OMA over HTTPS not working
  • OMA over HTTPS not working

    Hi there,

    I would like to configure my Exchange Server 2003 to cope with mobile users having PDAs.

    As Exchange Server is not directly on the public IP address, I am about to configure front-end Linux to handle "RPC over HTTPS" requests.

    Currently, OMA is enabled, but working only with HTTP. As soon as I configure IIS to use HTTPS for OMA, I am not able to use HTTP any longer, but I am not able to use HTTPS as well with the message:

    "The page could not be displayed"


    It must be trivial to many of you, but it is blocking to me. Please help.

    Just an appendix: as this is going to be used internally only, do I really need to have a valid certificate for the above OMA over HTTPS?

    Finally, I found the following event in the Exchange event log:

    ---quote
    MSExchangeOMA
    Log: Application
    Type: ERROR
    Computer: RESIEXCH
    Time: Tue Jan 23 13:14:32 2007
    Event ID: 1503
    Description: An unknown error occurred while processing the current request:
    Message: The remote server returned an error: (403) Forbidden.
    Source: Microsoft.Exchange.OMA.ExchangeDataProvider
    Stack trace:
      at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
      at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
      at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)
    Message: Exception has been thrown by the target of an invocation.
    Source: mscorlib
    Stack trace:
      at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
      at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
      at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
      at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
      at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
    Message: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
    EventMessage:
    UserMessage: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
    Source: Microsoft.Exchange.OMA.UserInterface
    Stack trace:
      at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
      at System.Web.SessionState.SessionStateModule.RaiseOnStart(EventArgs e)
      at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
      at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
      at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
      at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    ---unquote

    Thank you.
    Last edited by rok117; 23rd January 2007, 14:29.

  • #2
    Re: OMA over HTTPS not working

    How do you have Kerberos set up between the f-e Linux and the b-e server?

    If Kerberos isn't configured properly, then Exchange will default to NTLM. I don't know that any flavor of Linux will use NTLM.

    Can you see the attempted logons?

    Does Ethereal show any evidence? Do a capture between FE and BE and look to see if the requests are 1) even getting there, 2) being denied or passed to the BE properly, 3) is there a SYN-ACK?

    See if you can find a "denied" in the capture...
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...



    • #3
      Re: OMA over HTTPS not working

      Thank you for replying, it does not have anything to do with the Linux machine. It is just related to SSL, as ..\oma URL is working with "http" and not working with "https".

      As soon as I figure this out, configuring Linux RPC would not cause any trouble.

      To resume: if I set in IIS to use SSL for OMA, OMA is not reachable using both HTTP and HTTPS URLs.



      • #4
        Re: OMA over HTTPS not working

        does this make any sense?

        We have been using OWA2000 for a few years now. The front end server sits in a DMZ and communicates to the backend server with a very painfully developed access list. In addition, you need two factor authentication to even get to the login screen.

        If you have a Linux server running Apache in the DMZ, you can use mod_proxy to proxy requests into the trusted/internal network.
        You just need an access list allowing the Linux box to connect to OWA on the backend machine.
        That's the way we have it set up and it seems to work perfectly.


        • #5
          Re: OMA over HTTPS not working

          Originally posted by James Haynes:
          does this make any sense?
          OK, if the Linux box is the GW then you have 2 choices:
          1) Port forwarding - not recommended (this way you practically put your server outside).
          2) Use a reverse proxy. This way you don't expose your main server. This option is divided into two: you can use Squid or Apache as the reverse proxy. If you choose to use Apache, this is a good guide: http://www.penguin.org.il/guides/owa-rproxy/ ...

          Have fun!
          Gili



          • #6
            Re: OMA over HTTPS not working

            Make sure that you have not set either /oma, /exchange or /microsoft-server-activesync virtual directories to REQUIRE SSL. That breaks functionality.

            Also ensure that you do not have anonymous authentication enabled on any of those three.

            Does it work without the Linux device, i.e. internally? You can use Internet Explorer to test, or download the emulator.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: OMA over HTTPS not working

              Hello Sembee,

              Thank you for these suggestions, but it still does not work.

              Now only OMA has checked 128-bit SSL, plus no services are using checked enable anonymous access.

              I am testing only with local IE,
              - http://<name>/oma asks for username/password when SSL is unchecked
              - https://<name>/oma, when SSL is checked, prompts "The page cannot be displayed"



              • #8
                Re: OMA over HTTPS not working

                You shouldn't have the options under the certificate enabled - not Require SSL or the use of 128-bit encryption. Both options should be clear. You should also check that ignore client certificates is enabled as well.

                Simon.
                --
                Simon Butler
                Exchange MVP


                • #9
                  Re: OMA over HTTPS not working

                  Hi Simon,

                  I have been instructed to configure SSL in the following way:

                  - Administrative Tools --> IIS Manager --> <NAME>(local computer) --> Default Web Site --> right-click Properties --> Directory Security --> Secure communications --> Edit

                  and then check there "Require secure channel (SSL)" and "Require 128-bit encryption".


                  Later on, I followed your instructions and have disabled the above checkboxes for each individual item under the "Default Web Site" frame (e.g. Exchange, Microsoft-Server-ActiveSync, etc.)


                  Hope this information gives you enough to see what I am doing...


                  Regards.



                  • #10
                    Re: OMA over HTTPS not working

                    Require SSL and Require 128-bit encryption break things with Windows Mobile devices.

                    Any reason you are enabling those options? You don't need to have them enabled for SSL support and if you are only opening port 443 on the firewall then they aren't required.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP
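
The checks suggested in posts #6, #8 and #10 can be run from any internal machine. The script below is an added example, not code from any poster in the thread: it sends one unauthenticated GET to each of the three virtual directories over HTTP and HTTPS and says which IIS setting each answer points at. The host name passed on the command line and the wording of the verdicts are assumptions; certificate verification is switched off only because the original poster is testing internally.

```python
import http.client
import ssl
import sys

# Virtual directories named in post #6.
VDIRS = ["/oma", "/exchange", "/Microsoft-Server-ActiveSync"]

def classify(scheme, status, auth_schemes):
    """Map one probe result to the IIS setting it points at (status None = no connection)."""
    if status is None:
        return "%s connection failed: nothing usable is answering on that port" % scheme
    if scheme == "http" and status == 403:
        return "403 over plain HTTP: consistent with Require SSL set on this directory"
    if status == 401:
        offered = ", ".join(auth_schemes) or "no scheme"
        return "401 (%s offered): anonymous access is off, as intended" % offered
    if 200 <= status < 400:
        return "%d without credentials: check whether anonymous access is enabled" % status
    return "HTTP %d: see the IIS log for the sub-status" % status

def probe(host, scheme, path, timeout=5):
    """Send one unauthenticated GET; return (status, offered auth schemes)."""
    if scheme == "https":
        # Assumption: internal test box with a self-signed certificate, so the
        # certificate is not verified here. Do not reuse this context elsewhere.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        values = resp.headers.get_all("WWW-Authenticate") or []
        return resp.status, [v.split()[0] for v in values if v.strip()]
    except (OSError, http.client.HTTPException):
        return None, []
    finally:
        conn.close()

def report(host):
    """Probe every directory over both schemes; keys are (scheme, path)."""
    return {(s, p): classify(s, *probe(host, s, p))
            for s in ("http", "https") for p in VDIRS}

if __name__ == "__main__" and len(sys.argv) > 1:
    for (scheme, path), verdict in report(sys.argv[1]).items():
        print("%-5s %-30s %s" % (scheme, path, verdict))
```

A failed HTTPS connection from a current Python build can also mean the old server only offers protocol versions the client refuses, so confirm with the browser on the server itself as post #6 suggests.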