RWA/OAS/OWA/ETC then run the Third Party Trusted Certificate wizard and choose the "Already installed on this server" option. Choose the GD one.

Philip

Author Comment

by:calmoving
ID: 38764614
I used TrustedCert.exe to install the SSL certificate originally. Now when I try to open the program I get an error.
1.Application: TrustedCert.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.WindowsServerSolutions.CoreNetworking.CNetException
Stack:
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.GetCARootCert()
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.IsCertTrusted(System.Security.Cryptography.X509Certificates.X509Certificate2)
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.CreatePropertyBag()
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.Main()

2.Faulting application name: TrustedCert.exe, version: 6.1.7900.0, time stamp: 0x4cd854c2
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211da1
Exception code: 0xe0434352
Fault offset: 0x000000000000a88d
Faulting process id: 0x299c
Faulting application start time: 0x01cdef713b765511
Faulting application path: C:\Program Files\Windows Small Business Server\Bin\TrustedCert.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 85607d37-5b64-11e2-ab03-782bcb5f44ac

Expert Comment

by:Philip Elder
ID: 38764635
Are you starting the Wizard from within the SBS Console?

Philip

Author Comment

by:calmoving
ID: 38764641
If I attempt to open the MMC and load the Certification Authority snap-in, I get an error that certificate information cannot be obtained from a stopped service; please start the Active Directory Certificate Services service.

Author Comment

by:calmoving
ID: 38764650
Yes I normally attempt to open it from within the console, I have also attempted from the MMC.

Expert Comment

by:Philip Elder
ID: 38764664
Click Start --> SBS Native Tools --> [Enter] --> UAC --> Continue.

Click on the Certificates node.
Click on Personal.
Click on Certificates folder.

You will see the relevant certificates there.

Again, the CA has _nothing_ to do with what is needed.

Philip

Author Comment

by:calmoving
ID: 38764701
Ok, I have 4 certificates in there:
3 are self-signed, 2 of which have key icons on them.
1 is a GD one, also with a key icon.

Accepted Solution

by:
Philip Elder earned 500 total points
ID: 38764719
I am not sure what has happened there as the Trusted Certificate wizard should just work. The local CA is _only_ set up by the SBS Suite itself to work within the wizard structure.

Start again:
Connect to the Internet Wizard
Internet Address Wizard
then:
Fix My Network Wizard.

Finally:
Third Party (SSL).

Philip

Author Comment

by:calmoving
ID: 38765261
Ok, I figured it out... it was the binding of the SSL certificate. Now to figure out what is going on with the other errors I am getting. Thank you for your help.
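
The certificate-store check Philip describes above (Personal > Certificates, key icons) and the binding problem the author finally found, as an added PowerShell example that is not part of the original thread and is not SBS's own tooling. It lists LocalMachine\My with private-key status, checks which certificate each IIS https binding actually serves against the expected public names, and looks for a certificate covering the server's .local FQDN that the STARTTLS error in the question asks for. The names remote.domain.com, mail.domain.com and SACSVDC01.CMS.local are taken from the thread; the WebAdministration module, the `$PublicNames` list and the helper `Get-DnsNames` are assumptions to adjust for your own server.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (what SBS 2011
# ships), so no [pscustomobject]. Run from an elevated prompt on the SBS box.
# ASSUMPTIONS: the names below come from the thread; WebAdministration is the
# IIS 7.5 module. Replace $PublicNames with the names on your GoDaddy cert.
Import-Module WebAdministration -ErrorAction Stop

$PublicNames  = @('remote.domain.com', 'mail.domain.com')   # assumption
$InternalFqdn = 'SACSVDC01.CMS.local'                        # from the Exchange STARTTLS error

function Get-DnsNames {
    # Every DNS name a certificate is valid for: the CN (or first SAN) plus all
    # Subject Alternative Name entries (OID 2.5.29.17). Hypothetical helper.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            $names += ($ext.Format($false) -split ',\s*') |
                Where-Object { $_ -match '^DNS Name=' } |
                ForEach-Object { $_ -replace '^DNS Name=', '' }
        }
    }
    $names | Sort-Object -Unique
}

# 1. Enumerate LocalMachine\My ("Personal > Certificates" in the MMC).
#    HasPrivateKey is the "key icon": without it a cert cannot be bound to
#    IIS or used for STARTTLS, however valid it looks.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$certs = @($store.Certificates)
$store.Close()

$certs | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Names      = (Get-DnsNames $_) -join ' '
        SelfSigned = ($_.Subject -eq $_.Issuer)
        HasKey     = $_.HasPrivateKey
        NotAfter   = $_.NotAfter
    }
} | Format-Table Thumbprint, HasKey, SelfSigned, NotAfter, Names -AutoSize

# 2. Which certificate is each https binding actually serving? A binding that
#    still points at the old expired thumbprint, or at a cert with no private
#    key, gives exactly the "worked for a month, then broke after a reboot or
#    wizard run" symptom. (netsh http show sslcert shows the same hash per IP:port.)
$now = Get-Date
Get-WebBinding -Protocol https | ForEach-Object {
    $hash  = [string]$_.certificateHash
    $site  = $_.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
    $where = "$site $($_.bindingInformation)"
    $bound = $certs | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $bound) {
        Write-Warning "${where}: bound thumbprint $hash is not in LocalMachine\My"
    } elseif (-not $bound.HasPrivateKey) {
        Write-Warning "${where}: bound certificate $hash has no private key"
    } elseif ($bound.NotAfter -lt $now) {
        Write-Warning "${where}: bound certificate expired $($bound.NotAfter)"
    } else {
        $have    = Get-DnsNames $bound
        $missing = $PublicNames | Where-Object { $have -notcontains $_ }
        if ($missing) { Write-Warning "${where}: bound certificate lacks $($missing -join ', ')" }
        else          { "${where}: OK, serving $($bound.Thumbprint)" }
    }
}

# 3. The STARTTLS error in the question wants a certificate for the server's
#    .local FQDN. The author notes the new GoDaddy cert carries no .local name,
#    so that role falls to a separate SBS-issued or self-signed cert with a
#    private key in the same store; confirm one exists.
$internal = $certs | Where-Object { $_.HasPrivateKey -and ((Get-DnsNames $_) -contains $InternalFqdn) }
if ($internal) { "STARTTLS candidate for ${InternalFqdn}: $(@($internal | ForEach-Object { $_.Thumbprint }) -join ', ')" }
else { Write-Warning "no certificate with a private key covers $InternalFqdn" }
```

If section 2 reports a thumbprint that is not in the store or has no key, rebinding the site to the GoDaddy thumbprint (IIS Manager > Bindings, or the Third Party Trusted Certificate wizard's "already installed on this server" path) is the fix the author arrived at; section 3 is what the Exchange error is checking for, independent of the public certificate.
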

Expert Comment

by:Philip Elder
ID: 38765275
You are welcome. :)

Philip