Certificate Error in OWA
I have an Enterprise CA running in our Domain. We have Exchange 2003 SP3 running on MS Server 2K3 SP2 sitting behind a box running ISA2004 on MS Server 2K3 SP2. Our Web Server is being published on the ISA server. Our Exchange server is being published on the ISA server as well. OWA and the Web Server are using the same Web Listener pointing to the public IP address.
Question: On a non-domain machine (at home) when I try to connect to OWA from Internet Explorer 8.0 I am getting a Certificate Error with the message "There is a problem... The security certificate presented by this website was not issued by a Trusted Certificate Authority." When I click on the red check and Install the certificate it imports fine but I am still getting a Certificate Error. This same thing happened the first time in Firefox (until I created an exception) and I am getting a certificate error with Chrome as well.
To set up the certificate I created it on the box with the Web Server then exported it to the ISA server under certificate/personal. Then, I copied and pasted the certificate to the Trusted folder. At that point I pointed the Web Listener to the newly exported certificate.
I am getting the same error on many (but not all) Windows XP machines within the domain as well. One point of interest: On a laptop running Windows 7 Ultimate I received the certificate error once on all browsers; now when I point to OWA the authentication box pops up.
I would appreciate some help, this is an annoying problem.
Thanks in Advance
March 2nd, 2010 2:39pm
You may want to install the domain certificate chain on the home machine and add the OWA path into trusted sites
March 2nd, 2010 3:14pm
Is the SSL cert configured for autoenrollment in group policy? I have done that before to ensure it is configured the same way on all machines.
March 2nd, 2010 3:16pm
Your suggestion is good. When I look at Certification path all I see is the name of the certification, not the path to the CA. Could you please explain the procedure to install the Domain Certification Chain? And by home machine I assume you are referring to the non-domain machine.
Could you be so kind as to show me the path for autoenrollment? For example Computer Configuration/Windows Settings...
Thanks
March 2nd, 2010 11:25pm
Hi,
Did you confirm the certificate under Trusted Root Certification Authorities on the client computer?
Please click Start, click Run, input MMC, click File and select Add/Remove Snap-in, click the Add button, highlight Certificates, click the Add button, select My user account, click the Finish button, click OK.
Locate Certificates under Trusted Certification Authorities. Was the certificate that you installed available?
Thanks
Allen
March 3rd, 2010 9:56am
When you connect to the Certificate Server through IIS you have the ability to download the organisation certificate chain. This will then need to be imported into your trusted root certificate authority in the certificates MMC.
If you cast your eye over the following
http://blog.meigh.eu/2010/01/27/creating-a-new-ssl-certificate-in-exchange-2007-cas.aspx
look for the part on downloading the certificate chain.
Once downloaded, import on the non-domain machine. When you go to OWA you should not get any warning messages if it's imported correctly. If you do, try exporting the SSL certificate and importing that into the personal folder in the certificates MMC.
If this works you will need to script the install some way on non-domain machines.
Hope this makes sense, still early here.
March 3rd, 2010 10:33am
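The reply above says the install will need to be scripted for non-domain machines. One way to do that in PowerShell, as an added example that is not from the thread: it imports the downloaded chain only if the root's thumbprint matches a value confirmed out of band, then builds the chain for the server certificate and reports why it fails if it does. The file paths and the thumbprint are placeholders (assumptions).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# The paths and thumbprint defaults are placeholders (assumptions); replace them.
param(
    [string]$ChainFile  = 'C:\temp\certnew.p7b',  # chain downloaded from the CA web pages
    [string]$ServerCert = 'C:\temp\owa.cer',      # public cert exported from the ISA listener
    [string]$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT-CONFIRMED-OUT-OF-BAND>'
)

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($ChainFile)

# Self-signed entries are roots; everything else in the file is an intermediate CA.
$roots = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
$want  = $ExpectedRootThumbprint -replace '\s', ''
if ($roots.Count -eq 0) { throw "No root CA certificate found in $ChainFile" }
foreach ($r in $roots) {
    # Refuse to trust a root that was not verified through a second channel.
    if ($r.Thumbprint -ne $want) {
        throw "Unexpected root $($r.Subject) [$($r.Thumbprint)]; nothing was imported."
    }
}

function Add-ToMachineStore([string]$StoreName, $Cert) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }
}

foreach ($c in $certs) {
    # Roots go to Trusted Root, intermediates to Intermediate Certification Authorities.
    if ($c.Subject -eq $c.Issuer) { Add-ToMachineStore 'Root' $c } else { Add-ToMachineStore 'CA' $c }
}

# Build the chain for the server certificate the same way a client would.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($leaf)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    # Each status names one reason, e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown.
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

The chain check covers trust, validity dates and revocation only; it does not compare the certificate's subject name with the host name typed into the browser.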
When I look on the client computer I DO NOT see the certificate installed but I DO see the CA listed in the Trusted Root Certification Authorities
March 3rd, 2010 9:41pm
Hi,
This issue should not occur since the CA was listed in the Trusted Root Certification Authorities on the client side. Did you apply the certificate on the ISA server?
Thanks
Allen
March 4th, 2010 8:39am
As a test it would be worth installing the certificate you installed on your ISA onto the machine, i.e. export the cert and import on the non-domain machine.
Also, as Allen says, test your web listening rules.
A good site to use for testing is https://www.testexchangeconnectivity.com/
March 4th, 2010 10:32am
Hi,
Any update on this issue?
Thanks
Allen
March 15th, 2010 4:46am