none
OWA / Companyweb Connection Problem RRS feed

  • Question

  • Hi,

    I am having a number of issues related to OWA, company web etc. When I try and browse the OWA website using https://server-ip/owa, https://servername/owa or https://servername.domain/owa both are not resolving on both the server and the client PC's internally or externally. When I use https://localhost/owa this works fine on the server. I have run nslookup and the response is correct. I have not applied any updates before this error started happening. This in-turn has had a knock on effect that I can not resolve autodiscovery.

    I am also experiancing isssues is WSUS - 'the server cannot be found' but this may be a knock on effect. All sites are running in IIS.

    I would be very greatful if someone could advise me of a solution as i'm running out of ideas.

    Thanks in advance

    James

    Thursday, March 8, 2012 11:39 AM

All replies

  • Version of Exchange / SBS?

    Have you run the Fix My Network wizard? Although it sounds like it is an SSL certificate error. Do you have a commercial certificate on the site?

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Thursday, March 8, 2012 12:01 PM
  • Hi Simon,

    SBS 2008 / Exchange 2007 SP3

    Yes I have run the wizard quite a few times the only issue it is coming back with is 'Could not configure the router'.

    The router is set up to forward all relevant ports to the server.

    We use a self-assigned certificate.

    Thanks

    James

    Thursday, March 8, 2012 12:32 PM
  • Was the self-signed certificate installed by SBS or some other process? I still think it is an issue with the SSL certificate - it could be a bad SSL certificate. My preference would be to swap it for a commercial certificate. These can be purchased for less than $80/year https://certificatesforexchange.com/ and would ensure that you don't have to worry about trust issues and telling users to ignore certificate prompts which I consider a security risk.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Thursday, March 8, 2012 12:49 PM
  • The self-signed certifcate was all installed by SBS, and created during inital configutation.

    Below is what is included in the site bindings for SBS Web Applications:

    The https bind is attached a certiicate which corresponds to mail.domain.com and is valid till 07/2014.

    I can order a commercial certifcate if you think that could fix the issue but would a self-assigned one would cause this problem now as in the past it has been fine.

    Thanks

    James



    • Edited by JCWells Thursday, March 8, 2012 1:01 PM
    Thursday, March 8, 2012 1:00 PM
  • It isn't the bindings that is the issue - it could be a corrupt certificate, which means the SSL session cannot be established. That would also stop WSUS, which also makes connections of SSL.

    My preference is always to use a commercial certificate, particularly if the site is internet facing. I don't like users getting prompts.

    On SBS 2008 though, the certificate installation has to be done with care. I have notes on the process here:

    http://exchange.sembee.info/2007/install/sbs2008ssl.asp

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Thursday, March 8, 2012 1:26 PM
  • Ok I'll get a comercial certificate and follow the guide, I'll have an update in a bit.

    Thanks

    James


    • Edited by JCWells Friday, March 9, 2012 2:58 PM
    Thursday, March 8, 2012 2:09 PM
  • Hi Simon,

    I've installed a comercial certifcate as per the guide, I am still finding a problem with connectivity to these sites.

    I re-ran the SBS best practices and it found the following issues:

     HTTP Port (TCP 80) Status :  
     The System process should listen on Port 80, but that port is owned by the process.
     
      HTTPS Port (TCP 443) Status :  
     The System process should listen on Port 443, but that port is owned by the process.
     
      HTTPS Port (TCP 987) Status :  
     The System process should listen on Port 987, but that port is owned by the process.
     
      No SSL certificate is configured for the SBS SharePoint site :  
     The SBS SharePoint site is not associated with an SSL certificate. To configure a certificate for the SBS SharePoint site, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. In IIS Manager, double-click Sites, right-click SBS SharePoint, and then click Edit Bindings. In the Site Bindings dialog box, click the type for https on port 987, and click Edit. In the Edit Site Binding dialog box, select the appropriate certificate, and then click OK.
     
      User account does not show in the Windows SBS Console :  
     The user account Sharepoint does not have the attributes that are necessary for it to display in the Windows SBS Console.
     
      User account does not show in the Windows SBS Console :  
     The user account DCS_SERVER does not have the attributes that are necessary for it to display in the Windows SBS Console.

    I assume the ports can be ignored, within the IIS Manager the SBS Sharepoint site is bound to the new comercial certificate. Should the user Sharepoint and DCS_SERVER show up in the Windows SBS console?

    Thanks

    James

    Friday, March 9, 2012 2:54 PM
  • Did you enable the certificate through the SBS management console?

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, March 9, 2012 2:57 PM
  • I imported it into Exchange using

    Import-ExchangeCertificate -Path C:\CertificateFile.crt

    And then used the Add trused Certificate in the SBS Console.

    Thanks

    James

    Friday, March 9, 2012 3:00 PM
  • That is the correct way to do it. Otherwise it upsets Exchange.

    Have you run the fix my network wizard since installing the certificate?

    Is there something else on the system that is using the ports? To get listening errors usually means there is configuration error or something else installed.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, March 9, 2012 3:04 PM
  • When I ran, pre to the Best Practice Wizard, it brought up the following issues:

    When I re-ran the wizard, only the port error was displayed. I dont run anything else on these ports and mail on port 25 functions fine and I can still VPN in.

    The only other thought I have is if Trend Worry Business.

    Thanks

    James


    • Edited by JCWells Friday, March 9, 2012 3:40 PM
    Friday, March 9, 2012 3:34 PM
  • Something else is listening to the port. You can try using some of the tools like netstat to see if you can identify what process that is.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, March 9, 2012 5:00 PM
  • Hi Simon,

    I've jsut done a netstat -ano >> C:\connections.txt and the following entries are listed against 443

    TCP    127.0.0.1:443          0.0.0.0:0              LISTENING       4

    Should this not be

    TCP 0.0.0.0:443 0.0.0.0:0 LISTENING

    Thanks

    James



    • Edited by JCWells Friday, March 9, 2012 5:49 PM
    Friday, March 9, 2012 5:38 PM
  • If that is the only entry, then it is only listening on 127.0.0.1. Which is wrong.

    Try this:

    netstat -an | findstr :443

    You should get back this (taken from my reference SBS 2008 machine).

    C:\Users\NetAdmin>netstat -an | findstr :443
     TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
     TCP    [::]:443               [::]:0                 LISTENING

    Anything else and the bindings are all screwed up.

    Run another netstat, this time with -ab and it should tell you what process is listening on the port.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, March 9, 2012 8:18 PM
  • Hi Simon,

    Thanks for that,

     netstat -an | findstr :443 resolved the following

     TCP    127.0.0.1:443          0.0.0.0:0              LISTENING
     TCP    192.168.10.1:10909     92.123.89.83:443       ESTABLISHED
     TCP    192.168.10.1:11266     92.123.89.83:443       ESTABLISHED
     TCP    192.168.10.1:17852     92.123.89.83:443       CLOSE_WAIT
     TCP    192.168.10.1:18238     92.123.89.83:443       CLOSE_WAIT
     TCP    192.168.10.1:18412     92.123.89.83:443       CLOSE_WAIT
     TCP    192.168.10.1:26464     92.123.89.83:443       ESTABLISHED

    When I ran netstat -ab | findstr :443 in an admin console it cameback with

    x: Windows Sockets initialization failed: 5

    Thanks,

    James

    Monday, March 12, 2012 9:44 AM
  • Despite the errors about sockets failing, you should have seen two references to 443:

    x: Windows Sockets initialization failed: 5
      TCP    0.0.0.0:443            SERVER:0             LISTENING

    x: Windows Sockets initialization failed: 5
      TCP    [::]:443               SERVER:0             LISTENING

    So your bindings are wrong. I presume you have checked in IIS manager to see whether they are correct?

    If they are shown as correct in IIS, then try restarting IIS services and see if all of the web sites become available - that will show if something else is using the port.

    Otherwise it is looking like a corrupt IIS metabase, which isn't pretty to resolve on SBS at all.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Monday, March 12, 2012 5:41 PM
  • Hi,

    Looks like only one entry when running the command prompt from admin.

    TCP    127.0.0.1:443          0.0.0.0:0              LISTENING

    Have restarted IIS Service using iisreset /stop /start /status and all services are running.

    The https 443 is bound to the comercial server certificate.

    If this is indeed a currupt metabase, what would be the best way of resolving this / is it possible to backup and reinstall or would this just take the currupt metabase into the new install? or is there another way of a clean install but porting over just email, users and computer information?

    Thanks

    James

    Tuesday, March 13, 2012 8:07 AM
  • I have just compared with my reference SBS 2008 server and the first image with "localhost" as bound to Port 80 is not the same.

    The default web site has port 80 bound to * with nothing list for host name.

    The "SBS Web Applications" web site has Sites on port 80 and * on 443. So it is different to what you are seeing.

    If the IIS metabase is corrupt, then the cleanup is considerable.

    In addition to the steps here:

    http://support.microsoft.com/kb/320202

    You will need to run the wizards in SBS again and probably fix my network wizard. It is all tightly integrated and it will break quite badly until SBS is sorted out.

    You might find it is better to call Microsoft support, pay their fee and get them to fix it for you.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Wednesday, March 14, 2012 5:25 PM
  • Hi Simon,

    I have corrected this and still shows no sign of resolving. I also have applied the latest rollup updates for exchange.

    I have also submitted this to Experts Exchange but no luck yet.

    I have only 6 user accounts and 12 PC's is it worth just installing from barebones as my backups don't go back far enough?

    Thanks

    James

    Thursday, March 15, 2012 6:15 PM
  • That is your choice.

    I still suspect an issue with IIS, where the change isn't being written to the metabase correctly. You can try setting it to something completely different, so it is wrong and then running the Fix My Network wizard so it corrects it, but if the corruption is extensive then tha tmight not fix it either.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Thursday, March 15, 2012 7:29 PM
  • I have run edit the Default website ports and the SBS Web Applications ports and bindings to some random number.

    I then re-ran the Fix my network wizard, this wanted to correct this are did create the correct bindings. But it seems the error is still there, I guess the database is quite corrupt from what you are saying. The rebuild looks quite complicated and I can not afford to loose emails. It is sounding like a rebuild might be the better idea, backup all emails to pst files, remove from domain all client pc's and then rebuild from fresh. Using another harddrive is best then I can allways go back to it, as soon as I know permisions and accounts are setup OK. Would it be worth going to SBS 2011 instead and then import the pst files into the client inbox's.

    Thanks

    James

    Friday, March 16, 2012 1:25 PM
  • Recreating the virtual directories and IIS metabase, while complex, is a lot less complex than rebuilding the server completely - although if an IIS reinstall didn't fix the issue that might be what you are looking at having to do anyway.

    If you cut port 25 inbound while doing the work then you will not lose any email.

    If you have the licences for SBS 2011 instead, then that would be one option. If you do decide to rebuild be aware of this issue with regards to old email: http://blogs.technet.com/sbs/archive/2009/05/21/cannot-reply-to-old-emails-or-modify-old-calendar-items-after-pst-mail-migration.aspx

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Sunday, March 18, 2012 2:55 PM