Are user certs broken when used on a front end server?

Does a front end Exchange 2003 SP2 server support requiring a user
certificate? On the back end server requiring user certs works fine
(but breaks Treo syncing). I therefore set up a front end server and
two virtual servers (one just SSL for Treos and the other for Outlook
Web Access).

If I require a cert on the front end virtual directory I want to use
for Outlook Web Access and try it, IE presents a blank box for the user
certificate (when it should present one of the installed user
certificates). If the back end is configured the same way and a client
connects, their user certs are displayed and work fine.

In each case the same root CA (my own) has been installed and has
issued both the front end server and the back end server their SSL
certs. If I disable mandatory certs on the front end server and just
require SSL everything works fine. Are user certs broken on a front end
server?

-M

matt3983 (3)
5/11/2006 7:32:23 PM

I'm answering my own question. I was able to fix the problem by
importing my root certificate via MMC instead of via IE:

On the Exchange 2003 Front End box open MMC
add the "Certificates" snap-in
select the "Computer Account" radio button
select local computer (click Finish, Close, OK)
Find a copy of the .cer file for your CA (or get another one from
http://certserver/certsrv if you have your own CA set up like I do)
Under Console Root->Certificates->Enterprise Trust right click and
select "All Tasks->Import" and import the .cer file
Open IIS Manager
Right click the virtual directory you would like to require certs for
Under Directory Security->Secure communications click Edit
Click "Require secure channel (SSL)"
Under "Client certificates" click "Require client certificates"
Click "Enable certificate trust list" and click New or edit
Follow the wizard and "add from store"
Select the certificate in the "Enterprise Trust" location
Assign mapping as required

Hope this helps someone,

-M

PS
You can export a user cert from IE to a PKCS12 file that Firefox on
either Windows or Linux can work with.

matt3983 (3)
5/11/2006 8:49:34 PM
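A way to check the two things the fix above depends on, as an added example that is not part of the thread: whether the private CA certificate is present in the computer's stores (which the MMC "Computer Account" import puts it in, and which an import through IE does not) and whether a user's client certificate actually chains to it in the machine context. It assumes the CA subject contains "My Root CA" and that the client certificate sits in the current user's personal store; substitute your own values.

```powershell
# Added example, not from the thread. Assumptions: the private CA's subject
# contains "My Root CA"; the user's client cert is in CurrentUser\My.
$caSubjectPattern = '*CN=My Root CA*'

# 1. Where is the CA certificate installed? IIS builds client-cert chains from
#    the computer's stores, so a copy that only exists under CurrentUser (what an
#    import through IE gives you) does not help the front end server.
#    "Trust" is the Cert: provider's name for the Enterprise Trust store.
$locations = foreach ($loc in 'LocalMachine', 'CurrentUser') {
    foreach ($store in 'Root', 'Trust', 'CA') {
        Get-ChildItem "Cert:\$loc\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $caSubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Location   = "$loc\$store"
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}
$locations | Format-Table -AutoSize
if (-not ($locations | Where-Object Location -like 'LocalMachine\*')) {
    Write-Warning 'CA cert is not in any LocalMachine store; import it with the Certificates snap-in (Computer Account).'
}

# 2. Does a client certificate issued by that CA chain correctly when the chain is
#    built in the machine context, i.e. the way the server will evaluate it?
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like $caSubjectPattern -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $clientCert) { throw 'No client certificate issued by the CA found in CurrentUser\My.' }

# $true selects the machine context so CurrentUser-only trust does not mask the problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA without a reachable CRL; use Online in production
$ok = $chain.Build($clientCert)

"Chain build for '$($clientCert.Subject)': $ok"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    '  {0}  [{1}]' -f $el.Certificate.Subject, $status
}
if (-not $ok) {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Run it on the front end server after the MMC import; the CA should appear under a LocalMachine store and the chain build should report True with no status flags.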
If you enable SSL on the FE server, you must turn off SSL on your BE Server. 
Is it possible this is the cause of what you are seeing?

-- 
Ben Winzenz
Exchange MVP
MessageOne
Read my blog!
http://winzenz.blogspot.com
http://feeds.feedburner.com/winzenz (RSS Feed)


"Matt Ramadanovic" <matt@ramtek.us> wrote in message 
news:1147375943.618472.325150@j73g2000cwa.googlegroups.com...
> Does a front end exchange 2003 SP2 server support requiring a user
> certificate? On the back end server requiring user certs works fine
> (but breaks Treo syncing). I therefore set up a front end server and
> two virtual servers (one just SSL for treos and the other for Outlook
> Web Access).
>
> If I require a cert on the front end virtual directory I want to use
> for Outlook Web Access and try it, IE presents a blank box for the user
> certificate (when it should present one of the installed user
> certificates).  If the backend is configured the same way and a client
> connects, their user certs are displayed and work fine.
>
> In each case the same root CA (my own) has been installed and has
> issued both the front end server and the back end server their SSL
> certs. If I disable mandatory certs on the front end server and just
> require ssl everything works fine. Are user certs broken on a front end
> server?
>
> -M
> 


Ben
5/11/2006 8:53:27 PM
Thanks for writing back. SSL in this case on the back end server was
usable but not required (I have the default.htm file in the wwwroot
directory redirect any clients that forget to type the s to
https://mysever/exchange/). Having people potentially be able to use
the non-SSL link if they are behind two firewalls and a few bridging
routers doesn't bother me too much since they will have to do so
manually (assuming they know it is there) and frankly if they are that
far onto my network they are probably sitting in my chair in my server
room already :-)

My problem was definitely using IE to import my own trusted CA cert
instead of the MMC. I was able to undo everything to recreate the
problem and then fix it as per my self post.

Thanks again,

-M

matt3983 (3)
5/11/2006 9:31:50 PM