Problems with Certificate Services and OWA

Guest
Archived from groups: microsoft.public.exchange.clients,microsoft.public.exchange2000.general,microsoft.public.win2000.general

Our Exchange 2003 server was running on a Windows 2000 Server, using OWA
with forms-based authentication and was set up as a Certificate Authority.
We suffered a bad system crash that resulted in me having to reinstall
Windows and Exchange using the Disaster Recovery option, and then restoring
Information Stores from backup.

After restoring the server to fully working order, I needed to set up OWA to
use SSL for forms-based authentication. So, I installed Certificate
Services on this server, as I did before, and made it the Enterprise Root
CA. It gave a prompt that there was already a server with the same name
set up as a CA root so I clicked the option to overwrite this. I installed
the certificate as Microsoft explains in the knowledgebase articles, and
everything looks right. However, when trying to access the HTTPS address
for OWA, I get a page cannot be found. I have imported the certificate into
IIS...am I overlooking something?

Please assist if at all possible, thanks.

-Tim Nichols
MCP
 

terry

You may have to set the SSL port in IIS. Sometimes it is blank on a new
install. Set it to 443.
 

terry

PS: If it did set it up in IIS on another website, but not the one for OWA,
you *MAY* have to close your browser and try again after you turn port 443
on in the OWA website.

IE funkiness.
 
Guest

Terry-

Thank you for your fast response. I just checked and yes, the port in IIS
is set to 443, so I don't think that is the issue. I still get the Page
cannot be displayed screen when I try to pull it up.

Could there be a problem with the Certificate Authority in Active Directory
since the original server crashed?

-Tim
 

terry

Tim,
There may be a conflict if you have the old CA certificate loaded on the
workstations. You may have to remove the old cert. IE is *REALLY* bad about
reporting SSL certificate problems. Often it will simply hang and then
display the "The page cannot be displayed" error.

I often use Firefox as a diagnostic utility for looking at SSL certificate
problems. Give it a try. If it simply reports that it does not know who the
CA is, but works anyway after you tell it to accept the certificate, I
suspect that you will need to reinstall the cert for the workstation(s).

--Terry
 
Guest

Terry-

You were right on the money. Firefox gave me a much more detailed error
message. This is what it displays:

Alert
Could not establish an encrypted connection because certificate presented by
<serverA> is invalid or corrupted. Error Code: -8102

What do you think?

-Tim
 

terry

Tim-

Well, I must admit I have never used the CA in Windows to sign SSL
certificates. I use OpenSSL to self-sign my certificates. But this is what I
would do. Remove the certificate from IIS. Create a new certificate request,
sign it and install the signed certificate.

Hope that helps. Let me know.

Terry Trapp
 
Guest

Terry-

That worked. Rather than using the existing certificate (which I did the
first time), I requested a new certificate, after removing the certificate
that wasn't working. This appears to have fixed the problem.

Thanks for your help. Certificate Services and security are not my cup of
tea, but I am learning.

-Tim
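
Added example, not part of the original thread: a pre-install check with OpenSSL (the tool Terry mentions) covering the fix above, a new request signed by the current CA. The CA name, host name and file names are constructed, and it assumes the reused certificate was issued before the CA was rebuilt under the same name, which the thread does not confirm.

```sh
#!/bin/sh
# Added lab example: every name, subject and file here is constructed.
WORK=$(mktemp -d)

# Build a self-signed root. The subject is identical on every call but the
# key is new each time, like a CA reinstalled under its old name.
make_ca() {  # $1 = CA file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Enterprise Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# New key pair and request, signed by the named CA with server-auth usages.
issue_server_cert() {  # $1 = CA prefix, $2 = certificate prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=owa.example.test" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf '%s\n' 'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -extfile "$WORK/$2.ext" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# Does the certificate chain to this CA and qualify as an SSL server cert?
check_cert() {  # $1 = CA prefix, $2 = certificate prefix; prints OK or FAIL
  if openssl verify -purpose sslserver -CAfile "$WORK/$1.pem" \
       "$WORK/$2.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_ca ca_before;  issue_server_cert ca_before cert_existing
make_ca ca_rebuilt; issue_server_cert ca_rebuilt cert_new

echo "existing cert vs original CA: $(check_cert ca_before cert_existing)"
echo "existing cert vs rebuilt CA:  $(check_cert ca_rebuilt cert_existing)"
echo "new cert vs rebuilt CA:       $(check_cert ca_rebuilt cert_new)"
```

Both roots show the same issuer name, so comparing names alone will not reveal the mismatch; only the signature check against the CA that clients trust now does.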
 
Guest

Could you please tell me where I can obtain the Firefox diagnostic utility
as I am having the same problem i.e. cannot access my OWA site from internet
and have checked with my ISP who say they do not block my SSL.
SSOR