OWA Logon - Cannot log on following renewal of self-signed certificate on Exchange 2007
I recently renewed my Self Signed Certificate (thumbprint) on my Exchange 2007 server.
Following the renewal, users are unable to log in to OWA either internally or remotely.
Settings
In IIS 7.0
"Require SSL" is unchecked in both the Default website and OWA site.
HTTP Redirection "Redirect requests to this destination" is checked.
In Exchange Management Console
Under Server Configuration - Client Access - OWA - Authentication is set to "Use forms based authentication" - and "User Name" is selected.
The new certificate was moved to the "Trusted Root Certificate Authorities" container on the Exchange 2007 server.
As far as I can tell, all the settings are identical to the settings in IIS 7.0 and Exchange MMC prior to the thumbprint update. (I took screen shots of all the settings when I renewed the certificate last year.)
I can access the default web page and advance to the OWA login screen (both internally and externally). When I enter my logon credentials ("User Name" and "Password") the page just hangs and I cannot get into OWA. Users with smart phones have stopped receiving email on their smart phones / BlackBerries.
I tried out all the relevant solutions I could find on the net and also recreated a new certificate as well, with no success.
Any help with this issue would be greatly appreciated.
Note: I know I should be using a third-party SSL certificate, but the client doesn't want to pay the money at this point to get one.
Thanks
February 6th, 2011 3:58am
OK, please give us some more information. What does the cmdlet get-exchangecertificate report in the Exchange shell? I think you have to enable the new certificate on the Exchange services and the IIS. In order to use the https connection you have to check the switch "Require SSL".
regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
February 6th, 2011 7:12am
On Sun, 6 Feb 2011 08:54:13 +0000, Arlo15 wrote:
>I recently renewed my Self Signed Certificate (thumbprint) on my Exchange 2007 server.
"Self signed" or issued by a local PKI CA?
>Following the renewal Users are unable to login to OWA either internally or remotely.
>
>Settings
>
>IN IIS 7.0
>
>"Require SSL" is unchecked in both the Default website and OWA site
>
>HTTP Redirection "Redirect requests to this destination" is checked.
>
>In Exchange Management Console
>
>Under Server Configuration - Client Access - OWA - Authentication is set to "Use forms based authentication" - and "User Name" is selected.
>
>The new certificate was moved to the "Trusted Root Certificate Authorities" container on the Exchange 2007 server.
Your certificate should be in the local computer's certificate store
in the "Certificates (Local Computer) | Personal | Certificates"
container.
The CA's root certificate goes into the "Trusted Root Certification
Authorities | Certificates", and the CA's intermediate certificate(s)
go into the "Intermediate Certification Authorities | Certificates".
>As far as I can tell, all the settings are identical to the settings in IIS 7.0 and Exchange MMC prior to the thumbprint update. (I took screen shots of all the settings when I renewed the certificate last year.)
>
>I can access the default web page and advance to the OWA login screen (both internally and externally). When I enter my logon credentials ("User Name" and "Password") the page just hangs and I cannot get into OWA. Users with smart phones have stopped receiving email on their smart phones / BlackBerries.
>
>I tried out all the relevant solutions I could find on the net and also recreated a new certificate as well, with no success.
>
>Any help with this issue would be greatly appreciated.
>
>Note: I know I should be using a third-party SSL certificate, but the client doesn't want to pay the money at this point to get one.
So the expense of a $30 SSL certificate is less money than you're charging them to do the work? Wow!
---
Rich Matheisen
MCSE+I, Exchange MVP
February 6th, 2011 10:11am
Dear peddy1st,
Thank you for your reply.
The read-out for get-exchangecertificate is as follows:
get-exchangecertificate shows: Thumbprint - the new thumbprint, Services IP.WS, Subject CN=My Mail Server Name
get-exchangecertificate | List shows: the same information, except under Services it displays IMAP, POP, IIS and SMTP.
I have tried "Require SSL" (both checked and unchecked, and 128-bit checked/unchecked as well) on the OWA container in IIS and also tried "Integrated Windows Authentication" and "Basic Authentication" in Exchange Management Console for OWA in the CAS.
I still could not get authenticated access to OWA.
Thank you
February 6th, 2011 11:23am
Rich, thank you for your reply.
I'm a bit confused by what you mean by "your Certificate" and the "CA's" Certificate. I created the certificate on the Exchange 2007 box with the New-ExchangeCertificate command.
>Your certificate should be in the local computer's certificate store
>in the "Certificates (Local Computer) | Personal | Certificates"
>container.
-- Not sure what you mean by "your" certificate - do you mean the certificate that is created in Exchange Management Shell? If so, then it is in the location you suggested.
>The CA's root certificate goes into the "Trusted Root Certification
>Authorities | Certificates", and the CA's intermediate certificate(s)
>go into the "Intermediate Certification Authorities | Certificates".
-- Again, not sure what you mean by the CA's root certificate. If you mean the certificate that was created by New-ExchangeCertificate, it is in the locations you suggested.
Is there something I should try next, or is there more information I could provide?
Thank you again for your assistance.
February 6th, 2011 11:34am
On Sun, 6 Feb 2011 16:33:01 +0000, Arlo15 wrote:
>Im a bit confused by what you mean by "your Certificate" and the "CAs" Certificate.
You shouldn't be if you answered the '"Self signed" or issued by a
local PKI CA?' I asked.
>I created the certificate on the Exchange 2007 box with teh New-ExchangeCertificate command.
That's all? Nothing else? Just 'new-exchangecertificate" with no other
parameters or switches? Then it's "self-signed".
>Your certificate should be in the local computer's certificate store in the "Certificates (Local Computer) | Personal | Certificates" container. -- Not sure what you mean by "your" certificate - do you mean the certificate that is created in Exchange Management Shell?
In this case, yes. In the case of a 3rd-party or PKI certificate it
would be that certificate.
>If so then it is in the location you suggested
That's good, but that's not what you said before, which was:
'The new certificate was moved to the "Trusted Root Certificate
Authorites" container on 2007 exchange server.'
>>The CA's root certificate goes into the "Trusted Root Certification Authorities | Certificates", and the CA's intermediate certificate(s) go into the "Intermediate Certification Authorities | Certificates". --
>Again not sure what you mean by the CAs root Certificate.
Since you're really dealing with a 'self-signed' certificate, there's
no CA. Your certificate is untrusted by everyone.
>If you mean the Certificate that was created by New-ExchangeCerticate. If so I it is in the locations you suggested. Is there something I should try next or is there more information I could provide Thank you again for your assistance.
I see that you ran the "get-exchangecertificate" cmdlet and that you
have two certificates?
>get-exchangecertificate shows: Thumbprint - the new thumbprint, Services IP.WS, Subject CN=My Mail Server Name
>get-exchangecertificate | List shows: the same information, except under Services it displays IMAP, POP, IIS and SMTP.
Is the first one (above) the NEW certificate or the OLD certificate?
Has the old one already expired? If not, try this:
get-exchangecertificate -thumbprint <old-thumbprint> | new-exchangecertificate
FYI, it's a good idea to show the results of the cmdlet (such as
get-exchangecertificate | fl) instead of extracting what you think are
the relevant parts.
---
Rich Matheisen
MCSE+I, Exchange MVP
February 6th, 2011 1:22pm
--------------------------------------------------------
Mr. Matheisen,
Here is some additional information that I hope is helpful.
The following sequence of commands was used to make the self-signed certificate (thumbprint) in Exchange 2007 Management Console:
Get-ExchangeCertificate | List
- Made note of current (soon to expire) thumbprint
New-ExchangeCertificate
- Made note of new thumbprint
- Selected default "Y"
Enable-ExchangeCertificate -Thumbprint (entered shortened thumbprint listed below) -Services IIS
Remove-ExchangeCertificate -Thumbprint (entered previous thumbprint)
Current view, running the following commands:
Get-ExchangeCertificate

Thumbprint                          Services   Subject
----------                          --------   -------
7CBBC17ASCC9876FBERS978 (shortened) IP.WS      CN=MailServer02

Get-ExchangeCertificate | List

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {MailServer02, MailServer02.mycomain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=MailServer02
NotAfter           : 2012/02/06 16:05:52
NotBefore          : 2011/02/06 16:05:52
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 277B749C6485BBBF (shortened)
Services           : IMAP, POP, IIS, SMTP
Status             : True
Subject            : CN=MailServer02
Thumbprint         : 7CBBC17ASCC9876FBERS978 (shortened)

The certificate created, "MailServer02", is present in the Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities containers.
An additional response I have noticed with OWA when I try to log on is:
- If I enter the correct credentials, the login page just hangs.
- If I enter an incorrect PW for a valid username, the screen refreshes and returns the Username and Password fields to blank.
- I have tried about all the variations for SSL logon and CAS (forms-based and "users can use one or more authentication methods") and IIS (SSL checked and unchecked) I can think of.
Is there something else I should be looking for? Is there more information I can provide?
Any assistance would be appreciated.
Thanks in advance.
February 7th, 2011 1:40am
Hi Arlo25,
Could you please run the get-owavirtualdirectory cmdlet and post the information here?
Some information for you:
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
How do you publish your external web services, and what about your CERT for your external certificate?
Some information for you:
http://technet.microsoft.com/en-us/library/bb794751.aspx
In my opinion, please confirm the cert name matches what you use to access the OWA.
Regards!
Gavin
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 7th, 2011 4:27am
Hi Gavin,
Thank you for your reply.
Here is the read-out of the get-owavirtualdirectory command, as you requested.
Get-OwaVirtualDirectory

Name                        Server        OwaVersion
----                        ------        ----------
Owa (Default Web Site)      MailServer02  Exchange2007
Exchange (Default Web S...) MailServer02  Exchange2007or2003
Public (Default Web Site)   MailServer02  Exchange2007or2003
Exchweb (Default Web Site)  MailServer02  Exchange2007or2003
Exadmin (Default Web Site)  MailServer02  Exchange2007or2003

Thank you for the links as well. I will check them out to see if I can find something useful.
>In my opinion, please confirm the cert name matches what you use to access the OWA.
- How do I do this? When I look in Root Certificates, the new self-signed certificate lists: Issued to MailServer02, Issued by MailServer02, Friendly Name is Microsoft Exchange.
Thank you again for your assistance.
February 7th, 2011 7:14am
On Mon, 7 Feb 2011 06:40:33 +0000, Arlo15 wrote:
>Here is some additional information that I hope is helpful.
In your original question you said:
"HTTP Redirection "Redirect requests to this destination" is checked"
When you're trying to use OWA, what URL do you use? If you use
https://mailserver01.mydomain.com does it work any differently if you
use https://mailserver01.mydomain.com/owa ?
When you set the redirect on the default web site did you *remove* the
redirect for the virtual directories beneath it (aspnet_client,
autodiscover, ecp, ews, etc.)?
You also said that SSL was not used on the default web site. Did you
enable it on the other virtual directories that had it set before IIS
propagated the change to the children? (You don't want SSL enabled on
the Powershell virtual directory, though!)
Have you looked at the IIS logs to see what might be happening when
you try logging on?
---
Rich Matheisen
MCSE+I, Exchange MVP
February 7th, 2011 10:09pm
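Rich's two questions above (did the HTTP Redirect propagate to the child virtual directories, and what do the IIS logs show during logon) can be answered from the W3SVC1 log itself. The script below is an added example, not code from the thread or from Microsoft: it parses IIS 7.0 W3C log lines using the `#Fields:` header, summarises hits per URI and sc-status.sc-substatus (look the pairs up in KB 943891), and flags authenticated requests under `/owa` that IIS answered with a 302, which is what an inherited HTTP Redirect on the owa virtual directory produces before OWA ever sees the request. Field names are the IIS defaults; the sample log lines at the end are constructed.

```powershell
# Added example, not from the thread. Triage an IIS 7.0 W3C log from
# C:\inetpub\logs\LogFiles\W3SVC1 for the OWA symptom in this thread (login
# page hangs after a correct password). Works on PowerShell 1.0/2.0 as found
# with Exchange 2007: no -split/-join, plain hashtables per request.

function ConvertFrom-IisLog([string[]]$Lines) {
    # Yield one hashtable per request, keyed by the column names in #Fields,
    # so the column order of the particular log does not matter.
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim().Split(' '); continue }
        if ($line.Length -eq 0 -or $line.StartsWith('#')) { continue }
        $values = $line.Split(' ')
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $row
    }
}

function Get-OwaRedirectReport([string[]]$Lines) {
    $rows = @(ConvertFrom-IisLog $Lines)

    # Hit count per (URI, status.substatus) pair; substatus is what KB 943891 decodes.
    $counts = @{}
    foreach ($r in $rows) {
        $key = "{0} {1}.{2}" -f $r['cs-uri-stem'], $r['sc-status'], $r['sc-substatus']
        $counts[$key] = 1 + $counts[$key]
    }
    $counts.GetEnumerator() | Sort-Object Key | ForEach-Object { "{0,4}  {1}" -f $_.Value, $_.Key }

    # Forms-based auth normally 302s an anonymous GET /owa/ to logon.aspx and
    # 302s the credential POST back to /owa/. A 302 on a request that already
    # carries a cs-username is IIS redirecting an authenticated user: check
    # HTTP Redirect on the owa virtual directory and its children.
    $suspect = @($rows | Where-Object {
        $_['cs-uri-stem'] -like '/owa*' -and $_['cs-uri-stem'] -notlike '/owa/auth/*' -and
        $_['sc-status'] -eq '302' -and $_['cs-username'] -ne '-' })
    if ($suspect.Count -gt 0) {
        "WARNING: {0} authenticated request(s) under /owa answered with 302 by IIS" -f $suspect.Count
        $suspect | ForEach-Object { "  {0} {1} {2} user {3} from {4}" -f $_['time'], $_['cs-method'], $_['cs-uri-stem'], $_['cs-username'], $_['c-ip'] }
    } else {
        'No authenticated 302s under /owa found.'
    }
}

# Constructed sample: logon succeeds, but every authenticated GET /owa/ is
# 302'd again, so the browser loops and the page appears to hang.
$sample = @(
    '#Software: Microsoft Internet Information Services 7.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2011-02-06 16:10:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://webmail.domain.com/owa/&reason=0 443 - 10.0.0.20 Mozilla/4.0 200 0 0 140',
    '2011-02-06 16:10:09 10.0.0.5 POST /owa/auth/owaauth.dll - 443 - 10.0.0.20 Mozilla/4.0 302 0 0 93',
    '2011-02-06 16:10:09 10.0.0.5 GET /owa/ - 443 DOMAIN\arlo 10.0.0.20 Mozilla/4.0 302 0 0 2',
    '2011-02-06 16:10:10 10.0.0.5 GET /owa/ - 443 DOMAIN\arlo 10.0.0.20 Mozilla/4.0 302 0 0 1'
)
Get-OwaRedirectReport $sample
```

To run it against a real log, replace `$sample` with `Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex110206.log` (the file name is an assumption; pick the day of the failed logons).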
Hi Arlo,
Firstly, I would suggest that you could learn some information from the link I referred to.
Then please use get-owavirtualdirectory | fl.
Check the internal/external URL, and what URL do you use to access the OWA?
Please post more information as Rich requests.
Regards!
Gavin
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 8th, 2011 11:01pm
Gavin:
Thanks for the additional information. I will check the command you suggested to see where it leads. I was able to resolve the issue over the weekend when I had a bit more free time to troubleshoot and review.
Again, thank you.
Everyone:
Thank you for all of your help on this issue.
I was able to resolve the issue over the weekend, seemingly a simple matter of unchecking Redirection on the OWA virtual directory under HTTP Redirect.
I have detailed my information/solution below for others with a similar issue and a similar setup.

Environment
Single Exchange 2007 SP1 64-bit on Server 2008 64-bit. No other special settings or setup in the environment (1 Exchange, one file server, one backup server, all Server 2008 64-bit). OWA is set for forms-based authentication in CAS.

Action
Every year the Exchange 2007 self-signed certificate needs to be renewed in Exchange Management Shell (a third-party SSL certificate is not used by this client).
The general series of commands I followed for renewing the certificate is as follows:
Get-ExchangeCertificate | List
- Make note of the current thumbprint
New-ExchangeCertificate
- Select default `Y`
- Record new thumbprint
(You can re-run `Get-ExchangeCertificate | List` to review the old and new thumbprints.)
To enable the new certificate (thumbprint):
Enable-ExchangeCertificate -Thumbprint (type in new thumbprint) -Services IIS
To remove the old certificate (thumbprint):
Remove-ExchangeCertificate -Thumbprint (type in old thumbprint)
- Confirm with default prompt for removal `Y`
You can run `Get-ExchangeCertificate | List` to review/confirm results.

Issue
Users were unable to access email via OWA.
- Smart phone users were able to receive mail on their phones (contrary to what I wrote initially).
- BlackBerry users with BIS (BlackBerry Internet Service) are unable to receive email on BlackBerry devices.
- (Note: BB users are still unable to receive email. I will post my solution to this once I figure out the issue.)

Investigation
It seems that, for lack of a better word, IIS 7.0 seems to revert to some kind of `default` settings and needs to be rechecked/reset.

Resolution:
In IIS 7.0:
Default Website
- In SSL Settings > uncheck `Require SSL`
- HTTP Redirect > check `Redirect requests to this destination:`
  o Confirm redirect settings, in my case: https://webmail.domain.com/owa
Other virtual directories (EWS, Exadmin, Exchange, Exchweb, Microsoft-Server-ActiveSync and OAB)
- In SSL Settings > uncheck `Require SSL`
- HTTP Redirect > uncheck `Redirect requests to this destination:`
OWA virtual directory
- In SSL Settings > check `Require SSL`
  o Uncheck `Require 128-bit SSL`
  o Under `Client Certificates` > select `Ignore`
- In HTTP Redirect > uncheck `Redirect requests to this destination:`
For completeness I will add the settings on the Exchange side.
In Exchange Management Console:
Server Configuration
Client Access > Outlook Web Access tab > select owa (Default Web Site) > right click > Properties:
- General tab: confirmed Internal URL
  o https://mailserver.domain.com/owa
- Authentication tab
  o Check radio button: Use forms-based authentication
  o Check radio button: Username only
  o In Logon domain: confirm domain name is listed, in my case `domain.com`
Hub Transport > Receive Connectors tab > select `Client` (Note: `Default` had the same settings) > right click > Properties
- General tab: confirmed `Specify the FQDN this …`
  o Mailserver.domain.com
- Authentication tab
  o Checked the following:
    § Transport Layer Security (TLS)
    § Basic Authentication
    § Exchange Server authentication
    § Integrated Windows Authentication
  o Left the following unchecked:
    § Enable Domain Security (Mutual Auth TLS)
    § Offer Basic Authentication only after starting TLS
    § Externally Secured (for example, with IPsec)
NOTE: checking the logs in the W3SVC1 folder and using the following article
http://support.microsoft.com/kb/943891/en-us
helped clue me in to the incorrect settings on the HTTP Redirect in the OWA virtual directory in IIS 7.0.
W3SVC1 location:
C:\inetpub\logs\LogFiles\W3SVC1
I hope this is helpful for someone else. As mentioned, this was the setup/solution for OWA access after the self-signed certificate update for my environment. These may not be the optimum settings, but they worked in my case, and they may not work or be relevant to your environment.
Thanks,
February 13th, 2011 8:45pm
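The renewal procedure written up above, together with Rich's suggestion to clone the existing certificate by piping it into New-ExchangeCertificate and Gavin's point that the certificate name must match the URL users type, can be combined into one Exchange Management Shell script. The script below is an added example and not code from the thread or from Microsoft: it verifies the new certificate (IIS binding, OWA URL host names, presence in the Personal store rather than Trusted Root) before the old thumbprint is removed. Assumptions: it runs in EMS on the Client Access server, and the OWA virtual directory is named "owa (Default Web Site)" as in the thread's Get-OwaVirtualDirectory output.

```powershell
# Added example, not code from the thread. Renews the Exchange 2007
# self-signed certificate in the order the thread converged on: clone the
# certificate currently bound to IIS, enable the clone, verify it, and only
# then remove the old one. Written for the PowerShell 1.0/2.0 shipped with
# Exchange 2007 (no -join), so [string]::Join is used instead.

function Get-StoresContaining([string]$Thumbprint) {
    # Report which LocalMachine stores hold this thumbprint. The server's own
    # certificate belongs in Personal (My); that is the point Rich made about
    # the certificate that had been moved into Trusted Root.
    foreach ($store in 'My', 'Root', 'CA') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) { $store }
    }
}

# 1. Find the self-signed certificate currently enabled for IIS (the one OWA
#    is served with); keep the newest if several match.
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services.ToString() -match 'IIS') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $old) { throw 'No self-signed certificate is enabled for IIS.' }
"Old: {0} expires {1} services {2}" -f $old.Thumbprint, $old.NotAfter, $old.Services

# 2. Clone it. Piping the existing certificate into New-ExchangeCertificate
#    copies its Subject and CertificateDomains, so the host names users type
#    stay on the new certificate. Answer Y to the default-SMTP prompts, as the
#    thread did, when New-/Enable-ExchangeCertificate ask.
$new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate
"New: {0} expires {1}" -f $new.Thumbprint, $new.NotAfter

# 3. Enable the clone for every service the old certificate carried
#    (e.g. "IMAP, POP, IIS, SMTP"), not just IIS.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services.ToString()

# 4. Verify before deleting anything: IIS binding, name match against the OWA
#    URLs (Gavin's check), and presence in the Personal store.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$owa   = Get-OwaVirtualDirectory | Where-Object { $_.Name -eq 'owa (Default Web Site)' }
$names = @($check.CertificateDomains | ForEach-Object { $_.ToString() })
$problems = @()
if ($check.Services.ToString() -notmatch 'IIS') { $problems += 'new certificate is not enabled for IIS' }
foreach ($url in @($owa.InternalUrl, $owa.ExternalUrl)) {
    if ($url -and ($names -notcontains $url.Host)) {
        $problems += "OWA URL host $($url.Host) is not on the certificate (" + [string]::Join(', ', [string[]]$names) + ")"
    }
}
$stores = @(Get-StoresContaining $check.Thumbprint)
if ($stores -notcontains 'My') { $problems += "certificate is not in the Personal store (found in: " + [string]::Join(', ', [string[]]$stores) + ")" }
if ($problems.Count -gt 0) {
    Write-Warning ("Keeping old certificate {0}; fix first:`n - {1}" -f $old.Thumbprint, [string]::Join("`n - ", [string[]]$problems))
    return
}

# 5. Only now retire the old thumbprint, so a failure above leaves the
#    working binding untouched.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned
```

After the script, re-check HTTP Redirect on the owa virtual directory in IIS as described in the post above; the certificate change itself does not touch that setting.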
Hi Arlo15,
Thanks for your sharing!
Regards!
Gavin
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 20th, 2011 8:13am