Sunday, April 18, 2010

Identify Exchange Server 2010 ActiveSync certificate errors

The easiest way to find out if you have a certificate-related problem is to log into Outlook Web App (OWA). OWA and ActiveSync both require SSL, and use the client access server (CAS). ActiveSync and OWA also use the same SSL certificate, so if OWA works properly, you can rule out a certificate issue.
As you test OWA, here are some things to keep in mind:
• By default, Exchange Server 2010 is configured to use a self-signed certificate with OWA. However, self-signed certificates are not compatible with ActiveSync. You need to use a valid X.509 certificate.
• When you enter the URL for OWA, make sure that the URL points to the same CAS that ActiveSync is using.
• Be sure to use the HTTPS prefix in your OWA URL.
• When OWA loads, make note of any certificate-related warning messages you receive. If the certificate has expired, it will not work with ActiveSync.
• If you receive a warning that the certificate name does not match the host name, verify that you have entered the server's fully qualified domain name (FQDN) as a part of the URL, as opposed to a short name such as https://Lab-E2K10/owa.
Entering the URL without an FQDN can trigger false certificate identity errors. If a certificate identity error is legitimate, you will need a new certificate.
• You will receive a warning message (Figure 1) if the computer does not trust the certificate authority (CA) that issued the certificate to Exchange Server 2010. Both Windows and Windows Mobile are configured to trust most major third-party certificate authorities by default.

Figure 1. A certificate-related warning message may signal an untrusted CA.

If you are using your own CA, you must configure your computers and mobile devices to trust it. Windows-based CAs have a Web interface you can use to download the CA certificate. This certificate then must be added to the computer's or device's certificate store. The Web interface is accessible at http://<CA server name>/CertSrv (Figure 2).

Figure 2. Use the certificate authority's Web interface to download required CAs.

• An Enterprise certificate authority that is running Windows Server 2008 does not allow Web enrollment for mobile devices unless you install the Network Device Enrollment Service. Although it's possible to download the CA certificate, which allows the device to trust your Enterprise CA, using other methods, it's best to use the Network Device Enrollment Service.
• When you attempt to access OWA using an HTTPS session, Internet Explorer may display an error message stating that the page cannot be displayed. If this occurs, try accessing OWA using an HTTP session, instead of HTTPS.
If you receive a message telling you that the HTTP session is forbidden, there is probably an issue with the server's SSL certificate or its bindings. If you continue to receive the same error whether you use HTTP or HTTPS, this may signal a DNS problem.
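The checks in the list above can be run from a script instead of reading browser warnings. The following is an added example, not code from the original article: a PowerShell function that opens a TLS session to the host named in an OWA URL, retrieves the certificate the client access server presents, and reports the conditions described above (self-signed, expired, name mismatch including a short name typed instead of the FQDN, and an issuing CA that this computer does not trust). The URL in the usage line is a placeholder and the function names are my own; it assumes TCP 443 on the CAS is reachable from the machine running it.

```powershell
# Added example (not from the original article). Collect the DNS names a certificate is valid for:
# the Subject Alternative Name entries (OID 2.5.29.17) plus the subject CN as a fallback.
function Get-DnsNamesFromCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            # Format($false) yields "DNS Name=a, DNS Name=b" on English systems (locale-dependent text).
            foreach ($entry in ($ext.Format($false) -split ',\s*')) {
                if ($entry -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
            }
        }
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn -and $names -notcontains $cn) { $names += $cn }
    return $names
}

# True when the host name typed into the URL is covered by one of the certificate's names.
function Test-CertificateNameMatch {
    param([string]$HostName, [string[]]$CertificateNames)
    foreach ($name in $CertificateNames) {
        if ($name -eq $HostName) { return $true }              # -eq is case-insensitive in PowerShell
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.example.com matches cas.example.com, not a.b.example.com
            $suffix = $name.Substring(1)                        # ".example.com"
            $cut    = [Math]::Max(0, $HostName.Length - $suffix.Length)
            $prefix = $HostName.Substring(0, $cut)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) -and
                $prefix -ne '' -and -not $prefix.Contains('.')) { return $true }
        }
    }
    return $false
}

function Test-OwaCertificate {
    param([Parameter(Mandatory=$true)][string]$Url)
    $uri = New-Object -TypeName System.Uri -ArgumentList $Url
    if ($uri.Scheme -ne 'https') { throw "OWA must be tested with the HTTPS prefix, not '$($uri.Scheme)': $Url" }

    # Open a TLS session that accepts any certificate, so the certificate itself can be inspected.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp    = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $uri.Host, $uri.Port
    $stream = $tcp.GetStream()
    $ssl    = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Build the chain the same way Windows does for the browser warning (revocation skipped for speed).
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $chainText = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    $now      = Get-Date
    $names    = Get-DnsNamesFromCertificate -Certificate $cert
    $problems = @()
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'Self-signed certificate (the Exchange 2010 default); ActiveSync will not accept it' }
    if ($cert.NotAfter -lt $now)  { $problems += "Certificate expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "Certificate not valid before $($cert.NotBefore)" }
    if (-not (Test-CertificateNameMatch -HostName $uri.Host -CertificateNames $names)) {
        if ($uri.Host -notmatch '\.') {
            $problems += "Name mismatch, but '$($uri.Host)' is not an FQDN; retest with the server's FQDN before replacing the certificate"
        } else {
            $problems += "Name mismatch: '$($uri.Host)' is not among [$($names -join ', ')]"
        }
    }
    if ($chainText -match 'UntrustedRoot|PartialChain') {
        # For an internal Windows CA, download its certificate from http://<CA server name>/CertSrv and add it
        # to the client's Trusted Root store, e.g. on a Windows client:  certutil -addstore Root ca.cer
        $problems += "Issuing CA is not trusted by this computer: $($cert.Issuer)"
    }

    New-Object -TypeName PSObject -Property @{
        Host        = $uri.Host
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        Names       = $names
        ChainStatus = $chainText
        Problems    = $problems
        Ok          = ($problems.Count -eq 0)
    }
}

# Usage (placeholder host name): run it once with the FQDN, and compare with the short name if you get a mismatch.
Test-OwaCertificate -Url 'https://cas01.corp.example.com/owa' | Format-List
```

Running it against both https://<FQDN>/owa and https://<short name>/owa shows the difference the list describes: the certificate, its expiry and its issuer come back identical, and only the name-match result changes.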

A crash course in IIS 7

Unlike earlier versions, Exchange Server 2010 requires Windows Server 2008 and Internet Information Services (IIS) 7, and the process for setting up SSL is quite different in IIS 7 than it was in IIS 6.
In IIS 7, SSL certificates are applied at the server level. If you look at the IIS Manager and select the listing for your IIS server, the details pane will contain a Server Certificates icon (Figure 3).

Figure 3. SSL certificates are applied to IIS 7 at the server level.

When you click the Server Certificates icon, the details pane displays the SSL certificates currently associated with the server. As you can see, the Actions pane contains an option to create a certificate request. If you're using your own CA, you'll have to use this link to create a text file containing the certificate request.
Next, use the certificate enrollment website to perform a certificate request, using the contents of the text file. When this process is complete, the website will allow you to download a certificate. After doing so, you must use the Complete Certificate Request link (Figure 4) to make IIS aware of the new certificate.

Figure 4. Clicking on the Server Certificates icon causes IIS 7 to display the existing SSL certificates.

Although SSL certificates are managed at the server level, SSL encryption is actually enabled or disabled at the individual website level. OWA and ActiveSync are both a part of the Default Web Site and have SSL enabled by default. You can use the SSL Settings icon to verify that SSL encryption is enabled (Figure 5).

Figure 5. SSL is either enabled or disabled at the website level.

Configuring a site's bindings

One step that often is overlooked involves configuring a site's bindings. In the case of SSL, site bindings tell IIS which certificate it should use for a particular site. If you look back at Figure 5, you'll notice a Bindings link, which is located in the Actions pane. Clicking on this link displays the existing site bindings.
To make sure that the site is using the correct certificate, select the HTTPS binding and click Edit. The IIS Manager will display the Edit Site Bindings dialog box (Figure 6), which lets you choose the certificate you'd like to use with the site.

Figure 6. Select the certificate you'd like to associate with the website.
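The server-level certificates, the site-level HTTPS binding and the certificate that binding points to can also be read without the IIS Manager. The following is an added example, not code from the original article or from Microsoft: a PowerShell function, meant to run in the Exchange Management Shell on the client access server, that reports the Default Web Site's HTTPS binding, the thumbprint of the certificate assigned to it, and whether that is the certificate Exchange has enabled for the IIS service. It assumes IIS 7.5 on Windows Server 2008 R2, where the WebAdministration module is built in; on IIS 7.0 the IIS PowerShell snap-in must be installed and loaded with Add-PSSnapin WebAdministration instead. The function name is my own; the cmdlets and the IIS:\SslBindings path are the real ones.

```powershell
# Added example (not from the original article). Requires the IIS WebAdministration module and the
# Exchange 2010 management cmdlets (Get-ExchangeCertificate) on the client access server.
Import-Module WebAdministration

function Get-SiteSslBindingReport {
    param([string]$SiteName = 'Default Web Site')   # OWA and ActiveSync live under this site by default

    $problems = @()

    # The site's HTTPS binding; bindingInformation is "IP:port:hostheader", e.g. "*:443:".
    $httpsBindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($httpsBindings.Count -eq 0) {
        return New-Object -TypeName PSObject -Property @{
            Site = $SiteName; Problems = @('No HTTPS binding on the site; SSL cannot work for OWA or ActiveSync'); Ok = $false
        }
    }
    $parts = $httpsBindings[0].bindingInformation -split ':'
    $ip = $parts[0]; $port = $parts[1]
    if ($ip -eq '*') { $ip = '0.0.0.0' }   # SslBindings keys the "all unassigned" binding as 0.0.0.0

    # The HTTP.sys SSL binding for that IP:port names the certificate (by thumbprint) actually in use.
    $sslBinding = Get-Item "IIS:\SslBindings\$ip!$port" -ErrorAction SilentlyContinue
    $thumb = $null
    if (-not $sslBinding) {
        $problems += "HTTPS binding ${ip}:$port has no certificate assigned (choose one in the site's bindings)"
    } else {
        $thumb = $sslBinding.Thumbprint
    }

    # Server-level certificates: the store the Server Certificates icon lists.
    $boundCert = $null
    if ($thumb) {
        $boundCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $boundCert) {
            $problems += "Bound thumbprint $thumb is not in the machine's Personal certificate store"
        } elseif ($boundCert.NotAfter -lt (Get-Date)) {
            $problems += "Bound certificate expired on $($boundCert.NotAfter)"
        }
    }

    # What Exchange has enabled for IIS. Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
    # is what writes this binding, so a difference here is the usual cause of a wrong or stale binding.
    $exchangeIisThumbs = @(Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.Thumbprint })
    if ($thumb -and $exchangeIisThumbs.Count -gt 0 -and $exchangeIisThumbs -notcontains $thumb) {
        $problems += "IIS binding uses $thumb but Exchange has IIS enabled on $($exchangeIisThumbs -join ', ')"
    }

    New-Object -TypeName PSObject -Property @{
        Site              = $SiteName
        HttpsBinding      = $httpsBindings[0].bindingInformation
        BoundThumbprint   = $thumb
        BoundSubject      = $(if ($boundCert) { $boundCert.Subject } else { $null })
        BoundNotAfter     = $(if ($boundCert) { $boundCert.NotAfter } else { $null })
        ExchangeIisThumbs = $exchangeIisThumbs
        Problems          = $problems
        Ok                = ($problems.Count -eq 0)
    }
}

Get-SiteSslBindingReport | Format-List
```

An empty Problems list means the site has an HTTPS binding, the binding points at a certificate that exists in the machine store and has not expired, and that certificate is the one Exchange itself enabled for IIS; a non-empty list points at the specific screen (Server Certificates, SSL Settings or Edit Site Binding) to revisit.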

When testing this procedure in the lab, I ran into some problems and discovered they were related to the bindings. Although the bindings on my Exchange 2010 Server were configured correctly, they became corrupted -- causing Internet Explorer to display a Page Cannot Be Displayed error when I attempted to access OWA.