
31/01/2010

Exchange Transition Scenario (2003 to 2007) – Day 3

Filed under: ms tip — Mehmet Bora Teoman @ 18:29

REQUESTING SSL CERTIFICATE FOR CAS SERVER AND IMPLEMENTING IT

In Day 1 and 2, we planned the Exchange 2007 organisation, put the related jobs in order, prepared Active Directory and installed the first Exchange 2007 server, the CAS server, for our organisation. In Day 3, I will request an SSL certificate for the CAS server and implement it through the IIS administrative console. I will also configure a few other services that Exchange 2007 offers so that they use this newly implemented SSL certificate.

I decided to get a third-party SSL certificate for the CAS server. Exchange 2007 automatically creates a self-signed certificate for itself and uses it, but that certificate is not trusted by web browsers (or by Outlook), so I have to get one from a public certification authority. I chose godaddy.com for this purpose. To request a certificate from godaddy.com, I have to create a certificate signing request (CSR) on the CAS server. I use the IIS administrative console instead of the PowerShell interface.

To create the certificate request, I click the server name in the IIS7 console and double-click the “Server Certificates” icon on the right side. In the Actions pane, I click the “Create certificate request…” link (Figure 1) and fill in the necessary information throughout the wizard. The common name is one of the entries in this wizard, and I enter the FQDN mail.mstip.com there; this is the name browsers compare against the URL they were given, so it has to match exactly. The wizard generates the private key on the CAS server and keeps it there; only the request leaves the server, as a text file created at the end of the wizard. I upload the text file to the request field of godaddy.com and wait for the answer. An informational mail is sent by godaddy.com and I am ready to download the certificate.


Figure 1: Certificate request wizard

In most Microsoft articles, a SAN (Subject Alternative Name) certificate is recommended for the different services (Autodiscover, OWA etc.) of the CAS server. This type of certificate can serve several FQDNs (i.e. mail.mstip.com, email.mstip.com, autodiscover.mstip.com etc.), so you do not have to request a separate certificate for each of them. An all-in-one certificate :). But it is a bit more expensive than a regular certificate. Therefore, I get a regular single-name certificate and will arrange the different services so that users reach all of them through only one FQDN. The trade-off is that every URL a client is given must use exactly that name; any service still published under another host name (the server’s NetBIOS name, or autodiscover.mstip.com) will produce a name-mismatch warning.

After I download the certificates (I say certificates because I download two of them: one is the intermediate certificate of godaddy.com, the other is the actual SSL certificate), I import the intermediate certificate on the CAS server. I open the local certificate console of the CAS server (Start -> mmc -> File -> Add/Remove Snap-in -> Certificates, choosing the Computer account when asked, because IIS builds the chain from the computer’s stores, not the user’s), go to Intermediate Certification Authorities -> Certificates, right-click the empty space on the right side and select Import. Just point the wizard at the downloaded godaddy intermediate certificate and it is done. Without this step the server has nothing to send between the mail.mstip.com certificate and the GoDaddy root, and clients that do not already have the intermediate cached will report the chain as untrusted.

Figure 2: godaddy intermediate certificate

Then I go to the IIS7 console to install the mail.mstip.com certificate. There is now a “Complete certificate request…” link in place of the “Create certificate request…” link. I click it (on the same server that generated the request, so that the certificate is matched with its private key), but the job is not done yet: I have to bind this certificate to my website. I select the “Default Web Site” on the left side and click the “Bindings…” link in the right-hand menu. I select https, press the Edit button in the next window and choose the newly added mail.mstip.com certificate from the SSL certificate list. I close all the open windows by pressing OK and open a command prompt. Then I run the iisreset command, which restarts IIS and briefly interrupts OWA. After all that, I have an OWA server with a new SSL certificate.

Figure 3: Binding the SSL certificate to the default web site
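Two checks that are worth running at this point, as an added example that is not part of the original post: one on the CAS itself (is the mail.mstip.com certificate in the computer’s Personal store together with its private key, and does the chain build through the imported intermediate?) and one from a workstation (what does the CAS actually present on port 443, and would a client trust it?). The host name mail.mstip.com and port 443 come from the post; everything else (function names, the assumption of PowerShell 2.0 / .NET 3.5 on a 2008-era server) is mine.

```powershell
# Added example, not code from the original post.
#   Test-CasCertificate    - run on the CAS: certificate + private key in
#                            LocalMachine\My, chain builds from local stores.
#   Test-ServedCertificate - run from a workstation: what the CAS presents
#                            on 443 and what the client-side chain engine says.
# Assumptions: CN=mail.mstip.com, port 443, PowerShell 2.0 / .NET 3.5 only.

function Test-CasCertificate {
    param([string]$SubjectName = "mail.mstip.com")

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $cert = @($store.Certificates | Where-Object { $_.Subject -like "CN=$SubjectName*" })[0]
    } finally {
        $store.Close()
    }
    if (-not $cert) {
        Write-Warning "No certificate with CN=$SubjectName in LocalMachine\My (wrong store, or request completed elsewhere?)"
        return $null
    }

    # Build the chain from this machine's stores only; revocation is a separate question.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $built = $chain.Build($cert)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # $false: IIS cannot use it, the CSR was made on another server
        ChainBuilds   = $built
        ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", ")
        Chain         = (@($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join " <- ")
    }
}

function Test-ServedCertificate {
    param([string]$HostName = "mail.mstip.com", [int]$Port = 443)

    $script:policyErrors  = $null
    $script:chainSubjects = @()
    # Record what the client-side chain engine concluded; the decision is reported below, not made here.
    # Note: a workstation that already has the GoDaddy intermediate cached will not notice a server
    # that fails to send it, so run this from a clean client when testing the intermediate.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors  = $sslPolicyErrors
        $script:chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # this is the name checked against the certificate
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }

    $nameMismatch = [bool]($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
    $chainErrors  = [bool]($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $leaf.Subject
        Issuer       = $leaf.Issuer
        NotAfter     = $leaf.NotAfter
        NameMismatch = $nameMismatch   # browser warning: certificate issued to another name
        ChainErrors  = $chainErrors    # browser warning: untrusted, usually the missing intermediate
        Chain        = ($script:chainSubjects -join " <- ")
    }
}

# Usage: the first on the CAS, the second from a workstation.
Test-CasCertificate -SubjectName mail.mstip.com | Format-List
Test-ServedCertificate -HostName mail.mstip.com | Format-List
```

If Test-CasCertificate reports HasPrivateKey = False, binding the certificate in IIS will fail or TLS will not start; the request has to be completed on the server that generated the CSR. If Test-ServedCertificate reports ChainErrors from a client that has never talked to a GoDaddy-signed site, go back to the intermediate import step.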

Now it is time to run the ExBPA tool (Exchange Best Practices Analyzer). Is there any problem so far? After I run the tool, I get a <’ClientAccessRole’ configured partially> error on the CAS server. The error comes from registry values that Exchange 2007 setup writes while it installs a role and removes again when the installation completes; if they are still there, Exchange believes that setup did not finish properly. Running setup again for the role lets setup resume and clear them itself; what follows is the manual shortcut I took. I search the registry for the word ClientAccessRole. Under HKLM\SOFTWARE\Microsoft\Exchange\v8.0\ClientAccessRole and HKLM\SOFTWARE\Wow6432Node\Microsoft\Exchange\v8.0\ClientAccessRole, I delete the values Watermark and Action, which are the ones related to this case (after backing up the registry, of course :) ). I also add a String Value named ConfiguredVersion under the same keys with the value 8.2.176.2, the build number of Exchange Server 2007 SP2. After restarting the CAS server, there is no error message in ExBPA. I run all the tests (health, performance, connectivity) on my Exchange organisation and everything seems good.

Note: It is risky to make changes in the registry, so be cautious. I do not take any responsibility for your actions.
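The same registry change, as an added example that is not part of the original post, wrapped so that it reports the current state first, exports both keys to .reg files, and only modifies anything when -Apply is given. The two key paths and the SP2 version string 8.2.176.2 come from the post; the function name, the backup folder and the need for an elevated PowerShell on the CAS are my assumptions.

```powershell
# Added example, not code from the original post: report, back up, then
# (only with -Apply) remove Watermark/Action and set ConfiguredVersion.
# Assumptions: key paths and 8.2.176.2 from the post; elevated PowerShell
# on the CAS; the backup folder is writable.

function Repair-ClientAccessRoleWatermark {
    param(
        [string]$ConfiguredVersion = "8.2.176.2",      # Exchange 2007 SP2, per the post
        [string]$BackupDir = "C:\ExchangeRegBackup",   # assumption
        [switch]$Apply
    )
    $subKeys = @(
        "SOFTWARE\Microsoft\Exchange\v8.0\ClientAccessRole",
        "SOFTWARE\Wow6432Node\Microsoft\Exchange\v8.0\ClientAccessRole"
    )
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"

    foreach ($subKey in $subKeys) {
        $psPath  = "HKLM:\" + $subKey   # PowerShell registry provider form
        $regPath = "HKLM\" + $subKey    # reg.exe form
        if (-not (Test-Path $psPath)) { Write-Warning "$regPath not found, skipping"; continue }

        $values = Get-ItemProperty -Path $psPath
        New-Object PSObject -Property @{
            Key               = $regPath
            Watermark         = $values.Watermark   # present: setup thinks the role install never finished
            Action            = $values.Action
            ConfiguredVersion = $values.ConfiguredVersion
        }
        if (-not $Apply) { continue }

        # Export first; refuse to touch the key if the export did not succeed.
        if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
        $file = Join-Path $BackupDir ("ClientAccessRole-" + ($subKey -replace "[\\]", "_") + "-$stamp.reg")
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw "reg export of $regPath failed; key left untouched" }

        foreach ($name in "Watermark", "Action") {
            if ($values.PSObject.Properties[$name]) { Remove-ItemProperty -Path $psPath -Name $name }
        }
        New-ItemProperty -Path $psPath -Name ConfiguredVersion -Value $ConfiguredVersion -PropertyType String -Force | Out-Null
        Write-Host "Updated $regPath (backup: $file). Restart the server and re-run ExBPA."
    }
}

# Report only; add -Apply after reading the report.
Repair-ClientAccessRoleWatermark | Format-List
```

Restoring is a double-click on the exported .reg file (or reg.exe import). If the report shows no Watermark or Action value at all, the ExBPA error has another cause and this change will not help.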

Now it is time to check whether my CAS server is working. After I create the DNS entry for mail.mstip.com, I type mail.mstip.com into my web browser and sign in. The first screen comes from the new Exchange 2007 server, but after a successful login I see my mailbox content in the Exchange 2003 format, because I have not moved my mailbox to an Exchange 2007 server yet.

After a few days of testing, I will uninstall the Exchange 2003 front-end server. I think 3 to 5 days will be enough for testing the new CAS server.

Figure 4: Exchange 2007 OWA login screen

I now have an SSL certificate for my mail.mstip.com URL and use it for OWA access. But I also want to use this certificate for the other services (remember, it is not a SAN certificate). One reason is the warning messages I get when opening the Outlook 2007 client: Outlook is still being handed Autodiscover, EWS and OAB URLs that use the server name rather than mail.mstip.com, and that name is not on the certificate. The warnings can be dismissed by pressing OK, but they are irritating. Here is what it looks like:

Figure 5: SSL certificate warning displayed by Outlook 2007

To get rid of this, I re-configure the host name for the Exchange 2007 services. The commands I run in the Exchange Management Shell are shown below. What these commands do is tell each service to use the newly assigned URL:

1. command: Get-ExchangeCertificate

Thumbprint                               Services   Subject
----------                               --------   -------
BDE672C3AACE2586BA7786XXXXXXXXXXA346A9   SIP.W      CN=mail.mstip.com

2. command: Enable-ExchangeCertificate -Services IIS -Thumbprint BDE672C3AACE2586BA7786XXXXXXXXXXA346A9

With this command, I make Exchange use the new certificate for IIS. After that, I change the URL of the Autodiscover service. To do this, I first run the third command to see the URL currently in use:

3. command: Get-ClientAccessServer -Identity CAS | FL

The line below is one of the lines of the command output:

AutoDiscoverServiceInternalUri : https://CAS/Autodiscover/Autodiscover.xml

With command 4, I change the URL to the one I want:

4. command: Set-ClientAccessServer -Identity CAS -AutoDiscoverServiceInternalUri https://mail.mstip.com/Autodiscover/Autodiscover.xml

After the fourth command, Outlook shows only one warning. Commands 5 and 6 point the internal URLs of the EWS and OAB virtual directories at the same name, and after them the second warning is gone as well:

5. command: Set-WebServicesVirtualDirectory -Identity “CAS\EWS (Default Web Site)” -InternalURL https://mail.mstip.com/EWS/Exchange.asmx -BasicAuthentication:$true

6. command: Set-OABVirtualDirectory -Identity “CAS\OAB (Default Web Site)” -InternalURL https://mail.mstip.com/OAB
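The fix above is applied one URL at a time. As an added example that is not part of the original post, here is a check that lists every URL the CAS hands to clients (the Autodiscover SCP plus the internal and external URLs of the EWS, OAB, OWA and ActiveSync virtual directories) and flags any whose host name is not on the certificate Exchange has enabled for IIS; it also catches plain-http URLs and wildcard names, which the post does not use. It runs in the Exchange Management Shell on the CAS. The server name CAS comes from the post; the function names are mine, and the cmdlet and property names are the Exchange 2007 ones as shipped.

```powershell
# Added example, not code from the original post: every client-facing URL
# on the CAS versus the names on the certificate enabled for IIS.
# Assumptions: server name CAS; Exchange 2007 cmdlets as shipped;
# Get-ExchangeCertificate (2007) reads the server the shell runs on.

function Get-CasClientUrls {
    param([string]$Server = "CAS")

    $cas = Get-ClientAccessServer -Identity $Server
    New-Object PSObject -Property @{
        Service = "Autodiscover (SCP)"; Kind = "Internal"; Url = $cas.AutoDiscoverServiceInternalUri
    }
    # Each virtual directory carries an internal and an external URL.
    $sets = @(
        @{ Service = "EWS";        Dirs = Get-WebServicesVirtualDirectory -Server $Server },
        @{ Service = "OAB";        Dirs = Get-OabVirtualDirectory -Server $Server },
        @{ Service = "OWA";        Dirs = Get-OwaVirtualDirectory -Server $Server },
        @{ Service = "ActiveSync"; Dirs = Get-ActiveSyncVirtualDirectory -Server $Server }
    )
    foreach ($set in $sets) {
        foreach ($dir in @($set.Dirs)) {
            New-Object PSObject -Property @{ Service = $set.Service; Kind = "Internal"; Url = $dir.InternalUrl }
            New-Object PSObject -Property @{ Service = $set.Service; Kind = "External"; Url = $dir.ExternalUrl }
        }
    }
}

function Test-HostOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.mstip.com matches mail.mstip.com, not mstip.com.
        if ($name.StartsWith("*.")) {
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix) -and ($HostName.Split(".").Length -eq $name.Split(".").Length)) { return $true }
        }
    }
    return $false
}

function Test-CasUrlsAgainstCertificate {
    param([string]$Server = "CAS")

    $iisCert = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" })[0]
    if (-not $iisCert) { throw "No certificate is enabled for the IIS service on this server" }
    $certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

    foreach ($entry in Get-CasClientUrls -Server $Server) {
        if (-not $entry.Url) { continue }   # legacy vdirs (Exchange, Public) carry no URL
        $uri = [System.Uri]$entry.Url
        $hostName = $uri.Host.ToLower()
        New-Object PSObject -Property @{
            Service       = $entry.Service
            Kind          = $entry.Kind
            Url           = $uri.AbsoluteUri
            Https         = ($uri.Scheme -eq "https")
            OnCertificate = (Test-HostOnCertificate -HostName $hostName -CertNames $certNames)
        }
    }
}

# Anything with OnCertificate = False (e.g. https://CAS/...) is one Outlook warning waiting to happen.
Test-CasUrlsAgainstCertificate -Server CAS | Sort-Object OnCertificate | Format-Table Service, Kind, Url, Https, OnCertificate -AutoSize
```

With the single-name certificate from this post, every row must show the host mail.mstip.com; the external URLs are empty here and are skipped, but the same check applies once they are set for Internet access.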

That is all for today. We implemented the SSL certificate on our CAS server and configured the other CAS services to use it. Bye for now.
