OWA / Companyweb Connection Problem
Hi,
I am having a number of issues related to OWA, company web etc. When I try and browse the OWA website using https://server-ip/owa, https://servername/owa or https://servername.domain/owa both are not resolving on both the server and the client PCs internally or externally. When I use https://localhost/owa this works fine on the server. I have run nslookup and the response is correct. I have not applied any updates before this error started happening. This in turn has had a knock-on effect that I cannot resolve autodiscovery.
I am also experiencing issues in WSUS - 'the server cannot be found' but this may be a knock-on effect. All sites are running in IIS.
I would be very grateful if someone could advise me of a solution as I'm running out of ideas.
Thanks in advance
James
March 8th, 2012 6:39am
Version of Exchange / SBS?
Have you run the Fix My Network wizard? Although it sounds like it is an SSL certificate error. Do you have a commercial certificate on the site?
Simon. Simon Butler, Exchange MVP
Blog |
Exchange Resources | In the UK?
Hire Me.
March 8th, 2012 7:01am
Hi Simon,
SBS 2008 / Exchange 2007 SP3
Yes, I have run the wizard quite a few times; the only issue it is coming back with is 'Could not configure the router'.
The router is set up to forward all relevant ports to the server.
We use a self-assigned certificate.
Thanks
James
March 8th, 2012 7:32am
Was the self-signed certificate installed by SBS or some other process? I still think it is an issue with the SSL certificate - it could be a bad SSL certificate. My preference would be to swap it for a commercial certificate. These can be purchased for less than $80/year https://certificatesforexchange.com/ and would ensure that you don't have to worry about trust issues and telling users to ignore certificate prompts which I consider a security risk.
Simon. Simon Butler, Exchange MVP
March 8th, 2012 7:49am
The self-signed certificate was all installed by SBS, and created during initial configuration.
Below is what is included in the site bindings for SBS Web Applications:
The https bind is attached to a certificate which corresponds to mail.domain.com and is valid till 07/2014.
I can order a commercial certificate if you think that could fix the issue but would a self-assigned one cause this problem now, as in the past it has been fine?
Thanks
James
March 8th, 2012 8:00am
It isn't the bindings that is the issue - it could be a corrupt certificate, which means the SSL session cannot be established. That would also stop WSUS, which also makes connections over SSL.
My preference is always to use a commercial certificate, particularly if the site is internet facing. I don't like users getting prompts.
On SBS 2008 though, the certificate installation has to be done with care. I have notes on the process here:
http://exchange.sembee.info/2007/install/sbs2008ssl.asp
Simon. Simon Butler, Exchange MVP
March 8th, 2012 8:26am
OK, I'll get a commercial certificate and follow the guide. I'll have an update in a bit.
Thanks
James
March 8th, 2012 9:09am
Hi Simon,
I've installed a commercial certificate as per the guide. I am still finding a problem with connectivity to these sites.
I re-ran the SBS best practices and it found the following issues:
HTTP Port (TCP 80) Status :
The System process should listen on Port 80, but that port is owned by the process.
HTTPS Port (TCP 443) Status :
The System process should listen on Port 443, but that port is owned by the process.
HTTPS Port (TCP 987) Status :
The System process should listen on Port 987, but that port is owned by the process.
No SSL certificate is configured for the SBS SharePoint site :
The SBS SharePoint site is not associated with an SSL certificate. To configure a certificate for the SBS SharePoint site, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. In IIS Manager, double-click Sites, right-click SBS SharePoint, and then click Edit Bindings. In the Site Bindings dialog box, click the type for https on port 987, and click Edit. In the Edit Site Binding dialog box, select the appropriate certificate, and then click OK.
User account does not show in the Windows SBS Console :
The user account Sharepoint does not have the attributes that are necessary for it to display in the Windows SBS Console.
User account does not show in the Windows SBS Console :
The user account DCS_SERVER does not have the attributes that are necessary for it to display in the Windows SBS Console.
I assume the ports can be ignored; within the IIS Manager the SBS SharePoint site is bound to the new commercial certificate. Should the user Sharepoint and DCS_SERVER show up in the Windows SBS console?
Thanks
James
March 9th, 2012 9:54am
Did you enable the certificate through the SBS management console?
Simon. Simon Butler, Exchange MVP
March 9th, 2012 9:57am
I imported it into Exchange using
Import-ExchangeCertificate -Path C:\CertificateFile.crt
And then used the Add trusted Certificate in the SBS Console.
Thanks
James
March 9th, 2012 10:00am
That is the correct way to do it. Otherwise it upsets Exchange.
Have you run the fix my network wizard since installing the certificate?
Is there something else on the system that is using the ports? To get listening errors usually means there is a configuration error or something else installed.
Simon. Simon Butler, Exchange MVP
March 9th, 2012 10:04am
When I ran, pre to the Best Practice Wizard, it brought up the following issues:
When I re-ran the wizard, only the port error was displayed. I don't run anything else on these ports and mail on port 25 functions fine and I can still VPN in.
The only other thought I have is if Trend Worry Business.
Thanks
James
March 9th, 2012 10:34am
Something else is listening to the port. You can try using some of the tools like netstat to see if you can identify what process that is.
Simon. Simon Butler, Exchange MVP
March 9th, 2012 12:00pm
Hi Simon,
I've just done a netstat -ano >> C:\connections.txt and the following entries are listed against 443
TCP 127.0.0.1:443 0.0.0.0:0 LISTENING 4
Should this not be
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
Thanks
James
March 9th, 2012 12:38pm
If that is the only entry, then it is only listening on 127.0.0.1. Which is wrong.
Try this:
netstat -an | findstr :443
You should get back this (taken from my reference SBS 2008 machine).
C:\Users\NetAdmin>netstat -an | findstr :443
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP [::]:443 [::]:0 LISTENING
Anything else and the bindings are all screwed up.
Run another netstat, this time with -ab and it should tell you what process is listening on the port.
Simon. Simon Butler, Exchange MVP
March 9th, 2012 3:18pm
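The check discussed in this exchange, as an added example that is not part of any post in the thread: a Python script that reads saved netstat -ano output, keeps only rows whose local side is LISTENING on the port (findstr :443 also matches outbound connections to a remote port 443), and reports whether the listener is bound to all interfaces or to loopback only. The function names and the sample rows are assumptions, constructed from the values quoted in the thread.

```python
import ipaddress

# Constructed sample in "netstat -ano" layout: the listener row matches the one
# posted in the thread; the PID 1234 on the outbound rows is made up.
BROKEN = """\
  TCP    127.0.0.1:443          0.0.0.0:0              LISTENING       4
  TCP    192.168.10.1:10909     92.123.89.83:443       ESTABLISHED     1234
  TCP    192.168.10.1:17852     92.123.89.83:443       CLOSE_WAIT      1234
"""
# Constructed sample modelled on the reference SBS 2008 output quoted above.
REFERENCE = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    [::]:443               [::]:0                 LISTENING       4
"""

def parse_listeners(netstat_text, port):
    """Return (local_ip, pid) for every TCP row LISTENING on the local `port`."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Row layout: Proto  LocalAddress  ForeignAddress  State  [PID]
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port != str(port):
            continue
        pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        rows.append((host.strip("[]"), pid))
    return rows

def classify(listeners):
    """Summarise how widely the port is exposed."""
    if not listeners:
        return "not-listening"
    # Drop any IPv6 zone id (fe80::1%11) before parsing the address.
    addrs = [ipaddress.ip_address(host.split("%")[0]) for host, _ in listeners]
    if any(a.is_unspecified for a in addrs):   # 0.0.0.0 or ::
        return "all-interfaces"
    if all(a.is_loopback for a in addrs):      # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "specific-addresses"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("reference", REFERENCE)):
        rows = parse_listeners(text, 443)
        print(name, classify(rows), rows)
```

A loopback-only result matches the symptom reported at the start of the thread, where https://localhost/owa works on the server while the server IP and name do not.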
Hi Simon,
Thanks for that,
netstat -an | findstr :443 resolved the following
TCP 127.0.0.1:443 0.0.0.0:0 LISTENING
TCP 192.168.10.1:10909 92.123.89.83:443 ESTABLISHED
TCP 192.168.10.1:11266 92.123.89.83:443 ESTABLISHED
TCP 192.168.10.1:17852 92.123.89.83:443 CLOSE_WAIT
TCP 192.168.10.1:18238 92.123.89.83:443 CLOSE_WAIT
TCP 192.168.10.1:18412 92.123.89.83:443 CLOSE_WAIT
TCP 192.168.10.1:26464 92.123.89.83:443 ESTABLISHED
When I ran netstat -ab | findstr :443 in an admin console it came back with
x: Windows Sockets initialization failed: 5
Thanks,
James
March 12th, 2012 5:44am
Despite the errors about sockets failing, you should have seen two references to 443:
x: Windows Sockets initialization failed: 5
TCP 0.0.0.0:443 SERVER:0 LISTENING
x: Windows Sockets initialization failed: 5
TCP [::]:443 SERVER:0 LISTENING
So your bindings are wrong. I presume you have checked in IIS manager to see whether they are correct?
If they are shown as correct in IIS, then try restarting IIS services and see if all of the web sites become available - that will show if something else is using the port.
Otherwise it is looking like a corrupt IIS metabase, which isn't pretty to resolve on SBS at all.
Simon.
Simon Butler, Exchange MVP
March 12th, 2012 1:41pm
Hi,
Looks like only one entry when running the command prompt from admin.
TCP 127.0.0.1:443 0.0.0.0:0 LISTENING
Have restarted IIS Service using iisreset /stop /start /status and all services are running.
The https 443 is bound to the commercial server certificate.
If this is indeed a corrupt metabase, what would be the best way of resolving this / is it possible to backup and reinstall or would this just take the corrupt metabase into the new install? Or is there another way of a clean install but porting over just email, users and computer information?
Thanks
James
March 13th, 2012 4:07am
I have just compared with my reference SBS 2008 server and the first image with "localhost" as bound to Port 80 is not the same.
The default web site has port 80 bound to * with nothing listed for host name.
The "SBS Web Applications" web site has Sites on port 80 and * on 443. So it is different to what you are seeing.
If the IIS metabase is corrupt, then the cleanup is considerable.
In addition to the steps here:
http://support.microsoft.com/kb/320202
You will need to run the wizards in SBS again and probably fix my network wizard. It is all tightly integrated and it will break quite badly until SBS is sorted out.
You might find it is better to call Microsoft support, pay their fee and get them to fix it for you.
Simon.
Simon Butler, Exchange MVP
March 14th, 2012 1:25pm
Hi Simon,
I have corrected this and still shows no sign of resolving. I also have applied the latest rollup updates for exchange.
I have also submitted this to Experts Exchange but no luck yet.
I have only 6 user accounts and 12 PCs; is it worth just installing from barebones as my backups don't go back far enough?
Thanks
James
March 15th, 2012 2:15pm
That is your choice.
I still suspect an issue with IIS, where the change isn't being written to the metabase correctly. You can try setting it to something completely different, so it is wrong and then running the Fix My Network wizard so it corrects it, but if the corruption is extensive then that might not fix it either.
Simon. Simon Butler, Exchange MVP
March 15th, 2012 3:29pm
I have edited the Default website ports and the SBS Web Applications ports and bindings to some random number.
I then re-ran the Fix my network wizard, this wanted to correct this and did create the correct bindings. But it seems the error is still there, I guess the database is quite corrupt from what you are saying. The rebuild looks quite complicated and I cannot afford to lose emails. It is sounding like a rebuild might be the better idea, backup all emails to pst files, remove from domain all client PCs and then rebuild from fresh. Using another hard drive is best then I can always go back to it, as soon as I know permissions and accounts are set up OK. Would it be worth going to SBS 2011 instead and then import the pst files into the client inboxes?
Thanks
James
March 16th, 2012 9:25am
Recreating the virtual directories and IIS metabase, while complex, is a lot less complex than rebuilding the server completely - although if an IIS reinstall didn't fix the issue that might be what you are looking at having to do anyway.
If you cut port 25 inbound while doing the work then you will not lose any email.
If you have the licences for SBS 2011 instead, then that would be one option. If you do decide to rebuild be aware of this issue with regards to old email:
http://blogs.technet.com/sbs/archive/2009/05/21/cannot-reply-to-old-emails-or-modify-old-calendar-items-after-pst-mail-migration.aspx
Simon. Simon Butler, Exchange MVP
March 18th, 2012 10:55am