Solved

Urgent Help Needed Please!!!

Posted on 2014-11-03
Last Modified: 2014-11-05
I installed a cert today on my Exchange 2013 machine; this then lost me the ability to log in via ECP or OWA. I used to get a login screen, but now I just get "page cannot be displayed".

Please, can anyone help?
Question by:pepps11976
29 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40419747
Have you run an iisreset on the server since you made the update?
LVL 29

Expert Comment

by:becraig
ID: 40419752
Also you might want to verify your certificate is in good working order.

If the iisreset does not work we might want to look at your cert or just get it reissued, reapply to Exchange, reset IIS and try again.

Author Comment

by:pepps11976
ID: 40419788
OK, I have managed to get the admin console etc. back by using the default cert in PS.

I purchased a wildcard cert from GoDaddy. The server name is Exchange and the domain is called name.domain-uk.com.

This only happened when I assigned services to the cert.

GoDaddy issued two files when I purchased: one was a .crt and one was a .p7b. Can somebody please help me to get the cert installed? I am not sure which one to use or if I am doing something wrong.

Please help
LVL 29

Expert Comment

by:becraig
ID: 40419807
Okie, so how did you create the certificate request?


You will need to complete the pending request, so the matching key pair will be registered on the computer.

One easy way is to do this from the computer the CSR was generated on:
Install the .crt and .p7b from GoDaddy (the .p7b probably contains the CA certs).

Then open the .crt file, look for the serial number portion, then open an elevated command prompt and run:
certutil -repairstore My <serialnumber from above>

Then simply go back to IIS and replace the certificate in IIS with the new one, then iisreset and you are done.

Author Comment

by:pepps11976
ID: 40419829
I had already completed the pending request, so I am guessing I will have to get the cert reissued from GoDaddy.

Is there any chance you could show me step by step, including installing the .p7b, as I did this but must have done it wrong because I buggered the whole thing up :)
LVL 29

Expert Comment

by:becraig
ID: 40419851
Can you verify in the MMC if the certificate says its private key is installed?
Winkey + R
mmc.exe
Add/Remove Snap-in
Certificates
Local Computer
Expand Certificates
Look for the certificate in the right pane that matches the certificate from GoDaddy.
Double-click to open this certificate and see if it says "you have a private key for this certificate installed".

Let me know before you reissue.


The .p7b is just for installing the intermediate certs etc.
LVL 19

Expert Comment

by:Adam Farage
ID: 40419870
If you are doing a reissue of the certificate and the private key exists (which it didn't before), I would recommend following the EAC steps for the fulfillment. This should not be imported into the Certificate MMC, as that is going to cause issues.
LVL 29

Expert Comment

by:becraig
ID: 40419889
Adam, what are the issues that it will cause?

Help me to understand...
Are you saying that the two key pairs will somehow not know which key they are matched to?

If you had said that, once he validates the certificate has the private key present, he needs to ensure that certificate is correctly bound to the right services in the EAC, I can understand that; but to provide bad information indicating that importing a certificate into a certificate store will somehow cause a problem is in no way correct.

Author Comment

by:pepps11976
ID: 40419965
This is what I have; I am very confused.

In EAC under Servers > Certificates, I have the certificate that I have installed; the services activated on it are SMTP and IIS.

Yet the other certs that come preinstalled with Exchange also have these services enabled.

I looked in the MMC for GoDaddy and there were a few in there, so I'm not sure what I was really looking for.

If I try to browse to https://server.domain-uk.net/owa I still get a cert issue, and Outlook users internally still cannot connect.
LVL 29

Expert Comment

by:becraig
ID: 40419997
OK, so I am guessing I should have said specifically to look for the certificate that matches the name of the one you just got from GoDaddy, as well as the expiration date.

This is just so we do not do a reissue if we do not need to.

Winkey + R
mmc.exe
Add/Remove Snap-in
Certificates
Local Computer
Expand Certificates
Look for the certificate in the right pane that matches the certificate from GoDaddy (site.domain.com, with expiration date and thumbprint matching the newly issued .crt file).
(How do you find the thumbprint? Double-click the .crt file from GoDaddy, click on Details and scroll down to Thumbprint.)

Double-click to open this certificate (the one that matches the .crt file) and see if it says "you have a private key for this certificate installed".
Once we are sure you have the private key, you can either simply update the certificate in IIS by doing a replace and then an iisreset /noforce,

or update the EAC.

Author Comment

by:pepps11976
ID: 40420017
OK, I found it in
Certificates - Local Computer - Personal - Certificates

I have two there for some reason; one has a key, and if I look at the thumbprint it matches the one displayed in PS Get-ExchangeCertificate.
LVL 29

Expert Comment

by:becraig
ID: 40420022
Which one is the one that matches the .crt?

Does the one that matches the thumbprint from the .crt have the private key ?

Author Comment

by:pepps11976
ID: 40420031
Yes, it does.

Author Comment

by:pepps11976
ID: 40420091
Also, if you could confirm something for me: my domain is called

tech.tech-uk.com

I bought a wildcard *.tech-uk.com. Should I have purchased a wildcard for *.tech.tech-uk.com,

or is what I bought OK?
LVL 29

Expert Comment

by:becraig
ID: 40420097
Great, so your request was properly processed.

If you say the cert is correctly bound in Exchange then you can validate in IIS.
If not, you can simply run from an Exchange cmdlet window:


Enable-ExchangeCertificate -Thumbprint <thumbprint of the .crt certificate> -Services POP,IMAP,SMTP,IIS (or whichever services you need to bind)


You can then simply go to IIS just to verify the certificate is correct: click on the site, go to Edit Bindings, click on View Certificate and ensure the thumbprint matches. If for any reason it does not, you can simply replace the certificate here and bind the certificate with the correct thumbprint, then run:
iisreset /noforce and you are done.
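The checks becraig walks through above (thumbprint taken from the .crt, a matching entry with a private key in Certificates (Local Computer) > Personal, certutil -repairstore when the key is missing, then Enable-ExchangeCertificate and an iisreset) can be run as one script. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated in the Exchange Management Shell on the server where the CSR was generated, and the .crt path and service list are placeholder values.

```powershell
# Added example, not from the thread. Run elevated in the Exchange Management Shell on the
# server where the CSR was created. $CrtPath and $Services are assumed placeholder values.
$CrtPath  = 'C:\certs\star_tech-uk_com.crt'   # assumed: the .crt file GoDaddy delivered
$Services = 'SMTP,IIS'                          # assumed: services to bind, as in the thread

# Read the issued certificate so we can match it by thumbprint rather than by eye.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtPath
"Issued: {0}  expires {1:yyyy-MM-dd}  thumbprint {2}" -f $issued.Subject, $issued.NotAfter, $issued.Thumbprint

function Get-InstalledCert {
    # Same store the MMC shows as Certificates (Local Computer) > Personal > Certificates
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $issued.Thumbprint } |
        Select-Object -First 1
}

$installed = Get-InstalledCert
if (-not $installed) {
    # The public certificate was never imported; certutil is present on every Windows build.
    & certutil -addstore My $CrtPath | Out-Null
    $installed = Get-InstalledCert
}

if (-not $installed.HasPrivateKey) {
    # Public cert is present but not linked to the key pair generated with the CSR.
    # -repairstore finds the key pair by serial number and re-links it (becraig's step).
    & certutil -repairstore My $issued.SerialNumber | Out-Null
    $installed = Get-InstalledCert
}

if (-not $installed.HasPrivateKey) {
    # Nothing to repair: the key pair lives on another machine, so the cert must be re-keyed.
    throw "No private key for thumbprint $($issued.Thumbprint) on this server; rekey/reissue the certificate."
}

# Assign the services in Exchange. -Force suppresses the "overwrite the default SMTP
# certificate?" prompt, which is the intended outcome here.
Enable-ExchangeCertificate -Thumbprint $installed.Thumbprint -Services $Services -Force

# Confirm the binding, then recycle IIS so OWA/ECP pick up the new certificate.
Get-ExchangeCertificate -Thumbprint $installed.Thumbprint | Format-List Subject, Services, NotAfter, Thumbprint
& iisreset /noforce
```

The script stops with an error rather than binding a certificate that has no private key: a public certificate alone in the store is exactly the state that made OWA and ECP stop answering at the start of this thread, so the HasPrivateKey check is the one to run before touching the service bindings.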
LVL 29

Expert Comment

by:becraig
ID: 40420103
How is your domain structure set up?

Do you have:
mail.tech.tech-uk.com

or
mail.tech-uk.com

If you have
mail.tech.tech-uk.com then you need *.tech.tech-uk.com

Wildcards are only for one level / domain.
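The one-label rule for wildcards that becraig states can be checked mechanically before buying a certificate. The PowerShell below is an added example, not from the thread: Get-CertDnsNames reads the subject CN and the Subject Alternative Name extension out of a .crt file, and Test-NameCovered applies the rule that a wildcard stands for exactly one left-most label (which is how browsers and Outlook evaluate it). The sample host names are constructed from the thread; the file path in the last comment is a placeholder.

```powershell
# Added example, not from the thread: list the DNS names a certificate file covers and apply
# the single-label wildcard rule. Sample names below are constructed.
function Get-CertDnsNames {
    param([string]$CrtPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtPath
    $names = @()
    # Subject CN, e.g. *.tech-uk.com on a wildcard certificate
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); Windows formats it as
    # "DNS Name=a.example.com, DNS Name=b.example.com"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $CertNames) {
        $n = $n.ToLowerInvariant()
        if ($n -eq $h) { return $true }                    # exact CN / SAN match
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # "*.tech-uk.com" -> ".tech-uk.com"
            if (-not $h.EndsWith($suffix)) { continue }
            $label = $h.Substring(0, $h.Length - $suffix.Length)
            # The wildcard stands for exactly one label: it must be non-empty and contain no dot,
            # so *.tech-uk.com covers mail.tech-uk.com but not exchange.tech.tech-uk.com.
            if ($label -ne '' -and -not $label.Contains('.')) { return $true }
        }
    }
    return $false
}

# Constructed sample: the name on the thread's wildcard certificate and the hosts in question.
$certNames = @('*.tech-uk.com')
foreach ($h in 'mail.tech-uk.com', 'exchange.tech.tech-uk.com', 'tech-uk.com') {
    "{0,-28} covered by {1}: {2}" -f $h, ($certNames -join ','), (Test-NameCovered -HostName $h -CertNames $certNames)
}
# Against a real file (placeholder path):
# Test-NameCovered -HostName 'mail.tech-uk.com' -CertNames (Get-CertDnsNames 'C:\certs\issued.crt')
```

With the constructed sample, mail.tech-uk.com is reported as covered, while exchange.tech.tech-uk.com (two labels under the wildcard) and the bare tech-uk.com (zero labels) are not, which is the mismatch behind the certificate errors reported later in this thread.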

Author Comment

by:pepps11976
ID: 40420109
OK, that may be half my problem then. I have

exchange.tech.tech-uk.com

and I only purchased for *.tech-uk.com.
LVL 29

Expert Comment

by:becraig
ID: 40420115
Okie, so you need a new certificate; that might be your only problem :)

Author Comment

by:pepps11976
ID: 40420452
OK, so I have added a new cert. I will need to wait until the morning to see if internal users are still getting the certificate error.

Just out of interest, the public-facing domain is domain-uk.com, but the internal domain, as I said, was name.domain-uk.com.

If I want external users to access the /owa using, say, webmail.domain-uk.com rather than name.domain-uk.com,

what is it I need to do? Is it some clever DNS stuff?

Author Comment

by:pepps11976
ID: 40420557
I'm still confused; users are still getting certificate issues!!

The internal users for some reason are accessing via the external address, which is not on the cert as stated above. How can I get around this???

Author Comment

by:pepps11976
ID: 40421073
OK, I have an update. The reason internal users were being given the cert error is because the Outlook Anywhere internal URL was pointing to mailserver.tech-uk.com, so I have changed this to

exchange.tech.tech-uk.com and all is fine with that part, as I bought a cert for that.

My last question is: the external domain is tech-net.com, so how am I able to stop cert errors when browsing externally to mailserver.tech-uk.com?
LVL 19

Expert Comment

by:Adam Farage
ID: 40421289
In internal DNS, set up a forward lookup zone called "tech-uk.com" and set up a DNS A record to point mailserver.tech-uk.com (or whatever) to the *internal* IP. So when folks who are using internal DNS look up tech-uk.com, it will see the internal address and redirect them to the internal server (in this case Exchange).

Author Comment

by:pepps11976
ID: 40421368
Internal is fine; it's external users not on the domain accessing webmail that is the issue.
LVL 29

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 40421412
Change your external URL to match your internal URL and you will be fine. Just run the set-client access cmdlet and configure the external to match the internal. Hopefully the internal URL is also available on the Internet?

Author Comment

by:pepps11976
ID: 40421427
But if I already own tech-uk.com, is it not just a case of creating a subdomain on the actual name in hosted DNS?

Author Comment

by:pepps11976
ID: 40421440
becraig, I appreciate your help on this.

It's just that when we set up the domain it was said best practice not to use .local, so instead we added name.domain-uk.com.

This is now proving to be causing issues, whereas users only needed before to type mailserver.tech-uk.com; this now needs to change.

Is there no way around this?

Also, am I right in saying that internal users also need a cert for connecting via Outlook? Can they not use the preinstalled certs?

Would it then be a case of me rekeying the cert I have back to tech-uk.com and adding that, or do I need the cert

tech.tech-uk.com to allow internal (Outlook) users to connect?
LVL 19

Accepted Solution

by:Adam Farage
Adam Farage earned 1000 total points
ID: 40421484
Your internal and external FQDN on the CAS services should match. This simplifies the namespace and allows you to keep a single SSL certificate (UC certificate). I would highly recommend updating the InternalURL to match the ExternalURL and then creating a forward lookup zone for the external domain, with an A record pointing to the CAS or load-balanced VIP.
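The accepted approach (one client-access namespace used for both InternalUrl and ExternalUrl, backed by a split-DNS zone so the name resolves to the internal address inside the network) can be applied with the Exchange 2013 and DnsServer cmdlets. The PowerShell below is an added example, not code from the thread or from Microsoft. The server name, the namespace, the autodiscover host and the internal IP are placeholders; it assumes the namespace and the autodiscover name are both on the certificate, that the Exchange part runs in the Exchange Management Shell, and that the DNS part runs on an internal Windows Server 2012 or later DNS server (on 2008 R2 the equivalent is dnscmd).

```powershell
# Added example, not from the thread. All values below are assumed placeholders.
$Server     = 'EXCHANGE'            # assumed: Exchange 2013 server name
$Namespace  = 'mail.tech-uk.com'    # assumed: the single name present on the certificate
$InternalIP = '10.0.0.25'           # assumed: internal IP of the CAS or load-balanced VIP

# --- Exchange: one URL for internal and external on every client-access endpoint ---
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Namespace/EWS/Exchange.asmx" -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$Namespace/OAB" -ExternalUrl "https://$Namespace/OAB"

# Outlook Anywhere is the setting that produced the internal cert errors in this thread:
# its internal host name must be on the certificate too.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Namespace -InternalClientsRequireSsl $true -InternalClientAuthenticationMethod Ntlm `
    -ExternalHostname $Namespace -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic

# Autodiscover for domain-joined Outlook (assumed: autodiscover.<zone> is also on the certificate).
$Zone = ($Namespace -split '\.', 2)[1]      # "tech-uk.com"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.$Zone/Autodiscover/Autodiscover.xml"

# --- DNS: internal copy of the public zone (split DNS) ---
# Once this zone exists internally it hides the public zone for internal clients, so every
# public record they still need (www, MX, etc.) has to be re-created here as well.
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName $Zone -Name ($Namespace -split '\.', 2)[0] -IPv4Address $InternalIP
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'autodiscover' -IPv4Address $InternalIP

# --- Verify: every endpoint should now report the same host name ---
Get-OwaVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $Server | Format-List InternalHostname, ExternalHostname
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
```

The verification lines at the end are the useful part in practice: after the change, every InternalUrl, ExternalUrl, InternalHostname and ExternalHostname should show a name that appears in the certificate's subject or SAN list, and any endpoint that still shows the old internal server name is the one that will keep throwing certificate warnings.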
LVL 29

Expert Comment

by:becraig
ID: 40421599
Adam's approach would be much easier in my mind, since all you have to do is modify your DNS records and acquire a new certificate matching the external domain name.

Once that is done and both internal and external URLs match the name of the certificate (the current external domain name),

your certificate errors will go away.

Author Comment

by:pepps11976
ID: 40424282
OK guys, I got around this issue by purchasing a multiple SAN User Cert, and going through the wizard in Exchange it pretty much added all that I needed.

Thanks all for your help