Prev: deploy dot Net 4
Next: SBS2003 + Outlook 2007 with SP2 + Vista Pro with SP2 / networksave problem.
From: Mikey on 22 Jun 2010 20:41 On Jun 22, 4:44 pm, "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote: > On Tue, 22 Jun 2010 00:59:24 -0700 (PDT), Mikey <texan...(a)hotmail.com> > wrote: > > > > > > >On Jun 21, 10:00 pm, "Rich Matheisen [MVP]" > ><richn...(a)rmcons.com.NOSPAM.COM> wrote: > >> On Mon, 21 Jun 2010 19:26:24 -0700 (PDT), Mikey <texan...(a)hotmail.com> > >> wrote: > > >> [ snip ] > > >> >> If you're having a problem getting the CSR generated for submission to > >> >> the CA, try using DigiCert's tool for that: > > >> >>https://www.digicert.com/easy-csr/exchange2007.htm > >> >> --- > >> >> Rich Matheisen > >> >> MCSE+I, Exchange MVP > > >> >I tried & am getting a message that either I can't over write the file > >> >(there's nothing there with that currect name!) or I don't have > >> >sufficient privelages! > >> >Is an administrator acount not what it used to be? > > >> I guess that depends on what you mean. > > >> 1. Did you have a problem renaming the CSR file that already exists? > >> 2. Did you have a problem deleting the CSR file that already exists? > >> 3. Did you add "-force:$true" to the cmdlet to overwrite the existing > >> CSR file? > > >> -Force <SwitchParameter> > >> Use this parameter switch to overwrite an existing certificate > >> request file that matches the same file path as specified in > >> this cmdlet. > >> By default, this cmdlet will not overwrite existing files. > > >> 4. Did you tell the cmdlet to write the CSR file to a different path? > >> --- > >> Rich Matheisen > >> MCSE+I, Exchange MVP > > >See post above yours. > > If I was looking at this in a web browser that might make sense. But > if you're refering to your other posting at 3:59AM it doesn't answer > any of the questions I asked. > --- > Rich Matheisen > MCSE+I, Exchange MVP I didn't have a CSR there to overwrite. What kept me from writing the request was that even though I am logged in as the administrator, I haven't got in the habit of using the 'run as administrator' option. Once I did that, it created the request, I re-keyed my certificate, but when I tried to install it, it wouldn't, saying it didn't match the name of the server, or something along those lines, probably because the original request was for remote.mydomain.com & I tried to create it for exchange.mydomain.com. As Cliff suggested, I changed my SRV record to point to remote.mydomain.com. so now any knid of smart phone connects with no problem, I am not getting warnings when using OWA, but I still cannot connect remote clients using Outlook Anywhere! The test exchange website still throws up a bunch of error, as well, so I am open for any suggestions, including jumping off of a very tall building at this point! Seriously, I appreciate all the help you guys are offering, it's been a loooong day....
From: Rich Matheisen [MVP] on 22 Jun 2010 23:19 On Tue, 22 Jun 2010 17:41:27 -0700 (PDT), Mikey <texan767(a)hotmail.com> wrote: [ snip ] >I didn't have a CSR there to overwrite. What kept me from writing the >request was that even though I am logged in as the administrator, I >haven't got in the habit of using the 'run as administrator' option. >Once I did that, it created the request, I re-keyed my certificate, >but when I tried to install it, it wouldn't, saying it didn't match >the name of the server, or something along those lines, probably >because the original request was for remote.mydomain.com & I tried to >create it for exchange.mydomain.com. >As Cliff suggested, I changed my SRV record to point to >remote.mydomain.com. so now any knid of smart phone connects with no >problem, I am not getting warnings when using OWA, but I still cannot >connect remote clients using Outlook Anywhere! And Outlook's "Exchange Proxy Settings" use what server name? >The test exchange >website still throws up a bunch of error, as well, so I am open for >any suggestions, You've already been offered suggestions. One of them was to reveal the names you're using in the certificate and in Outlook. You can't expect to get meaningful help for an identity problem if you remain anonymous. --- Rich Matheisen MCSE+I, Exchange MVP
From: Cliff Galiher - MVP on 23 Jun 2010 02:20 Okay, once again getting everyone up to speed. The SRV record has been created and I got an updated Autodiscover log, info filtered and two important "errors" posted below: ------------------------ Certificate trust is being validated. The test passed with some warnings encountered. Please expand the additional details. Additional Details Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information. -------------------------------- Fore issue #1, I viewed the certificate and it is issued by GoDaddy. GoDaddy uses "intermediate" certificates that must also be installed to resolve this warning. Here is a blog post outlining the process. Perform this process to resolve the warning. http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html -------------------------------- ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs. Autodiscover settings weren't obtained when the Autodiscover POST request was sent. Test Steps Attempting to Retrieve XML AutoDiscover Response from url https://xxxxxxxxxxxxxxxxxxxxxx/Autodiscover/Autodiscover.xml for user xxxxxxxxxxxxxxxxxxt(a)xxxxxxxxxxxxxxxxxx.yyy Failed to obtain AutoDiscover XML response. Additional Details A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown ----------------------------------- Issue #2: The URL is not returning any autodiscover info with a 401 error. This is usually an authentication error, so what I'd recommend doing is opening IIS via the snap-in located in Administrative tools. Expand the sites and find the site called "SBS Web Apps" Locate the "autodiscover" virtual directory and select it. Click on "authentication" in the center pane under the IIS group. There should be TWO authentication methods enabled. Basic authentication is used for external clients. Since they operate over SSL, the channel is still secure so the weakness of basic authentication is mitigated and this is safe. Windows Authentication is used by internal clients. All other authentication methods should be DISABLED. That should hopefully resolve the remaining issues. -- Cliff Galiher Microsoft has opened the Small Business Server forum on Technet! Check it out! http://social.technet.microsoft.com/Forums/en-us/smallbusinessserver/threads Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.
From: Rich Matheisen [MVP] on 23 Jun 2010 17:25 On Wed, 23 Jun 2010 00:20:02 -0600, "Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote: >Okay, once again getting everyone up to speed. The SRV record has been >created and I got an updated Autodiscover log, info filtered and two >important "errors" posted below: >------------------------ Just trying to browse to his server gives me errors that the certificate's revoked. Maybe he has the cert installed on the CAS but not on ISA/TMG? --- Rich Matheisen MCSE+I, Exchange MVP
From: Mikey on 23 Jun 2010 17:57
On Jun 22, 10:19 pm, "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote: > On Tue, 22 Jun 2010 17:41:27 -0700 (PDT), Mikey <texan...(a)hotmail.com> > wrote: > > [ snip ] > > >I didn't have a CSR there to overwrite. What kept me from writing the > >request was that even though I am logged in as the administrator, I > >haven't got in the habit of using the 'run as administrator' option. > >Once I did that, it created the request, I re-keyed my certificate, > >but when I tried to install it, it wouldn't, saying it didn't match > >the name of the server, or something along those lines, probably > >because the original request was for remote.mydomain.com & I tried to > >create it for exchange.mydomain.com. > >As Cliff suggested, I changed my SRV record to point to > >remote.mydomain.com. so now any knid of smart phone connects with no > >problem, I am not getting warnings when using OWA, but I still cannot > >connect remote clients using Outlook Anywhere! > > And Outlook's "Exchange Proxy Settings" use what server name? > > >The test exchange > >website still throws up a bunch of error, as well, so I am open for > >any suggestions, > > You've already been offered suggestions. One of them was to reveal the > names you're using in the certificate and in Outlook. You can't expect > to get meaningful help for an identity problem if you remain > anonymous. > --- > Rich Matheisen > MCSE+I, Exchange MVP The CN is remote.mydomain.com I tried to make this exchange.mydomain.com, but SBS's certificate request thinks remote would be a better name, even though the server is named exchange! The other names on the certificate are; autodiscover.mydomain.com exchange.mydomain.com exchange.mydomain.local sites In Outlook, I've tried to use remote.mydomain.com and exchange.mydomain.com & it doesn't like either of them! What's even stranger, is that if you try to use OWA from a Mac (& probably same goes for iPhones), I get the warning that the cert is invalid. If I ask to show the certificate, it lists the following; remote.mydomain.com wwww.remote.mydomain.com autodiscover.mydomain.com exchange exchange.mydomain.local sites Why isn't exchange.mydomain.com listed there? It's what the browser/ iphone is looking for, & it's also one of my SAN names!!! |