I am running Exchange 2003 on a Windows 2003 Server, IIS 6.0. I recently tried to require SSL for OWA.
1) I was able to create a certificate without any issues through SelfSSL 1.0.
2) I am not able to access my OWA through http://mail.mysite.com/exchange but can now access it through https://mail.mysite.com/exchange or https://(ip address of mail server)/exchange, as it is supposed to work.
3) I then went into IIS, expanded the default website and right-clicked on the virtual directory Exchange. I then selected the Directory Security tab and under Secure Communications I clicked on Edit and ticked the box for Require secure channel (SSL).
***At this point all email on every iPhone that we have connected to our Exchange mailboxes gets the following error: "Cannot Get Mail" followed by "The connection to the server failed".
The iPhones will allow me to create the account without errors, but when I actually go to check the mail it gives the error I listed above.
- SSL is checked on the iPhone
- I reset network settings on the iPhone
- I finally threw in the towel and bought a cert from GoDaddy, but although it installed fine and again OWA is working fine, the iPhones are still not able to get mail.
- If I uncheck Require secure channel (SSL) in the Exchange virtual directory of IIS the iPhones are able to get their emails.

I then tried the following:
- Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory following Microsoft's KB article http://support.microsoft.com/kb/817379
- I then went into AD, clicked on the Security tab and Advanced, then ticked the check for inheritable permissions as per another Microsoft KB article, but that did not work either.
- I have followed Microsoft's instructions for recreating the 6 OWA-related virtual directories and still no luck.
Note - I start and stop the IIS services after making changes.

Please help!
Thank you in advance.

asked 12/01/2011 08:42

brucie64


36 Answers:
What are the settings of your Microsoft-Server-ActiveSync virtual directory?




answered

ActionXP123

Authentication and Access Control
Only Basic checked

Secure Communications
Require Secure Channel (SSL) - unchecked
Ignore Client Certificates - checked
Enable Client Certificate Mapping - unchecked

 
answered 2011-12-01 at 17:05:31

brucie64

ActionXP123 - here is a screenshot of the Microsoft-Server-ActiveSync virtual directory
answered 2011-12-02 at 13:48:10

brucie64

Can someone please get back to me on this.

Thanks,
answered 2011-12-02 at 14:00:01

brucie64

Please work your way through my Exchange 2003 / Activesync article:

http://www.qa.downappz.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

What name did you create your SSL cert using?

Does that match the FQDN you are using to connect to your server via on your mobile phones?
answered 2011-12-05 at 12:57:46

alanhardisty

Thank you for getting back to me. I created the SSL cert using the name mail.(mydomain).com, which is the exact name I use for the iPhone server settings.

I was going through your ActiveSync article, most of which I have already tried, but one thing caught my eye, which was the part where you say:

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name - e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Require SSL NOT ticked (very important)

Microsoft-Server-ActiveSync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name - e.g., yourcompany* (no more than 15 characters)
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked

Now the thing is, when I uncheck SSL in the Exchange virtual directory my OWA is no longer secure and I am able to access it via http://mail.mydomain.com/exchange

My server is a Windows 2003 R2 Standard SP2.
answered 2011-12-06 at 14:48:37

brucie64

In that case - enable SSL on the Exchange virtual directory and then create the exchange-oma virtual directory as per KB817379 which you have referenced in your question.
answered 2011-12-06 at 15:10:56

alanhardisty

I did that but it still didn't work.
answered 2011-12-06 at 15:13:43

brucie64

Okay - so with SSL enabled on the Exchange VD, and the Exchange-OMA created - what are the results on the test site?
answered 2011-12-07 at 05:12:01

alanhardisty

I created the secondary virtual directory a few days back but removed it when it didn't work (as well as the registry keys). I will recreate it, but there is something I want to be sure of before I do that; hopefully you can confirm for me. On step 14 of the Microsoft KB article it says:
"Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK twice."
I assume it is referring to the local IP address of my Exchange box, but I just want to be sure it is not referring to the WAN IP address of my (mail.mydomainname.com).

I am going to recreate the secondary virtual directory but just want to be sure on that before I do.

Thank you again
answered 2011-12-07 at 05:13:21

brucie64

Correct - it is the local server IP address not the WAN IP address.
answered 2011-12-07 at 10:39:21

alanhardisty

OK, done. I am still getting the same error on the iPhones, and here is what the test site showed:

Exchange ActiveSync returned an HTTP 500 response.
 


answered 2011-12-07 at 12:15:56

brucie64

Ooh - not nice.  Have you followed my article for the 500 errors?
answered 2011-12-08 at 08:34:56

alanhardisty

I have gone through most of it, right now I am at this part:

In a recent question on EE, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

Isinteg -s servername -fix -test alltests

So my question is how do I unmount the database to run the command?

Thanks
answered 2011-12-08 at 08:38:51

brucie64

Through Exchange System Manager, drill down until you can see the Mailbox Store (Servers> Your Server Name> First Storage Group> Mailbox Store).  When you can, right-click on mailbox store and choose Dismount Store (to mount the store - do the same but choose Mount Store).
answered 2011-12-08 at 08:58:01

alanhardisty

Am I missing something here or is it not simply the fact that the devices have not got the root certificate installed? (or I have not read the thread properly of course)

You specifically mention in your initial question hand-held devices. Is the Sync/access OK if you tried it using a basic windows based laptop for example?
answered 2011-12-08 at 09:11:13

keith_alabaster

Currently using a GoDaddy cert - so might not be an issue Keith.
answered 2011-12-08 at 09:19:49

alanhardisty

Keith - I am using a GoDaddy cert because I was having so much trouble with the self cert that I figured I would just throw in the towel and buy a cert to eliminate that. I followed the instructions from GoDaddy to install the cert, and everything on it looked OK, but at this point I will not rule anything out. Let me know if there is anything I can do to test to make sure the cert is good and installed correctly.

Alan - I will do that right now. Do I need to stop any services first or just unmount? Also, I assume while the mailbox store is unmounted no one can send or receive email, correct?
Lastly, once I remount the database will there be any issues with users who are currently connected to our Exchange server via Outlook?

answered 2011-12-08 at 09:21:25

brucie64

You can just unmount - but people will lose access to their mail while you run this (and I would run it twice to make sure as if there are errors after the first run, you will want to run it again until you see 0 errors and 0 fixes).

Once remounted - life will return to normal for your users.
answered 2011-12-08 at 09:36:34

alanhardisty

Go-Daddy normally requires the use of an intermediate certificate as well unless you have specifically brought down and installed the version that has both the intermediate/host element combined. Whilst I do not need the intermediate on my devices, I DID need to insert it into my host server. Hence my question of whether the service is working for devices other than phones as we know certain devices can have issues with these.
answered 2011-12-08 at 09:39:34

keith_alabaster

OK, ran the command twice (the first time it fixed 5 errors and the 2nd time it was 0).
Checked the iPhones and they are still getting the same error; checked the test site and I am still getting the same:
Exchange ActiveSync returned an HTTP 500 response.
answered 2011-12-08 at 10:17:52

brucie64

Keith - I am having no issues other than the iPhones. OWA was working great both inside and outside the network. I did, though, try to install a self cert multiple times with the same results.

Alan - Should I remove those registry keys and the exchange-oma VD at this point?
answered 2011-12-08 at 11:13:33

brucie64

Time to follow KB883380 me thinks.
answered 2011-12-08 at 12:07:17

alanhardisty

Alan,

Yeah, I did that before. I will remove the registry key and reset the OMA VDs, which will put everything back to the way it was originally.

What do you recommend from here?

(A little info - currently I have both the Exchange VD and the exchange-oma VD unchecked for the SSL cert. I am able to go to http://mydomain.com without an issue, but I am still getting the same error "Cannot Get Mail - The connection to the server failed" from the Exchange iPhone mail account.)

answered 2011-12-08 at 12:47:42

brucie64

Ah - that won't help.

The idea of the exchange-oma VD is to allow SSL to be enabled on the Exchange VD, so please enable SSL on that and make sure SSL is not enabled on the Exchange-OMA VD and then run IISRESET, then test again.
answered 2011-12-08 at 13:34:59

alanhardisty

Alan,

That is how it was originally set up and it didn't work. Tested again and still not working.
answered 2011-12-08 at 13:39:10

brucie64

Still the 500 error?
answered 2011-12-08 at 14:17:08

alanhardisty

Yes, I did.

I have now removed the registry key and done the reset on the OWA VDs.

Here are my results when I test it.
Without SSL checked on the Exchange VD:
Connectivity Test Successful with Warnings
Analyzing the certificate chains for compatability problems with Windows Phone devices.
Potential compatibility problems were identified with some versions of Windows Phone.
http://technet.microsoft.com/en-us/library/ee410525(EXCHG.80).aspx

With SSL checked on Exchange VD:
Exchange ActiveSync returned an HTTP 500 response.
answered 2011-12-08 at 14:19:26

brucie64

Can you please set up a test account and ping me the details to alan @ it-eye.co.uk so that I can test from my side.

Many thanks

Alan
answered 2011-12-08 at 14:36:13

alanhardisty

Make sure you follow my guide very carefully:

http://www.qa.downappz.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

If you need SSL enabled for OWA, export a copy of the Exchange VDir settings after ensuring that SSL is disabled and you have run iisreset, then follow KB817379, run iisreset once more and you should be good to go.

If not, let me know.

Alan
answered 2011-12-08 at 14:38:21

alanhardisty
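To make the working layout concrete, here is an added example that is not from the thread, from Alan's guide or from Microsoft: a small audit of a simplified IIS 6 metabase export against the settings quoted earlier from Alan's article and the KB817379 arrangement Alan describes above (SSL required on /Exchange, a non-SSL /exchange-oma copy that ActiveSync reaches over plain HTTP on the local server, and /Microsoft-Server-ActiveSync with Basic authentication only and SSL plus 128-bit required). The two metabase fragments are constructed; AuthFlags, AccessSSLFlags, DefaultLogonDomain and Realm are real IIS 6 metabase property names, while the function names and the finding text are my own. The IP address restriction the KB puts on exchange-oma (step 14, local server IP only) is stored as a binary blob in the metabase and is deliberately not checked here, so it still has to be verified by hand.

```python
"""Audit an IIS 6 metabase export for the Exchange 2003 / ActiveSync layout
discussed in the thread.  Added example, not part of the original thread."""
import xml.etree.ElementTree as ET

# Constructed, simplified metabase fragment: the asker's broken state, where
# /Exchange requires SSL but no exchange-oma directory exists yet.
BROKEN_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange"
        AuthFlags="AuthBasic | AuthNTLM"
        AccessSSLFlags="AccessSSL | AccessSSL128"
        DefaultLogonDomain="CONTOSO" Realm="contoso.com" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Microsoft-Server-ActiveSync"
        AuthFlags="AuthBasic"
        AccessSSLFlags="AccessSSL | AccessSSL128"
        DefaultLogonDomain="CONTOSO" Realm="CONTOSO" />
  </MBProperty>
</configuration>
"""

# Same server after KB817379: a copy of the Exchange VDir named exchange-oma with
# SSL off, which ActiveSync can proxy to over HTTP on the local server.
FIXED_METABASE = BROKEN_METABASE.replace(
    "</MBProperty>",
    """    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/exchange-oma"
        AuthFlags="AuthBasic | AuthNTLM"
        AccessSSLFlags=""
        DefaultLogonDomain="CONTOSO" Realm="contoso.com" />
  </MBProperty>""")


def _flags(value):
    """Split a metabase flag list such as 'AccessSSL | AccessSSL128' into a set."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}


def load_vdirs(xml_text):
    """Map each IIsWebVirtualDir's last path element (lower-cased) to its attributes."""
    root = ET.fromstring(xml_text)
    vdirs = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "IIsWebVirtualDir":  # strip the XML namespace
            continue
        name = el.get("Location", "").rsplit("/", 1)[-1].lower()
        vdirs[name] = dict(el.attrib)
    return vdirs


def audit(xml_text):
    """Return a list of findings; an empty list means the layout matches the thread's fix."""
    vdirs = load_vdirs(xml_text)
    findings = []

    exch = vdirs.get("exchange")
    if exch is None:
        return ["Exchange virtual directory not found"]
    if _flags(exch.get("AuthFlags")) != {"AuthBasic", "AuthNTLM"}:
        findings.append("Exchange: authentication should be Integrated (NTLM) and Basic only")
    exch_ssl = "AccessSSL" in _flags(exch.get("AccessSSLFlags"))

    eas = vdirs.get("microsoft-server-activesync")
    if eas is None:
        findings.append("Microsoft-Server-ActiveSync virtual directory not found")
    else:
        if _flags(eas.get("AuthFlags")) != {"AuthBasic"}:
            findings.append("ActiveSync: authentication should be Basic only")
        if not {"AccessSSL", "AccessSSL128"} <= _flags(eas.get("AccessSSLFlags")):
            findings.append("ActiveSync: Require SSL and 128-bit encryption should be ticked")
        if eas.get("Realm") != eas.get("DefaultLogonDomain"):
            findings.append("ActiveSync: Realm should be the NetBIOS domain name")

    oma = vdirs.get("exchange-oma")
    if exch_ssl:
        # The thread's failure mode: ActiveSync talks to /Exchange over HTTP on the
        # server itself, so Require SSL there needs the exchange-oma directory.
        if oma is None:
            findings.append("Exchange requires SSL but no exchange-oma directory exists "
                            "(ActiveSync will fail, typically HTTP 500): follow KB817379")
        elif "AccessSSL" in _flags(oma.get("AccessSSLFlags")):
            findings.append("exchange-oma must not require SSL")
    else:
        findings.append("Exchange does not require SSL: OWA is reachable over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_METABASE), ("fixed", FIXED_METABASE)):
        print(label, audit(text) or "no findings")
```

Run it against a real export (`MetaBase.xml` under `%SystemRoot%\system32\inetsrv`, or a copy taken while the metabase is not being edited) by reading the file into `audit()`; the constructed fragments only exist so the script runs offline. The point of the exchange-oma check is the one Alan makes: the non-SSL copy exists so that OWA can stay SSL-only for users while ActiveSync keeps its local HTTP path, which is also why the KB's IP restriction on that directory matters.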

Alan,

That did the trick!!!!
Thank you so much for all your help and sticking with me the whole time!
I wish I could give you more than the 500 points but that is all they will let me give you.

I can't thank you enough for all your help,

Happy Holidays!  
answered 2011-12-09 at 08:07:22

brucie64

Excellent news - well done.

Don't worry about the points - 500 is plenty.

Have an Excellent (stress-free) Xmas.

Best wishes

Alan
answered 2011-12-09 at 09:08:54

alanhardisty

Thank you so much for your help!!!
Awesome guide!!!  
This guy really knows his stuff!!!
answered 2011-12-09 at 09:12:38

brucie64

Nice job Alan
answered 2011-12-09 at 09:18:33

keith_alabaster

Thanks Keith.
answered 2011-12-09 at 09:21:05

alanhardisty

I had the same problem on my iPhone after enabling SSL on Exchange 2003; with Alan's guide I've solved the problem.

Alan, you are the best guy to deal with Exchange servers, and your explanations are really awesome and very clear.

Thanks
Aref
answered 2011-12-09 at 09:21:43

arefone

Asked: 12/01/2011 08:42

Seen: 273 times

Last updated: 12/09/2011 01:18