IIS and SMTP - SSL and OWA


Author SSL and OWA
Raven

2005-01-19, 7:48 am

I have decided to secure my OWA site using SSL. I have followed the
instructions for installing certificate services, creating a server
certificate and used the external domain name as the common name for the
server.

Having applied the certificate I can now no longer access OWA internally
(can't check it externally). I used to be able to do this but only by using
the server name and not the FQDN. I am assuming this is something to do with
having told the certificate server that the common name is the FQDN.

Any suggestions as to why I can't access the server. If I use HTTP and the
internal server name I get Error 403 forbidden. If I use HTTPS I get the page
you are looking for cannot be displayed.
Raven

2005-01-19, 7:48 am

Ok - managed to get a little bit further. Having added the FQDN to my hosts
file I can now access it using the full name. However, I still get the same
errors. 403 forbidden without HTTPS and cannot find server or DNS error with
HTTPS. Take out the cert and it all works fine, put in the cert and it all
stops etc etc etc

"Raven" wrote:

> I have decided to secure my OWA site using SSL. I have followed the
> instructions for installing certificate services, creating a server
> certificate and used the external domain name as the common name for the
> server.
>
> Having applied the certificate I can now no longer access OWA internally
> (can't check it externally). I used to be able to do this but only by using
> the server name and not the FQDN. I am assuming this is something to do with
> having told the certificate server that the common name is the FQDN.
>
> Any suggestions as to why I can't access the server. If I use HTTP and the
> internal server name I get Error 403 forbidden. If I use HTTPS I get the page
> you are looking for cannot be displayed.

Ken Schaefer

2005-01-19, 8:48 pm

Using the IIS Logfiles, verify that the requests are going to the correct
site.
Also, if you are using IIS6, you should be able to see the HTTP substatus
code in the logfile entry. Please post that so we can see why you are
getting an Access Denied.

Lastly, you can use SSLDiag to troubleshoot the SSL issues:
http://www.microsoft.com/downloads/...&displaylang=en

Cheers
Ken


"Raven" <Raven@discussions.microsoft.com> wrote in message
news:3BB267E8-A2B7-4169-A680-01A240E6064E@microsoft.com...
> Ok - managed to get a little bit further. Having added the FQDN to my hosts
> file I can now access it using the full name. However, I still get the same
> errors. 403 forbidden without HTTPS and cannot find server or DNS error with
> HTTPS. Take out the cert and it all works fine, put in the cert and it all
> stops etc etc etc
>
> "Raven" wrote:
>


Raven

2005-01-20, 5:57 pm

Well I looked in the IIS log file but there was nothing that seemed even to
relate to SSL in there. I did a simulated handshake using SSL diagnostics and
got the following (is there no way to attach files to these messages?)

System time: Thu, 20 Jan 2005 13:42:33 GMT
Connecting to 127.0.0.1:443
Connected
Handshake: 108 bytes sent
Handshake: 1415 bytes received
Handshake: 182 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: mail.macleandata.co.uk
Server certificate subject: C=GB, S=Midlands, L=Leicestershire, O=Maclean Data, OU=IT, CN=mail.macleandata.co.uk
Server certificate issuer: C=US, CN=mail.macleandata.co.uk
Server certificate validity: From 1/19/2005 8:52:59 AM To 1/19/2007 8:52:59 AM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: 301 bytes of encrypted data received
Status:
HTTP/1.1 401 Access Denied
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Thu, 20 Jan 2005 13:42:33 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="127.0.0.1"
Content-Length: 24
Content-Type: text/html
HTTPS: server disconnected
Error: Access is Denied.
Final handshake: 23 bytes sent successfully


- - - - - - - - END - - - - - - - - -

"Ken Schaefer" wrote:

> Using the IIS Logfiles, verify that the requests are going to the correct
> site.
> Also, if you are using IIS6, you should be able to see the HTTP substatus
> code in the logfile entry. Please post that so we can see why you are
> getting an Access Denied.
>
> Lastly, you can use SSLDiag to troubleshoot the SSL issues:
> http://www.microsoft.com/downloads/...&displaylang=en
>
> Cheers
> Ken
>
>
> "Raven" <Raven@discussions.microsoft.com> wrote in message
> news:3BB267E8-A2B7-4169-A680-01A240E6064E@microsoft.com...
>
>
>

Raven

2005-01-20, 5:57 pm

The IIS log files only had the following reference

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-20 13:35:48
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-01-20 13:35:48 192.168.16.2 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2005-01-20 13:42:33 127.0.0.1 - 127.0.0.1 443 GET / - 401 SSLDiag
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-20 13:50:11
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-01-20 13:50:11 192.168.16.13 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
2005-01-20 13:56:19 192.168.16.2 - 192.168.16.2 80 GET /CertEnroll/Maclean.crl - 404 CryptRetrieveObjectByUrl::InetSchemeProvider
2005-01-20 13:59:11 192.168.16.13 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)

I then ran the SSL diagnostics and went for a simulated handshake. This
generated

System time: Thu, 20 Jan 2005 13:42:33 GMT
Connecting to 127.0.0.1:443
Connected
Handshake: 108 bytes sent
Handshake: 1415 bytes received
Handshake: 182 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: mail.macleandata.co.uk
Server certificate subject: C=GB, S=Midlands, L=Leicestershire, O=Maclean Data, OU=IT, CN=mail.macleandata.co.uk
Server certificate issuer: C=US, CN=mail.macleandata.co.uk
Server certificate validity: From 1/19/2005 8:52:59 AM To 1/19/2007 8:52:59 AM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: 301 bytes of encrypted data received
Status:
HTTP/1.1 401 Access Denied
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Thu, 20 Jan 2005 13:42:33 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="127.0.0.1"
Content-Length: 24
Content-Type: text/html
HTTPS: server disconnected
Error: Access is Denied.
Final handshake: 23 bytes sent successfully

Is this of any use because it means very little to me

"Ken Schaefer" wrote:

> Using the IIS Logfiles, verify that the requests are going to the correct
> site.
> Also, if you are using IIS6, you should be able to see the HTTP substatus
> code in the logfile entry. Please post that so we can see why you are
> getting an Access Denied.
>
> Lastly, you can use SSLDiag to troubleshoot the SSL issues:
> http://www.microsoft.com/downloads/...&displaylang=en
>
> Cheers
> Ken
>
>
> "Raven" <Raven@discussions.microsoft.com> wrote in message
> news:3BB267E8-A2B7-4169-A680-01A240E6064E@microsoft.com...
>
>
>
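
The check Ken asks for (which port and URL the requests actually reach, and with what status) can be run mechanically over a log like the one posted above. This is an added example, not part of the original thread or any poster's code: it reads the W3C extended format through its #Fields directive and tallies the posted entries; the function names and the loopback set are assumptions of the example.

```python
from collections import Counter

# The entries posted in the thread, with the mail-wrapped lines rejoined.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-01-20 13:35:48 192.168.16.2 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2005-01-20 13:42:33 127.0.0.1 - 127.0.0.1 443 GET / - 401 SSLDiag
2005-01-20 13:50:11 192.168.16.13 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
2005-01-20 13:56:19 192.168.16.2 - 192.168.16.2 80 GET /CertEnroll/Maclean.crl - 404 CryptRetrieveObjectByUrl::InetSchemeProvider
2005-01-20 13:59:11 192.168.16.13 - 192.168.16.2 80 GET /exchange - 403 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+1.0.3705)
"""

LOOPBACK = {"127.0.0.1", "::1"}  # assumption: local diagnostic tools connect from here


def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            # A wrapped or truncated entry would misalign columns; skip it.
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def summarize(text):
    """Tally entries by (port, URI, status) and list non-local HTTPS requests."""
    entries = list(parse_w3c(text))
    counts = Counter((e["s-port"], e["cs-uri-stem"], e["sc-status"]) for e in entries)
    remote_https = [e for e in entries
                    if e["s-port"] == "443" and e["c-ip"] not in LOOPBACK]
    return {"entries": len(entries), "counts": counts,
            "remote_https": remote_https,
            "substatus_logged": any("sc-substatus" in e for e in entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (port, uri, status), n in sorted(report["counts"].items()):
        print(f"port {port:>3}  {status}  x{n}  {uri}")
    print("non-local requests on 443:", len(report["remote_https"]))
    print("sc-substatus logged:", report["substatus_logged"])
```

On the posted entries this reports three 403s for /exchange on port 80, one 404 for the CRL, and a single port-443 request, the SSLDiag probe from 127.0.0.1. The #Fields line has no sc-substatus column, so the 403 cannot be refined further from this log.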


Copyright 2003 - 2008 webservertalk.com