Problems with Certificate Services and OWA

Tim Nichols

Our Exchange 2003 server was running on a Windows 2000 Server, using OWA
with forms-based authentication, and was set up as a Certificate Authority.
We suffered a bad system crash that resulted in me having to reinstall
Windows and Exchange using the Disaster Recovery option, and then restoring
Information Stores from backup.

After restoring the server to fully working order, I needed to set up OWA to
use SSL for forms-based authentication. So, I installed Certificate
Services on this server, as I did before, and made it the Enterprise Root
CA. It gave a prompt that there was already a server with the same name
set up as a CA root, so I clicked the option to overwrite this. I installed
the certificate as Microsoft explains in the Knowledge Base articles, and
everything looks right. However, when trying to access the HTTPS address
for OWA, I get a page cannot be found. I have imported the certificate into
IIS... am I overlooking something?

Please assist if at all possible, thanks.

-Tim Nichols
MCP
 
Terry

You may have to set the SSL port in IIS. Sometimes it is blank on a new
install. Set it to 443.
 
Terry

PS: If it did set it up in IIS on another website, but not the one for OWA,
you *MAY* have to close your browser and try again after you turn port 443
on in the OWA website.

IE funkiness.
 
Tim Nichols

Terry-

Thank you for your fast response. I just checked and yes, the port in IIS
is set to 443, so I don't think that is the issue. I still get the Page
cannot be displayed screen when I try to pull it up.

Could there be a problem with the Certificate Authority in Active Directory
since the original server crashed?

-Tim
 
Terry

Tim,
There may be a conflict if you have the old CA certificate loaded on the
workstations. You may have to remove the old cert. IE is *REALLY* bad about
reporting SSL certificate problems. Often it will simply hang and then
display the "The page cannot be displayed" error.

I often use Firefox as a diagnostic utility for looking at SSL certificate
problems. Give it a try. If it simply reports that it does not know who the
CA is, but works anyway after you tell it to accept the certificate, I
suspect that you will need to reinstall the cert for the workstation(s).

--Terry
 
Tim Nichols

Terry-

You were right on the money. Firefox gave me a much more detailed error
message. This is what it displays:

Alert
Could not establish an encrypted connection because certificate presented by
<serverA> is invalid or corrupted. Error Code: -8102

What do you think?

-Tim
 
Terry

Tim-

Well, I must admit I have never used the CA in Windows to sign SSL
certificates. I use OpenSSL to self-sign my certificates. But this is what I
would do. Remove the certificate from IIS. Create a new certificate request,
sign it and install the signed certificate.

Hope that helps. Let me know.

Terry Trapp
 
Tim Nichols

Terry-

That worked. Rather than using the existing certificate (which I did the
first time), I requested a new certificate, after removing the certificate
that wasn't working. This appears to have fixed the problem.

Thanks for your help. Certificate Services and security are not my cup of
tea, but I am learning.

-Tim
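
Added example, not part of the thread: error code -8102 in Firefox is the NSS code SEC_ERROR_INADEQUATE_KEY_USAGE, meaning the certificate's key usage does not permit the attempted operation, here serving SSL. The script below uses the OpenSSL command line Terry mentions to ask whether a certificate file is fit for use as an SSL server certificate; the two certificates it generates, their subjects and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. File names and subjects are constructed.

# Print "Yes" or "No": does OpenSSL consider this PEM certificate usable
# as an SSL/TLS server certificate (key usage and extended key usage)?
ssl_server_ok() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null |
        awk -F' : ' '$1 == "SSL server" { print $2 }'
}

# Build two constructed self-signed certificates in directory $1:
#   ca.pem  - CA-style certificate, key usage limited to signing certs/CRLs
#   web.pem - server certificate with TLS key usage and serverAuth EKU
make_samples() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[web_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    for kind in ca web; do
        openssl req -x509 -config "$1/req.cnf" -extensions "${kind}_ext" \
            -newkey rsa:2048 -nodes -days 1 -subj "/CN=${kind}.example.test" \
            -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null
    done
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for kind in ca web; do
    echo "$kind.pem usable as SSL server certificate: $(ssl_server_ok "$tmp/$kind.pem")"
done
rm -rf "$tmp"
```

To run the same check against a certificate already bound to a website, export it to a PEM file first and pass that file to `ssl_server_ok`.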
 
Guest

Could you please tell me where I can obtain the Firefox diagnostic utility,
as I am having the same problem, i.e. cannot access my OWA site from the internet,
and have checked with my ISP, who say they do not block my SSL.
SSOR
 
