SSL renew problems on CAS servers (NLB clustered)
Hello Everyone, I recently renewed an SSL certificate on Exchange 07 CAS servers (NLB cluster), however when I run "test-OWAConnectivity" I get an error "WARNING: The test was unable to establish a connection to Outlook Web Access." on ServerA. When I run "test-ActiveSyncConnectivity" and "test-WebServicesConnectivity", I get failures about the remote party having closed the transport stream. After exporting the renewed cert from ServerA to ServerB, I ran the same test cmdlets on ServerB, but got "Success" for test-owaconnectivity and got "Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure" for the test-activesyncconnectivity and test-webservicesconnectivity test commands. I've spent 2 days trying to troubleshoot this issue on ServerA and ServerB. Strange thing is that users do not have any problem accessing OWA via web or syncing emails to their mobile device. I would greatly greatly appreciate if someone could help me in resolving this ongoing issue. I would post a screenshot of the errors but don't know how to... Thanks.
December 11th, 2009 9:00pm

Can you run Get-ExchangeCertificate | fl on the CAS servers and paste it here?
Active Directory, 4th Edition - www.briandesmond.com/ad4/
December 12th, 2009 10:43pm

Hi, Additionally, please post the external and internal URL of the OWA. Thanks, Allen
December 14th, 2009 12:08pm

ServerA output:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
NotAfter           : 1/7/2013 6:59:59 PM
NotBefore          : 12/7/2009 7:00:00 PM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 0C4F8C76E2C161535640CFFCA58A50DD
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=IT, O=Company Name , L=City, S=State, C=US
Thumbprint         : 5GFD73E09E6ECABC570D3AE0BF17F099DJE356AF

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {serverA, ServerA.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ServerA
NotAfter           : 4/29/2010 11:03:46 AM
NotBefore          : 4/29/2009 11:03:46 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : C7CNDF73DC85999B41BDDC77659DFF43
Services           : SMTP
Status             : Valid
Subject            : CN=ServerA
Thumbprint         : B7DBDFE643BE16B6ADA95CD78AC97277FD43AD43

ServerB output:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
NotAfter           : 1/7/2013 6:59:59 PM
NotBefore          : 12/7/2009 7:00:00 PM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 0C4F8C76E2C161535640CFFCA58A50DD
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=IT, O=Company Name , L=City, S=State, C=US
Thumbprint         : 5GFD73E09E6ECABC570D3AE0BF17F099DJE356AF

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ServerB, ServerB.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ServerB
NotAfter           : 4/29/2010 11:04:49 AM
NotBefore          : 4/29/2009 11:04:49 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 345AD4EAA3B5528C4028C70D324ACF0A
Services           : SMTP
Status             : Valid
Subject            : CN=ServerB
Thumbprint         : 098D3A6F81E9785DF4A113DF0F9CB506EDD4AC
December 14th, 2009 5:14pm

Hi, Additionally, please post the external and internal URL of the OWA. Thanks, Allen

ServerA:
Internal URL: https://serverA.domain.com/owa
External URL: https://mail.domain.com/owa

ServerB:
Internal URL: https://serverB.domain.com/owa
External URL: https://mail.domain.com/owa
December 14th, 2009 5:39pm

If you like to see the screenshots of the errors, Please visit the link below: http://www.petri.co.il/forums/showthread.php?p=190399#post190399 Thanks.
December 14th, 2009 5:48pm

Can someone please provide me the process of renewing a SSL cert on CAS NLB cluster servers to ensure I did it correctly (following the articles found on the web) and didn't miss any steps? Thanks.
December 14th, 2009 6:57pm

Hi, Thank you for your information. I found the internal URLs are https://serverA.domain.com and https://serverB.domain.com. The certificate for IIS only includes mail.domain.com. Please understand that test-OWAConnectivity uses the internal URL to do the testing. So, you should include the FQDN of the CAS in the certificate to work around this issue. Thanks, Allen
December 15th, 2009 8:58am
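
The name check described in the reply above, as an added example that is not part of the original thread: it compares the host of each OWA URL posted here against the domains on the IIS certificate, including the one-label wildcard case. The function names Test-NameCoveredByCert and Get-UrlCertCoverage are hypothetical, and the inline data is constructed from the values posted in this thread.

```powershell
# Constructed sample data, copied from the values posted in this thread.
# Assumption: on a live CAS these would come from Get-ExchangeCertificate
# (CertificateDomains of the certificate enabled for IIS) and from
# Get-OwaVirtualDirectory (InternalUrl / ExternalUrl).
$certDomains = @('mail.domain.com')
$urls = @(
    'https://serverA.domain.com/owa',
    'https://serverB.domain.com/owa',
    'https://mail.domain.com/owa'
)

# Hypothetical helper: is $HostName covered by any name on the certificate?
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        # -eq on strings is case-insensitive, as host names are
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label
            $suffix = $d.Substring(1).ToLower()          # e.g. ".domain.com"
            $name   = $HostName.ToLower()
            if ($name.Length -gt $suffix.Length -and $name.EndsWith($suffix)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Hypothetical helper: one row per URL, showing whether the certificate
# presented by IIS would match the host name a client connects to.
function Get-UrlCertCoverage {
    param([string[]]$Urls, [string[]]$Domains)
    foreach ($u in $Urls) {
        $row = '' | Select-Object Url, HostName, Covered
        $row.Url      = $u
        $row.HostName = ([System.Uri]$u).Host
        $row.Covered  = Test-NameCoveredByCert -HostName $row.HostName -Domains $Domains
        $row
    }
}

Get-UrlCertCoverage -Urls $urls -Domains $certDomains | Format-Table -AutoSize
```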

Allen - When I run test-OWAConnectivity on ServerA, I get a 'Failure' but when I run it on ServerB I get a 'Success.' Wouldn't I get failures on both if that was the case?
December 15th, 2009 5:44pm

Another thing I would like to add is: When I go to IE and type in https://serverB.domain.com/owa the OWA site comes up, however, when I type in https://serverA.domain.com/owa it says page cannot be displayed. This leads me to believe something is wrong with IIS on ServerA? If that's the case, how can I resolve this? I believe if I can get serverA to display the OWA website, this should resolve all my problems.
December 16th, 2009 12:33am

Hi, From your latest description, that seems to be an IIS issue. Now please try to delete and recreate the relevant virtual directories based on Step 1 in the link below to troubleshoot this issue: http://support.microsoft.com/kb/941201 After that, please restart IIS and check this issue. Thanks, Allen
December 18th, 2009 6:10am

This topic is archived. No further replies will be accepted.
