Solved

Urgent Help Needed Please!!!

Posted on 2014-11-03
62 Views
Last Modified: 2014-11-05
I installed a cert today on my Exchange 2013 machine; this then lost me the ability to log in via ECP or OWA. I used to get a login screen, but now I just get "page cannot be displayed".

Please can anyone help?
Question by:pepps11976
29 Comments
 
LVL 28

Expert Comment

by:becraig
Have you run an iisreset on the server since you made the update?
0
 
LVL 28

Expert Comment

by:becraig
Also you might want to verify your certificate is in good working order.

If the iisreset does not work, we might want to look at your cert or just get it reissued, reapply it to Exchange, reset IIS and try again.
0
 

Author Comment

by:pepps11976
OK, I have managed to get the admin console etc. back by using the default cert in PS.

I purchased a wildcard cert from GoDaddy. The server name is Exchange and the domain is called name.domain-uk.com.

This only happened when I assigned services to the cert.

GoDaddy issued two files when I purchased: one was a .crt and one was a .p7b. Can somebody please help me to get the cert installed? I am not sure which one to use or if I am doing something wrong.

Please help.
0
 
LVL 28

Expert Comment

by:becraig
Okie, so how did you create the certificate request?


You will need to complete the pending request, so the matching keypair will be registered on the computer.

One easy way is to do this from the computer the CSR was generated on:
Install the .crt and .p7b from GoDaddy (the .p7b probably contains the CA certs).

Then open the .crt file, look for the serial number portion, then open an elevated command prompt and run:
certutil -repairstore My <serialnumber from above>

Then simply go back to IIS and replace the certificate in IIS with the new one, then iisreset and you are done.
0
 

Author Comment

by:pepps11976
I had already completed the pending request, so I am guessing I will have to get the cert reissued from GoDaddy.

Is there any chance you could show me step by step, including installing the .p7b, as I did this but must have done it wrong because I buggered the whole thing up :)
0
 
LVL 28

Expert Comment

by:becraig
Can you verify in the MMC if the certificate says its private key is installed?
winkey + r
mmc.exe
add remove snap-in
Certificates
Local computer
expand certificates -
look for the certificate in the right pane that matches the certificate from GoDaddy
Double click to open this certificate and see if it says "you have a private key for this certificate installed".

Let me know before you reissue.


The .p7b is just for installing the intermediate certs etc.
0
 
LVL 19

Expert Comment

by:Adam Farage
If you are doing a reissue of the certificate, and the private key exists (which it didn't before), I would recommend following the EAC steps for the fulfillment. This should not be imported into the Certificate MMC as that is going to cause issues.
0
 
LVL 28

Expert Comment

by:becraig
Adam, what are the issues that it will cause?

Help me to understand...
Are you saying that the two keypairs will somehow not know which key they are matched to?

If you had said that once he validates the certificate has the private key present he needs to ensure that certificate is correctly bound to the right services in the EAC, I can understand that, but to provide bad information indicating that importing a certificate into a certificate store will somehow cause a problem is in no way correct.
0
 

Author Comment

by:pepps11976
This is what I have; I am very confused.

In EAC under Servers > Certificates, I have the certificate that I have installed; the services activated on it are SMTP and IIS.

Yet the other certs that come preinstalled with Exchange also have these services enabled.

I looked in the MMC for GoDaddy and there were a few in there, so not sure what I was really looking for.

If I try to browse to https://server.domain-uk.net/owa I still get a cert issue, and Outlook users internally still cannot connect.
0
 
LVL 28

Expert Comment

by:becraig
OK, so I am guessing I should have said specifically to look for the certificate that matches the name of the one you just got from GoDaddy, as well as the expiration date.

This is just so we do not do a reissue if we do not need to.

winkey + r
mmc.exe
add remove snap-in
Certificates
Local computer
expand certificates -
look for the certificate in the right pane that matches the certificate from GoDaddy (site.domain.com - with expiration date and thumbprint matching the newly issued .crt file)
(How do you find the thumbprint?
Double click the .crt file from GoDaddy - click on Details and scroll down to Thumbprint)

Double click to open this certificate (the one that matches the .crt file) and see if it says "you have a private key for this certificate installed".
Once we are sure you have the private key, you can either simply update the certificate in IIS by doing a replace and then an iisreset /noforce

Or update the EAC.
0
 

Author Comment

by:pepps11976
OK, I found in
Certificates - Local Computer - Personal - Certificates

I have two there for some reason; one has a key, and if I look at the thumbprint it matches the one displayed in PS get-exchangecertificate.
0
 
LVL 28

Expert Comment

by:becraig
Which one is the one that matches the .crt?

Does the one that matches the thumbprint from the .crt have the private key?
0
 

Author Comment

by:pepps11976
Yes it does.
0
 

Author Comment

by:pepps11976
Also, if you could confirm something for me: my domain is called

tech.tech-uk.com

I bought a wildcard *.tech-uk.com. Should I have purchased a wildcard for *.tech.tech-uk.com,

or is what I bought OK?
0

 
LVL 28

Expert Comment

by:becraig
Great, so your request was properly processed.

If you say the cert is correctly bound in Exchange then you can validate in IIS.
If not, you can simply run from an Exchange cmdlet window:


Enable-ExchangeCertificate -Thumbprint <thumbprint of the .crt certificate> -Services POP,IMAP,SMTP,IIS (or whichever services you need to bind)


You can then simply go to IIS just to verify the certificate is correct by clicking on the site, then going to Edit Bindings and clicking on View Certificate, and ensure the thumbprint matches. If for any reason it does not, you can simply replace the certificate here and bind the certificate with the correct thumbprint, then run:
iisreset /noforce and you are done.
0
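The MMC and IIS checks becraig walks through, done from the Exchange Management Shell, as an added example that is not from the thread: read the thumbprint out of the issued .crt, find that certificate in Local Computer > Personal, confirm a private key is attached, and only then bind services to it. The .crt path is an assumption.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the server that generated the CSR. The .crt path is an assumption.
$CrtPath = 'C:\certs\star.tech-uk.com.crt'

# Load the issued leaf certificate and take its thumbprint; this is the same
# value shown on the Details tab when you double-click the .crt in Windows.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CrtPath
$thumb  = $issued.Thumbprint
"Issued cert: $($issued.Subject)  expires $($issued.NotAfter)  thumbprint $thumb"

# Look for the same thumbprint in Local Computer > Personal > Certificates.
$stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $stored) {
    throw "No certificate with thumbprint $thumb in LocalMachine\My; the .crt was never imported on this server."
}

# This is the "you have a private key for this certificate" check from the MMC.
# Without the key the pending request was not completed on this machine, and
# certutil -repairstore (or a reissue) is needed before Exchange can use it.
if (-not $stored.HasPrivateKey) {
    throw "Certificate $thumb is present but has no private key; try: certutil -repairstore My $($issued.SerialNumber)"
}

# Which services does Exchange currently have bound to this certificate?
$exCert = Get-ExchangeCertificate -Thumbprint $thumb
"Exchange services on this cert: $($exCert.Services)"

# Bind IIS and SMTP only if IIS is not already on it, then recycle IIS.
if ($exCert.Services -notmatch 'IIS') {
    Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP
    iisreset /noforce
}
```

Enable-ExchangeCertificate asks whether the new certificate should replace the self-signed default for SMTP; answering yes is normally what you want so that TLS on SMTP presents the public certificate too.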
 
LVL 28

Expert Comment

by:becraig
How is your domain structure set up?

Do you have:
mail.tech.tech-uk.com

or
mail.tech-uk.com

If you have
mail.tech.tech-uk.com then you need *.tech.tech-uk.com

Wildcards are only for one level / domain.
0
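The one-level wildcard rule becraig states, written out as a check that is added here and not part of the thread: `*` in a certificate name stands in for exactly one DNS label (RFC 6125 section 6.4.3), so `*.tech-uk.com` matches mail.tech-uk.com but not exchange.tech.tech-uk.com. The host list is constructed from the names in this thread; on a live server the certificate names can come from `(Get-ExchangeCertificate -Thumbprint <thumb>).CertificateDomains`.

```powershell
# Added example, not from the thread. '*' in a certificate name matches exactly
# one DNS label (RFC 6125 section 6.4.3), so *.tech-uk.com does not cover
# exchange.tech.tech-uk.com; a deeper wildcard or a SAN entry is needed.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant().Split('.')
    $h = $HostName.ToLowerInvariant().Split('.')
    if ($c.Count -ne $h.Count) { return $false }     # a wildcard never spans two labels
    for ($i = 0; $i -lt $c.Count; $i++) {
        if ($i -eq 0 -and $c[0] -eq '*') { continue } # only the left-most label may be '*'
        if ($c[$i] -ne $h[$i]) { return $false }
    }
    return $true
}

# For each name clients connect to, report whether the certificate's
# subject/SAN list covers it and which entry did the matching.
function Test-CertCoverage {
    param([string[]]$CertNames, [string[]]$HostNames)
    foreach ($name in $HostNames) {
        $hit = $CertNames | Where-Object { Test-CertNameMatch $_ $name } | Select-Object -First 1
        [pscustomobject]@{ Host = $name; Covered = [bool]$hit; MatchedBy = $hit }
    }
}

# Constructed list of the names from this thread.
$hosts = 'exchange.tech.tech-uk.com', 'mailserver.tech-uk.com'

'--- the wildcard bought first: *.tech-uk.com'
Test-CertCoverage -CertNames '*.tech-uk.com' -HostNames $hosts | Format-Table -AutoSize
# exchange.tech.tech-uk.com is NOT covered: one '*' cannot stand in for "exchange.tech"

'--- the deeper wildcard becraig suggests: *.tech.tech-uk.com'
Test-CertCoverage -CertNames '*.tech.tech-uk.com' -HostNames $hosts | Format-Table -AutoSize
# now mailserver.tech-uk.com is the one left uncovered

'--- a multi-SAN (UC) certificate listing both names'
Test-CertCoverage -CertNames 'exchange.tech.tech-uk.com', 'mailserver.tech-uk.com' -HostNames $hosts |
    Format-Table -AutoSize
```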
 

Author Comment

by:pepps11976
OK, that may be half my problem then. I have

exchange.tech.tech-uk.com

and I only purchased for *.tech-uk.com.
0
 
LVL 28

Expert Comment

by:becraig
Okie, so you need a new certificate; that might be your only problem :)
0
 

Author Comment

by:pepps11976
OK, so I have added a new cert. I will need to wait until the morning to see if internal users are still getting the certificate error.

Just out of interest, the public-facing domain is domain-uk.com, but the internal domain, as I said, was name.domain-uk.com.

If I want external users to access /owa using, say, webmail.domain-uk.com rather than name.domain-uk.com,

what is it I need to do? Is it some clever DNS stuff?
0
 

Author Comment

by:pepps11976
I'm still confused; users are still getting certificate issues!!

The internal users for some reason are accessing via the external address, which is not on the cert as stated above. How can I get around this???
0
 

Author Comment

by:pepps11976
OK, I have an update. The reason internal users were being given a cert error is because the Outlook Anywhere internal URL was pointing to mailserver.tech-uk.com, so I have changed this to

exchange.tech.tech-uk.com, and all is fine with that part as I bought a cert for that.

My last question: the external domain is tech-net.com, so how am I able to stop cert errors when browsing externally to mailserver.tech-uk.com?
0
 
LVL 19

Expert Comment

by:Adam Farage
In internal DNS, set up a forward lookup zone called "tech-uk.com" and set up a DNS A record to point mailserver.tech-uk.com (or whatever) to the *internal* IP. So when folks who are using internal DNS look up tech-uk.com, it will see the internal address and redirect them to the internal server (in this case Exchange).
0
 

Author Comment

by:pepps11976
Internal is fine; it's external users not on the domain accessing webmail that is the issue.
0
 
LVL 28

Assisted Solution

by:becraig
becraig earned 250 total points
Change your external URL to match your internal URL and you will be fine. Just run the set-client access cmdlet and configure the external to match the internal. Hopefully the internal URL is also available on the Internet?
0
 

Author Comment

by:pepps11976
But if I already own tech-uk.com, is it not just a case of creating a subdomain on the actual name in hosted DNS?
0
 

Author Comment

by:pepps11976
becraig, I appreciate your help on this.

It's just that when we set up the domain it was said to be best practice not to use .local, so instead we added name.domain-uk.com.

This is now proving to be causing issues; whereas users only needed before to type mailserver.tech-uk.com, this now needs to change.

Is there no way around this?

Also, am I right in saying that internal users also need a cert for connecting via Outlook? Can they not use the preinstalled certs?

Would it then be a case of me rekeying the cert I have back to tech-uk.com and adding that, or do I need the cert

tech.tech-uk.com to allow internal (Outlook) users to connect?
0
 
LVL 19

Accepted Solution

by:Adam Farage
Adam Farage earned 250 total points
Your internal and external FQDN on the CAS services should match. This simplifies the namespace and allows you to keep a single SSL certificate (UC Certificate). I would highly recommend updating the InternalURL to match the ExternalURL and then creating a forward lookup zone for the external domain, with an A record pointing to the CAS or load-balanced VIP.
0
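Adam's accepted approach in PowerShell, as an added example that is not from the thread: give each Client Access virtual directory and Outlook Anywhere the same FQDN inside and out, then create a split-DNS zone so that internal clients resolve that name to the LAN address. It assumes the certificate already carries mailserver.tech-uk.com; the server name and IP address are placeholders, and the DNS cmdlets need the DnsServer module on the internal Windows DNS server.

```powershell
# Added example, not from the thread. Exchange cmdlets run in the Exchange
# Management Shell; the Add-DnsServer* cmdlets run on the internal DNS server.
$Server = 'EXCHANGE'                 # assumed Exchange 2013 server name
$Fqdn   = 'mailserver.tech-uk.com'   # the name that is on the certificate
$LanIp  = '192.168.0.10'             # assumed internal IP of the CAS

# Before: this is where the two URLs disagree and the cert warnings come from.
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# One URL inside and out for every client protocol.
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$Fqdn/owa" -ExternalUrl "https://$Fqdn/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$Fqdn/ecp" -ExternalUrl "https://$Fqdn/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$Fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$Fqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$Fqdn/OAB" -ExternalUrl "https://$Fqdn/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"

# Outlook Anywhere is the setting the asker found pointing at the wrong name.
# Exchange 2013 requires the *ClientsRequireSsl switch alongside each hostname.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Fqdn -InternalClientsRequireSsl $true `
    -ExternalHostname $Fqdn -ExternalClientsRequireSsl $true

# Split DNS: an internal copy of the external zone whose A record hands
# internal clients the LAN address for the same name external clients use.
Add-DnsServerPrimaryZone -Name 'tech-uk.com' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName 'tech-uk.com' -Name 'mailserver' -IPv4Address $LanIp

# After: both sides now present the certificate's name.
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
```

Hosting the whole tech-uk.com zone internally means every other public host in that domain (www, for example) also needs a record in the internal zone, or internal users will stop resolving it.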
 
LVL 28

Expert Comment

by:becraig
Adam's approach would be much easier in my mind, since all you have to do is modify your DNS records and acquire a new certificate matching the external domain name.

Once that is done and both internal and external URLs match the name of the certificate (the current external domain name),

your certificate errors will go away.
0
 

Author Comment

by:pepps11976
OK guys, I got around this issue by purchasing a multiple-SAN User Cert, and going through the wizard in Exchange it pretty much added all that I needed.

Thanks all for your help
0