SSL doesn't work on OWA 2003

Okay, I am trying to enable SSL and Forms Based Authentication for OWA on an Exchange 2003 server. This should be a relatively simple project, nothing I haven't managed to do a few dozen times before. Unfortunately, it isn't working and I need some help.

The server in question is fully patched and up to date. The guy that manages it has tried, unsuccessfully, to get it working and has asked for my assistance. There is already a certificate installed on the server that is good until 2011. The certificate appears to be installed correctly. FBA is enabled in System Mangler. Require SSL is enabled for the entire default website in IIS. He also set up a redirection to HTTPS when you try to access the site with HTTP, and this seems to be working. However, I get the page cannot be displayed error message whenever the OWA site is brought up. If I turn off Require SSL in Directory Security in IIS then the OWA site works, albeit without SSL.

There are no errors in the Event Logs and I have been searching for answers on the googler to no avail this evening. Anyone here have any ideas of where to start?
 
hmm...sounds like there is a problem with the way the certificate was generated and/or applied to IIS. Are there any intermediate or root certificates that were part of the cert pointing to your site ?
 

See, that's what I was wondering, too. I looked and the cert authority that generated the certificate is in the intermediaries and root. It's some weird company I haven't heard of before called Starfield or something like that. I may just revoke and then generate the certificate again but I wanted to check and see if there might be something else I was missing before I did that.
 
I don't have the link handy, but I'm sure it's easy enough to find with a Google search. Look up OWA 2003's SSL cert requirements -- I'm pretty sure the cert you received may be buggy, or during the CSR/generation process something got messed up.

I've used www.breakforth.com in the past and it's worked like a charm all time.

It seems you've covered all config bases on the Exchange side, which leads me to think that it's an issue with the cert.
 
I agree, sounds like a certificate problem. Try self generating a cert just to test with.
 
Personally, I doubt the problem is the certificate. If it were, I'd think you'd be getting an error message... this looks like it's not connecting to the 443 port properly at all. You should be able to test this via a command prompt and "telnet <host> 443" and see if you can connect. I'd also look into the permission settings in IIS and (at least for now) removing the HTTP -> HTTPS redirector... one less thing to worry about.
 
Great, now OMA is broken and users are getting ActiveSync error 0x85010001. . . . . I had no idea there were any phones in the mix, just found out a few minutes ago. Just turned on ActiveSync monitoring on the Exchange server now to see what is going on. Have Basic and Integrated Authentication turned on the default website in IIS.
 

Since you're using the Starfield method, read this article and make sure it is followed.

SSL Enabling OWA 2003 Using a Free 3rd Party Certificate

From what I recall, Starfield is not a publicly trusted cert or something similar; I don't recall the exact issue.
 

What kind of error message would one get if the certificate was in fact bad? In the years I've done Exchange work, I've specifically come across certificate issues where the end result was a "page cannot be displayed".

In a Micro$oft world I would advise you or anyone not to really bank on an error code being much use.
 
I ended up making a separate virtual directory for exchange-oma per the MS KB article and got OMA/ActiveSync working again. Now I just have to piddle with the SSL stuff again. I think I am going to leave that alone until Monday, I don't really feel like working this weekend. :D
 

I thought you'd get *something*, not just "page cannot be displayed". This could just as well be however forwarding HTTP -> HTTPS was set up. Perhaps just forwarded http://host/exchange to https://host instead of https://host/exchange
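The thread argues about two different failure modes, "443 isn't answering at all" versus "the certificate or handshake is bad", and then about whether the HTTP -> HTTPS redirect drops the /exchange path. This added script (not from anyone in the thread) checks both from a client machine; the hostname owa.example.com is a constructed placeholder, and the redirect check is fed the Location header you would see in the browser's response.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Hypothetical hostname used only in the usage example at the bottom.
EXAMPLE_HOST = "owa.example.com"


def probe_https(host, port=443, timeout=5):
    """Separate 'nothing is answering on 443' from 'TLS/certificate problem'.

    Returns a (status, detail) tuple:
      'no-connect' - TCP connect failed, so IIS is not bound or listening on 443
      'tls-error'  - TCP worked but the handshake or certificate validation failed
      'ok'         - handshake succeeded; detail is the certificate subject
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "no-connect", str(exc)
    ctx = ssl.create_default_context()  # validates chain and hostname like a browser
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.getpeercert().get("subject", ())
    except ssl.SSLError as exc:
        return "tls-error", str(exc)
    finally:
        sock.close()


def redirect_keeps_path(requested_url, location):
    """Check an HTTP -> HTTPS redirect target (the Location header).

    A good redirect upgrades the scheme to https, keeps the host, and keeps
    the requested path, so http://host/exchange lands on https://host/exchange
    rather than on the bare https://host.
    """
    req, loc = urlsplit(requested_url), urlsplit(location)
    if loc.scheme != "https":
        return False, "target is not https"
    if loc.hostname != req.hostname:
        return False, "target host differs"
    if loc.path.rstrip("/") != req.path.rstrip("/"):
        return False, "path dropped: %r -> %r" % (req.path, loc.path or "/")
    return True, "ok"


if __name__ == "__main__":
    print(probe_https(EXAMPLE_HOST))
    print(redirect_keeps_path("http://%s/exchange" % EXAMPLE_HOST,
                              "https://%s" % EXAMPLE_HOST))
```

A 'no-connect' result points at the IIS binding or a firewall, 'tls-error' at the certificate or chain, and a failed redirect check explains a "page cannot be displayed" that has nothing to do with either.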
 
Well, I checked with their tech guy and apparently they bought some GoDaddy SSL certificates a while ago but no one bothered to install them . . . So I guess I will do that on Monday. I'm done working for the week. I love people . . . I really do . . .
 
Yay, I re-keyed their certificate and re-installed it and it works now! Only problem is I still get the windows logon box first, then the FBA login page. Seems a bit redundant to me. Working on that one right now . . .
 
Sweet, turned on Windows authentication and the little box thingy disappears. w00t. I got it all fixed now, yay!


Thanks for the tips on the certificate being bad guys. :D
 