OWA - following new self signed certificate, access by server name works, but via public address gives 'access is denied'

mf111
Hi,

At the end of last year, I went through the procedure outlined here http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html to renew the certificate.

I noticed after this that when attempting to log into OWA via the public address https://www.domain.com/exchange the login page appears fine, however when you type your credentials and click login, it displays a server error page with the error "403 forbidden access is denied" and "You do not have permission to view this directory or page using the credentials that you supplied."

Accessing from the internal address https://server/exchange allows login and works fine.

I notice that the certificate used from the external link is different from the one used through the internal one. The internal one is the new self-signed cert, and the external one is the web server ssl certificate which I don't believe it should be (the web server is completely separate from the exchange server). This may be a red herring.

Anyway, is there something I have missed that needs to be done for the OWA to use the new certificate? The site is published through ISA 2006, so that could be another factor I have not addressed as yet.

Regards,
Martin

 
AndyD_ [MVP]

Assuming everything is correct on the Exchange side (you mentioned it works connecting directly to the Exchange Server; note that you should be accessing it via https://server/owa since this is Exchange 2007),
be sure to follow the ISA steps as well:

http://technet.microsoft.com/en-us/library/bb794751.aspx
Publishing Exchange Server 2007 with ISA Server 2006

http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html
Publishing Exchange 2007 OWA with ISA Server 2006

There are also ISA forums if you have questions about that:
http://social.technet.microsoft.com/Forums/en/category/forefrontedgesecurity

 
mf111
Thanks for the links Andy.

Just a bit more background on the problem. There already exists an OWA rule in ISA, and this was working fine prior to the certificate renewal.

I'm not sure if creating the self signed certificate was the wrong thing to do in this environment, and have had very little experience with certificates.

As I see it, there are 4 areas which may be investigated:
1) Exchange Server OWA settings
2) Exchange Server certificate settings
3) IIS settings on the Exchange Server
4) ISA publishing rule

The only thing to change between when it worked, and when it stopped working, was 2), which was the self-signed certificate on Exchange.

At that time (and is still the case) ISA had an OWA publishing rule which used a listener which used the main 3rd party ssl certificate used for the web server.

Currently, the OWA login page comes up fine and only after logging in does it throw the error.

This makes me a bit uneasy about changing anything for fear of breaking stuff which is not causing the problem.

I can see how it would be ISA causing the issue, as when the OWA is accessed directly instead of through the public url, it works fine. At the same time, the ISA rules have not changed, and the webpage for the login comes up fine.... so why would it only fail at the login stage if ISA was the cause?

In the same breath, OWA is working internally, so this would indicate that Exchange and IIS are set up correctly.

Based on this info, would you suggest I target the OWA web publishing rule, IIS, or Exchange?

Regards,
Martin
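The comparison Martin describes above (which certificate each URL actually presents, and whether it is the self-signed one now bound to IIS) can be done from a workstation with a short PowerShell script. This is an added diagnostic, not code from the thread or from Microsoft; it assumes the hostnames used in the thread ("server" internally, "www.domain.com" through ISA), TCP port 443, and PowerShell 2.0 or later for the script-block-to-delegate cast.

```powershell
# Added example (not from the thread): fetch the certificate presented on each
# URL and compare it with what Exchange has bound to IIS.
# Assumed hostnames/port: "server" (internal), "www.domain.com" (via ISA), 443.

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate: we want to inspect it, not validate it here.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

function Show-CertificateSummary {
    param([string]$Label, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # A certificate whose issuer equals its subject is self-signed.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    "{0}`n  Thumbprint : {1}`n  Subject    : {2}`n  Issuer     : {3}`n  SelfSigned : {4}`n  NotAfter   : {5}" -f `
        $Label, $Cert.Thumbprint, $Cert.Subject, $Cert.Issuer, $selfSigned, $Cert.NotAfter
}

$internal = Get-PresentedCertificate -HostName 'server'
$external = Get-PresentedCertificate -HostName 'www.domain.com'

Show-CertificateSummary -Label 'Internal (https://server/owa)' -Cert $internal
Show-CertificateSummary -Label 'External (https://www.domain.com/owa via ISA)' -Cert $external

if ($internal.Thumbprint -ne $external.Thumbprint) {
    "Different certificates: ISA is terminating SSL on its listener and bridging to Exchange."
}

# On the Exchange server, in the Exchange Management Shell, list what is bound
# to IIS so the internal thumbprint above can be matched to it:
#   Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter
```

Seeing two different thumbprints is expected when ISA publishes OWA with SSL bridging: the external listener presents ISA's third-party certificate, and ISA opens its own SSL connection to Exchange, where it now meets the renewed self-signed certificate. For that hop to succeed, the name ISA uses on the publishing rule's "To" tab must appear in the new certificate's CertificateDomains, and ISA must trust the issuer, which for a self-signed certificate means importing it into the ISA server's Trusted Root Certification Authorities store; the old certificate was trusted, the renewed one is a new key and subject and is not until you import it.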
 