Prev: deploy dot Net 4
Next: SBS2003 + Outlook 2007 with SP2 + Vista Pro with SP2 / networksave problem.
From: Cliff Galiher - MVP on 23 Jun 2010 21:35 Mikey, I've posted several steps for you to take and you haven't taken them. I know that having a system not work the way you expect can be frustrating, but randomly changing settings and poking at the system only makes things worse. Here are my final words of advice, then I'll shut up. If you decide you want to pick up the thread of troubleshooting we started, I'll leave it for you to re-engage at that point: 1) This is SBS. Use the wizards. There are many blog posts and talented people that give great advice about Exchange, Windows Server, and other components, but they may not be experienced with SBS. The "thinkg" about SBS is that it sometimes stores settings in odd places that the enterprise versions don't. This is to to allow the wizards and SBS console to work better with integrating the disparate pieces and it allows the wizards to "fix" misconfigured settings. However, if you are making manual change, even when you fix an issue, that means the wizard can actually re-break those settings because he wizard wasn't aware of the manual changes you made. In other words, be careful where you get advice. If the person giving advice isn't aware of the "SBS" way, they may unintentionally be making your life more difficult. This is not a reflection on the person, just a reflection on their skillset with enterprise products. SBS is a unique beast and that needs to be considered. 2) For he reasons above, use the wizards. If you aren't using a wizard to make a change, think twice. Every so often a setting comes up that truly *needs* manual tweaking. But that will come from a skilled SBSer that knows when it is time to stray from wizard-land. If you are straying, be *DARNED* sure you know why. 3) Be patient! Don't poke at things in hopes that a random button will fix an issue. Revoking a self-signed certificate in hopes that it'll cause the 3rd-party cert to take precedence, for example, will not work AND it can cause more problems because that self-signed cert may still be getting used for internal functions. Disabling IPv6 without a clear reason why may seem like a good idea too, but again, usually uases more harm thatn good because the intent going in was unclear. There ya go, and good luck. -- Cliff Galiher Microsoft has opened the Small Business Server forum on Technet! Check it out! http://social.technet.microsoft.com/Forums/en-us/smallbusinessserver/threads Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.
From: Mikey on 23 Jun 2010 21:50 On Jun 23, 8:35 pm, "Cliff Galiher - MVP" <cgali...(a)gmail.com> wrote: > Mikey, > > I've posted several steps for you to take and you haven't taken them. I know > that having a system not work the way you expect can be frustrating, but > randomly changing settings and poking at the system only makes things worse. > Here are my final words of advice, then I'll shut up. If you decide you want > to pick up the thread of troubleshooting we started, I'll leave it for you > to re-engage at that point: > > 1) This is SBS. Use the wizards. There are many blog posts and talented > people that give great advice about Exchange, Windows Server, and other > components, but they may not be experienced with SBS. The "thinkg" about SBS > is that it sometimes stores settings in odd places that the enterprise > versions don't. This is to to allow the wizards and SBS console to work > better with integrating the disparate pieces and it allows the wizards to > "fix" misconfigured settings. However, if you are making manual change, even > when you fix an issue, that means the wizard can actually re-break those > settings because he wizard wasn't aware of the manual changes you made. In > other words, be careful where you get advice. If the person giving advice > isn't aware of the "SBS" way, they may unintentionally be making your life > more difficult. This is not a reflection on the person, just a reflection on > their skillset with enterprise products. SBS is a unique beast and that > needs to be considered. > > 2) For he reasons above, use the wizards. If you aren't using a wizard to > make a change, think twice. Every so often a setting comes up that truly > *needs* manual tweaking. But that will come from a skilled SBSer that knows > when it is time to stray from wizard-land. If you are straying, be *DARNED* > sure you know why. > > 3) Be patient! Don't poke at things in hopes that a random button will fix > an issue. Revoking a self-signed certificate in hopes that it'll cause the > 3rd-party cert to take precedence, for example, will not work AND it can > cause more problems because that self-signed cert may still be getting used > for internal functions. Disabling IPv6 without a clear reason why may seem > like a good idea too, but again, usually uases more harm thatn good because > the intent going in was unclear. > > There ya go, and good luck. > > -- > Cliff Galiher > Microsoft has opened the Small Business Server forum on Technet! Check it > out!http://social.technet.microsoft.com/Forums/en-us/smallbusinessserver/.... > Addicted to newsgroups? Read about the NNTP Bridge for MS Forums. I thought I had replied, saying that the authentication settings you had mentioned above were as you recommended. I am currently waiting for my re-keyed certificate & will let you know how that works. And I will always use wizards, whenever possible!
From: Rich Matheisen [MVP] on 23 Jun 2010 21:51 On Wed, 23 Jun 2010 14:57:24 -0700 (PDT), Mikey <texan767(a)hotmail.com> wrote: [ snip ] >The CN is remote.mydomain.com I tried to make this >exchange.mydomain.com, but SBS's certificate request thinks remote >would be a better name, even though the server is named exchange! >The other names on the certificate are; >autodiscover.mydomain.com >exchange.mydomain.com >exchange.mydomain.local >sites Using your real domain name, and checking the certificate on remote.mydomain.com, those aren't the set of names I see on the certificate. What I see are these three names: mydomain.com remote.mydomain.com <= this is the "CN" soonermail.mydomain.com The certificate is one that you generated from your own CA. Is it safe to assume that all your mobile devices have your domain's root certificate installed as a trusted root certificate? The certificate is good from April 16, 2010 12:20:52PM until April 15, 2012 12:20:52PM The thumbprint of the cert is: e8b02b5f79e896915816a8928b1b5cd8d7d1045a Is this the certificate in which you see the names: exchange.mydomain.com exchange.mydomain.local autodiscover.mydomain.com sites .. . . or are you looking at some other certificate? >In Outlook, I've tried to use remote.mydomain.com and >exchange.mydomain.com & it doesn't like either of them! The "exchange.mydomain.com" isn't present in the cert, so its not working isn't a surprise. >What's even stranger, is that if you try to use OWA from a Mac (& >probably same goes for iPhones), I get the warning that the cert is >invalid. If the machine doesn't trust the issuing CA that may be why. >If I ask to show the certificate, it lists the following; >remote.mydomain.com >wwww.remote.mydomain.com >autodiscover.mydomain.com >exchange >exchange.mydomain.local >sites Where did "www.remote.mydomain.com" come from? You didn't mention that before. >Why isn't exchange.mydomain.com listed there? It's what the browser/ >iphone is looking for, & it's also one of my SAN names!!! Please verify that the certificate you're looking at and the one that's installed on remote.mydomain.com are the same. Use the thumbprints to tell them apart. --- Rich Matheisen MCSE+I, Exchange MVP
From: Rich Matheisen [MVP] on 23 Jun 2010 21:52 On Wed, 23 Jun 2010 17:25:11 -0400, "Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote: >On Wed, 23 Jun 2010 00:20:02 -0600, "Cliff Galiher - MVP" ><cgaliher(a)gmail.com> wrote: > >>Okay, once again getting everyone up to speed. The SRV record has been >>created and I got an updated Autodiscover log, info filtered and two >>important "errors" posted below: >>------------------------ > >Just trying to browse to his server gives me errors that the >certificate's revoked. Which is no longer the case. >Maybe he has the cert installed on the CAS but not on ISA/TMG? Not sure what's changed, but it seems thaere's an awful lot of confusion about what names are on the certificate! --- Rich Matheisen MCSE+I, Exchange MVP
From: Mikey on 24 Jun 2010 02:05
On Jun 23, 8:52 pm, "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote: > On Wed, 23 Jun 2010 17:25:11 -0400, "Rich Matheisen [MVP]" > > <richn...(a)rmcons.com.NOSPAM.COM> wrote: > >On Wed, 23 Jun 2010 00:20:02 -0600, "Cliff Galiher - MVP" > ><cgali...(a)gmail.com> wrote: > > >>Okay, once again getting everyone up to speed. The SRV record has been > >>created and I got an updated Autodiscover log, info filtered and two > >>important "errors" posted below: > >>------------------------ > > >Just trying to browse to his server gives me errors that the > >certificate's revoked. > > Which is no longer the case. > > >Maybe he has the cert installed on the CAS but not on ISA/TMG? > > Not sure what's changed, but it seems thaere's an awful lot of > confusion about what names are on the certificate! > --- > Rich Matheisen > MCSE+I, Exchange MVP Ok, got my new re-keyed certificate, installed per the settings in sean daniel's site & names are correct in it. I have logged onto remote computers, checked the outlook settings & all looks good, but I am still continuously prompted for a pass word. I have used the repair settings & it tells me I'm configured to use exchange, at one point, it asked if I'd like to let exchange settings be configured for me. Authentication settings are as Cliff mentioned earlier. What could it be now? |