Exchange 2007 - Outlook Web Access setup

    Question

  • I have recently completed a (fairly standard) Exchange 2007 install on a brand new (Windows 2008) server. I would now like to set up outlook web access. I have done nothing to change the default settings for OWA at this stage - however OWA does not work internally (or externally). I believe this is to do with the default security settings? Do I need to make changes to the 'default web site' in the IIS 7.0 Manager? I have looked everywhere and can’t find any simple instructions for what needs to be done to the default OWA set-up to get it working.

    Wednesday, April 15, 2009 1:25 PM

All replies

  • What roles are installed on the server?

    What URL are you using?  Are you trying to access a mailbox on Exchange 07 or Exchange 03?

    Have you tried to go to https://localhost/exchange from the actual Exchange Server?

    BP
    Wednesday, April 15, 2009 4:12 PM
  • The following roles are installed on the Exchange Server:

    ·         Mailbox Server   

    ·         Client Access Server   

    ·         Unified Messaging Server   

    ·         Hub Transport Server   

    The URL I am using is: https://localhost/owa from the actual Exchange Server. (I have also tried https://localhost/owa and get the same result)

     

    Internet Explorer then comes up with the following message:

     

    There is a problem with this website's security certificate.

    The security certificate presented by this website was not issued by a trusted certificate authority.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. 

     We recommend that you close this webpage and do not continue to this website. 

    ·         Click here to close this webpage. 

    ·         Continue to this website (not recommended). 

    ·         More information

     

    When I click on Continue with this website the URL in explorer bar changes to: “https://localhost/owa/auth/logon.aspx?url=https://localhost/owa/&reason=0”

    And I get a certificate error, and no page loads.

    I don’t get to a point where I get to select a mailbox.

    Thursday, April 16, 2009 2:04 AM
  • Hi,

     

    First, please try to run get-exchangecertificate | fl and then post the output here. Also, please post the certificate error here.

     

    Please check if the user or service account has been specified under the Advanced Settings -> attribute Physical Path Credentials.

    Besides, I’d like to know the OS version of the Exchange Server, and whether you have applied all the latest rollups for Exchange Server.

     

    More information about certificates to share with you:

     

    Certificate Use in Exchange Server 2007

    http://technet.microsoft.com/en-us/library/bb851505.aspx

     

    Regards,

    Xiu

    Thursday, April 16, 2009 7:37 AM

  • [PS] C:\Windows\System32>get-exchangecertificate | fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 23/02/2012 12:00:00 AM
    NotBefore          : 23/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : 7CF983C1A73BF4AE4EA60312CC19CDAB
    Services           : None
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : 43C05E3CEAAF76EC97D7D784075E800AC20E68B8

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 23/02/2012 12:00:00 AM
    NotBefore          : 23/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : 6037CC2A0A3FA39840CCEF94B45C58E5
    Services           : IIS
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : F470C981991AF5B3177ADB798B26F76F78440235

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 10/02/2012 12:00:00 AM
    NotBefore          : 10/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : 7A4BDD8A9C545B914D49AF11DFFBA95E
    Services           : None
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : 33ED46541B16884394C252030FB698BA8E000809

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 10/02/2012 12:00:00 AM
    NotBefore          : 10/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : 5347CE22AF63BC9F471E35542E3F9D3F
    Services           : None
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : A79B9FA97C616CB485B101D42EF71909C8A09DA7

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-PVH-MEL}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-PVH-MEL
    NotAfter           : 7/02/2019 6:09:47 PM
    NotBefore          : 9/02/2009 6:09:47 PM
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 96CE70E39025D6A7431D1844DBB33DFA
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-PVH-MEL
    Thumbprint         : 812971F8D7DB5540ABC653CAA8A6CDC50FC121BD

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 9/02/2012 12:00:00 AM
    NotBefore          : 9/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : B984DCF49EA7EAA84241DFC4C8DCC547
    Services           : None
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : 681B79AA0FD57C10EA02E7430FE0408289B1AD84

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel, pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel
    NotAfter           : 21/12/2009 5:12:08 PM
    NotBefore          : 21/12/2008 5:12:08 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 9635EDD836BE86B146774A5E523E8141
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=pvh-mel
    Thumbprint         : 2C554614BA61EBF39F904B121A20ADD16AAF782A



    I don't understand this: "Please check if the user or service account has been specified under the Advanced Settings -> attribute Physical Path Credentials."

    As stated above, "I have recently completed a (fairly standard) Exchange 2007 install on a brand new (Windows 2008) server." It has been well patched with the latest rollups. (Rollup 6 for Exchange Server 2007 SP 1)

    any ideas? many thanks. 

    Thursday, April 16, 2009 11:47 AM
  • firewall?

    Can you get to OWA from the actual machine specifying localhost or the machine name?
    BP
    Thursday, April 16, 2009 1:28 PM
  • As you can see from above, "The URL I am using is: https://localhost/owa from the actual Exchange Server."
    Friday, April 17, 2009 5:59 AM
  • Hi,

     

    I note that you have several certificates installed. For IIS services, you have two certificates. We need to verify whether a valid certificate has been issued to OWA from Internet Information Services (IIS) Manager, and then try to remove the additional one. You can delete the certificate from the Certificates MMC.

    1. Please open Internet Information Services (IIS) Manager. (Note: Start - Administrative Tools - Internet Information Services (IIS) Manager)

    2. Find the OWA virtual directory under “Default Web Site” and then right-click on it.

    3. Please navigate to the “Directory Security” tab and click on “View Certificate” in the “Secure communication” area.

    4. Please check “Issued to” on the “General” tab to verify whether it is the same as the site name. (Note: URL for OWA: https://sitename/owa)

    5. Please check whether the certificate has a private key.

    6. Please note the Thumbprint of this certificate (Note: you can find it in the drop-down list on the “Details” tab); we need to find this certificate in the Certificates MMC.

    Then we need to verify this certificate in the Certificates MMC.

    1. Please type “MMC” from a command prompt.

    2. Click “File” - “Add/Remove Snap-in” - “Add” - “Certificates” - “Add” - “Computer Account” - “Local computer” - “Finish”.

    3. In the console, please check whether it is under “Trusted Root Certification Authorities”.

    4. Please find the certificate and check whether it is the same as the one for the OWA virtual directory.

     

     

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel.pvh.local
    NotAfter           : 23/02/2012 12:00:00 AM
    NotBefore          : 23/02/2009 12:00:00 AM
    PublicKeySize      : 1024
    RootCAType         : None
    SerialNumber       : 6037CC2A0A3FA39840CCEF94B45C58E5
    Services           : IIS
    Status             : Valid
    Subject            : CN=pvh-mel.pvh.local
    Thumbprint         : F470C981991AF5B3177ADB798B26F76F78440235

     

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {pvh-mel, pvh-mel.pvh.local}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=pvh-mel
    NotAfter           : 21/12/2009 5:12:08 PM
    NotBefore          : 21/12/2008 5:12:08 PM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 9635EDD836BE86B146774A5E523E8141
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=pvh-mel
    Thumbprint         : 2C554614BA61EBF39F904B121A20ADD16AAF782A

     

    Regards,

    Xiu

     

    Friday, April 17, 2009 6:20 AM
  • Thank you for your help so far.

    The version of Internet Information Services (IIS) Manager that I have (version 7.0.6000.16386) does not have the commands you have listed.

    When I go to the OWA directory and right-click on it (step 2 in your instructions) I do not have an option "Directory Security".
    Friday, April 17, 2009 7:33 AM
  • Sorry, I missed that it is IIS 7.

     

    We can check the certificate through steps below. 
     

    1.    Open IIS manager.

    2.    Navigate to “Default Web Site”.

    3.    Click “Bindings” from action pane.

    4.    Hit “Https” and then click edit.

    5.    In the SSL certificate area, please try to select the certificate from the drop-down list. It should be pvh-mel. Then you can access OWA using https://pvh-mel/owa.


    Besides, I recommend that you delete the additional certificate from the Certificates MMC.

    Regards,

    Xiu

     

     

    Friday, April 17, 2009 8:35 AM
  • Thank you!

    There are 8 options (7 certificates) listed under the HTTPS SSL certificate area in "Edit Bindings"; they are:

    Not Selected
    pvh-mel.pvh.local
    pvh-mel.pvh.local
    WMSvc-PVH-MEL
    pvh-mel.pvh.local
    pvh-mel.pvh.local
    pvh-mel.pvh.local
    Microsoft Exchange

    When I select each one and then choose 'view' they all say "This CA Root Certificate is not trusted", except for "WMSvc-PVH-MEL" and "Microsoft Exchange" which say "This certificate is intended for the following purposes: Ensure the identity of a remote computer, All issuance policies"

    Which one should I use?

    Also, what form(s) of authentication should I have under Default Web Site > Authentication? Should it be anonymous? Forms?
    What form of authentication should I have under the OWA site > Authentication?

    Friday, April 17, 2009 9:26 AM
  • Hi,

    From my lab, it should be "Microsoft Exchange".

    For default web site:  "Anonymous Authentication" is enabled.
    For OWA: "Basic Authentication" is enabled.

    You can refer to the article below:

    http://msexchangeteam.com/archive/2008/02/01/447989.aspx

    Regards,
    Xiu

    Friday, April 17, 2009 9:45 AM
  • MartenPeck,

    The only concern I have is that your CA, which appears to be pvh-mel.pvh.local, is not trusted.  Is this a domain CA?  It appears to be self assigned....

    Keep in mind that the Microsoft Exchange cert is self assigned and only valid for 1 year, while a cert from your CA can be good for X amount of years.  I have seen clients who suddenly have OWA stop working b/c the default cert has expired and OWA stops working.

    Depending on how many CAS servers you have in your environment and if you have ISA or not (using SSL Bridging) you may want to get a third party cert for your CAS server(s).  Users will also get a cert warning when connecting to the exchange server if the cert is a self signed cert. 
    BP
    Friday, April 24, 2009 1:39 PM
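
The checks discussed in this thread (which certificate is enabled for IIS, whether it lists the name used in the OWA URL, and when it expires) can be run as one read-only audit in the Exchange Management Shell. This is an added example, not part of the original thread; it uses only properties visible in the posted Get-ExchangeCertificate output, takes the host name pvh-mel from the thread, and the 2048-bit and 60-day thresholds are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Client Access server.
# $owaHost is the name users type in https://<name>/owa (taken from the thread).
$owaHost = 'pvh-mel'
$now     = Get-Date

# Read-only: collect each certificate with the facts needed to choose a binding.
$audit = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, Services, NotAfter, PublicKeySize,
    @{Name = 'CoversHost'; Expression = {
        # True when the certificate lists the host name used in the OWA URL.
        @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $owaHost }},
    @{Name = 'Findings'; Expression = {
        $f = @()
        if ($_.IsSelfSigned)           { $f += 'self-signed' }
        if ($_.PublicKeySize -lt 2048) { $f += 'key under 2048 bits' }          # assumed threshold
        if ($_.NotAfter -lt $now)      { $f += 'expired' }
        elseif ($_.NotAfter -lt $now.AddDays(60)) { $f += 'expires within 60 days' } # assumed window
        [string]::Join('; ', $f) }}

$audit | Sort-Object NotAfter | Format-List

# More than one certificate enabled for IIS is the ambiguity seen in the thread.
$iis = @($audit | Where-Object { $_.Services.ToString() -match 'IIS' })
if ($iis.Count -gt 1) {
    Write-Warning "$($iis.Count) certificates are enabled for IIS; keep only one."
}
$iis | Where-Object { -not $_.CoversHost } | ForEach-Object {
    Write-Warning "$($_.Thumbprint) is enabled for IIS but does not list $owaHost."
}

# Changes are left commented out. $keep and $drop are placeholders: paste
# thumbprints from the audit output, then preview each change with -WhatIf.
# $keep = '<THUMBPRINT-TO-KEEP>'
# $drop = '<THUMBPRINT-TO-REMOVE>'
# Enable-ExchangeCertificate -Thumbprint $keep -Services IIS -WhatIf
# Remove-ExchangeCertificate -Thumbprint $drop -WhatIf
```

A certificate flagged as self-signed still produces the browser warning described earlier in the thread on any client that has not been told to trust it.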