Exchange Server Forums
Setting up a CA for a Secure OWA
Setting up a CA for a Secure OWA - 6.Jun.2005 12:59:00 PM
marcelo73
Posts: 30
Joined: 23.Dec.2004
From: Buenos Aires
Status: offline
Hi people. I'm certainly having a problem trying to configure a secure SSL OWA. I've attended a class here in Argentina with ISA Server 2004 MVP Joern Wettern (excellent MVP and person!) this year and he gave us an exercise to do where you set up a secure OWA service using Microsoft CA (Certificate Authority). In this exercise everything went OK, but regretfully, when I wanted to do the same at my production place I realized I needed a CA and I didn't have one. I tried to set it up with no success. Every time I want to get a certificate through http://mydomain/certsrv it begins to generate the request and after that it comes back with an error which says: An error occurred while asking for a request. Please contact your administrator for more assistance. That's all.
I bought Tom Schinder's book Configuring ISA Server 2004 but I can't find (logically) something where it says how to configure a CA.
My OWA is working fine but with no security. Do you think you can help me figure this out?
I'd appreciate your help,
Marcelo.
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 1:59:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
I'm also having the same problem. I have followed those tutorials to a tee.
On the server, after I create the CA from the directory tab in the default web site, I went to IE and did the servername/certsrv. It loaded and I followed the instructions, and when I clicked submit it immediately displayed "Error", Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.
I'm assuming the common name or FQDN on the CA is "name.name.com/exchange" since this is how I access OWA?
Any info and help is greatly appreciated.
Thanks,
Soth
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 3:08:00 PM
Henrik Walther
Posts: 6835
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: online
The common name is the FQDN of the server as it's seen from the Internet.
Typically something like mail.domain.com (without /exchange) depending on your setup.
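The rule in the reply above (the common name is the host name users type, without /exchange), as an added example that is not part of the original thread: it derives the expected common name from an OWA address and reports why a candidate name would not match. The function names are hypothetical and the sample names are the ones quoted in this thread.

```python
import ipaddress
from urllib.parse import urlsplit


def is_ip(name):
    """True if `name` is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def common_name_for(owa_address):
    """Host part of the address users type, e.g. 'mail.domain.com/exchange'."""
    if "://" not in owa_address:          # allow input without a scheme
        owa_address = "https://" + owa_address
    host = urlsplit(owa_address).hostname
    if not host:
        raise ValueError("no host name in %r" % owa_address)
    return host.rstrip(".")


def name_matches(cert_name, host):
    """Compare a certificate name with the host the browser connects to."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*.") and not is_ip(host):
        # A wildcard stands for exactly one left-most label.
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return False


def check_common_name(cn, owa_address):
    """Return a list of problems with `cn` for the given OWA address."""
    host = common_name_for(owa_address)
    if "/" in cn:
        return ["contains a path; use only the host name " + host]
    if is_ip(cn) and not is_ip(host):
        return ["is an IP address, but users connect to " + host]
    if not name_matches(cn, host):
        return ["does not match " + host]
    return []


if __name__ == "__main__":
    # Constructed samples using the names quoted in the thread.
    for cn in ("name.name.com/exchange", "4.33.4.197", "mail.domain.com"):
        print(cn, "->", check_common_name(cn, "https://mail.domain.com/exchange") or "ok")
```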
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 4:14:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
Ok, got the FQDN without the (/exchange) in it. Looks like the enterprise CA installed fine.
Next step?
Do I go on the server and bring up http://servername/certsrv or do I go into IIS under the website I want to create the certificate for?
If I do the http://servername/certsrv and submit a request by using a base 64 encoded request, I am taken to where you have to paste the cert in. After hitting submit I get an error stating it's failed.
If I go into IIS and create a certificate, providing all info is correct, I get in the CA Authority snap-in that it's failed.
I've racked my brain for days on this now.
Thanks,
soth
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 4:18:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
Additional Info trying to create and submit the new cert is as follows:
Disposition: never set
Result: No mapping between account names and security IDs were done.
COM Error Info: CCertRequest: Submit No mapping between account names and security ID's were done.
Thanks
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 4:33:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
Another bit of info. When I go into IIS under directory security for edit, if I change it to Require SSL, hit OK, then apply, I don't select any of the child nodes to apply it to. I really goofed OWA up the first time by doing this and I am really hesitant about doing that again. Am I supposed to select all child nodes on the UNCPassword nodes and AccessSSLFlags property nodes?
Thanks
RE: Setting up a CA for a Secure OWA - 7.Jun.2005 5:12:00 PM
marcelo73
Posts: 30
Joined: 23.Dec.2004
From: Buenos Aires
Status: offline
Soth, how did you solve this? If you go to http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html there I'm having the error just after submitting a Certificate Request or Renewal Request page. I've pasted the text within certreq.txt and still getting this error.
Hope someone can help me to figure this out.
Thanks, Marcelo.
RE: Setting up a CA for a Secure OWA - 8.Jun.2005 1:12:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
It's not an ISA. It's behind a Linux firewall, if I'm not mistaken, with a Cisco router.
I have to give it an IP such as 4.33.4.197, 198, 199 to access certain things on our server such as the Database, OWA from outside the LAN. Of course that's not our actual IP address, just an example, but say 4.33.4.197 will forward to 192.168.0.5
I created my CA for my common name FQDN as 4.33.4.197 instead of mail.domain.com
I'm assuming that was my problem getting it to create and submit. Now I've still not got OWA using SSL yet though. I wonder if it has anything to do with the Exchange server being on a totally different subnet than our other servers are?
Soth
RE: Setting up a CA for a Secure OWA - 9.Jun.2005 9:33:00 AM
marcelo73
Posts: 30
Joined: 23.Dec.2004
From: Buenos Aires
Status: offline
Madcow, Soth, Henrik and company...
I think my problem (don't know others) is in Henrik Walther's article (http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html) where it says:
----------------------------------------
In the next screen we need to pay extra attention, as the common name reflects the external FQDN (Fully Qualified Domain Name), to spell it out, this is the address external users have to type in their browsers in order to access OWA from the Internet.
Note: As many (especially small to midsized) companies don't publish their Exchange servers directly to the Internet, but instead run the Exchange server on a private IP address, they let their ISPs handle their external DNS settings. In most cases the ISP creates a so-called A record named mail.domain.com pointing to the company's public IP address, which then forwards the appropriate port (443) to the Exchange server's internal IP address.
----------------------------------------
Ok, this is my case; an ISP creates an A record named mail.mydomain.com pointing to my IP address.
In this place I type mail.mydomain.com (mydomain is my domain, you understand). Am I doing this OK, or am I making a mistake here?
Then... after having completed all the tutorial I type http://mail.mydomain.com/exchange and it works as if I haven't done anything, and if I type the same with HTTPS it will say PAGE cannot be displayed.
For heaven's sake! Is it SO difficult to configure a secure OWA?
I still hope you can help me figure this out. Marcelo.
RE: Setting up a CA for a Secure OWA - 9.Jun.2005 4:24:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
Well, I'm still having trouble with Windows 2000 Advanced Server as a domain. The other server is on a different segment and runs Windows 2003 Enterprise with Exchange 2003 Enterprise. I can't for the life of me get the certificate services to work right.
I just slapped Windows 2003 Enterprise and Exchange 2003 Enterprise on a laptop, granted they are both on the same computer which I know is a bad idea, but I wanted to do some testing though. Promoted the 2003 to a domain, installed Exchange 2003, installed the enterprise CA, WOW, it actually issued right off the bat. Not seen this before. Went and requested a new certificate from the default website and activated forms based authentication in systems manager for HTTP.
Took about 2 minutes to do this and I've got SSL over OWA. This is on a test system though and both are running 2003 Enterprise.
Come on, surely Windows 2000 Advanced Server is causing the problem, or is it due to the Exchange being on a 172.16.x.x instead of a 10.1.x.x range?
Soth
RE: Setting up a CA for a Secure OWA - 10.Jun.2005 10:56:00 AM
marcelo73
Posts: 30
Joined: 23.Dec.2004
From: Buenos Aires
Status: offline
One question...
Do I have to install CA Server in the same place as the Exchange Server? Is it because of this that https://mail.mydomain.com/exchange doesn't work?
Still trying to solve this... Marcelo.
RE: Setting up a CA for a Secure OWA - 10.Jun.2005 3:02:00 PM
soth
Posts: 27
Joined: 7.Jun.2005
From: kentucky
Status: offline
quote: Originally posted by marcelo73: One question...
Do I have to install CA Server in the same place as the Exchange Server? Is it because of this that https://mail.mydomain.com/exchange doesn't work?
Still trying to solve this... Marcelo.

From what I've read you don't have to. I did read where smaller businesses will just go ahead and install it on the Exchange server though to make it easier.