Setting up a CA for a Secure OWA (Full Version)

marcelo73 -> Setting up a CA for a Secure OWA (6.Jun.2005 12:59:00 PM)

Hi people. I'm certainly having a problem trying to configure a secure SSL OWA. I've attended a class here in Argentina with ISA Server 2004 MVP Joern Wettern (excellent MVP and person!) this year and he gave us an exercise to do where you set up a secure OWA service using Microsoft CA (Certificate Authority). At this exercise everything went ok but regretfully, when I wanted to do the same at my production place I realized I needed a CA and I didn't have one. I tried to set it up with no success. Every time I want to get a certificate through http://mydomain/certsrv it begins to generate the request and after that it comes with an error which says: An error occurred while asking for a request. Please contact your administrator for more assistance. That's all.

I bought Tom Schinder's book Configuring ISA Server 2004 but I can't find (logically) something where it says how to configure a CA.

My OWA is working fine but with no security. Do you think you can help me figure this out?

I'd appreciate your help,

Marcelo.




zodiaczz -> RE: Setting up a CA for a Secure OWA (6.Jun.2005 2:14:00 PM)

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

check that out




madcow -> RE: Setting up a CA for a Secure OWA (6.Jun.2005 3:37:00 PM)

marcelo73:

In your IIS click default website -> home directory -> configuration -> options TAB -> and make sure the ENABLE SESSION STATE is selected.

If not select this option and restart the IIS and then try to create a certificate again.

[Mad]




soth -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 1:59:00 PM)

I'm also having the same problem. I have followed those tutorials to the tee.

On the server after I create the CA from the directory tab in the default web site I went to IE and did the servername/certsrv. Loaded and followed instructions and when I clicked submit it immediately displayed "Error", Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

I'm assuming the common name or FQDN on the ca is "name.name.com/exchange" since this is how I access OWA ?

Any info and help is greatly appreciated.

Thanks,

Soth




Henrik Walther -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 3:08:00 PM)

The common name is the FQDN of the server as it's seen from the Internet.

Typically something like mail.domain.com (without /exchange) depending on your setup.
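The common-name rule from the reply above, as an added example that is not part of the original thread: a small Python check that reviews a proposed common name and compares it with the URL users will type. The function names are hypothetical; the sample names are the ones quoted in this thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def review_common_name(candidate):
    """Return (host, problems) for a proposed certificate common name."""
    problems = []
    text = candidate.strip()
    # urlsplit only recognises a host when a scheme or '//' is present.
    parts = urlsplit(text if "//" in text else "//" + text)
    host = parts.hostname or ""
    if parts.scheme:
        problems.append("remove the scheme (%s://)" % parts.scheme)
    if parts.path not in ("", "/"):
        problems.append("remove the path (%s)" % parts.path)
    try:
        has_port = parts.port is not None
    except ValueError:  # a port that is not a number
        has_port = True
    if has_port:
        problems.append("remove the port")
    try:
        ipaddress.ip_address(host)
        problems.append("IP address used; use the external DNS name instead")
    except ValueError:
        labels = host.split(".")
        if len(labels) < 2:
            problems.append("not fully qualified (single label)")
        if not all(_LABEL.match(label) for label in labels):
            problems.append("contains characters not valid in a host name")
    return host, problems


def matches_browser_url(common_name, url):
    """True when the host in the URL users type equals the certificate CN."""
    return (urlsplit(url).hostname or "") == common_name.strip().lower()


if __name__ == "__main__":
    # Constructed inputs, taken from the names mentioned in this thread.
    for name in ("name.name.com/exchange", "4.33.4.197", "mail.domain.com"):
        print(name, "->", review_common_name(name))
    print(matches_browser_url("mail.domain.com",
                              "https://mail.domain.com/exchange"))
```
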




soth -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 4:14:00 PM)

Ok, got the fqdn without the (/exchange) in it. Looks like the enterprise ca installed fine.

Next step?

Do I go on the server and bring up http://servername/certsrv or do I go into IIS under the website I want to create the certificate?

If I do the http://servername/certsrv and submit a request by using a 64 base encoded I am taken to where you have to paste the cert in. After hitting submit I get an error stating it's failed.

If I go into IIS and create a certificate providing all info is correct, I get in the CA Authority snap-in that it's failed.

I've wracked my brain for days on this now.

Thanks,

soth




soth -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 4:18:00 PM)

Additional Info trying to create and submit the new cert is as follows:

Disposition:
never set

Result:
No mapping between account names and security IDs were done.

COM Error Info:
CCertRequest: Submit No mapping between account names and security ID's were done.

Thanks




soth -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 4:33:00 PM)

Another bit of info. When I go into IIS under directory security for edit, if I change it to Require SSL, hit ok, then apply, I don't select any of the child nodes to apply it to. I really goofed OWA up the first time by doing this and I am really hesitant about doing that again. Am I supposed to select all child nodes on the UNCPassword nodes and AccessSSLFlags property nodes?

Thanks




marcelo73 -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 5:12:00 PM)

Soth, how did you solve this? If you go to http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
there I'm having the error just after submitting a Certificate Request or Renewal Request page.
I've pasted the text within certreq.txt and still getting this error.

Hope someone can help me to figure this out.

Thanks, Marcelo.




soth -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 8:41:00 PM)

I've not solved it yet [Frown] I did manage to submit the ca to the certificate authority though. Opening a web browser on the server and typing "http://servername/certsrv" took me to create/submit a cert. Well on the advanced page I picked the bottom one I believe. Not sure. It was either the bottom on that page or the bottom one on the page before that I was able to submit/create a ca with no problems. When I clicked on that link it took me with a listbox that had my ca that I created when I installed the certificate services.

Now, to get OWA to use SSL. The only thing I can think of is I'm not selecting the child nodes when I require the web site to use SSL. I don't think the 1st child nodes which have to do with passwords are needed are they? The second nodes which I see are SSLFrames or something like that might though.

Please advise if I should select any of these such as "exchange, exadmin, public, exchweb" on the nodes after I require the website to use SSL in order for OWA to work.

Thanks,

Soth




madcow -> RE: Setting up a CA for a Secure OWA (7.Jun.2005 10:00:00 PM)

Guys I had the same issue... and what I mentioned above worked for me.

[Mad]




soth -> RE: Setting up a CA for a Secure OWA (8.Jun.2005 8:11:00 AM)

quote:
Originally posted by MadCow:
Guys I had the same issue... and what I mentioned above worked for me.

[Mad]

This setting has always been checked on that server. The ca is issued, but I can't get OWA to use SSL though. That's my problem now.

Soth




marcelo73 -> RE: Setting up a CA for a Secure OWA (8.Jun.2005 10:41:00 AM)

quote:
Originally posted by MadCow:
Guys I had the same issue... and what I mentioned above worked for me.

[Mad]

Mad, thanks, that worked for me and let me keep on until a new level of this long process.
But... now when I type http://mydomain.com/exchange it won't work. That's good since it has to do it with https. The problem is it doesn't work with https either and when I type http it doesn't say I have to enter a https protocol.

Still fighting... any ideas?




marcelo73 -> RE: Setting up a CA for a Secure OWA (8.Jun.2005 11:10:00 AM)

quote:
Originally posted by Soth:
I've not solved it yet [Frown] I did manage to submit the ca to the certificate authority though. Opening a web browser on the server and typing "http://servername/certsrv" took me to create/submit a cert.

Soth, at least you got to submit the ca. I couldn't do it since it comes with a "Page cannot be displayed" message.

Maybe this is because of my ISA Server.

Do you use ISA or another security router software?

I think we're going in the right way though we need the mvps here to help us.

Marcelo.




soth -> RE: Setting up a CA for a Secure OWA (8.Jun.2005 1:12:00 PM)

It's not an ISA. Behind a linux firewall if I'm not mistaken with a cisco router.

I have to give it an IP such as 4.33.4.197, 198, 199 to access certain things on our server such as the Database, OWA from outside the lan. Of course that's not our actual IP Address, just an example, but say 4.33.4.197 will forward to 192.168.0.5

I created my ca for my common name fqdn as 4.33.4.197 instead of mail.domain.com

I'm assuming that was my problem getting it to create and submit. Now I've still not got OWA using SSL yet though. I wonder if it has anything to do with the exchange server being on a totally different subnet than our other servers are?

Soth




madcow -> RE: Setting up a CA for a Secure OWA (9.Jun.2005 1:52:00 AM)

quote:
Originally posted by marcelo73:
quote:
Originally posted by MadCow:
Guys I had the same issue... and what I mentioned above worked for me.

[Mad]

Mad, thanks, that worked for me and let me keep on until a new level of this long process.
But... now when I type http://mydomain.com/exchange it won't work. That's good since it has to do it with https. The problem is it doesn't work with https either and when I type http it doesn't say I have to enter a https protocol.

Still fighting... any ideas?

Add/Remove from control panel and uninstall then reinstall certificate services. And do it all over again.

That will do it.

[Mad]

[ June 09, 2005, 01:55 AM: Message edited by: MadCow ]




marcelo73 -> RE: Setting up a CA for a Secure OWA (9.Jun.2005 9:33:00 AM)

Madcow, Soth, Henrik and company...

I think my problem (don't know others) is in Henrik Walther's article (http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html) where it says:

----------------------------------------
In the next screen we need to pay extra attention, as the common name reflects the external FQDN (Fully Qualified Domain Name), to spell it out, this is the address external users have to type in their browsers in order to access OWA from the Internet.

Note: As many (especially small to midsized) companies don't publish their Exchange servers directly to the Internet, but instead runs the Exchange server on a private IP address, they let their ISP's handle their external DNS settings. In most cases the ISP creates a so called A record named mail.domain.com pointing to the company's public IP address, which then forwards the appropriate port (443) to the Exchange servers internal IP address.
----------------------------------------

Ok, this is my case; an ISP creates an A record named mail.mydomain.com pointing to my IP address.

In this place I type mail.mydomain.com (mydomain is my domain, you understand)
Am I doing this ok? or am I making a mistake here?

then... after having completed all the tutorial I type http://mail.mydomain.com/exchange and it works as if I haven't done anything and if I type the same with HTTPS it will say PAGE cannot be displayed.

For heavens sake! Is this SUCH difficult to configure a secure OWA?

I still hope you can help me figure this out. Marcelo.




soth -> RE: Setting up a CA for a Secure OWA (9.Jun.2005 4:24:00 PM)

Well, I'm still having trouble with windows 2000 Advanced Server as a domain. The other server is on a different segment and runs windows 2003 enterprise with Exchange 2003 enterprise. I can't for the life of me get the certificate services to work right.

I just slapped windows 2003 enterprise and exchange 2003 enterprise on a laptop, granted they are both on the same computer which I know is a bad idea, but I wanted to do some testing though. Promoted the 2003 to a domain, installed exchange 2003, installed the enterprise ca, WOW, it actually issued right off the bat. Not seen this before. Went and requested a new certificate from the default website and activated forms based authentication in systems manager for http.

Took about 2 minutes to do this and I've got SSL over OWA. This is on a test system though and both are running 2003 enterprise.

Come on, surely windows 2000 advanced server is causing the problem, or is it due to the exchange being on a 172.16.x.x instead of a 10.1.x.x range?

Soth




marcelo73 -> RE: Setting up a CA for a Secure OWA (10.Jun.2005 10:56:00 AM)

One question...

Do I have to install CA Server in the same place of the Exchange Server?
Is it because of this https://mail.mydomain.com/exchange doesn't work?

Still trying to solve this... Marcelo.




soth -> RE: Setting up a CA for a Secure OWA (10.Jun.2005 3:02:00 PM)

quote:
Originally posted by marcelo73:
One question...

Do I have to install CA Server in the same place of the Exchange Server?
Is it because of this https://mail.mydomain.com/exchange doesn't work?

Still trying to solve this... Marcelo.

From what I've read you don't have to. I did read where smaller businesses will just go ahead and install it on the exchange server though to make it easier.



