OWA and Exchange ActiveSync are not functioning
NOTE: Didn't know what forum to put this in, so I went with Admin.
I am a fairly new IT guy at my company, so be gentle :)
We are running a single-server setup, Exchange 2007.
At the start of this week, suddenly the Outlook Web Access and ActiveSync stopped working. I have googled for a little over 2 days now, and can't seem to find a proper solution.
I read that removing and reinstalling the Client Access Role could fix this, but it did not.
Signs indicate it's a certificate problem (because when I start Microsoft Outlook I get a security alert notifying me that the security certificate is not valid, however I can access and send mail with Outlook), however when I look through the certificates (mmc.exe->certificates) I can't find any certificates with an expiration date that correlates with when this problem occurred.
Problem is that I can't seem to locate the proper certificate that has the same expiration date as the one in the alert message.
What's more is that I can access the login screen of the OWA, but when I try to log in I get an error saying that "The page must be viewed over a secure channel". Which doesn't make sense because I did put https:// at the beginning.
Any help is greatly appreciated.
July 18th, 2012 5:48am
Hi,
Can you run Get-ExchangeCertificate | fl in Exchange Management Shell (EMS) and post the output?
Martina Miskovic
July 18th, 2012 6:30am
Sure,
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {pat.hostname.no}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=hostname-NOFRESCA001-CA, DC=hostname, DC=no
NotAfter : 10/20/2012 10:12:35 PM
NotBefore : 11/3/2011 2:00:34 PM
PublicKeySize : 1024
RootCAType : Enterprise
SerialNumber : 698D1518000100000D60
Services : IMAP, POP
Status : Valid
Subject : CN=pat.hostname.no
Thumbprint : C0775CE01BC7D409C216AA8400AA8A965DCB6A0D

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule, System.Security.AccessContr
ol.CryptoKeyAccessRule, System.Security.AccessControl.Cryp
toKeyAccessRule, System.Security.AccessControl.CryptoKeyAc
cessRule}
CertificateDomains : {pat, pat.hostname.no}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=pat
NotAfter : 11/3/2016 11:31:30 AM
NotBefore : 11/3/2011 11:31:30 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 3195D5BF40AA27AB4BBBAD0F1390C0EC
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=pat
Thumbprint : CB9DE4E35086C7F6FA5AE446E88B7C13C1304A23

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Pat.hostname.no}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=Pat.hostname.no, OU=IT, O=hostname AS, L=Gamle Fredri
kstad, S=Ostfold, C=no
NotAfter : 11/2/2012 5:04:45 PM
NotBefore : 11/3/2011 11:04:45 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : EC71C11BC02DBC9943BFEB0FCADF7E8B
Services : None
Status : Invalid
Subject : CN=Pat.hostname.no, OU=IT, O=hostname AS, L=Gamle Fredri
kstad, S=Ostfold, C=no
Thumbprint : 569737EDE9984036B8154CAFB475AC448792D47D

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
ssControl.CryptoKeyAccessRule, System.Security.AccessContr
ol.CryptoKeyAccessRule, System.Security.AccessControl.Cryp
toKeyAccessRule, System.Security.AccessControl.CryptoKeyAc
cessRule}
CertificateDomains : {*.hostname.no}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Buypass Class 2 CA 1, O=Buypass AS-983163327, C=NO
NotAfter : 11/3/2012 9:32:10 AM
NotBefore : 11/3/2011 9:32:10 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 229C
Services : IIS, SMTP
Status : Valid
Subject : SERIALNUMBER=974349914, CN=*.hostname.no, O=hostname AS,
C=NO
Thumbprint : 4957CC6B98174BF1A5C598D6920E861424A39FC8

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System
.Security.AccessControl.CryptoKeyAccessRule, System.Securi
ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Outlook.hostname.no}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Buypass Class 2 CA 1, O=Buypass AS-983163327, C=NO
NotAfter : 1/25/2013 12:15:57 PM
NotBefore : 1/25/2010 12:15:57 PM
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 1884
Services : IIS, SMTP
Status : Valid
Subject : SERIALNUMBER=974349914, CN=Outlook.hostname.no, O=PREDIKT
OR AS, C=NO
Thumbprint : C3E7C46FCB0C101B8C00C6324275066797C0B31F
July 18th, 2012 6:35am
What is the name you are using for external access... Outlook.hostname.no?
Run the below commands and check your settings.
Get-ActiveSyncVirtualDirectory | fl Identity,internalurl,externalurl
Get-ClientAccessServer | fl Identity,*uri*
Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl
Get-OabVirtualDirectory | fl Identity,internalurl,externalurl
Martina Miskovic
July 18th, 2012 6:44am
I use outlook.hostname.no/owa for external access
The commands gave me the following:
Get-ActiveSyncVirtualDirectory | fl Identity,internalurl,externalurl:
Identity : PAT\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://pat.hostname.no/Microsoft-Server-ActiveSync
ExternalUrl :
------
Get-ClientAccessServer | fl Identity,*uri*:
Identity : PAT
AutoDiscoverServiceInternalUri : https://pat.hostname.no/Autodiscover/Autodiscover.xml
-----------
Get-WebServicesVirtualDirectory | fl Identity,internalurl,extenalurl:
Identity : PAT\EWS (Default Web Site)
InternalUrl : https://pat.hostname.no/EWS/Exchange.asmx
-------
Get-OabVirtualDirectory | fl Identity,internalurl,externalurl:
Identity : PAT\OAB (Default Web Site)
InternalUrl : http://pat.hostname.no/OAB
ExternalUrl :
July 18th, 2012 7:01am
Also ran a check with testexchangeconnectivity.com and got the following:
Weird that it tries port 443 when oma.prediktor.no is only set up with port 80.
July 18th, 2012 7:11am
Hi,
I think you should check the settings in ISA.
For OWA, https://outlook.hostname.no/owa works. Is it oma or outlook you are using for ActiveSync?
There's a different certificate installed on ISA compared to the Exchange Server. A bit confusing.
You have many certificates and it's not an easy task to find out which one you should use.
You have one certificate that it's easy to tell you can delete. (to get the list down)
Remove-ExchangeCertificate -Thumbprint 569737EDE9984036B8154CAFB475AC448792D47D
If you allow Outlook Anywhere, you really should configure externalURL for OabVirtualDirectory & WebServicesVirtualDirectory and of course also for ActiveSyncVirtualDirectory.
..and I can see that you have a record configured for Autodiscover.
Martina Miskovic
July 18th, 2012 7:23am
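Added example, not part of the thread: one way to triage a long certificate list like the one posted above, using only properties that appear in the Get-ExchangeCertificate | fl output (Status, NotAfter, PublicKeySize, IsSelfSigned, Services). The function name Get-CertFinding, the thresholds and the sample objects are assumptions made for illustration.

```powershell
# Added example: flag certificates that deserve attention before choosing one to keep.
# $MinKeyBits and $WarnDays are assumed thresholds, not values taken from the thread.
function Get-CertFinding {
    param(
        [int]$MinKeyBits = 2048,
        [int]$WarnDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process {
        $cert = $_
        $services = "$($cert.Services)"   # flags enum renders as e.g. "IIS, SMTP"
        $issues = @()
        if ("$($cert.Status)" -ne 'Valid') { $issues += "status is $($cert.Status)" }
        if ($cert.NotAfter -lt $Now) {
            $issues += 'expired'
        } elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $issues += "expires within $WarnDays days"
        }
        if ($cert.PublicKeySize -lt $MinKeyBits) { $issues += "key is only $($cert.PublicKeySize) bits" }
        if ($cert.IsSelfSigned -and $services -match 'IIS') { $issues += 'self-signed but bound to IIS' }
        if ($services -eq 'None') { $issues += 'not bound to any service' }
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Domains    = ($cert.CertificateDomains -join ', ')
            Services   = $services
            Issues     = ($issues -join '; ')
        }
    }
}

# Constructed sample objects (placeholder thumbprints and names, not the thread's certificates).
$sample = @(
    New-Object PSObject -Property @{ Thumbprint = 'EXAMPLE-01'; CertificateDomains = @('mail.example.test')
        Services = 'IIS, SMTP'; Status = 'Valid'; IsSelfSigned = $false
        PublicKeySize = 1024; NotAfter = [datetime]'2013-01-25' }
    New-Object PSObject -Property @{ Thumbprint = 'EXAMPLE-02'; CertificateDomains = @('srv.example.test')
        Services = 'None'; Status = 'Invalid'; IsSelfSigned = $true
        PublicKeySize = 2048; NotAfter = [datetime]'2012-11-02' }
    New-Object PSObject -Property @{ Thumbprint = 'EXAMPLE-03'; CertificateDomains = @('*.example.test')
        Services = 'IIS, SMTP'; Status = 'Valid'; IsSelfSigned = $false
        PublicKeySize = 2048; NotAfter = [datetime]'2012-11-03' }
)

# Evaluate the samples as of a fixed date so the result is reproducible.
$sample | Get-CertFinding -Now ([datetime]'2012-07-18') | Where-Object { $_.Issues } | Format-List

# In the Exchange Management Shell the same filter would be fed with:
#   Get-ExchangeCertificate | Get-CertFinding | Where-Object { $_.Issues }
```

With the sample data, EXAMPLE-01 is reported for its 1024-bit key and EXAMPLE-02 for its invalid status and lack of service bindings; EXAMPLE-03 has no findings and is filtered out.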
The problem went away by removing 128-bit encryption on both OWA & AS :)
Thanks for the help
You're welcome and thanks for the update!
Martina Miskovic
July 19th, 2012 2:31pm