SBS 2011 Certificate for OWA and Remote

    Question

  • Hi all

    I have a SBS client and have just installed SBS 2011. They are using OWA and have asked me about getting rid of the "Certificate Error" when browsing their OWA site.

    Externally my client accesses the site at "mail.domain.com/OWA". When on the local network they access it by "192.168.1.30/OWA".

    I exported the certificate for the server and imported into my Windows 7 computer but the certificate error is still coming up, regardless of how I connect to this server.

    Why won't IE8 and Windows 7 trust this certificate from the SBS server?

    Thanks

    Richard

    Sunday, September 18, 2011 11:24 PM

Answers

  • The error you are getting seems to be due to a mismatch of URL and SAN... I guess you get to the page with the following message:

    "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

      Click here to close this webpage.

      Continue to this website (not recommended)."

    Does CTIW fail to complete because it detects another source of DHCP in the network?

    If so, you can skip that test by making the following registry change:

    Create the DWORD "SkipDHCPConfig" and set it to 1 under: HKLM\Software\Microsoft\SmallBusinessServer\Networking.

    Please check following post for details about the same:

    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/37d84f55-a8c0-4791-b3ae-581a2653d941/

     

     

    If you are still unable to proceed with CTIW then you may try the following.

    I could find 1 link which tells about a registry change to skip CTIW and run IAMW:

    changed: HKLM\SOFTWARE\Microsoft\SmallBusinessServer\Networking\

    "LastBasicConfigSuccessful"=dword:00000001

    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_26470032.html

    I tested it on my box and the change did let me run the IAMW wizard without running CTIW; however, I am not sure what the repercussions of doing so can be. Please take a good backup before making any change.

     

     

    Hope this helps!


    Monday, September 19, 2011 1:17 AM

All replies

  • What is the error message you get?

    You have to make sure that the Subject Alternative Name on the cert matches the URL.

    For example, if your URL is https://mail.domain.com/owa, then the corresponding entry should be present on the SAN.

    Also you need to export the root cert from server to the remote client [I guess you have already done that].

    You can run the IAMW Wizard with the correct name [mail prefix] and try again.

    http://blogs.technet.com/b/sbs/archive/2008/10/16/introducing-the-internet-address-management-wizard-part-2-of-3.aspx

     

    Sunday, September 18, 2011 11:40 PM
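
Added example, not part of the original thread: a Python sketch of the name check the reply above describes, showing why importing the certificate into the client's trust store does not clear the warning when the address typed into the browser is missing from the SAN. It assumes the usual RFC 6125-style matching rules (individual browsers differ in detail), and the SAN list is constructed sample data built from the two addresses in the question.

```python
import ipaddress
from urllib.parse import urlsplit


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(host, pattern):
    """Compare a hostname with one dNSName entry, label by label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and is
        # refused directly under a top-level name such as "*.com".
        return len(p) > 2 and h[1:] == p[1:]
    return h == p


def url_matches_cert(url, san_entries):
    """True if the URL's host is covered by the SAN entries.

    san_entries is a list of (kind, value) pairs, kind being "DNS" or "IP".
    An IP literal in the URL is compared only with IP entries, so a
    certificate that lists just a DNS name never matches an IP address.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    ip = _as_ip(host)
    if ip is not None:
        return any(k == "IP" and _as_ip(v) == ip for k, v in san_entries)
    return any(k == "DNS" and _dns_match(host, v) for k, v in san_entries)


# Constructed sample: a certificate whose SAN holds only the public name.
SAMPLE_SAN = [("DNS", "mail.domain.com")]

if __name__ == "__main__":
    for url in ("https://mail.domain.com/owa", "https://192.168.1.30/owa"):
        verdict = "match" if url_matches_cert(url, SAMPLE_SAN) else "NAME MISMATCH"
        print(f"{url:32} {verdict}")
```

Trusting the issuing root and matching the name are separate checks; a client that trusts the root still warns on every URL for which this function returns False.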
  • Hi there

    I am using SBS 2011 and the server is hosted in a data center. The server has an internal IP address and NAT translation for an Internet address. The whole Connect to the Internet Wizard has NEVER worked for this server; this server will NEVER be allowed to manage the router it connects to and will NEVER be the default gateway for its clients. In fact this server doesn't do DHCP either.

    I posted a query to this forum about the whole CIW issue, but it was never resolved.

    So since I cannot do the Connect to the Internet part, I cannot do the Internet Address Management Wizard. Of course this has meant I have had to configure all kinds of stuff manually and thank goodness I can do this. I suspect nobody at Microsoft ever considered the possibility that an SBS server might be set up this way.

    But regardless of that rant, and please forgive it (you can see my frustration in it), the Subject Alternative Name might be the way to go. The error I am getting says "the certificate issued for this website was issued for a different website's address". I suspect it is the translation thing happening. So how might I resolve that?

    Thanks

    Richard

    Monday, September 19, 2011 12:17 AM
  • Hi there

    It was the DHCP issue, so I turned off DHCP while I ran the wizard. Once the wizard was done I turned off DHCP on the SBS server and turned it on again at the router. After the wizard I had to fix a few Exchange and other configurations that I had made prior to the wizard, but it is all working now. But I continue to have the certificate problem.

    So now what?

    Thanks

    Richard

    Monday, September 19, 2011 1:29 AM
  • Hi there

    Hey! It works! Terrific.

    But I hate that it was wizard based and I cannot make it work without the wizard. I am supposed to know more than "use the wizard".

    Thanks

    Richard

    Monday, September 19, 2011 1:33 AM
  • Hi 

    Please let me know if you were able to run IAMW on the server successfully?

    If not... then you need to do it to configure the cert properly... and that registry key will let you run IAMW... at least it does on my test box... Once you have the cert with the right name you should not get the warning page.

    Monday, September 19, 2011 1:35 AM
  • Please note that IAMW will make a lot of changes, including, but not limited to, configuring your Exchange connectors.

     

    Please refer to:

     

    http://blogs.technet.com/b/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx

     

    http://blogs.technet.com/b/sbs/archive/2008/10/16/introducing-the-internet-address-management-wizard-part-2-of-3.aspx

     

    http://blogs.technet.com/b/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-3-of-3.aspx

     

     

    Monday, September 19, 2011 1:39 AM
  • But I hate that it was wizard based and I cannot make it work without the wizard. I am supposed to know more than "use the wizard".

    Then you need a different Microsoft product, one or other variant of Windows Server. SBS is *not* a variant of Windows Server, it is a complex network appliance which uses a version of Windows Server as its base OS. If you don't wish to use the wizards, or the appliance configuration system which is what they really are, then you need to find out exactly what each wizard does, every detail and in which order, and hope that the underlying OS allows a user to carry out all of these tasks. It may not.

    Do you create email contacts in Active Directory, setting each LDAP value by hand, or do you do it with the Exchange Manager? What's the difference then in using the SBS Manager rather than setting multiple registry values by hand?

    Joe

    Monday, September 19, 2011 9:10 AM
  • I agree with Joe. SBS is a highly integrated product and the best way to configure is by using the wizards. I know it can get really frustrating when the wizards do not work as they are supposed to in an ideal scenario and all you see are red X instead of a green check mark, but on the other hand it does let you know what had failed and it gives us the option to troubleshoot with the help of log files that are generated for almost every wizard:

    http://blogs.technet.com/b/sbs/archive/2008/10/01/key-small-business-server-2008-log-files.aspx

     

    To answer your question, it is possible to do things manually, but it's really a pain to do it in all the places. If you refer to the blog I posted before, you will see that IAMW makes a lot of changes and doing all that manually can be cumbersome. I don't hold complete expertise in PKI; however, you may refer to the following articles for the manual work [and again it's not recommended]:

    http://support.microsoft.com/kb/931351

    http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority

    Monday, September 19, 2011 9:46 AM