Urgent issue with Exchange 2007 and new SSL cert / activesync

  • Urgent issue with Exchange 2007 and new SSL cert / activesync

    I just got onsite to try and fix this issue, and really need some help!

    Sorry about the weird brackets and - instead of . in the URLs, the forum software thought I was posting legit URLs, and I am new LOL

    The short version: SBS 2008 running AD, Exchange 2007 etc was setup/migrated from a 2003 server before I came on the scene. It used a self signed certificate.

    Shortly after I came to this company they switched ISPs, and IP addresses. I reprogrammed the IP info in their Cisco ASA5500 and everything was fine; however, they had to access ActiveSync on their Androids and iPhones by IP. This worked fine. They just changed ISPs again. I changed the IP info in the gateway, and now the phones don't sync. They get a cert error that can't be bypassed.
    No problem, I buy a 3 year SSL for mail-mydomain-com get it installed and imported etc. Still no dice. The import process didn't go all that smoothly either I may add.

    Also - previously in Outlook in-house, my users' Exchange accounts were set up with SRV01 or domain.local as the server name, and had no issues. I've replaced the self signed cert with a commercial SSL for mail-mydomain-com. Now my users get an error in Outlook asking them to accept the cert to continue. It shows 3 check boxes, the first 2 green and the last red. The red check says: The name on the certificate is invalid or does not match the name of the site. We used to use SRV01-mydomain-local - that is how it is still set up in the Outlook configs, whereas our new SSL is mail-mydomain-com

    I am reluctant to change anything there - it still works although adding the certificate only removes the error in outlook for a short time, then my users are presented with the error message again, and can continue.

    Anyway back to activesync - I think these errors are all related to the new SSL -
    When I run the connectivity tester from MS I get all the way through to the last bit, and get the error:
    Testing HTTP Authentication Methods for URL [https]://mail-mydomain-com/Microsoft-Server-Activesync/
    HTTP authentication test failed
    An HTTP 500 response was returned for Unknown.HTTP Response Headers
    When I go to [https]://mail-mydomain-com I get what looks like an FTP file listing with only:
    10/12/2010 3:58 PM <dir> aspnet_client
    6/13/2008 5:51 PM 28 robots.txt
    7/25/2014 9:46 AM 1119 Web.config
    in it
    When I go to [https]://mail-mydomain-com/Microsoft-Server-Activesync/
    I get:
    Server Error in '/Microsoft-Server-ActiveSync' Application.
    Security Exception
    Description: The application attempted to perform an operation not allowed by the security policy.
    To grant this application the required permission please contact your system administrator or change
    the application's trust level in the configuration file.

    Exception Details: System.Security.SecurityException: That assembly does not allow partially trusted callers.

    Source Error:

    An unhandled exception was generated during the execution of the current web request.
    Information regarding the origin and location of the exception can be identified using
    the exception stack trace below.

    Stack Trace:

    [SecurityException: That assembly does not allow partially trusted callers.]
    ASP.global_asax..ctor() +0

    I am totally lost here. Any help would be much appreciated! I think I screwed up something
    in realizing the self signed SSL, and when I look in my IIS console, the tree for Active Sync
    is not listed under Default Website, but under [I think] Web Services
    Thanks again, anyone and everyone!

  • #2
    Re: Urgent issue with Exchange 2007 and new SSL cert / activesync

    Also I notice that OWA, ActiveSync etc. are not under Default Website, but listed under SBS Web Applications


    • #3
      Re: Urgent issue with Exchange 2007 and new SSL cert / activesync

      The configuration you are seeing in IIS is correct, because this is an SBS Server.
      Therefore the important question is quite simple - did you import the certificate with the wizards in SBS? If not, that is your problem.

      SBS 2008 looks like Exchange 2007, behaves like Exchange 2007, but needs to be managed where possible with the SBS management console.

      SBS likes to use
      If you want to use something else - like, then use the wizard to set the host name to that, then use the SSL wizard to choose the certificate.

      Getting boring I know - but USE THE WIZARDS.
      Just in case you didn't get that - INSTALL THE CERTIFICATE USING THE SSL WIZARD.

      Simon Butler
      Exchange MVP

      Sembee is a registered trademark, used here with permission.
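
Added example, not part of the thread and not written by either poster: a small offline check of which names clients connect to are actually covered by the names on a certificate, which is the comparison behind the red "name does not match" check described in the first post. The dotted hostnames are assumed readings of the hyphenated names in the thread, and the IP address is a constructed documentation address.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(presented, requested):
    """Match one DNS name from a certificate against the host a client uses.

    A wildcard counts only as the whole left-most label and covers exactly
    one label (RFC 6125, section 6.4.3). An IP literal never matches a DNS name.
    """
    if _is_ip(requested):
        return False
    p, r = _labels(presented), _labels(requested)
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == r[1:]
    return p == r

def audit(cert_names, client_names):
    """Map each client-side name to the cert name covering it, or None on mismatch."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in client_names
    }

# Constructed inputs based on the thread (assumed dotted forms).
CERT_NAMES = ["mail.mydomain.com"]      # the purchased single-name certificate
CLIENT_NAMES = [
    "mail.mydomain.com",                # ActiveSync / browser from outside
    "SRV01.mydomain.local",             # server name still in the Outlook profiles
    "SRV01",                            # short server name
    "203.0.113.10",                     # phones that were pointed at an IP
]

if __name__ == "__main__":
    for host, covered_by in audit(CERT_NAMES, CLIENT_NAMES).items():
        print(f"{host:24} {'OK via ' + covered_by if covered_by else 'NAME MISMATCH'}")
```

Every name reported as a mismatch is one where a client will warn, so either the client is repointed at a covered name or the certificate has to carry that name.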