Exchange 2007 Certificates (OWA & ActiveSync)
Where to start... I'm trying to wrap my head around certificates for Exchange 2007 (or in general). I have a single Exchange 2007 Server sitting behind TMG. I've purchased an SSL cert called mail.domain.com and installed it on TMG and Exchange as a 443 binding to the default website. IMAP, POP, IIS, and SMTP are assigned services. This cert DOES NOT match the name of our exchange server. OWA works fine. Since installing this, there has been a constant error of 12014 in the Application log.
Lastly, I'm wanting now to create and assign a self-signed certificate for use with ActiveSync and I'm not quite sure how to go about installing it. Any assistance is greatly appreciated.
jjev
January 20th, 2011 12:10pm
Hi Jev,
Follow this article
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
January 20th, 2011 3:04pm
Thank you for the link m.salah. Is it correct to assume that the 12014 error that I have will not disappear then as the certificate I have purchased doesn't match the name of the exchange server? Purchasing a SAN cert with the OWA and server FQDN is the only way?
jev
January 21st, 2011 2:45am
For everything you should consider when planning the certificate, please read the following:
I am listing the services in Exchange Server 2007 which will require a certificate:
1. POP3 and IMAP4 client access to Exchange
2. Outlook Web Access
3. Outlook Anywhere
4. Exchange ActiveSync
5. Autodiscover
6. Edge Synchronization.
I will take example of Contoso.com and list down the domains we need to add in the SAN of certificate:
1) Internal & external URLs used for OWA, Outlook Anywhere, POP3/IMAP4, Exchange ActiveSync. Usually, a single URL will be used for these services, but if you are using different URLs for each service, make sure you include it in the SAN.
Example: Contoso.com uses mail.contoso.com for accessing OWA, Outlook Anywhere, ActiveSync, POP3 & IMAP services internally as well externally.
2) URL of Autodiscover.
Considering @Contoso.com will be the email address for Contoso users, the Autodiscover URL they will need to include in the certificate SAN is Autodiscover.contoso.com; this is because Outlook is designed to search for the Autodiscover URL in a predefined manner.
3) FQDN & NetBIOS names of the CAS/HT servers.
4) FQDN & NetBIOS name of the Edge server in case it will be used for TLS communication on the Internet. If the Edge is not used for TLS communication on the Internet, a self-signed certificate should be sufficient for the Edge to support the subscription process.
In our example, Contoso receives secure emails on the Internet through edge server edge.contoso.com hence we need edge.contoso.com added in the certificate SAN.
In short, you need following domains added to certificate SAN in above scenario:
Mail.contoso.com
Autodiscover.contoso.com
FQDN & NetBIOS names of the HT & CAS servers (Optional)
FQDN & NetBIOS names of the Edge servers (Optional).
Related articles:
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx
Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx
Best Rgds, Ashish | Unified Communication | MCTS | MCITP | Please remember to select option "Propose As Answer" if the solution works for you | My posts hold no assurances, no promises, and they measured no rights.
January 21st, 2011 1:35pm
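As an added illustration of the SAN list above (example code, not from any post in this thread), the following Exchange Management Shell script assembles the names for the contoso.com scenario and generates the certificate request. The server names, organisation fields and file paths are assumptions; the -Path form of New-ExchangeCertificate and Import-ExchangeCertificate is the Exchange 2007 syntax.

```powershell
# Added example: build the SAN list for the contoso.com scenario and
# generate a third-party CA request with New-ExchangeCertificate.
# All names below are assumptions; replace them with your own values.
$serviceUrl  = "mail.contoso.com"                 # OWA / Outlook Anywhere / EAS / POP / IMAP
$autodisc    = "autodiscover.contoso.com"         # fixed name Outlook looks up
$casServers  = @("cas01", "cas01.contoso.local")  # optional: CAS/HT NetBIOS + FQDN (assumed)
$edgeServers = @("edge.contoso.com")              # optional: only if Edge does TLS on the Internet

# Merge and de-duplicate case-insensitively so the SAN carries no repeats
$san = @($serviceUrl, $autodisc) + $casServers + $edgeServers |
    ForEach-Object { $_.ToLower() } | Select-Object -Unique

Write-Host "SAN entries that will go into the request:"
$san | ForEach-Object { Write-Host "  $_" }

# Generate the PKCS#10 request. The subject CN is the public service URL;
# -PrivateKeyExportable allows exporting the finished cert to TMG later.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=$serviceUrl" `
    -DomainName $san `
    -PrivateKeyExportable $true `
    -FriendlyName "Contoso Exchange SAN certificate" `
    -Path "C:\certreq\contoso-san.req"

# After the CA returns the signed certificate (assumed path), import it and
# enable it for every service in the list above in one pipeline:
# Import-ExchangeCertificate -Path "C:\certreq\contoso-san.cer" |
#     Enable-ExchangeCertificate -Services "IIS,SMTP,POP,IMAP"
```

Before submitting the request, compare the printed SAN list with the internal and external URLs reported by Get-OwaVirtualDirectory, Get-ActiveSyncVirtualDirectory and Get-ClientAccessServer (AutoDiscoverServiceInternalUri); any name clients are sent to that is missing from the list will produce a name-mismatch warning even after the new certificate is installed.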
Hi Jev,
About the error, please try the following steps:
[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
C825AF1799092691FBBDE5D74CED00A7CE0C2DD8 IPUWS. CN=mail.domain.com, OU=MS, O=Organization, L=location, S=State...
0E0D0054620D996193621BA7BDDB32E82FCB60D9 IP..S. CN=Servername
Now if you were to look at your Receive Connectors, you will see a Default Receive Connector. This connector should only have an FQDN of blank, server FQDN, or server shortname.
So for example, taking a look at the Default Receive Connector, we can take a look at the FQDN:
[PS] C:\>get-receiveconnector -Server servername | Where-Object {$_.Identity -like "*Default*"} | FL Identity,FQDN
Identity : servername\Default servername
Fqdn : servername
The TLS selection process for Opportunistic TLS means that it tries TLS using a certificate that is enabled for the service SMTP and matches the FQDN of the Default Receive Connector. So you'll need a certificate enabled for SMTP that matches the FQDN on that default Receive Connector. The self-signed certificate is a SAN cert that has both the servername and servername FQDN. If you created a new self-signed certificate, you'll want to make sure you enable it for SMTP:
Get-ExchangeCertificate -Thumbprint Thumbprint | Enable-ExchangeCertificate -Services SMTP
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 23rd, 2011 2:17am
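The check the post above walks through by hand, as an added example that is not part of the thread: for every receive connector on a Hub Transport server it looks for a certificate that is enabled for SMTP and whose CN or SAN covers the connector FQDN, and flags connectors with no match, which is the condition behind the 12014 event. It runs in the Exchange Management Shell; the server name is taken from the local machine as an assumption, and the helper function name is mine.

```powershell
# Added example: map each receive connector FQDN to an SMTP-enabled certificate.
# Assumes it runs in the Exchange Management Shell on the Hub Transport server.
$server = $env:COMPUTERNAME

# Only certificates enabled for the SMTP service take part in TLS selection
$smtpCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "SMTP" }

# Hypothetical helper: return the first SMTP-enabled certificate whose
# CertificateDomains (CN plus every SAN entry) covers the given FQDN.
function Find-SmtpCertificateForFqdn {
    param([string]$Fqdn)
    foreach ($cert in $smtpCerts) {
        foreach ($name in $cert.CertificateDomains) {
            if ($name -ieq $Fqdn) { return $cert }
            # A wildcard SAN matches exactly one label to the left of it
            if ($name.StartsWith("*.") -and ($Fqdn -like $name)) { return $cert }
        }
    }
    return $null
}

Get-ReceiveConnector -Server $server | ForEach-Object {
    # A blank connector FQDN means the server's own FQDN is presented
    $fqdn = [string]$_.Fqdn
    if ([string]::IsNullOrEmpty($fqdn)) {
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    }

    $match = Find-SmtpCertificateForFqdn -Fqdn $fqdn

    # Build the report row without relying on PowerShell 2.0 features
    $row = "" | Select-Object Connector, Fqdn, SmtpCert, Expires, SelfSigned
    $row.Connector = $_.Identity
    $row.Fqdn      = $fqdn
    if ($match -ne $null) {
        $row.SmtpCert   = $match.Thumbprint
        $row.Expires    = $match.NotAfter
        $row.SelfSigned = $match.IsSelfSigned
    } else {
        $row.SmtpCert   = "NONE - expect event 12014 for this FQDN"
    }
    $row
} | Format-Table Connector, Fqdn, SmtpCert, Expires, SelfSigned -AutoSize
```

A connector reported with NONE has two fixes: enable a certificate that already carries that FQDN for SMTP (Enable-ExchangeCertificate -Services SMTP), or change the connector FQDN to a name the intended certificate does carry. The Expires column is worth reading at the same time, since an SMTP certificate that lapses produces the same symptom later.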
Thank you both - I believe the issue I'm having is caused by using a single SSL certificate which matches my DNS entry (mail.domain.com) for OWA. The default receive connector is the FQDN of the box which this certificate does not match, hence the error. I'm purchasing a SAN certificate this afternoon that will include:
autodiscover.domain.com
mail.domain.com
activesync.domain.com
ExchangeNETbios
ExchangeFQDN
This should be sufficient for my use. There should be no reason I cannot use the same Web Listener for OWA/ActiveSync, right?
jev
January 26th, 2011 1:55pm
Thanks to you both for your assistance - I've now managed, using a SAN certificate from the great folks over at DigiCert, to clear the TLS error and secure OWA / ActiveSync. Just have one issue remaining which deals with ActiveSync.
I have it working internally; there are mobile devices now able to retrieve messaging data from Exchange, but when I try to configure the same mobile device to use ActiveSync outside of our network, it fails. Using https://testexchangeconnectivity.com, everything now passes except for the below. I'm certain it is likely something very simple I'm overlooking.
Testing HTTP Authentication Methods for URL
https://mail.domain.com/Microsoft-Server-Activesync/.
The HTTP authentication test failed.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
jev
January 27th, 2011 2:36pm
Try disabling forms-based authentication for the Exchange virtual directory and setting the authentication to "Basic" and "Integrated".
Best Rgds, Ashish | Unified Communication | MCTS | MCITP | Please remember to select option "Propose As Answer" if the solution works for you | My posts hold no assurances, no promises, and they measured no rights.
January 28th, 2011 12:54am
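As an added example (not from any post in the thread) of applying the suggestion above in a controlled way, the script below first records the current authentication settings and external URLs of the ActiveSync and OWA virtual directories, then previews the change with -WhatIf so nothing is altered until the flag is removed. The virtual directory identities follow the default naming on a single Client Access Server and are assumptions.

```powershell
# Added example: inspect, then preview, the authentication change on the
# ActiveSync and Exchange virtual directories. Identities are assumptions
# based on the default "<server>\<vdir> (Default Web Site)" naming.
$cas = $env:COMPUTERNAME

# 1. Record the current state before touching anything (useful for rollback
#    and for comparing against what the TMG listener expects).
Get-ActiveSyncVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl, BasicAuthEnabled, WindowsAuthEnabled

Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# 2. Preview the change. Remove -WhatIf once the output looks right.
#    ActiveSync itself only offers Basic/Windows; the FBA switch lives on the
#    legacy /Exchange OWA directory the post refers to.
Set-ActiveSyncVirtualDirectory `
    -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -BasicAuthEnabled $true -WhatIf

Set-OwaVirtualDirectory `
    -Identity "$cas\Exchange (Default Web Site)" `
    -FormsAuthentication $false `
    -BasicAuthentication $true `
    -WindowsAuthentication $true -WhatIf
```

Because the server sits behind TMG, the authentication that the web listener performs and what it delegates to the virtual directory must agree with these settings; re-run the ActiveSync test at testexchangeconnectivity.com after each change rather than adjusting both sides at once, so a remaining 403 can be attributed to one layer.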