OWA Logon- Cannot logon following renewal self signing certificate on Exchange 2007
I recently renewed my Self Signed Certificate (thumbprint) on my Exchange 2007 server. Following the renewal users are unable to login to OWA either internally or remotely.

Settings

In IIS 7.0
- "Require SSL" is unchecked in both the Default website and OWA site
- HTTP Redirection "Redirect requests to this destination" is checked.

In Exchange Management Console
- Under Server Configuration - Client Access - OWA - Authentication is set to "Use forms based authentication" - and "User Name" is selected.

The new certificate was moved to the "Trusted Root Certification Authorities" container on the 2007 Exchange server. As far as I can tell all the settings are identical to the settings in IIS 7.0 and Exchange MMC prior to the thumbprint update. (I took screen shots of all the settings when I renewed the certificate last year)

I can access the default web page and advance to the OWA login screen (both internally and externally). When I enter my logon credentials ("User Name" and "Password") the page just hangs and I cannot get into OWA. Users with smart phones have stopped receiving email on their smart phones / BlackBerries.

I tried out all the relevant solutions I could find on the net and also recreated a new certificate as well with no success. Any help with this issue would be greatly appreciated.

Note: I know I should be using a third party SSL certificate but the client doesn't want to pay the money at this point to get one. Thanks
February 6th, 2011 3:58am

OK, please give us some more information. What does the cmdlet get-exchangecertificate notice in the Exchange shell? I think you have to enable the new certificate on the Exchange services and the IIS. In order to use the https connection you have to check the switch "Require SSL". regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
February 6th, 2011 7:12am

On Sun, 6 Feb 2011 08:54:13 +0000, Arlo15 wrote:
>I recently renewed my Self Signed Certificate (thumbprint) on my Exchange 2007 server.
"Self signed" or issued by a local PKI CA?
>Following the renewal Users are unable to login to OWA either internally or remotely.
>
>Settings
>
>IN IIS 7.0
>
>"Require SSL" is unchecked in both the Default website and OWA site
>
>HTTP Redirection "Redirect requests to this destination" is checked.
>
>In Exchange Management Console
>
>Under Server Configuration - Client Access - OWA - Authentication is set to "Use forms based authentication" - and "User Name" is selected.
>
>The new certificate was moved to the "Trusted Root Certificate Authorities" container on 2007 exchange server.
Your certificate should be in the local computer's certificate store in the "Certificates (Local Computer) | Personal | Certificates" container. The CA's root certificate goes into the "Trusted Root Certification Authorities | Certificates", and the CA's intermediate certificate(s) go into the "Intermediate Certification Authorities | Certificates".
>As far as I can tell all the settings are identical to the settings in IIS 7.0 and Exchange MMC prior to the thumbprint update. (I took screen shots of all the settings when I renewed the certificate last year)
>
>I can access default web page and advance to the OWA login screen (Both internally and externally). When I enter my logon credentials ("User Name" and "Password") the page just hangs and I cannot get into OWA. Users with smart phones have stopped receiving email on their smart phones / BlackBerries.
>
>I tried out all the relevant solutions I could find on the net and also recreated a new certificate as well with no success.
>
>Any help with this issue would be greatly appreciated.
>
>Note: I know I should be using a third party ssl certificate but the client doesn't want to pay the money at this point to get one.
So the expense of a $30 SSL certificate is less money than you're charging them to do the work? Wow! --- Rich Matheisen MCSE+I, Exchange MVP
February 6th, 2011 10:11am

Dear peddy1st, Thank you for your reply. The read out for get-exchangecertificate is as follows:

get-exchangecertificate shows: Thumbprint - The new thumbprint, Services IP.WS, Subject CN=My Mail Server Name

get-exchangecertificate | List shows: the same information except under Services it displays IMAP, POP, IIS and SMTP.

I have tried "Require SSL" (both checked and unchecked, and 128 bit checked/unchecked as well) on the OWA container in IIS and also tried "Integrated Windows Authentication" and "Basic Authentication" in Exchange Management Console for OWA in the CAS. I still could not get authenticated access to OWA. Thank you
February 6th, 2011 11:23am

Rich, Thank you for your reply. I'm a bit confused by what you mean by "your Certificate" and the "CA's" Certificate. I created the certificate on the Exchange 2007 box with the New-ExchangeCertificate command.

"Your certificate should be in the local computer's certificate store in the "Certificates (Local Computer) | Personal | Certificates" container."
-- Not sure what you mean by "your" certificate - do you mean the certificate that is created in Exchange Management Shell? If so then it is in the location you suggested.

"The CA's root certificate goes into the "Trusted Root Certification Authorities | Certificates", and the CA's intermediate certificate(s) go into the "Intermediate Certification Authorities | Certificates"."
-- Again not sure what you mean by the CA's root Certificate. If you mean the Certificate that was created by New-ExchangeCertificate, it is in the locations you suggested.

Is there something I should try next or is there more information I could provide? Thank you again for your assistance.
February 6th, 2011 11:34am

On Sun, 6 Feb 2011 16:33:01 +0000, Arlo15 wrote:
>Im a bit confused by what you mean by "your Certificate" and the "CAs" Certificate.
You shouldn't be if you answered the '"Self signed" or issued by a local PKI CA?' I asked.
>I created the certificate on the Exchange 2007 box with the New-ExchangeCertificate command.
That's all? Nothing else? Just 'new-exchangecertificate' with no other parameters or switches? Then it's "self-signed".
>Your certificate should be in the local computer's certificate store in the "Certificates (Local Computer) | Personal | Certificates" container. --Not sure what you mean by "your" certificate - do you mean the certificate that is created in Exchange Management shell ?
In this case, yes. In the case of a 3rd-party or PKI certificate it would be that certificate.
>If so then it is in the location you suggested
That's good, but that's not what you said before, which was: 'The new certificate was moved to the "Trusted Root Certificate Authorities" container on 2007 exchange server.'
>>The CA's root certificate goes into the "Trusted Root Certification Authorities | Certificates", and the CA's intermediate certificate(s) go into the "Intermediate Certification Authorities | Certificates". --
>Again not sure what you mean by the CAs root Certificate.
Since you're really dealing with a 'self-signed' certificate, there's no CA. Your certificate is untrusted by everyone.
>If you mean the Certificate that was created by New-ExchangeCertificate. If so it is in the locations you suggested. Is there something I should try next or is there more information I could provide Thank you again for your assistance.
I see that you ran the "get-exchangecertificate" cmdlet and that you have two certificates?
>get-exchangecertificate shows: Thumbprint - The new thumbprint, Services IP.WS, Subject CN=My Mail Server Name
>get-exchangecertificate | List shows: the same information except under Services displays IMAP, POP, IIS and SMTP.
Is the first one (above) the NEW certificate or the OLD certificate? Has the old one already expired? If not, try this:

get-exchangecertificate -thumbprint <old-thumbprint> | new-exchangecertificate

FYI, it's a good idea to show the results of the cmdlet (such as get-exchangecertificate | fl) instead of extracting what you think are the relevant parts. --- Rich Matheisen MCSE+I, Exchange MVP
February 6th, 2011 1:22pm

--------------------------------------------------------
Mr. Matheisen. Here is some additional information that I hope is helpful.

The following sequence of commands was used to make the self signed Certificate (thumbprint) in Exchange 2007 Management Console:
- Get-ExchangeCertificate | List - Made note of Current (soon to Expire) Thumbprint
- New-ExchangeCertificate2007 - Made note of New Thumbprint, Selected Default “Y”
- Enable-ExchangeCertificate –ThumbPrint (entered shortened thumbprint listed below) –Services: IIS
- Remove-ExchangeCertificate –ThumbPrint (entered previous thumbprint)

Current view running the following commands.

Get-ExchangeCertificate
Thumbprint                           Services   Subject
7CBBC17ASCC9876FBERS978 (shortened)  IP.WS      CN=MailServer02

Get-ExchangeCertificate | List
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {MailServer02, MailServer02.mydomain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=MailServer02
NotAfter           : 2012/02/06 16:05:52
NotBefore          : 2011/02/06 16:05:52
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 277B749C6485BBBF (Shortened)
Services           : IMAP, POP, IIS, SMTP
Status             : True
Subject            : CN=MailServer02
Thumbprint         : 7CBBC17ASCC9876FBERS978 (shortened)

The Certificate created, “MailServer02”, is present in the Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities containers.

An additional response I have noticed with OWA when I try to logon is:
- If I enter the correct credentials the login page just hangs
- If I enter the incorrect PW for a valid username the screen refreshes and returns the Username and Password fields to blank.
- I have tried about all the variations for SSL logon and CAS (forms based and “users can use one or more authentication methods”) and IIS (SSL checked and unchecked) I can think of.
Is there something else I should be looking for? Is There more information I can provide? Any assistance would be appreciated. Thanks in advance.
February 7th, 2011 1:40am

Hi Arlo15, Could you please run the get-owavirtualdirectory cmdlet and post the information here. Some information for you: http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx How do you publish your external web services, and what about your CERT for your external certificate? Some information for you: http://technet.microsoft.com/en-us/library/bb794751.aspx In my opinion, please confirm the cert name matches what you use to access the OWA. Regards! Gavin TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 7th, 2011 4:27am

Hi Gavin; Thank you for your reply. Here is the read out of the get-owavirtualdirectory command as you requested.

Get-OwaVirtualDirectory
Name                         Server        OwaVersion
Owa (Default Web Site)       MailServer02  Exchange2007
Exchange (Default Web S…)    MailServer02  Exchange2007or 2003
Public (Default Web Site)    MailServer02  Exchange2007or 2003
Exchweb (Default Web Site)   MailServer02  Exchange2007or 2003
Exadmin (Default Web Site)   MailServer02  Exchange2007or 2003

Thank you for the links as well, I will check them out to see if I can find something useful.

"In my opinion, please confirm the cert name match what you use to access the OWA." - How do I do this? When I look in Root Certificates the new Self-Signed Certificate lists: Issued to MailServer02, Issued By MailServer02, Friendly Name is Microsoft Exchange. Thank you again for your assistance.
February 7th, 2011 7:14am

On Mon, 7 Feb 2011 06:40:33 +0000, Arlo15 wrote:
>Here is some additional information that I hope is helpful.
In your original question you said: "HTTP Redirection "Redirect requests to this destination" is checked"

When you're trying to use OWA, what URL do you use? If you use https://mailserver01.mydomain.com does it work any differently if you use https://mailserver01.mydomain.com/owa ?

When you set the redirect on the default web site did you *remove* the redirect for the virtual directories beneath it (aspnet_client, autodiscover, ecp, ews, etc.)?

You also said that SSL was not used on the default web site. Did you enable it on the other virtual directories that had it set before IIS propagated the change to the children? (You don't want SSL enabled on the Powershell virtual directory, though!)

Have you looked at the IIS logs to see what might be happening when you try logging on? --- Rich Matheisen MCSE+I, Exchange MVP
February 7th, 2011 10:09pm
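The IIS log check Rich asks about can be scripted. The following is an added example, not something posted in the thread: it parses the W3C log lines IIS 7.0 writes under C:\inetpub\logs\LogFiles\W3SVC1 and reports any client that keeps receiving 302 responses under /owa, which is the symptom an HTTP Redirect rule on the owa virtual directory produces (one 302 straight after the forms-based logon POST is normal). The sample log lines, the IP addresses and the user name in them are constructed, and the `Find-OwaRedirectLoops` function and its threshold are my own choices.

```powershell
# Added example (not from the thread). Scans IIS 7.0 W3C log lines for a client that
# keeps getting 302 responses under /owa. One 302 right after the POST to
# /owa/auth/owaauth.dll is normal for forms-based authentication; a run of 302s on
# GET /owa/ from the same client is the redirect loop that a redirect rule on the owa
# virtual directory causes. Written for PowerShell 2.0 on Server 2008.

function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; IIS can reorder them, so never hard-code offsets.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }   # other directives / blanks
        if ($fields -eq $null) { continue }                             # data before any header
        $values = $line -split ' '                                      # IIS writes spaces as '+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $values.Length; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $row
    }
}

function Find-OwaRedirectLoops {
    param([string[]]$Lines, [int]$Threshold = 3)
    ConvertFrom-W3CLog $Lines |
        Where-Object {
            $_.'cs-uri-stem' -like '/owa*' -and
            $_.'cs-uri-stem' -notlike '/owa/auth/*' -and   # the logon POST's own 302 is expected
            $_.'sc-status' -eq '302'
        } |
        Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ClientIP  = $_.Name
                Redirects = $_.Count
                Paths     = (($_.Group | ForEach-Object { $_.'cs-uri-stem' } | Select-Object -Unique) -join ', ')
            }
        }
}

# Constructed sample in the W3C format IIS writes. 10.0.0.20 logs on normally
# (POST -> one 302 -> GET /owa/ 200); 10.0.0.21 bounces on /owa/ and never gets a 200.
$raw = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-02-06 16:10:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mailserver02/owa/&reason=0 443 - 10.0.0.20 Mozilla/4.0 200 0 0 120
2011-02-06 16:10:09 10.0.0.5 POST /owa/auth/owaauth.dll - 443 - 10.0.0.20 Mozilla/4.0 302 0 0 15
2011-02-06 16:10:09 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.0.20 Mozilla/4.0 200 0 0 250
2011-02-06 16:12:30 10.0.0.5 POST /owa/auth/owaauth.dll - 443 - 10.0.0.21 Mozilla/4.0 302 0 0 12
2011-02-06 16:12:30 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/4.0 302 0 0 2
2011-02-06 16:12:31 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/4.0 302 0 0 1
2011-02-06 16:12:31 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/4.0 302 0 0 1
2011-02-06 16:12:32 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/4.0 302 0 0 1
'@
$sample = $raw -split "`r?`n"

Find-OwaRedirectLoops -Lines $sample | Format-Table ClientIP, Redirects, Paths -AutoSize

# Against a real day's log (IIS names them u_exYYMMDD.log):
# Find-OwaRedirectLoops -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex110206.log')
```

Running it on the sample reports only 10.0.0.21. A hit like that, combined with the httpRedirect setting on the owa virtual directory, is what to look for before touching certificates again: the certificate was never the cause of the hang in this thread, the inherited redirect was.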

Hi Arlo, Firstly, I would suggest that you could learn some information from the link I referred to. Then please use get-owavirtualdirectory | fl. Check the internal/external URL, and what URL do you use to access the OWA? Please post more information as Rich requests. Regards! Gavin Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 8th, 2011 11:01pm

Gavin: Thanks for the additional information. I will check the command you suggested to see where it leads. I was able to resolve the issue over the weekend when I had a bit more free time to troubleshoot and review. Again thank you.

Everyone: Thank you for all of your help on this issue. I was able to resolve the issue over the weekend, seemingly a simple matter of `unchecking` Redirection on the OWA virtual Directory under HTTP Redirect. I have detailed my information/solution below for others with a similar issue with a similar setup.

Environment
Single Exchange 2007 SP1 64 bit on Server 2008 64 bit. No other special settings or setup in the environment. (1 Exchange, One File Server, One Back up Server – all Server 2008 64 bit). OWA is set for forms based authentication in CAS.

Action
Every year the Exchange 2007 Self Signed Certificate needs to be renewed in Exchange Management Shell (Third party SSL certificate is not used by this client.) The general series of commands I followed for renewing the certificate are as follows:
- Get-ExchangeCertificate | List - Make note of the current thumbprint
- New-ExchangeCertificate - Select Default – `Y` - Record New Thumbprint (You can re-run `Get-ExchangeCertificate | List` to review old and new Thumbprint)
- To enable new Certificate (thumbprint): Enable-ExchangeCertificate -Thumbprint (Type in new thumbprint) -Services IIS
- To remove old Certificate (thumbprint): Remove-ExchangeCertificate -Thumbprint (Type in Old thumbprint) - Confirm with Default prompt for removal `Y`
- You can run `Get-ExchangeCertificate | List` to review / Confirm results

Issue
Users were unable to access email via OWA
- Smart Phone users were able to receive mail on their phones. (contrary to what I wrote initially)
- Black Berry users with BIS (Black Berry Internet Service) are unable to receive email on Black Berry devices.
- (Note; BB users are still unable to receive email. I will post my solution to it once I figure out the issue.)

Investigation
It seems that, for lack of a better word, IIS 7.0 seems to revert to some kind of `default` settings and needs to be rechecked/reset.

Resolution:
In IIS 7.0:
Default Website
- in SSL Settings > Uncheck `Require SSL`
- HTTP Redirect > Check `Redirect request to this Destination:`
  o Confirm redirect settings, in my case: https://webmail.domain.com/owa
Other Virtual Directories – EWS – Exadmin – Exchange – Exchweb – Microsoft-Server-ActiveSync – and OAB
- in SSL Settings > Uncheck `Require SSL`
- HTTP Redirect > Uncheck `Redirect request to this Destination:`
OWA virtual Directory
- in SSL Settings > Check `Require SSL`
  o Uncheck `Require 128-bit SSL`
  o Under `Client Certificates` > Select `Ignore`
- in HTTP Redirect > Uncheck `Redirect request to this Destination:`

For completeness I will add the settings on the Exchange side.
In Exchange Management Console:
Server Configuration
Client Access > Outlook Web Access tab > Select owa (Default Web Site) > Right Click – Properties:
- General Tab: Confirmed Internal URL
  o https://mailserver.domain.com/owa
- Authentication Tab
  o Check radio button – Use forms-based authentication
  o Check radio button - Username only
  o In Logon domain: confirm domain name is listed, in my case: `domain.com`
Hub Transport > Receive Connectors Tab > Select `Client` (Note: `Default` had the same settings) > right click Properties
- General Tab: Confirmed `Specify the FQDN this …..*
  o Mailserver.domain.com
- Authentication Tab
  o Checked the following
    § Transport Layer Security (TLS)
    § Basic Authentication
    § Exchange server authentication
    § Integrated windows Authentication
  o Left the following Unchecked
    § Enable Domain Security (Mutual Auth TLS)
    § Offer Basic Authentication only after starting TLS
    § Externally Secured (for example, with IPsec)

NOTE; checking the logs in the W3SVC1 folder and using the following article http://support.microsoft.com/kb/943891/en-us helped clue me into the incorrect settings on the HTTP Redirect in the OWA virtual directory in IIS 7.0. W3SVC1 location-- C:\inetpub\logs\LogFiles\W3SVC1

I hope this is helpful for someone else. As mentioned this was the setup/solution for OWA access after the self signed certificate update for my environment. These may not be the optimum settings but they worked in my case and they may not work or be relevant to your environment. Thanks,
February 13th, 2011 8:45pm
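A scripted form of the renewal steps and the IIS 7.0 settings from the post above, as an added example rather than the poster's own commands. It is written for the Exchange 2007 Management Shell, uses the pipe-to-New-ExchangeCertificate clone Rich mentioned earlier in the thread, verifies the IIS binding before the old certificate is removed, and then uses appcmd.exe (which ships with IIS 7.0) for the redirect and SSL settings. Selecting the certificate by `IsSelfSigned` and `Services`, the `/commit:apphost` switch and the site path `Default Web Site/owa` are my assumptions about the environment described; run it on a test system first.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell, elevated,
# on the Client Access server. Assumes one self-signed certificate is bound to IIS.

# 1. Find the self-signed certificate currently enabled for IIS and record it.
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services -match 'IIS') } |
    Select-Object -First 1
if (-not $old) { throw 'No self-signed certificate is bound to IIS; nothing to renew.' }
'Current IIS certificate: {0}  expires {1}' -f $old.Thumbprint, $old.NotAfter

# 2. Clone it. Piping the old certificate into New-ExchangeCertificate keeps the same
#    subject and domain list (so the host name users browse to stays on the certificate)
#    and produces a fresh self-signed certificate with a new thumbprint.
$new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate
'New certificate:         {0}  expires {1}' -f $new.Thumbprint, $new.NotAfter

# 3. Bind the new certificate to IIS (OWA, ActiveSync, OAB, EWS all ride on this binding).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 4. Verify before removing anything: the new thumbprint must now list IIS under Services.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Services -notmatch 'IIS') { throw 'IIS is not bound to the new certificate; keeping the old one.' }

# 5. Only now remove the old certificate, then show the final state.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
Get-ExchangeCertificate | Format-List Thumbprint, Services, IsSelfSigned, Subject, CertificateDomains, NotAfter

# 6. IIS 7.0 side. The resolution in the thread was that the HTTP Redirect set on the
#    Default Web Site had been inherited by the owa virtual directory. Show the current
#    values, then disable the redirect on /owa and require SSL there (client certs ignored).
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd list config 'Default Web Site'     /section:httpRedirect
& $appcmd list config 'Default Web Site/owa' /section:httpRedirect
& $appcmd list config 'Default Web Site/owa' /section:access
& $appcmd set  config 'Default Web Site/owa' /section:httpRedirect /enabled:false /commit:apphost
& $appcmd set  config 'Default Web Site/owa' /section:access /sslFlags:Ssl /commit:apphost

# 7. End-to-end forms-based logon check from the server itself. Needs the test mailbox
#    created by New-TestCasConnectivityUser.ps1 from the Exchange Scripts folder.
Test-OwaConnectivity -ClientAccessServer $env:COMPUTERNAME | Format-List
```

Step 4 is the part worth keeping even if you prefer the GUI for the rest: removing the old thumbprint before confirming that IIS is bound to the new one leaves the web services with no usable certificate, and the symptom looks much like the one in this thread.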


Hi Arlo15, Thanks for your sharing! Regards! Gavin. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 20th, 2011 8:13am
