Solved

SBS 2011 SSL problems

Posted on 2013-01-10
1,089 Views
Last Modified: 2013-01-10
About 1 month ago our SSL Certificate expired.  It was purchased by our local IT Vendor from Godaddy.com.  Since it was not purchased in our account, I had to get new ones from them and install.  It was a bit of a pain, but I was able to get this to work.  I was able to confirm this by checking the ssl certificate with a web tool (sslshopper) and also got errors to go away on phones and remote web access users.

Fast forward to yesterday... our server hung and needed to be rebooted. After the restart we began to have problems with ActiveSync on Android phones (iPhones still work), and Remote Web Access also failed to work. I logged into the server and found that "Active Directory Certificate Services", which is set to Automatic, was not started. When I attempt to start it I get an error.

Here are a couple of the red-circle errors from the Event Viewer:

1. Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

2. Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

3. Microsoft Exchange could not find a certificate that contains the domain name SACSVDC01.CMS.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Connector with a FQDN parameter of SACSVDC01.CMS.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I think that all of these are related, but if additional info is needed let me know.
Question by:calmoving
17 Comments
 

Expert Comment

by:Philip Elder
ID: 38764296
Did you use the Third Party Trusted Certificates wizard to do the CSR and import?

Were the Intermediates properly installed before?

Philip

Author Comment

by:calmoving
ID: 38764420
Yes, I requested the certificate from the server, added the subdomains (mail., remote.), and received them back from GoDaddy. After installation this worked for over a month; now all of a sudden there is an issue. One thing that I am suspicious of is that the new SSL does not have any .local attached to it. I have no idea if that has anything to do with it.

Expert Comment

by:Philip Elder
ID: 38764448
We are talking about Small Business Server 2011 Standard?

Philip

Author Comment

by:calmoving
ID: 38764464
Yes I believe it is standard.

Expert Comment

by:Philip Elder
ID: 38764485
Okay.

Then only one URL can be used to access all of the resources hosted on SBS STD.

https://remote.domain.com is the one the Internet Address wizard picks.

Autodiscover on the Internet can be set up using the same URL for remote devices/Outlook Anywhere.

Have the Connect to the Internet and the Internet Address wizards been run?

Philip

Author Comment

by:calmoving
ID: 38764499
I am attempting to run them now (I did not deploy this server and did not re-run them after the SSL was installed). I will post anything that I find after it is complete.

Author Comment

by:calmoving
ID: 38764524
That completed successfully. I attempted to start Active Directory Certificate Services again and got an error message in the logs:

1. Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CMS-SACSVDC01-CA Keyset does not exist 0x80090016 (-2146893802).

2. Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

3. Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Expert Comment

by:Philip Elder
ID: 38764547
Why are you starting the CA?

That has nothing to do with the SSL certificate that gets installed via the TPTC wizard mentioned above.

If the wizards replaced the GoDaddy SSL on RWA/OAS/OWA/ETC then run the Third Party Trusted Certificate wizard and choose the "Already installed on this server" option. Choose the GD one.

Philip

Author Comment

by:calmoving
ID: 38764614
I used TrustedCert.exe to install the SSL originally. Now when I try to open the program I get an error.

1. Application: TrustedCert.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.WindowsServerSolutions.CoreNetworking.CNetException
Stack:
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.GetCARootCert()
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.IsCertTrusted(System.Security.Cryptography.X509Certificates.X509Certificate2)
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.CreatePropertyBag()
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.Main()

2. Faulting application name: TrustedCert.exe, version: 6.1.7900.0, time stamp: 0x4cd854c2
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211da1
Exception code: 0xe0434352
Fault offset: 0x000000000000a88d
Faulting process id: 0x299c
Faulting application start time: 0x01cdef713b765511
Faulting application path: C:\Program Files\Windows Small Business Server\Bin\TrustedCert.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 85607d37-5b64-11e2-ab03-782bcb5f44ac

Expert Comment

by:Philip Elder
ID: 38764635
Are you starting the Wizard from within the SBS Console?

Philip

Author Comment

by:calmoving
ID: 38764641
If I attempt to open the MMC and load the Certification Authority, I get an error that certificate information cannot be obtained from a stopped service, please start the Active Directory Certificate Services service.

Author Comment

by:calmoving
ID: 38764650
Yes, I normally attempt to open it from within the console; I have also attempted it from the MMC.

Expert Comment

by:Philip Elder
ID: 38764664
Click Start --> SBS Native Tools --> [Enter] --> UAC --> Continue.

Click on the Certificates node.
Click on Personal.
Click on Certificates folder.

You will see the relevant certificates there.

Again, the CA has _nothing_ to do with what is needed.

Philip

Author Comment

by:calmoving
ID: 38764701
OK, I have 4 certificates in there.
3 are self-signed, 2 of which have key icons on them.
1 is a GD certificate, also with a key icon.

Accepted Solution

by:
Philip Elder earned 500 total points
ID: 38764719
I am not sure what has happened there as the Trusted Certificate wizard should just work. The local CA is _only_ set up by the SBS Suite itself to work within the wizard structure.

Start again:
Connect to the Internet Wizard
Internet Address Wizard
then:
Fix My Network Wizard.

Finally:
Third Party (SSL).

Philip

Author Comment

by:calmoving
ID: 38765261
OK, I figured it out... it was the binding of the SSL. Now to figure out what is going on with the other errors I am getting. Thank you for your help.
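Philip's instruction to look in the Personal store and the author's finding that the real fault was the SSL binding are two halves of the same check: which certificate with a private key is in LocalMachine\My, and which thumbprint HTTP.sys is actually serving on 443. The read-only PowerShell below is an added example, not code from the thread or from the SBS product. It assumes it is run elevated on the SBS server, that the public name is the remote.domain.com placeholder from Philip's comment, and that the internal FQDN is the SACSVDC01.CMS.local name from the posted events; change both to match your server. The Exchange section only runs when the Exchange cmdlets are loaded (Exchange Management Shell).

```powershell
# Added example (not from the thread). Read-only inventory: what is in
# LocalMachine\Personal, what HTTP.sys serves on 443, and what Exchange thinks.
# Assumed names (placeholders from the thread; edit for your server):
$publicName   = 'remote.domain.com'
$internalFqdn = 'SACSVDC01.CMS.local'

function Get-SanText {
    # Decoded Subject Alternative Name extension, or '' when the cert has none.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($ext) { return $ext.Format($false) }
    return ''
}

# 1. Personal store. HasPrivateKey is the "key icon" in the MMC; a certificate
#    without it cannot be bound to a port, whatever its subject says.
$personal = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $names = "$($_.Subject) $(Get-SanText $_)"
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        SelfSigned    = ($_.Subject -eq $_.Issuer)
        HasPrivateKey = $_.HasPrivateKey
        Expired       = ($_.NotAfter -lt (Get-Date))
        CoversPublic  = ($names -match [regex]::Escape($publicName))
        CoversLocal   = ($names -match [regex]::Escape($internalFqdn))
    }
}
$personal |
    Select-Object Thumbprint, Subject, SelfSigned, HasPrivateKey, Expired, CoversPublic, CoversLocal |
    Format-Table -AutoSize

# 2. What HTTP.sys is actually serving. 'netsh http show sslcert' prints one
#    record per IP:port; "Certificate Hash" is the bound certificate's thumbprint.
$bound = @(); $endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $endpoint = $matches[1]
    } elseif ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $bound += New-Object PSObject -Property @{ Endpoint = $endpoint; Thumbprint = $matches[1].ToUpper() }
    }
}
foreach ($b in $bound) {
    $cert = $personal | Where-Object { $_.Thumbprint -eq $b.Thumbprint }
    if (-not $cert) {
        Write-Warning "$($b.Endpoint): bound thumbprint $($b.Thumbprint) is not in LocalMachine\My"
    } elseif ($cert.SelfSigned -or $cert.Expired -or -not $cert.CoversPublic) {
        # The state the thread ended in: 443 serving something other than the
        # public (GoDaddy) certificate, so phones and RWA fail while the cert
        # itself is still present in the store.
        Write-Warning "$($b.Endpoint): serving '$($cert.Subject)' (self-signed=$($cert.SelfSigned), expired=$($cert.Expired), covers $($publicName)=$($cert.CoversPublic))"
    } else {
        Write-Host "$($b.Endpoint): OK, serving $($cert.Subject)"
    }
}

# 3. Exchange's view, only inside the Exchange Management Shell. The posted
#    STARTTLS event means no certificate carrying the internal FQDN has the
#    SMTP service assigned.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate | Select-Object Thumbprint, Services, NotAfter, Subject | Format-Table -AutoSize
    # Once the right thumbprint is confirmed, assign services to it with the
    # cmdlet the event itself names, e.g.:
    #   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP
}
```

The script changes nothing; it only tells you whether the certificate on 443 is the one you think it is. The rebinding itself is done the way the thread describes, through the Third Party Trusted Certificate wizard ("Already installed on this server") or the Fix My Network wizard, or by editing the https binding in IIS Manager, and the Exchange side with Enable-ExchangeCertificate. Note that a public certificate with no .local name in it cannot satisfy the internal-FQDN STARTTLS check in event 3, which is why SBS keeps a separate self-signed certificate for that connector.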

Expert Comment

by:Philip Elder
ID: 38765275
You are welcome. :)

Philip