Wildcard certificates SSL or TLS Encryption, 1102 errors, Blackberry.
I have a Network Solutions wildcard certificate for my domain (in this post: *.DOMAIN.COM). The certificate works fine with OWA and HTTPS://; however, I can't connect devices like a Blackberry. The server records the following application log messages:
MSExchangeIMAP4 1102
The IMAP4 service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.
And also:
MSExchangePOP3 1102
The POP service failed to connect using SSL or TLS encryption. A valid certificate is not configured to respond to SSL/TLS connections. Check the configured hostname as well as which certificates are installed in the Personal Certificates store of the Computer.
This is the "Get-Exchangecertificate | fl" certificate:
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.DOMAIN.COM}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Network Solutions Certificate Authority, O=Network Solutions L.L.C., C=US
NotAfter : 8/26/2010 7:59:59 PM
NotBefore : 8/25/2008 8:00:00 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : xxxxxxxx2286314E78E1471AD24BBxxxx
Services : IMAP, POP, IIS, SMTP
Status : Unknown
Subject : CN=*.DOMAIN.COM, OU=......
Thumbprint : 63ECFCFD130BBC75DE229DCCF3A868A65B1AC1EC
Are wildcard certificates a valid option for Exchange Server 2007 SP1? If not, what other certificate will I need, one specific for the server? NetBIOS name, external DNS name, symbolic name (i.e. Exchange) or all of the previous names?
Thanks,
September 2nd, 2008 4:18pm
I just had a long conversation with my CA provider, Network Solutions. Microsoft Exchange Server 2007 SP1 does -not- accept wildcard certificates, i.e. *.domain.com. As per his instructions, I need two certificates and the wildcard cert is not a replacement:
exchange.domain.com ("exchange" is any name referenced externally by the MX record)
autodiscover.domain.com ("autodiscover" is a pseudo name, no physical server)
I will wait for them to create the certificates and will report results.
For Exchange, the real way to do this is to go with a "UCC" provider and to have one certificate with multiple domains on it.
So, either Microsoft starts accepting wildcard certificates on Exchange or Network Solutions starts selling UCC certificates. So far, the only option is to go with another UCC vendor, like GoDaddy.
If, like me, you already installed and tried to activate a certificate that is not working, you can ease the connection with your Blackberries with this temporary solution: run your service unencrypted:
Start the "Exchange Management Console" -> Server Configuration -> Client Access -> select the "POP3 IMAP4" tab
then select IMAP4 and, on the right under Actions, select IMAP4 Properties, click the Authentication tab and (only while you wait for the certificates) select "Plain Text Logon (Basic Authentication) No TLS Connection...."
September 3rd, 2008 12:42am
If you can wait, I recommend you wait for Update Rollup 4 for Exchange 2007 SP1. If no issues found, the RU4 should be released in coming week.
If not, you can use the following commands to work around the issue. Please understand the work arounds are just that: Work Arounds. They do not fix the issue and if you can wait, I recommend you do so.
The commands to use are:
Set-PopSettings -X509CertificateName Pop.yourdomain.com
Set-ImapSettings -X509CertificateName Imap.yourdomain.com
Note: If you run Get-Exchangecertificate <thumbprint>| fl cmdlet, the Services field is displayed as None.
HTH,
Bhargav
September 3rd, 2008 12:43am
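Added example (not part of the original thread, and not Exchange's own matching logic): a PowerShell check of whether a name such as the one given to -X509CertificateName is covered by a certificate's CertificateDomains, using the common rule that a wildcard stands for the left-most label only. The function name and the sample hostnames are constructed for illustration.

```powershell
# Added example: generic wildcard hostname matching, not Exchange's code.
# Test-CertNameCoversHost is a hypothetical helper name.
function Test-CertNameCoversHost {
    param(
        [string]$HostName,              # e.g. the X509CertificateName value
        [string[]]$CertificateDomains   # e.g. CertificateDomains of a certificate
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($domain in $CertificateDomains) {
        $certLabels = $domain.ToLowerInvariant().TrimEnd('.').Split('.')
        # A wildcard replaces exactly one label, so label counts must agree.
        if ($certLabels.Count -ne $hostLabels.Count) { continue }
        # Ignore wildcards that are too broad to be meaningful, such as "*.com".
        if ($certLabels[0] -eq '*' -and $certLabels.Count -lt 3) { continue }
        $match = $true
        for ($i = 0; $i -lt $certLabels.Count; $i++) {
            # Only the left-most label may be a wildcard.
            if ($i -eq 0 -and $certLabels[0] -eq '*') { continue }
            if ($certLabels[$i] -ne $hostLabels[$i]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

# Constructed sample input; on an Exchange server the values could instead be
# taken from (Get-PopSettings).X509CertificateName and from
# (Get-ExchangeCertificate <thumbprint>).CertificateDomains.
$domains = @('*.domain.com')
$names   = 'pop.domain.com', 'imap.domain.com', 'domain.com', 'mail.corp.domain.com'
foreach ($name in $names) {
    '{0,-22} covered by certificate: {1}' -f $name, (Test-CertNameCoversHost $name $domains)
}
```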
I would highly recommend against disabling security mechanisms and exposing your communication streams. Please wait for Update Rollup 4 if you can. If not, use the work around I mentioned earlier and report your findings here so everyone can benefit.
Thanks,
Bhargav
September 3rd, 2008 12:55am
Bhargav, is that Update Rollup for Microsoft Exchange Server 2007 SP1 non RTM? I'm currently on Rollup 2 and can't see any benefits applying Rollup 3. I'll try your cmdlets on this thread so that I could get rid of POP3 and IMAP4 errors.
Cheers,
September 18th, 2008 7:08am
I am referring to Rollup 4 for SP1. It is not released yet.
September 18th, 2008 8:22am
The Update Rollup 4 for Exchange 2007 SP1 has been released. More details at: http://msexchangeteam.com/archive/2008/10/07/449931.aspx
The update is live at: http://www.microsoft.com/downloads/details.aspx?FamilyId=8B492ED2-EA92-412F-A852-3AA1C58D9499&displaylang=en
Related KB article: http://support.microsoft.com/?kbid=952580
October 10th, 2008 6:37am
SP1 Update Rollup 4 was the solution.
Now I have a few certificates that I do not need!! (I ordered a few host-specific certificates.)
Fast and simple installation.
Some Exchange services were not automatically restarted by the installer.
Thanks for the advice,
October 14th, 2008 10:37pm