Certificate Service Problem
Hello Everyone and thanks for your help in Advance. I am running Exchange Server 2003 Enterprise SP1 on Windows Server 2003. My clients connect via OWA and Outlook using HTTP over RPC. Everything was working fine until the secure certificate expired this morning. I had been utilizing a certificate issued by the Certificate Services of the Exchange Server. I then went to the IIS management console, opened the Default Web Site>Directory Security>Server Certificate, then requested the current certificate be renewed. The certificate appears to have been renewed, however, when I try to access OWA via IE 8.0, I get a page cannot be displayed error. However, I can access OWA fine using Firefox. Additionally, I cannot connect to the Exchange server using Outlook RPC over HTTPS. I'm really at a loss as to what to do next. Any help would be greatly appreciated.
January 27th, 2010 3:27am
On Wed, 27-Jan-10 00:27:26 GMT, kmcnet wrote:
> Hello Everyone and thanks for your help in Advance. I am running Exchange Server 2003 Enterprise SP1 on Windows Server 2003. My clients connect via OWA and Outlook using HTTP over RPC. Everything was working fine until the secure certificate expired this morning. I had been utilizing a certificate issued by the Certificate Services of the Exchange Server.

So it was a "self-signed" certificate?

To renew it, see this URL:
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
---
Rich Matheisen
MCSE+I, Exchange MVP
January 27th, 2010 6:11am
Thanks for the response. I am unclear as to the term "self signed", however the certificate was issued through the certification authority on the Exchange Server through Windows Server 2003 Certificate Services. When I open the MMC console for Certificate Services, in the folder "Issued Certificate", I do see a certificate that was issued approximately the time of the renewal request. Additionally, with the IIS management console, when I look at the directory security tab for the Default Web Site, and view the certificate, there appears to be a certificate with a new expiration date two years from now. However, the problem appears to be how the client machines are handling the certificate. When accessing OWA with Firefox, everything seems to be fine. However, IE 8 gives a page cannot be displayed error and Outlook 2007, trying to use HTTPS over RPC, gives an error message "The application experienced an internal error loading the SSL libraries". It then gives me the option of installing the certificate, which I do. However, I still cannot connect. No other configuration changes have been made on either the client machines, or the server.
January 27th, 2010 2:43pm
On Wed, 27-Jan-10 11:43:02 GMT, kmcnet wrote:
> Thanks for the response. I am unclear as to the term "self signed", however the certificate was issued through the certification authority on the Exchange Server through Windows Server 2003 Certificate Services. When I open the MMC console for Certificate Services, in the folder "Issued Certificate", I do see a certificate that was issued approximately the time of the renewal request. Additionally, with the IIS management console, when I look at the directory security tab for the Default Web Site, and view the certificate, there appears to be a certificate with a new expiration date two years from now. However, the problem appears to be how the client machines are handling the certificate. When accessing OWA with Firefox, everything seems to be fine. However, IE 8 gives a page cannot be displayed error and Outlook 2007, trying to use HTTPS over RPC, gives an error message "The application experienced an internal error loading the SSL libraries". It then gives me the option of installing the certificate, which I do. However, I still cannot connect. No other configuration changes have been made on either the client machines, or the server.

Use the New-ExchangeCertificate cmdlet to generate the CSR. Then use the CSR to create the certificate. Then use Import-ExchangeCertificate and, finally, Enable-ExchangeCertificate.

This is a helpful web site that will create the new-exchangecertificate cmdlet for you (and their certs seem to work very well):
https://www.digicert.com/easy-csr/exchange2007.htm

This should explain the goings-on with the whole process:
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
January 27th, 2010 7:59pm
Once again, thanks for the response. Before I proceed, I'm trying to understand what is happening so I don't compound my errors. First, you are aware this is Exchange 2003, not 2007 since your posts reference 2007. Is there a problem with initiating the renewal request through IIS as opposed to using certificate services or the cmdlet? Why would it be different? Do the command line commands work with 2003?
January 28th, 2010 6:39pm
On Thu, 28-Jan-10 15:39:20 GMT, kmcnet wrote:
> Once again, thanks for the response. Before I proceed, I'm trying to understand what is happening so I don't compound my errors. First, you are aware this is Exchange 2003, not 2007 since your posts reference 2007.

Well, no, it seems I completely overlooked that!

> Is there a problem with initiating the renewal request through IIS as opposed to using certificate services or the cmdlet?

No. For E2K3, stick with the regular way of renewing the cert (or requesting a new one).

> Why would it be different? Do the command line commands work with 2003?

No, it doesn't. I mean the CSR will work, but the cmdlet requires schema extensions, powershell, and the E2K7 management tools.

So, let's start afresh.

The certificate appears to be correctly installed in the certificate store of the local machine account. The issuing CA's root certificate is also found in the trusted root certificates for the local machine account.

When you use IE8 and connect to https://<server>/Exchange you get a page not found error (404). Or is the error different to a 404? Is it a 401 or a 403 error? And if it is, can you provide the complete error code (e.g. 403.1)? Do you get any warning about certificate problems, or is this just a problem with IE8?

If you use another IE version (e.g. IE7 or IE6) do you get the same results?

If IE8 won't display the page, does the little "torn page" icon appear at the right of the address bar? If you click it can you display the page?
---
Rich Matheisen
MCSE+I, Exchange MVP
January 28th, 2010 7:25pm
Again, thanks for the help. You are correct in that I access OWA through https://<server>/Exchange. The exact error message is Internet Explorer cannot display the webpage without any type of error code. There is no warning about certificate errors. The problem appears to be specific to IE 8 since IE 7 displays correctly. Firefox displays correctly, but with a certificate error message. Outlook provides an SSL error message. There are no torn page icons anywhere. I have imported the certificate into the local machine and receive a message the import was successful, however, the certificate does not appear in the trusted certification authorities. However, even if it is a certificate problem, I believe I should still get a warning before accessing the page instead of no access whatsoever.
January 29th, 2010 12:32am
On Thu, 28-Jan-10 21:32:11 GMT, kmcnet wrote:
> Again, thanks for the help. You are correct in that I access OWA through https://<server>/Exchange. The exact error message is Internet Explorer cannot display the webpage without any type of error code.

Try turning off "Show friendly HTTP error messages" in the "Browsing" section of the "Advanced" tab on the "Tools | Internet Options". I'd also try removing any browsing history and cached pages and then restarting the browser.

If you haven't done anything to the default web site, can you browse to just https://<server> ? You should get the standard "Under Construction" web page.

> There is no warning about certificate errors.

Well, if you can't get to the web page you probably won't get a certificate error. :-)

> The problem appears to be specific to IE 8 since IE 7 displays correctly.

And no certificate error in IE7? That's good.

> Firefox displays correctly, but with a certificate error message.

Firefox doesn't use the certificate store, it has its own. Add your root certificate: Tools | Options... | Advanced | Encryption | View Certificates | Import...

> Outlook provides an SSL error message.

It shouldn't if the certificate is correct. The name in the Exchange Proxy Settings should match the name in the certificate.

> There are no torn page icons anywhere. I have imported the certificate into the local machine and receive a message the import was successful, however, the certificate does not appear in the trusted certification authorities.

Use the Certificates MMC snap-in and use "My account". Select the "Trusted Certification Authorities | Certificates" and right-click it. Select "Import..." and suck in your root cert.

> However, even if it is a certificate problem, I believe I should still get a warning before accessing the page instead of no access whatsoever.

Yes, you should. I think you have a couple of problems, so getting the certificate stuff squared away will help getting things narrowed down.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 29th, 2010 1:53am
Thanks again. Tried all of this without any success. I understand there would not be a security message if I can't get to the page, but can't figure out why getting to the page is a problem. Why would a certificate problem cause this to occur? Also, cannot get to https://<server>/certsrv in order to download the CA. However, pulled the root cert over to the client machine and imported it, but still no luck. Not sure what to do next.
January 29th, 2010 4:03am
BTW, tried a couple of more things. First, I generated and installed another certificate using the methods from the article:
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Still did not work. Also, tried opening OWA in Safari and received "Safari can't open the page since Safari can't establish a secure connection to the server".
January 29th, 2010 5:36am
On Fri, 29-Jan-10 01:03:35 GMT, kmcnet wrote:
> Thanks again. Tried all of this without any success.

So you can't even get to the default web site??? Is that true from _any_ machine running IE8? That's a pretty simple web page (iisstart.htm).

If you look at the "Directory Security" tab on the property page of the Default Web Site, the "Authentication and access control" should allow anonymous access. The "Secure communications" should require SSL and the "client certificates" should be set to "ignore client certificates".

> I understand there would not be a security message if I can't get to the page, but can't figure out why getting to the page is a problem.

Neither can I.

> Why would a certificate problem cause this to occur?

It shouldn't.

> Also, cannot get to https://<server>/certsrv in order to download the CA.

Why not?

> However, pulled the root cert over to the client machine and imported it, but still no luck. Not sure what to do next.

You may want to move this over to an IIS forum. Right now I don't think you have an Exchange problem if IE7 works.

I still don't like the error you say you get with Outlook, though. If the certificate name (the "Subject" property) matches the name in the Exchange Proxy Settings, and you have the root CA in your trusted certificate authority, you should be good. The only thing that might be interfering is the inability to check the CA's CRL -- you said you couldn't get to the CA's URL so that might be a clue.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 29th, 2010 6:05am
It's undoubtedly an SSL problem as shown by the Outlook error message. I think the problem in getting to the web page is my firewall redirects SSL traffic to the Exchange server. All other traffic goes elsewhere. So I think IE 8 is handling SSL differently and the firewall is sending the traffic incorrectly. So I think focusing on the Outlook error will fix the problem. What do you mean in your last paragraph of your last post?
January 29th, 2010 12:08pm
On Fri, 29-Jan-10 09:08:07 GMT, kmcnet wrote:
> It's undoubtedly an SSL problem as shown by the Outlook error message. I think the problem in getting to the web page is my firewall redirects SSL traffic to the Exchange server. All other traffic goes elsewhere. So I think IE 8 is handling SSL differently and the firewall is sending the traffic incorrectly.

Why not use a network monitor like WireShark and see if the request is even making it to your Exchange server? The data will be encrypted so you won't see much, but you'll at least be able to know if the IP used by your IE8 client is getting as far as the Exchange server.

> So I think focusing on the Outlook error will fix the problem.

Have you tried http://testexchangeconnectivity.com at all? That may point out your problem.

> What do you mean in your last paragraph of your last post?

Part of the checking done by a client is to verify that the certificate presented by the server hasn't been revoked. To perform that check the client will read the revocation list (the CRL) from the Certificate Authority. If that CA can't be accessed the client may complain.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 29th, 2010 9:15pm
http://testexchangeconnectivity.com gave the following error:
Request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
So, assuming this is correct, I gather this is indicating the certificate on the server is bad in some fashion. I'm not sure where to look next. Perhaps clear out everything and start over (how exactly)?
January 31st, 2010 4:42am
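The checks Rich lists in the earlier replies (expiry, subject name matching the name clients use, a root CA in the client's trusted store, and a reachable CRL) are exactly what produces the "Could not establish trust relationship for the SSL/TLS secure channel" error above. The following PowerShell diagnostic is an added example, not code from the thread or from Microsoft; run it from a client machine, and the server name is a placeholder to replace with the name from the OWA URL or Exchange Proxy Settings.

```powershell
# Added diagnostic, not from the thread: fetch the certificate the OWA server
# presents on port 443 and run the checks a client performs before trusting it.
param(
    [string]$ServerName = "mail.example.com",   # placeholder: the name clients actually use
    [int]$Port = 443
)

# Accept any certificate during the handshake so it can be inspected; real validation is below.
$tcp = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $ServerName, $Port
$ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, { $true }
try {
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose(); $tcp.Close()
}
if (-not $cert) { throw "No certificate received from ${ServerName}:$Port" }
"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Valid to : $($cert.NotAfter)"
$crl = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }   # CRL Distribution Points
if ($crl) { "CRL DP   : $($crl.Format($true).Trim())" }

# 1. Expiry, which is what took OWA down in the first place.
if ($cert.NotAfter -lt (Get-Date)) { "FAIL: certificate expired on $($cert.NotAfter)" }

# 2. Name match: the name clients connect to must equal the certificate's subject name.
$certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ne $ServerName) { "FAIL: certificate is for '$certName', clients connect to '$ServerName'" }

# 3. Chain and revocation, evaluated against THIS client's certificate stores.
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "Online"      # force the CRL download, as Outlook and IE do
$chain.ChainPolicy.RevocationFlag = "EntireChain"
if ($chain.Build($cert)) {
    "OK: chain builds to a trusted root and the CRL was reachable"
} else {
    foreach ($s in $chain.ChainStatus) {
        # NotTimeValid = expired; UntrustedRoot = CA cert missing from this client's Trusted Root
        # Certification Authorities; RevocationStatusUnknown / OfflineRevocation = the CRL URL
        # (typically under the CA's /certsrv site) could not be fetched from this client.
        "FAIL: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

Because step 3 uses the running account's stores, run it once as the user whose Outlook fails and once as an administrator to see whether the root CA was imported into the wrong store.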
On Sun, 31-Jan-10 01:42:05 GMT, kmcnet wrote:
> http://testexchangeconnectivity.com gave the following error:
> Request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
> So, assuming this is correct, I gather this is indicating the certificate on the server is bad in some fashion. I'm not sure where to look next. Perhaps clear out everything and start over (how exactly)?

I don't remember if I asked this before, but can you use IE8 and connect directly to the mailbox server from within your company network? Does that work? You should be able to at least connect to the default web page for the default web site.

Do you have just a single server, or do you also have a Front-End server?

Explain a little bit about your firewall and how it handles connection on port 443. Does it simply pass the data straight through or does it try to decrypt the data stream for inspection and then encrypt it again? Does the firewall require a certificate, too?
---
Rich Matheisen
MCSE+I, Exchange MVP
January 31st, 2010 6:40am
Thanks again for the help. I've tried using IE 8 behind the firewall using both the FQDN as well as the internal IP address without success. However, once again, Firefox connects with a security warning. The firewall is very simple, only serving to route traffic on port 443 to the domain server. The Exchange server is standalone and does not utilize a front end configuration. However, there is a separate Windows Server 2003 that acts as the domain controller.
January 31st, 2010 4:52pm
On Sun, 31-Jan-10 13:52:11 GMT, kmcnet wrote:
> Thanks again for the help. I've tried using IE 8 behind the firewall using both the FQDN as well as the internal IP address without success.

Well, how about trying this: uncheck the "Require secure channel (SSL)" on the default web site. Cancel the "Inheritance Overrides" dialog.

Can you connect to http://<ip-addr> or http://<netbios-name> with IE8 now? That should eliminate the question about the certificate.

> However, once again, Firefox connects with a security warning.

Have you added your root certificate to Firefox's certificate store?

> The firewall is very simple, only serving to route traffic on port 443 to the domain server. The Exchange server is standalone and does not utilize a front end configuration. However, there is a separate Windows Server 2003 that acts as the domain controller.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 31st, 2010 7:36pm