asked on
Exchange 2007 to 2013
I have setup a new Exchange 2013 server to replace a exchange 2007 server
Old Server: Server 2008 & Exchange 2007
New Server: Server 2012 & Exchange 2013
Current Situation:
1) Mail is all pointed at the new server, and is currently being passed to the old server (I didn't set this up it's just working)
2) New user accounts work on the new server and send/receive, can be used on ipads/Phones/webmail but not outlook - certificate errors
3) Old users can be used in outlook using the old server but are receiving mail, cant use webmail or iphones as the mail.domain.com is pointed at the new server
4) Administrator mailbox is moved to the new server and can use webmail but not IPads/Phones/outlook
I have created a new certificate request on the new server but I cannot verify it as when I go to https://newserver/certsrv and submit a certificate request I receive the error "no certificate templates could be found. you do not have permission to request a certificate from this CA, or an error occured while accessing the active directory."
I have went through the following:
http://support.microsoft.com/en-us/kb/811418 (they are both the same case)
http://theadminsguide.net/2012/08/29/no-certificate-templates-could-be-found-you-do-not-have-permission-to-request-a-certificate-from-this-ca/ ( I ahve it running as a network service)
I have also made sure anonymous authentication is disabled and using windows authentication on the certsrv and certenroll in IIS
I have added some more certificate templates in the certsrv addin and they show up, but not the web server one which I need, I have even deleted it and re-added it but only new additions show up
Many Thanks
James
Old Server: Server 2008 & Exchange 2007
New Server: Server 2012 & Exchange 2013
Current Situation:
1) Mail is all pointed at the new server, and is currently being passed to the old server (I didn't set this up it's just working)
2) New user accounts work on the new server and send/receive, can be used on ipads/Phones/webmail but not outlook - certificate errors
3) Old users can be used in outlook using the old server but are receiving mail, cant use webmail or iphones as the mail.domain.com is pointed at the new server
4) Administrator mailbox is moved to the new server and can use webmail but not IPads/Phones/outlook
I have created a new certificate request on the new server but I cannot verify it as when I go to https://newserver/certsrv and submit a certificate request I receive the error "no certificate templates could be found. you do not have permission to request a certificate from this CA, or an error occured while accessing the active directory."
I have went through the following:
http://support.microsoft.com/en-us/kb/811418 (they are both the same case)
http://theadminsguide.net/2012/08/29/no-certificate-templates-could-be-found-you-do-not-have-permission-to-request-a-certificate-from-this-ca/ ( I ahve it running as a network service)
I have also made sure anonymous authentication is disabled and using windows authentication on the certsrv and certenroll in IIS
I have added some more certificate templates in the certsrv addin and they show up, but not the web server one which I need, I have even deleted it and re-added it but only new additions show up
Many Thanks
James
ExchangeSSL / HTTPSMicrosoft IIS Web Server
Last Comment
clivingIOS
ASKER
the issue is that the 2013 server isn't allowing people to access their emails via outlook because of this certificate problem, without being able to get the certificate on the new server I cannot use outlook so cannot move the users mailboxes yet?
I cannot issue the certificate because of not being able to submit a certificate request
I cannot issue the certificate because of not being able to submit a certificate request
How have you configured your virtual directories on your Exchange 2013 server? Have you actually installed and SSL certificate on this server? The FQDN that you are using on the virtual directories needs to be the same name that is on the certificate mail.example.com (2013) or legacy.example.com (2007).
You do not need to have access to the UI to generate a CSR. you can also do this from Powershell or IIS.
Generate CSR using IIS
https://www.digicert.com/csr-creation-microsoft-iis-7.htm
Will.
You do not need to have access to the UI to generate a CSR. you can also do this from Powershell or IIS.
Generate CSR using IIS
https://www.digicert.com/csr-creation-microsoft-iis-7.htm
Will.
ASKER
Can I use IIS or Powershell to convert my .req to a .cer ?
ASKER
the certificates on the server are the ones that were created during exchange install, They all say valid but I read that I had to create a certificate because self-signed ones cant be used anymore.
I dont want to pay someone to sign the certificate hence me trying to use the CA
I dont want to pay someone to sign the certificate hence me trying to use the CA
ASKER
I have setup the legacy.domain.com for the old server as i originally skipped, now if I logon to webmail using an existing account it says legacy.domain.com is in a redirect loop
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I understand that they are fairly cheap however I have been told to set it up without using one - at least for now, are you saying that cant be done?
Not saying it cannot be done but you will say yourself a lot of headache using a 3rd party SSL cert.
CareExchange has a complete walk-through for setting up an Internal CA and also shows how to setup/install the AD CS.
http://careexchange.in/how-to-use-a-internal-windows-ca-certificate-authority-in-windows-2012-with-exchange-2013/
Will.
CareExchange has a complete walk-through for setting up an Internal CA and also shows how to setup/install the AD CS.
http://careexchange.in/how-to-use-a-internal-windows-ca-certificate-authority-in-windows-2012-with-exchange-2013/
Will.
ASKER
That's actually the guide I followed, only when I get to step 18 i get the no templates found error:
Step 18:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC
Step 18:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Ok sounds good.
Will.
Will.
ASKER
Ended up buying a certificate just to make things run smoothly, much prefer the older versions and the way they work the new ECP is terrible.
Thanks for your help
Thanks for your help
ASKER
a few factors to the fix
legacy.example.com
mail.example.com
autodiscover.example.com
You generate this certificate from the new Exchange 2013 server. When you get the cer/crt file back you import this back into the Exchange 2013 server. You will need to enabled the services for this using the Enable-ExchangeCertificate
You will then need to export the certificate (with the private key) and import the new certificate into all of the Exchange Servers that hold the CAS role (2007 and 2013).
You then have to enable the certificate on all of the CAS servers as well.
Once that is in place you will need to configure your virtual directories for Exchange 2007 (https://legacy.example.com/owa/oab/etc) You will then use the (https://mail.example.com/owa/oab/etc) for Exchange 2013 virtual directories.
You will leave the autodiscover set to autodiscover.example.com for both. It is also recommeneded that you use Exchange 2013 for ActiveSync as well so ensure that you only setup Exchange 2013 activesycn virtual directory.
I would also suggest that you go through the Exchange Deployment Assistant and make sure that you have gone over all of the steps accordingly.
https://technet.microsoft.com/en-us/office/dn756393.aspx
Will.