none
Activesync and OWA issue on SBS2008

    Question

  • I have moved this here from the Exchange Forums:

    One of my clients has an SBS2008 server and use Nokia mobiles to connect to their exchange accounts.

    This has been working fine for the past couple of years, but after a server reboot last month it isn't working. The Nokia's are just coming up with a certificate error, not giving me a chance to install a new certificate or ignore it.

    I have run https://www.testexchangeconnectivity.com/ and it fails here:

          Testing HTTP Authentication Methods for URL https://remote.companyname.co.uk/Microsoft-Server-ActiveSync/.
           The HTTP authentication test failed.
            Tell me more about this issue and how to resolve it
                       Additional Details
           The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.

    does anyone know what this means? and how to resolve it?

    Also, OWA is not working, i am getting this error;

    404 - File or directory not found.

    or from the server:

    Error Summary
    HTTP Error 404.0 - Not Found
    The resource you are looking for has been removed, had its name changed, or is temporarily unavailable. Detailed Error InformationModule IIS Web Core
    Notification MapRequestHandler
    Handler StaticFile
    Error Code 0x80070002
    Requested URL https://remote.potterowtram.co.uk:443/owa
    Physical Path C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\owa
    Logon Method Anonymous
    Logon User Anonymous
    Most likely causes:
    The directory or file specified does not exist on the Web server.
    The URL contains a typographical error.
    A custom filter or module, such as URLScan, restricts access to the file.

    Thursday, March 15, 2012 9:09 AM

Answers

  • That's again incorrect configuration.It only occurs if you re install exchange completely or at least the CAS role.

    Have a look at the following link,run the powershell script mentioned in it to get the default configuration of SBS [in SBS Exchange VD's run under SBS WEB APPLICATIONS]:

    http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

    Wednesday, March 21, 2012 6:38 AM
  • OWA is working again.

    exchange conecctivity analyzer is successful.

    reconnecting the nokias, they are still coming up with an issue on the certificate. They do work as long as you say "accept certificate this time only". If you choose always accept it seems to stall and not work.

    thanks all

    Wednesday, March 28, 2012 9:59 AM

All replies

  • Hi

    Are we getting a similar error in Event viewer :-

    Log Name:      System
    Source:        Microsoft-Windows-IIS-W3SVC
    Date:          8/1/2010 11:04:03 AM
    Event ID:      1007
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A

    Please go ahead and check if SBSwebapplications is started in IIS. If not start it . It might through up an error that the port is being used by some other website , please let me know if that is the case.

    Thanks

    SID

    • Proposed as answer by Raj Gera Thursday, March 15, 2012 10:43 AM
    • Unproposed as answer by darksidekiller1958 Thursday, March 15, 2012 2:34 PM
    Thursday, March 15, 2012 10:36 AM
  • HI,

    Please check if the correct certificate is binded to SBS web application.
    Also check if the certificate is valid or expired.

    Only Anonymous authentication should be enabled on SBS Web Application.

    Thanks

    Raj

    Thursday, March 15, 2012 10:46 AM
  • hi Raj,

    Please check if the correct certificate is binded to SBS web application.  - - How do i do this?

    I checked if the certificate was expired, and 2 of them were, so i ran this command "get-exchangecertificate -thumbprint <thumbprint> | new-certificate" and it gives the warning:

    this certificate will not be used for external TLS connections with an FQDN of <servername.domain.local> becuase the ca-signed cert with thumprint <thuimbprint> takes precedence.

    I said Yes to All on this, but now all the user pcs are coming up with certificate errors opening outlook!

    Thursday, March 15, 2012 2:12 PM
  • You check for the cert by going to properties of SBS WEB APPLICATIONS->edit bindings->443->click view against your cert name.

    Re run-IAMW wizard from sbs console ....it will create the required self signed cert and bind it as well.


    Thursday, March 15, 2012 2:19 PM
  • Sid,

    that error is not coming up in event viewer.

    SBS web applications is already started

    Thursday, March 15, 2012 2:39 PM
  • This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store - is what is currently said against the cert for sbs web applications on 443

    still worth recreating certificate in iamw?

    Thursday, March 15, 2012 2:42 PM
  • You need to install the root cert on client:

    http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

    However still go ahead and run IAMW,it only creates a leaf cert....

    Thursday, March 15, 2012 2:46 PM
  • where do I check anonymous authentication?
    Thursday, March 15, 2012 2:47 PM
  • Hi,

    At first, please check the virtual directory settings in the IIS manager according to the article below:

    Title: Default Authentication Settings for Exchange-related Virtual Directories
    URL: http://technet.microsoft.com/en-us/library/gg263433(v=exchg.80).aspx

    Note: After making the changes in the IIS manager, please runiisreset in the command prompt to make sure the changes take effect.

    If the certificate is self-signed certificate, you need to install the Root CA in the mobile device to make sure the trust could be inherited.

    And you need to enter the following URL in the IE browser on the server:

    https://localhost/owa
    https://localhost/Microsoft-Exchange-ActiveSync

    After entering the credentials, please let me know the webpage you have received.

    Please post back your output result here to get further analysis.

    Regards,
    James


    James Xiong

    TechNet Community Support

    Friday, March 16, 2012 6:40 AM
    Moderator
  • ok, changes made were:

    default web site - untick require ssl

    autodiscover - tick ssl + 128

    ews - tick basic auth, ssl + 128

    exadmin - tick ssl + 128

    exchange - tick ssl + 128

    exchweb - tick ssl + 128

    oab - enable basic auth, tick ssl + 128

    owa - tick ssl + 128

    public - tick 128

    RPC - enable windows auth, enable ssl + require 128

    RPC with Cert - the technet article says by default all auth is disabled, mine has windows auth enabled, I havent changed these ones yet as I am not sure i should . . . ?

    unified messaging - tick ssl + 128

    going to https://localhost/owa gives certificate warning, then login box, then will login to OWA as normal

    going to https://localhost/Microsoft-Exchange-ActiveSync shows

    HTTP Error 404.0 - Not Found

    The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

    Module IIS Web Core
    Notification MapRequestHandler
    Handler StaticFile
    Error Code 0x80070002
    Requested URL https://localhost:443/Microsoft-Exchange-ActiveSync
    Physical Path C:\inetpub\wwwroot\Microsoft-Exchange-ActiveSync
    Logon Method Anonymous
    Logon User Anonymous

    and shows certificate error on the address bar. I have tried installing the certificate but htis does not help.

    Friday, March 16, 2012 11:57 AM
  • also, now in IIS SBS Web Applications is showing as stopped. when i try to start it i get the error: the web site cannot be started. another web site may be using the same port.

    also, I have tried running the set up your internet address wizard, but it crashed each time i ran it!

    Friday, March 16, 2012 11:59 AM
  • At which state did the wizard fail/crash?RWW or exchange?

    Which other website is using the same port?Is it the default website?

    Stop all websites for 10 minutes and then start SBS WEB Applications.Then one by one start the other websites to find out which is causing the conflict.

    SBS Web Applications should have the binding for 443 and correct certificate attached to it and also a binding for port 80.

    Sunday, March 18, 2012 6:13 AM
  • I'm not sure when it is crashing! it starts off doijng the RWW, but crashed before any tick appears by it.

        

    see link of error screenshot: http://imageshack.us/photo/my-images/24/poperrro.jpg/

    SBS web app and default are both using bindings on 443 and 80



    Monday, March 19, 2012 12:04 PM
  • Remove 443 from default website.

    On SBS WEB APPLICATIONS edit the binding for 443 and click view certificate and check which certificate is selected.

    Next go to c:\program files\windows small business server\logs and rename dpcw.log to dpcw.old,then re run IAMW and collect the freshly generated dpcw.log.Put it on public interface of your sky drive and post the link here.

    Tuesday, March 20, 2012 3:25 AM
  • default website has owa and exchange etc running under it . . .
    Tuesday, March 20, 2012 3:52 PM
  • That's again incorrect configuration.It only occurs if you re install exchange completely or at least the CAS role.

    Have a look at the following link,run the powershell script mentioned in it to get the default configuration of SBS [in SBS Exchange VD's run under SBS WEB APPLICATIONS]:

    http://technet.microsoft.com/en-us/library/dd767439(WS.10).aspx

    Wednesday, March 21, 2012 6:38 AM
  • just a note to say, I didnt have time yesterday to do this, will hopefully get time today.
    Friday, March 23, 2012 8:49 AM
  • Hi,

    Any Update?

    Towards the output result, https://localhost/Microsoft-Server-ActiveSync returned HTTP 404: The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

    It seems that the ActiveSync feature corrupted on the server side, I suggest that you could rebulid the ActiveSync virtual directory to verify the issue.

    Remove-ActiveSyncVirtualDirectory

    New-ActiveSyncVirtualDirectory

    To get the command help, you could run this command in the EMS "Get-help <Your_Queried_Command>-detailed"

    Regards,

    James


    James Xiong

    TechNet Community Support

    Tuesday, March 27, 2012 12:58 AM
    Moderator
  • This is the result of the powershell script on the above technet article. I wasnt sure what to do about the certificates so i said no to all on them:


    [PS] C:\Windows\system32>.\sbscasreinstall.ps1
    BACKUP object "20120328T102908" added
    Connecting to "POPSERVER.potterowtram.local"
    Logging in as current user using SSPI
    Exporting directory to file C:\Users\ChurchMicros\AppData\Local\Temp\httpbackup_
    129774005498032977.ldf
    Searching for entries...
    Writing out entries............
    12 entries exported

    The command has completed successfully
    Remove-ExchangeCertificate : The internal transport certificate cannot be remov
    ed because that would cause the Microsoft Exchange Transport service to stop. T
    o replace the internal transport certificate, create a new certificate. The new
     certificate will automatically become the internal transport certificate. You
    can then remove the existing certificate.
    Parameter name: Thumbprint
    At C:\Windows\system32\sbscasreinstall.ps1:58 char:120
    + Get-ExchangeCertificate | Where { $_.Subject -eq "$DefaultExchangeCertificate
    " } | ForEach { Remove-ExchangeCertificate <<<<  -Thumbprint $_.Thumbprint }
        + CategoryInfo          : InvalidArgument: (:) [Remove-ExchangeCertificate
       ], ArgumentException
        + FullyQualifiedErrorId : 767D4613,Microsoft.Exchange.Management.SystemCon
       figurationTasks.RemoveExchangeCertificate


    Confirm
    Are you sure you want to perform this action?
    Remove certificate with thumbprint B669A5065F76A4E8BFB684A6EBF8617D6624E13C?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):l

    Confirm
    Are you sure you want to perform this action?
    Remove certificate with thumbprint EB3088C98204EC9B1BB1603FC91FA4F763B79FC5?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):l

    Confirm
    Are you sure you want to perform this action?
    Remove certificate with thumbprint FA288C569DB050752AD9FB4DE11F135FF8A30F0A?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
    (default is "Y"):l

    path                                    system.webServer
    ----                                    ----------------
    SBS Web Applications/ews                system.webServer
    SBS Web Applications/AutoDiscover       system.webServer
    SBS Web Applications/oab                system.webServer

    Attempting stop...
    Internet services successfully stopped
    Attempting start...
    Internet services successfully restarted
    C:\Program Files\Microsoft\Exchange ...
    WARNING: For these configuration changes to take effect, you must restart
    Internet Information Services (IIS). To restart IIS, run the following command:
     "iisreset /noforce".
    \\.\BackOfficeStorage
    \\.\BackOfficeStorage\potterowtram.c...
    \\.\BackOfficeStorage\potterowtram.c...
    \\.\BackOfficeStorage\potterowtram.c...
    C:\Program Files\Microsoft\Exchange ...
    C:\Program Files\Microsoft\Exchange ...
    C:\Program Files\Microsoft\Exchange ...
    C:\Program Files\Microsoft\Exchange ...
    C:\Program Files\Microsoft\Exchange ...

    Attempting stop...
    Internet services successfully stopped
    Attempting start...
    Internet services successfully restarted
    Unlocked section "system.webServer/security/authentication/windowsAuthentication
    " at configuration path "MACHINE/WEBROOT/APPHOST".
    Applied configuration changes to section "system.webServer/security/authenticati
    on/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/SBS Web Applications/ews"
     at configuration commit path "MACHINE/WEBROOT/APPHOST"
    Applied configuration changes to section "system.webServer/security/authenticati
    on/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/SBS Web Applications/Auto
    Discover" at configuration commit path "MACHINE/WEBROOT/APPHOST"
    Applied configuration changes to section "system.webServer/security/authenticati
    on/windowsAuthentication" for "MACHINE/WEBROOT/APPHOST/SBS Web Applications/oab"
     at configuration commit path "MACHINE/WEBROOT/APPHOST"
    "Default Web Site" successfully started.
    ERROR ( hresult:800700b7, message:Command execution failed.
    Cannot create a file when that file already exists.
     )


    Wednesday, March 28, 2012 9:36 AM
  • OWA is working again.

    exchange conecctivity analyzer is successful.

    reconnecting the nokias, they are still coming up with an issue on the certificate. They do work as long as you say "accept certificate this time only". If you choose always accept it seems to stall and not work.

    thanks all

    Wednesday, March 28, 2012 9:59 AM
  • What kinda of certificate do u use?Trusted or self issued?
    Thursday, March 29, 2012 12:36 AM