Weird CAS to CAS proxy error with Mac's RRS feed

  • Question

  • I have a CAS to CAS proxy set up between 3 sites. OWA works fine. However, I am trying to set up Outlook 2011 for Mac for a couple of users. The account gets added fine; however, the mailbox is blank. On the Internet-facing CAS, I see the following error:

    Client Access server <Internetfacing CAS> tried to proxy Exchange Web Services traffic to Client Access server <RemotesiteCAS> This failed because the registry key "HKLM/System/CurrentControlSet/Services/MSExchange OWA/AllowInternalUntrustedCerts" is set to "0", but no certificate trusted by  <Internetfacing CAS> was available for the SSL encryption of the proxy connection.

    I checked the registry on all CAS servers (Internet-facing and remote) and none of them have the reg key mentioned in the error.

    Any advice appreciated!

    Tuesday, September 13, 2011 2:23 PM

Answers

  • Hi,

    To resolve this problem, you have two options:

    Method 1. Add the key AllowInternalUntrustedCerts on your Internet-facing CAS server:

    a. Open regedit, expand to HKLM/System/CurrentControlSet/Services/MSExchange OWA

    b. Create a new DWORD value with the name 'AllowInternalUntrustedCerts', set the value to 1.

    c. Restart IIS services.

    Method 2. Manually import the self-signed certificates which are used by the other CAS servers into the Internet-facing CAS server:

    a. On your Internet-facing CAS server, open IE and browse to https://cas1.domain.com/owa

    b. You will receive a certificate warning such as "this certificate is not trusted". Click Continue.

    c. On the OWA logon page, right-click and choose Properties.

    d. Click Certificates. In the General tab, click "Install Certificate". Select "Place all certificates in the following store". Click Browse, select "Trusted Root Certification Authorities". Click OK to install.

    e. Click the Certification Path tab; you may see there are two certificates. One is the root certificate at the top of the path. Highlight it and then click "View Certificate". Click "Install Certificate". Select "Place all certificates in the following store". Click Browse, select "Trusted Root Certification Authorities". Click OK to install.

    f. Restart IE and browse to https://cas1.domain.com/owa again; if the certificate warning does not pop up, we can be sure that the certificate is installed successfully.

    g. Browse to your other CAS server and repeat the steps.


    • Marked as answer by IlyaD Friday, September 16, 2011 5:38 PM
    Friday, September 16, 2011 9:42 AM
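The two methods in the accepted answer, done from PowerShell instead of regedit and IE. This is an added example and not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the Internet-facing CAS, and cas1.domain.com is the placeholder hostname used in the answer. Method 2 is shown with a check that the remote certificate actually validates after the import, which is what step f verifies by re-opening IE.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Internet-facing CAS. 'cas1.domain.com' is the placeholder name from the answer.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$ValueName = 'AllowInternalUntrustedCerts'

# --- Method 1: the DWORD named in the error message -------------------------
function Get-AllowInternalUntrustedCerts {
    # Returns $null when the value is absent (the situation the question describes).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AllowInternalUntrustedCerts {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    iisreset /noforce   # step c of Method 1: restart IIS so the CAS re-reads the key
}

# --- Method 2: trust the specific certificate the remote CAS presents ---------
function Get-RemoteCasCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during this one handshake: we only want to *see* the
        # certificate. Nothing becomes trusted until it is explicitly added below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

function Get-RootOfChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Walk the chain as step e does; for a self-signed cert the leaf is its own root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($Certificate)
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

function Test-CertificateTrusted {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Default policy (no special flags): $true means the machine now trusts the chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    return $chain.Build($Certificate)
}

function Import-TrustedRootCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # LocalMachine\Root is the "Trusted Root Certification Authorities" store from step d/e.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

# --- usage -------------------------------------------------------------------
"AllowInternalUntrustedCerts is currently: $(Get-AllowInternalUntrustedCerts)"

foreach ($cas in @('cas1.domain.com')) {     # list every remote CAS here (step g)
    $leaf = Get-RemoteCasCertificate -HostName $cas
    $root = Get-RootOfChain -Certificate $leaf
    "$cas presents '$($leaf.Subject)' (thumbprint $($leaf.Thumbprint)); root is '$($root.Subject)'"
    if (-not (Test-CertificateTrusted -Certificate $leaf)) {
        Import-TrustedRootCertificate -Certificate $root
        "Trusted after import: $(Test-CertificateTrusted -Certificate $leaf)"
    }
}
```

Printing the subject and thumbprint before the import lets you confirm you are trusting the certificate of your own remote CAS and nothing else; the import is per-certificate, so only the hosts you list gain trust, whereas setting the registry value to 1 turns off that check for every proxied connection.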

All replies

  • Is this happening to only one mailbox?

    I have seen weird issues like this with EWS and Macs... A few things you may want to look into:

    - upgrade Exchange 2010 SP1 to Rollup 2
    - update Outlook 2011 for Mac
    - EWS URLs
    - IIS logs on the CAS server.


    Z-Hire -- Automate IT Account creation process
    Z-Term -- Automate IT account termination process
    Tuesday, September 13, 2011 7:54 PM
  • That is because you're doing CAS to CAS proxy and not using a trusted cert or a third-party cert. When you use the default self-signed cert, it's generated on each individual server, so the servers do not trust each other's since they're not from the same CA. The self-signed cert will work with proxying if AllowInternalUntrustedCerts is set to 1 or the reg key is not present. I have no idea where it's picking up this reg key.

    Didn't you get a third-party SAN cert that included all your CAS server names to import into all your CAS servers?


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Tuesday, September 13, 2011 8:07 PM
  • Denny: It is happening to any user who is on a remote site from the Internet-facing CAS. I will look at upgrading and see how that works out.

    James: On my 3rd-party SAN cert I was limited to 5 domains, and 3 were taken by the Exchange defaults (autodiscover, legacy, mail); I then added our main site CAS and mail server. However, the reg keys are not present, so I do not understand why it isn't trusting when the default is to trust internal certs.

    Thursday, September 15, 2011 5:15 PM
  • From my understanding, the default behavior of proxy-to-proxy SSL is not trusted. So even though that reg key is not there, it doesn't matter. I would go ahead and set that reg key to 1 and test. Make sure you restart any transport services.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, September 16, 2011 1:26 AM
  • Thanks to all. Adding the key and setting it to 1 worked.
    Friday, September 16, 2011 5:38 PM