Exchange 2k7 RPC-HTTP


  • Exchange 2k7 RPC-HTTP

    Hi all,

    Thought I'd get this week going with setting up Outlook over HTTPS for our external users and I've run into a problem whilst testing via testexchangeconnectivity. All seems well until I get to testing the SSL certificate and it errors with

    "The certificate chain couldn't be built. You may be missing required intermediate certificates."

    Any ideas? Thanks

  • #2
    Re: Exchange 2k7 RPC-HTTP

    Who has supplied the certificate?

    If it is e.g. GoDaddy, there are some very clear instructions on installing their intermediate certificate on the CAS server
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Exchange 2k7 RPC-HTTP

      It's an SBS 2008 box and the certificate is self-signed - is this a problem? I'm sure I've seen it working in the past??

      Thanks



      • #4
        Re: Exchange 2k7 RPC-HTTP

        Yeah, self-signed cert is a problem...
        It will work, however it is not recommended...

        But it won't work with testexchangeconnectivity because they check cert validity and SS certs are not valid.
        But they could be on a PC that has the ROOT CA cert installed.



        • #5
          Re: Exchange 2k7 RPC-HTTP

          I've been reading into this and the solution seems to be to add the certificate to the client connecting to the Exchange server, which I have done - but it doesn't work.

          The machine in question is not and has never been on the domain. Reading up on solutions, some theories are that you set up the laptop/workstation on the domain with the self-assigned cert and then when you take the client off the LAN, Outlook over HTTPS will work.

          It's all very frustrating...

          Just to throw another spanner in the works - a client on the LAN connects to Exchange via TCP rather than HTTPS - does this play any part in the problem?
          Last edited by 5habbaranks; 28th February 2011, 13:45.



          • #6
            Re: Exchange 2k7 RPC-HTTP

            Buy a 3rd party certificate from e.g. www.godaddy.com -- SAN (5 name) cert is about $70 per year, so pays for itself in about 1 hour of frustration
            Tom Jones


            • #7
              Re: Exchange 2k7 RPC-HTTP

              Technically the self signed certificate isn't supported for use with Outlook Anywhere and Exchange ActiveSync. Although the rules appear to be different for the SBS crowd, probably because the owners want their "free" certificate to work.

              Getting a UC certificate on to SBS 2008 can be a pain. I have instructions here:
              http://blog.sembee.co.uk/post/SBS-20...tallation.aspx

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.



              • #8
                Re: Exchange 2k7 RPC-HTTP

                How will this affect the current setup? By that I mean we are using SBS2008 RWW and also iPhones. Can I leave them as they are using the internally assigned cert and use a 3rd party cert for Outlook over RPC? Thanks

                Also reading that link from Sembee - we have done that bit??? I'm at the stage whereby I try and manually configure a client PC away from the network. I have installed the self-assigned cert. Just a thought - how much does this differ from how iPhones etc. connect? I was under the impression that if they work so should the Outlook client as they use the same certificate???

                Thanks
                Last edited by 5habbaranks; 28th February 2011, 14:10.



                • #9
                  Re: Exchange 2k7 RPC-HTTP

                  As long as you use the same host name that is on the self signed certificate (so remote.example.com if the defaults have been used) then the devices already using the host name will not be affected.

                  Getting a self signed certificate to work correctly with Outlook Anywhere is a pig, and I don't recommend it.

                  Simon.


                  • #10
                    Re: Exchange 2k7 RPC-HTTP

                    Even though I am talking about SBS 2008?? I found an interesting guide within the SBS box itself. When you go to RWW it tells you how to set up Outlook Anywhere and states that you download the self-assigned certificate - why does it recommend this when it doesn't work??

                    Very confusing...



                    • #11
                      Re: Exchange 2k7 RPC-HTTP

                      The simple reason is that the SBS team know that most owners of SBS servers are tight and want their "free" certificate to work.

                      This is despite what it says on Technet.
                      http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

                      "Important: The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync."

                      Microsoft have basically contradicted themselves.

                      Simon.


                      • #12
                        Re: Exchange 2k7 RPC-HTTP

                        I have to say I've not had an issue with the SBS self-signed certificate on any of our deployments. We've got multiple SBS (and full-blown Exchange, including our own network) running with internal CAs. We use ActiveSync (Mix of HTC WinMo 6.x and iPhone 4s) and Outlook Anywhere without problems. With SBS we use the install certificate package that is created by SBS for Outlook Anywhere, although I usually install the certificate manually if I have the machine to hand.

                        iPhones are a PITA because you need to either email the certificate as a .cer to another email account or use the iPhone configuration tool to get the certificate on the device. Android and WinMo are simpler seeing as you can drag and drop the .cer file onto the device.

                        When using testexchangeconnectivity for SBS I always tell it to ignore the certificate, as errors are expected with a self-signed cert.

                        "why does it recommend this when it doesn't work??"
                        Standard Microsoft, almost all best practice that they dictate for DCs, Exchange and ISA Server (in SBS 2003 Premium) goes out the window in an SBS environment. DCs and Exchange should be separate, ISA should never co-exist with anything etc etc.
                        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                        Cruachan's Blog



                        • #13
                          Re: Exchange 2k7 RPC-HTTP

                          Turns out after all this it was the firewall on the client. I have purchased a public cert anyway as it was only 30 for 4 years, ahh well we live and learn.

                          I'm guessing I can leave the self-assigned cert in place and run the new cert alongside. And then just add the new cert to IIS so anyone browsing will be prompted to install the new certificate?

                          Thanks



                          • #14
                            Re: Exchange 2k7 RPC-HTTP

                            If it's a public cert your clients should already trust its issuer. I'd also check in your WSUS that the Updates for Root Certs are being installed. It's an optional update in Microsoft Update, can't remember what category it appears in for WSUS.
                            Cruachan's Blog
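
The trust check at the centre of this thread, as an added example that is not part of any post: a PowerShell function that reports whether a certificate sits in a Trusted Root store on the client and what status the platform's chain engine gives it. The function name `Test-CertTrust`, the throw-away sample certificate and the commented-out file path are assumptions for illustration; it needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not from the thread. Test-CertTrust is a hypothetical helper name.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-CertTrust {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Look for this exact certificate in the Trusted Root store of the user and the machine.
    # A self-signed certificate imported into any other store (e.g. Personal) is not trusted.
    $inRoot = $false
    foreach ($location in [StoreLocation]::CurrentUser, [StoreLocation]::LocalMachine) {
        $store = [X509Store]::new([StoreName]::Root, $location)
        $store.Open([OpenFlags]::ReadOnly)
        try {
            $hits = $store.Certificates.Find([X509FindType]::FindByThumbprint,
                                             $Certificate.Thumbprint, $false)
            if ($hits.Count -gt 0) { $inRoot = $true }
        } finally { $store.Close() }
    }

    # Build the chain with the platform's chain engine; revocation is skipped so the
    # check also works on a machine with no network access.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        SelfSigned  = ($Certificate.Subject -eq $Certificate.Issuer)
        InRootStore = $inRoot
        ChainBuilt  = $built
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainLength = $chain.ChainElements.Count
    }
}

# Constructed sample: a throw-away self-signed certificate standing in for the SBS one.
$key  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=remote.example.com', $key,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1),
                              [DateTimeOffset]::UtcNow.AddYears(1))
Test-CertTrust -Certificate $cert | Format-List

# For a real check, load the exported certificate instead (placeholder path):
# Test-CertTrust -Certificate ([X509Certificate2]::new('C:\path\to\exported.cer'))
```

Run it on the client that fails to connect: `InRootStore` shows whether the import landed in Trusted Root Certification Authorities, and `ChainStatus` names the reason the chain was rejected.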
