For whatever reason, at some point in the life of your server you will need to increase the default logging level.
To start with, if you have come from Exchange 2003 you may be in for a bit of a surprise in that this is not set anywhere in the GUI. Those of you who have been using Exchange 2007 for a while will probably not be overly surprised by this :)
OK, to start with let's have a look at which areas we can change the logging levels for and what they are set to initially.
To do this open the EMS and type
Get-EventLogLevel
Which will produce the following output
Identity EventLevel
-------- ----------
MSExchange ActiveSync\Requests Lowest
MSExchange ActiveSync\Configuration Lowest
MSExchange Antispam\General Lowest
MSExchange Assistants\Assistants Lowest
MSExchange Autodiscover\Core Lowest
MSExchange Autodiscover\Web Lowest
MSExchange Autodiscover\Provider Lowest
MSExchange Availability\Availability Service Lowest
MSExchange Availability\Availability Service General Lowest
MSExchange Availability\Availability Service Authentication Lowest
MSExchange Availability\Availability Service Authorization Lowest
MSExchange Cluster\Move Lowest
MSExchange Cluster\Upgrade Lowest
MSExchange Cluster\Action Lowest
MSExchange Common\General Lowest
MSExchange Common\Configuration Lowest
MSExchange Common\Logging Lowest
MSExchange Extensibility\Transport Address Book Lowest
MSExchange Extensibility\MExRuntime Lowest
MSExchange EdgeSync\Synchronization Lowest
MSExchange EdgeSync\Topology Lowest
MSExchange EdgeSync\SyncNow Lowest
MSExchange TransportService\TransportService Lowest
MSExchange Web Services\Core Lowest
MSExchange IMAP4\General Lowest
MSExchange Messaging Policies\Journaling Lowest
MSExchange Messaging Policies\AttachFilter Lowest
MSExchange Messaging Policies\AddressRewrite Lowest
MSExchange Messaging Policies\Rules Lowest
MSExchange Messaging Policies\Prelicensing Lowest
MSExchange Anti-spam Update\HygieneUpdate Lowest
MSExchange Management Application\Shell Lowest
MSExchange Management Application\Console Lowest
MSExchange OWA\FormsRegistry Lowest
MSExchange OWA\Core Lowest
MSExchange OWA\Configuration Lowest
MSExchange OWA\Themes Lowest
MSExchange OWA\SmallIcons Lowest
MSExchange OWA\Proxy Lowest
MSExchange OWA\Transcoding Lowest
MSExchange OWA\ADNotifications Lowest
MSExchange POP3\General Lowest
MSExchange Process Manager\ProcessManager Lowest
MSExchange Repl\Service Lowest
MSExchange Repl\Exchange VSS Writer Lowest
MSExchange Search Indexer\General Lowest
MSExchange Search Indexer\Configuration Lowest
MSExchange Store Driver\General Lowest
MSExchange System Attendant Mailbox\General Lowest
MSExchange Topology\Topology Discovery Lowest
MSExchange ADAccess\General Lowest
MSExchange ADAccess\Cache Lowest
MSExchange ADAccess\Topology Low
MSExchange ADAccess\Configuration Lowest
MSExchange ADAccess\LDAP Lowest
MSExchange ADAccess\Validation Low
MSExchange ADAccess\Recipient Update Service Lowest
MSExchange ADAccess\Site Update Lowest
MSExchangeAL\Ldap Operations Lowest
MSExchangeAL\Service Control Lowest
MSExchangeAL\Attribute Mapping Lowest
MSExchangeAL\Account Management Lowest
MSExchangeAL\Address List Synchronization Lowest
MSExchangeIS\9000 Private\Transport General Lowest
MSExchangeIS\9000 Private\General Lowest
MSExchangeIS\9000 Private\Transport Sending Lowest
MSExchangeIS\9000 Private\Transport Delivering Lowest
MSExchangeIS\9000 Private\Transfer Into Gateway Lowest
MSExchangeIS\9000 Private\Transfer Out Of Gateway Lowest
MSExchangeIS\9000 Private\MTA Connections Lowest
MSExchangeIS\9000 Private\Logons Lowest
MSExchangeIS\9000 Private\Access Control Lowest
MSExchangeIS\9000 Private\Send On Behalf Of Lowest
MSExchangeIS\9000 Private\Send As Lowest
MSExchangeIS\9000 Private\Rules Lowest
MSExchangeIS\9000 Private\Storage Limits Lowest
MSExchangeIS\9000 Private\Background Cleanup Lowest
MSExchangeIS\9000 Private\DS Synchronization Lowest
MSExchangeIS\9000 Private\Views Lowest
MSExchangeIS\9000 Private\Download Lowest
MSExchangeIS\9000 Private\Local Replication Lowest
MSExchangeIS\9000 Private\Folder Access Lowest
MSExchangeIS\9000 Private\Message Access Lowest
MSExchangeIS\9000 Private\Extended Send As Lowest
MSExchangeIS\9000 Private\Extended Send On Behalf Of Lowest
MSExchangeIS\9001 Public\Transport General Lowest
MSExchangeIS\9001 Public\General Lowest
MSExchangeIS\9001 Public\Replication DS Updates Lowest
MSExchangeIS\9001 Public\Replication Incoming Messages Lowest
MSExchangeIS\9001 Public\Replication Outgoing Messages Lowest
MSExchangeIS\9001 Public\Replication NDRs Lowest
MSExchangeIS\9001 Public\Transport Sending Lowest
MSExchangeIS\9001 Public\Transport Delivering Lowest
MSExchangeIS\9001 Public\MTA Connections Lowest
MSExchangeIS\9001 Public\Logons Lowest
MSExchangeIS\9001 Public\Access Control Lowest
MSExchangeIS\9001 Public\Send On Behalf Of Lowest
MSExchangeIS\9001 Public\Send As Lowest
MSExchangeIS\9001 Public\Rules Lowest
MSExchangeIS\9001 Public\Storage Limits Lowest
MSExchangeIS\9001 Public\Replication Site Folders Lowest
MSExchangeIS\9001 Public\Replication Expiry Lowest
MSExchangeIS\9001 Public\Replication Conflicts Lowest
MSExchangeIS\9001 Public\Replication Backfill Lowest
MSExchangeIS\9001 Public\Background Cleanup Lowest
MSExchangeIS\9001 Public\Replication Errors Lowest
MSExchangeIS\9001 Public\DS Synchronization Lowest
MSExchangeIS\9001 Public\Views Lowest
MSExchangeIS\9001 Public\Replication General Lowest
MSExchangeIS\9001 Public\Download Lowest
MSExchangeIS\9001 Public\Local Replication Lowest
MSExchangeIS\9002 System\Recovery Lowest
MSExchangeIS\9002 System\General Lowest
MSExchangeIS\9002 System\Connections Lowest
MSExchangeIS\9002 System\Table Cache Lowest
MSExchangeIS\9002 System\Content Engine Lowest
MSExchangeIS\9002 System\Performance Monitor Lowest
MSExchangeIS\9002 System\Move Mailbox Lowest
MSExchangeIS\9002 System\Download Lowest
MSExchangeIS\9002 System\Virus Scanning Lowest
MSExchangeIS\9002 System\Exchange Writer Lowest
MSExchangeIS\9002 System\Backup Restore Lowest
MSExchangeIS\9002 System\Client Monitoring Lowest
MSExchangeIS\9002 System\Event History Lowest
MSExchangeIS\9002 System\Database Storage Engine Lowest
MSExchangeMailboxAssistants\Service Lowest
MSExchangeMailboxAssistants\OOF Assistant Lowest
MSExchangeMailboxAssistants\OOF Library Lowest
MSExchangeMailboxAssistants\Resource Booking Attendant Lowest
MSExchangeMailboxAssistants\Email_Lifecycle_Assistant Lowest
MSExchangeMailSubmission\General Lowest
MSExchangeMU\General Lowest
MSExchangeSA\Clean Mailbox Lowest
MSExchangeSA\NSPI Proxy Lowest
MSExchangeSA\RFR Interface Lowest
MSExchangeSA\OAL Generator Lowest
MSExchangeSA\Proxy Generation Lowest
MSExchangeSA\RPC Calls Lowest
MSExchangeSA\RPC-HTTP Management Lowest
MSExchangeTransport\SmtpReceive Lowest
MSExchangeTransport\SmtpSend Lowest
MSExchangeTransport\DSN Lowest
MSExchangeTransport\Routing Lowest
MSExchangeTransport\Logging Lowest
MSExchangeTransport\Components Lowest
MSExchangeTransport\RemoteDelivery Lowest
MSExchangeTransport\Pickup Lowest
MSExchangeTransport\Categorizer Lowest
MSExchangeTransport\PoisonMessage Lowest
MSExchangeTransport\MessageSecurity Lowest
MSExchangeTransport\TransportService Lowest
MSExchangeTransport\Exch50 Lowest
MSExchangeTransport\Process Lowest
MSExchangeTransport\ResourceManager Lowest
MSExchangeTransport\Configuration Lowest
MSExchangeTransport\Storage Lowest
MSExchangeTransport\Agents Lowest
MSExchangeTransport\Transport Address Book Lowest
MSExchangeTransport\Orar Lowest
MSExchangeFDS\General Lowest
MSExchangeFDS\FileReplication Lowest
So as you can see, we can go into some fairly fine detail as to exactly what we want to increase or decrease.
To change the logging level of, say, MSExchangeSA\OAL Generator we would type the following into the EMS
Set-EventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level <Lowest|Low|Medium|High|Expert>
If you want to do a bulk change to, say, all of the Information Store events then here is what you need to type into the EMS
Get-EventLogLevel -Identity "MSExchangeIS\*" | Set-EventLogLevel -Level High
We can see the results of this command below
Identity EventLevel
-------- ----------
MSExchange ActiveSync\Requests Lowest
MSExchange ActiveSync\Configuration Lowest
MSExchange Antispam\General Lowest
MSExchange Assistants\Assistants Lowest
MSExchange Autodiscover\Core Lowest
MSExchange Autodiscover\Web Lowest
MSExchange Autodiscover\Provider Lowest
MSExchange Availability\Availability Service Lowest
MSExchange Availability\Availability Service General Lowest
MSExchange Availability\Availability Service Authentication Lowest
MSExchange Availability\Availability Service Authorization Lowest
MSExchange Cluster\Move Lowest
MSExchange Cluster\Upgrade Lowest
MSExchange Cluster\Action Lowest
MSExchange Common\General Lowest
MSExchange Common\Configuration Lowest
MSExchange Common\Logging Lowest
MSExchange Extensibility\Transport Address Book Lowest
MSExchange Extensibility\MExRuntime Lowest
MSExchange EdgeSync\Synchronization Lowest
MSExchange EdgeSync\Topology Lowest
MSExchange EdgeSync\SyncNow Lowest
MSExchange TransportService\TransportService Lowest
MSExchange Web Services\Core Lowest
MSExchange IMAP4\General Lowest
MSExchange Messaging Policies\Journaling Lowest
MSExchange Messaging Policies\AttachFilter Lowest
MSExchange Messaging Policies\AddressRewrite Lowest
MSExchange Messaging Policies\Rules Lowest
MSExchange Messaging Policies\Prelicensing Lowest
MSExchange Anti-spam Update\HygieneUpdate Lowest
MSExchange Management Application\Shell Lowest
MSExchange Management Application\Console Lowest
MSExchange OWA\FormsRegistry Lowest
MSExchange OWA\Core Lowest
MSExchange OWA\Configuration Lowest
MSExchange OWA\Themes Lowest
MSExchange OWA\SmallIcons Lowest
MSExchange OWA\Proxy Lowest
MSExchange OWA\Transcoding Lowest
MSExchange OWA\ADNotifications Lowest
MSExchange POP3\General Lowest
MSExchange Process Manager\ProcessManager Lowest
MSExchange Repl\Service Lowest
MSExchange Repl\Exchange VSS Writer Lowest
MSExchange Search Indexer\General Lowest
MSExchange Search Indexer\Configuration Lowest
MSExchange Store Driver\General Lowest
MSExchange System Attendant Mailbox\General Lowest
MSExchange Topology\Topology Discovery Lowest
MSExchange ADAccess\General Lowest
MSExchange ADAccess\Cache Lowest
MSExchange ADAccess\Topology Low
MSExchange ADAccess\Configuration Lowest
MSExchange ADAccess\LDAP Lowest
MSExchange ADAccess\Validation Low
MSExchange ADAccess\Recipient Update Service Lowest
MSExchange ADAccess\Site Update Lowest
MSExchangeAL\Ldap Operations Lowest
MSExchangeAL\Service Control Lowest
MSExchangeAL\Attribute Mapping Lowest
MSExchangeAL\Account Management Lowest
MSExchangeAL\Address List Synchronization Lowest
MSExchangeIS\9000 Private\Transport General High
MSExchangeIS\9000 Private\General High
MSExchangeIS\9000 Private\Transport Sending High
MSExchangeIS\9000 Private\Transport Delivering High
MSExchangeIS\9000 Private\Transfer Into Gateway High
MSExchangeIS\9000 Private\Transfer Out Of Gateway High
MSExchangeIS\9000 Private\MTA Connections High
MSExchangeIS\9000 Private\Logons High
MSExchangeIS\9000 Private\Access Control High
MSExchangeIS\9000 Private\Send On Behalf Of High
MSExchangeIS\9000 Private\Send As High
MSExchangeIS\9000 Private\Rules High
MSExchangeIS\9000 Private\Storage Limits High
MSExchangeIS\9000 Private\Background Cleanup High
MSExchangeIS\9000 Private\DS Synchronization High
MSExchangeIS\9000 Private\Views High
MSExchangeIS\9000 Private\Download High
MSExchangeIS\9000 Private\Local Replication High
MSExchangeIS\9000 Private\Folder Access High
MSExchangeIS\9000 Private\Message Access High
MSExchangeIS\9000 Private\Extended Send As High
MSExchangeIS\9000 Private\Extended Send On Behalf Of High
MSExchangeIS\9001 Public\Transport General High
MSExchangeIS\9001 Public\General High
MSExchangeIS\9001 Public\Replication DS Updates High
MSExchangeIS\9001 Public\Replication Incoming Messages High
MSExchangeIS\9001 Public\Replication Outgoing Messages High
MSExchangeIS\9001 Public\Replication NDRs High
MSExchangeIS\9001 Public\Transport Sending High
MSExchangeIS\9001 Public\Transport Delivering High
MSExchangeIS\9001 Public\MTA Connections High
MSExchangeIS\9001 Public\Logons High
MSExchangeIS\9001 Public\Access Control High
MSExchangeIS\9001 Public\Send On Behalf Of High
MSExchangeIS\9001 Public\Send As High
MSExchangeIS\9001 Public\Rules High
MSExchangeIS\9001 Public\Storage Limits High
MSExchangeIS\9001 Public\Replication Site Folders High
MSExchangeIS\9001 Public\Replication Expiry High
MSExchangeIS\9001 Public\Replication Conflicts High
MSExchangeIS\9001 Public\Replication Backfill High
MSExchangeIS\9001 Public\Background Cleanup High
MSExchangeIS\9001 Public\Replication Errors High
MSExchangeIS\9001 Public\DS Synchronization High
MSExchangeIS\9001 Public\Views High
MSExchangeIS\9001 Public\Replication General High
MSExchangeIS\9001 Public\Download High
MSExchangeIS\9001 Public\Local Replication High
MSExchangeIS\9002 System\Recovery High
MSExchangeIS\9002 System\General High
MSExchangeIS\9002 System\Connections High
MSExchangeIS\9002 System\Table Cache High
MSExchangeIS\9002 System\Content Engine High
MSExchangeIS\9002 System\Performance Monitor High
MSExchangeIS\9002 System\Move Mailbox High
MSExchangeIS\9002 System\Download High
MSExchangeIS\9002 System\Virus Scanning High
MSExchangeIS\9002 System\Exchange Writer High
MSExchangeIS\9002 System\Backup Restore High
MSExchangeIS\9002 System\Client Monitoring High
MSExchangeIS\9002 System\Event History High
MSExchangeIS\9002 System\Database Storage Engine High
MSExchangeMailboxAssistants\Service Lowest
MSExchangeMailboxAssistants\OOF Assistant Lowest
MSExchangeMailboxAssistants\OOF Library Lowest
MSExchangeMailboxAssistants\Resource Booking Attendant Lowest
MSExchangeMailboxAssistants\Email_Lifecycle_Assistant Lowest
MSExchangeMailSubmission\General Lowest
MSExchangeMU\General Lowest
MSExchangeSA\Clean Mailbox Lowest
MSExchangeSA\NSPI Proxy Lowest
MSExchangeSA\RFR Interface Lowest
MSExchangeSA\OAL Generator Lowest
MSExchangeSA\Proxy Generation Lowest
MSExchangeSA\RPC Calls Lowest
MSExchangeSA\RPC-HTTP Management Lowest
MSExchangeTransport\SmtpReceive Lowest
MSExchangeTransport\SmtpSend Lowest
MSExchangeTransport\DSN Lowest
MSExchangeTransport\Routing Lowest
MSExchangeTransport\Logging Lowest
MSExchangeTransport\Components Lowest
MSExchangeTransport\RemoteDelivery Lowest
MSExchangeTransport\Pickup Lowest
MSExchangeTransport\Categorizer Lowest
MSExchangeTransport\PoisonMessage Lowest
MSExchangeTransport\MessageSecurity Lowest
MSExchangeTransport\TransportService Lowest
MSExchangeTransport\Exch50 Lowest
MSExchangeTransport\Process Lowest
MSExchangeTransport\ResourceManager Lowest
MSExchangeTransport\Configuration Lowest
MSExchangeTransport\Storage Lowest
MSExchangeTransport\Agents Lowest
MSExchangeTransport\Transport Address Book Lowest
MSExchangeTransport\Orar Lowest
MSExchangeFDS\General Lowest
MSExchangeFDS\FileReplication Lowest
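Raised levels are usually wanted only for a troubleshooting window, and High or Expert on a whole service fills the Application log quickly, so it pays to record the baseline first and put it back afterwards. The script below is an added example, not part of the original post; it assumes the Exchange 2007 Management Shell and the CSV path is a placeholder of ours.

```powershell
# Added example (not from the original post): raise Information Store logging for a
# troubleshooting window while keeping a baseline so every category can be restored.
# Assumes the Exchange 2007 Management Shell; the CSV path is a placeholder.
$baselinePath = 'C:\Temp\EventLogLevel-baseline.csv'

# 1. Record every category's current level as plain strings before touching anything
Get-EventLogLevel |
    Select-Object @{n='Identity';   e={ "$($_.Identity)" }},
                  @{n='EventLevel'; e={ "$($_.EventLevel)" }} |
    Export-Csv -Path $baselinePath -NoTypeInformation

# 2. Bulk change, as in the post: all MSExchangeIS categories to High
Get-EventLogLevel -Identity 'MSExchangeIS\*' | Set-EventLogLevel -Level High

# 3. Show exactly which categories now differ from the recorded baseline
$baseline = @{}
Import-Csv $baselinePath | ForEach-Object { $baseline[$_.Identity] = $_.EventLevel }
Get-EventLogLevel | Where-Object {
    $baseline["$($_.Identity)"] -ne "$($_.EventLevel)"
} | Format-Table Identity, EventLevel -AutoSize

# ... reproduce the problem and collect the events from the Application log here ...

# 4. Restore: set each category back to the level recorded in step 1
Import-Csv $baselinePath | ForEach-Object {
    Set-EventLogLevel -Identity $_.Identity -Level $_.EventLevel
}
```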
Wednesday, September 30, 2009
Friday, September 25, 2009
Certificates in Exchange Pt. 2
In the last article I spoke about how to generate and apply a 3rd party certificate to your Exchange server.
This time I will be talking about how to get around some of the more common issues that I have seen with certificates and Exchange 2007. I'll do this as a bit of an FAQ as it is easier for me to organise it that way.
Q: When Outlook 2007 starts I get a certificate mismatch error
A: The cause of this is that the AutoDiscover URL is pointing to an address that does not match the certificate that you have on your CAS server.
The solution for this is fairly simple.
First you need to create a new forward lookup zone in DNS for the domain name on the certificate (this is usually the external address), e.g. exchangelabs.com.au.
You then need to create an A record for the common name on the certificate, e.g. mail if your certificate name is mail.exchangelabs.com.au, and point it to the internal IP of your CAS server.
After that, in PowerShell on the CAS server type the following
Set-ClientAccessServer -Identity <ClientAccessServerIdParameter> -AutoDiscoverServiceInternalUri https://mail.exchangelabs.com.au/
There may be other entries that need to be added to this new forward lookup zone in DNS as well; specifically, if your company web site resolves externally you will need to add an A record for www pointing to the external address.
Q: My certificate has expired, how do I renew it?
A: Basically you need to create a new request and get a new certificate. If it is the self-signed one then you can do the following in the EMS
Get-ExchangeCertificate
Copy the thumbprint of the self-signed certificate that has expired or is about to expire. Then type the following
Get-ExchangeCertificate -thumbprint "<insert thumbprint>" | New-ExchangeCertificate
Q: My phone is giving me a certificate error when I try to connect through ActiveSync
A: Have a look at the previous post I made, here, and see if the certificate is in the root store by default. If it's not then have a read of these articles, as they describe in detail how to export the certificate on the server and then import it on the phone:
http://support.microsoft.com/kb/915840 and http://www.jacco2.dds.nl/networking/windowsmobile-certinstall.html
Q: I use a wildcard certificate and Outlook Anywhere is giving me certificate errors
A: OK, what you need to do is set the "Only connect to proxy servers that have this principal name in their certificate" value to msstd:*.exchangelabs.com.au. You will need to use the Exchange Management Shell cmdlet Set-OutlookProvider to configure these global settings for the AutoDiscover service.
The code for this is
Get-OutlookProvider EXPR | Set-OutlookProvider -CertPrincipalName msstd:*.exchangelabs.com.au
Get-OutlookProvider WEB | Set-OutlookProvider -CertPrincipalName msstd:*.exchangelabs.com.au
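The mismatch and wildcard questions above both come down to one check: does a certificate that is enabled for IIS on the CAS actually cover the host name in the AutoDiscover URI, and does that name resolve on the internal network? The script below is an added example, not code from the original post; it assumes the Exchange 2007 Management Shell with PowerShell 2.0 or later, running on the CAS, and the 30-day expiry window at the end is our choice.

```powershell
# Added example (not from the original post): verify on a CAS that the AutoDiscover
# internal URI host name is covered by a certificate enabled for IIS (wildcards
# included), that the name resolves internally, and flag certificates near expiry.
# Assumes the Exchange 2007 Management Shell (PowerShell 2.0+) on the CAS itself.
$cas      = Get-ClientAccessServer -Identity $env:COMPUTERNAME
$hostName = ([Uri]$cas.AutoDiscoverServiceInternalUri).Host
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })

# Does the certificate's name list cover $name? A wildcard matches one DNS label only,
# which is why msstd:*.exchangelabs.com.au covers mail.exchangelabs.com.au but not
# a.b.exchangelabs.com.au.
function Test-NameCovered([string]$name, $cert) {
    foreach ($d in $cert.CertificateDomains) {
        $pattern = '^' + [regex]::Escape("$d").Replace('\*', '[^.]+') + '$'
        if ($name -match $pattern) { return $true }
    }
    return $false
}

$covered = @($iisCerts | Where-Object { Test-NameCovered $hostName $_ })
if ($covered.Count -gt 0) {
    "OK: $hostName is covered by certificate $($covered[0].Thumbprint)"
} else {
    "MISMATCH: no IIS-enabled certificate covers $hostName; Outlook will report a name mismatch"
    "Names on the enabled certificates: " +
        (($iisCerts | ForEach-Object { $_.CertificateDomains }) -join ', ')
}

# Split DNS from the answer above: the name must resolve on the internal network
try {
    $ips = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
    "$hostName resolves to: $($ips -join ', ')"
} catch {
    "WARNING: $hostName does not resolve; create the forward lookup zone and A record"
}

# Expiry: anything enabled for IIS that expires within 30 days needs a new request now
$iisCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } | ForEach-Object {
    "EXPIRING: $($_.Thumbprint) ($($_.CertificateDomains -join ', ')) on $($_.NotAfter)"
}
```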
Certificates in Exchange 2007 Pt 1.
There are many uses for certificates in Exchange 2007 and many ways that they will make you want to pull all of your hair out and run screaming to your mother. OK that might be a little melodramatic but they can be a source of frustration.
I am going to start with generating a certificate from a 3rd party CA, like Thawte or VeriSign or whoever you choose to provide your certificates. You don't need to use an external CA, but for now I will stay with the external CA and cover internal CAs and the relevant PKI infrastructure later.
Why do I need a 3rd party certificate for my Exchange server?
Well, the short answer is that you don't actually need one. When you install Exchange 2007 the installation process creates a self-signed certificate that is associated with all of the Exchange Web Services (EWS) so that services like OWA, TLS, secure POP and IMAP can all be used. The issue with using this self-signed certificate is that the computer connecting to your Exchange server needs to have this certificate as a trusted root certificate. If not, services like OWA will display an error in Internet Explorer when you connect, looking a little something like this
The next issue is with mobile devices that try to connect through ActiveSync. Some of these devices will allow you to connect after an initial certificate error; the iPhone, I know, will do this. Windows Mobile devices are a little more picky about certificates and require that this certificate be exported and then imported into the Trusted Root Certificate Store on the device. Now, as much fun as going to every user and installing a certificate on their mobile device sounds, I find that a 3rd party certificate will save you a significant amount of time and frustration. If you do need to go down this path for whatever reason then this MS support article may assist you in your endeavours (http://support.microsoft.com/kb/915840), as may this one (http://www.jacco2.dds.nl/networking/windowsmobile-certinstall.html).
Before deciding on the CA that you will use for your server please think about what services will be used.
If it will purely be for OWA you will probably be able to get away with using a certificate from some of the newer and possibly cheaper CAs.
If you are planning on letting your users connect using ActiveSync through a Windows Mobile device then have a look at the root CAs that are in each version of Windows Mobile's Root Certificate Store here:
Root CA | Windows Mobile 5.0* | Windows Mobile 6
Class 2 Public Primary Certificate Authority (VeriSign, Inc.) | X | X
Class 3 Public Primary Certificate Authority (VeriSign, Inc.) | X | X
Entrust.net Certificate Authority (2048) | X | X
Entrust.net Secure Server Certificate Authority | X | X
Equifax Secure Certificate Authority | X | X
GlobalSign Root CA | X | X
GTE CyberTrust Global Root | X | X
GTE CyberTrust Root | X | X
Secure Server Certificate Authority (RSA) | X | X
Thawte Premium Server CA | X | X
Thawte Server CA | X | X
http://www.valicert.com (used by GoDaddy.com) | X | X
Starfield Class 2 Certificate Authority | X |
Go Daddy Class 2 Certificate Authority | X |
GeoTrust Global CA | X |
Baltimore CyberTrust Root | X |
AddTrust External CA Root | X |
AAA Certificate Services | X |
*Windows Mobile 5.0 with Messaging and Security Feature Pack (MSFP).
I pulled this table from a Microsoft white paper you can find here. There is a lot of information on certificate use on Windows Mobile 5 and 6 when connecting to either Exchange 2003 or Exchange 2007.
So once you have made the decision on which CA you will get your certificate from, how do you generate a request? There are two ways. Before going any further it is key to note that the Client Access Server role is the one that takes care of all web services and as such should be the server that the requests are generated from and the certificate installed on, unless you have ISA and plan on publishing Exchange's web services through that, in which case the certificate should be installed on the ISA server.
In IIS; the steps below are for Windows 2003, with the Windows 2008 steps following after.
1) Open IIS Manager
2) Create a new web site
3) Click Next
4) Give the new site a meaningful name then click next
5) Assign an unused port to the address
6) Select a path for the new site – it is not important where this points to as no data will be stored or written to this directory
7) Click Next
8) Click Finish
9) Right click on the newly created web site
10) Click Directory Security tab
11) Click Server Certificate
12) The new Certificate Wizard will start
13) Click Create New Certificate Request
14) Click Next
15) Click Create a new certificate. Click Next
16) Click Prepare the request now, but send later
17) Click Next
18) Fill in the relevant details and click next
19) Type in the name that will appear on the certificate
20) Fill in correct location information
21) Save the text file in a place that you can find it.
22) Open the text file and copy all contents.
23) Submit this information to your chosen CA
Once you have the response from your CA follow these instructions
1) Right click on the web site that was created to generate the certificate request.
2) Click Properties
3) Click Directory Security tab
4) Click Server Certificate
5) Click Process the pending request and install the certificate
6) Find the file supplied by the CA
7) Complete the wizard
8) Right click on the default web site (or which ever web site the EWS live in)
9) Click Directory Security tab
10) Click Server Certificates
11) Click Next at the Wizard splash screen
12) Click Replace Current Certificate, click next
13) Select the certificate that you want to use, click next
14) Click next to confirm then finish to complete the wizard
Type in the PowerShell commands found in steps 6-9 of the Windows 2008 instructions below.
In Windows 2008
1) Open IIS Manager
2) Double Click on Server Certificates located by clicking on the server name in IIS
3) Click Create Certificate Request
4) Fill in all relevant details that are needed on the certificate
5) Leave the default options and click next
6) Specify a location for the certificate request to be saved
Once you have the response from your CA follow these instructions
1) Open IIS manager again and navigate to Server Certificates
2) Click Complete Certificate request
3) Browse to the file supplied by your chosen CA
4) Give the certificate a meaningful name
5) Click Next
6) Open Exchange Management Shell
7) Type the following
Get-ExchangeCertificate
8) Copy and paste the thumbprint from the certificate that you wish to use
9) Type in the following
Enable-ExchangeCertificate -Thumbprint <insert thumbprint here> -Services SMTP,POP,IIS,IMAP
Accept any prompts about replacing certificates for services.
Creating the certificate request using Exchange and Powershell.
1) Type the following
New-ExchangeCertificate -DomainName owa.exchangelabs.com.au, autodiscover.exchangelabs.com.au -FriendlyName ExchangeCertificate -GenerateRequest:$True -Keysize 1024 -path c:\certreq.txt -privatekeyExportable:$true -subjectName "c=au, o=Exchange Labs, CN=exchangelabs.com.au" -IncludeAutoDiscover
Now you may notice something a little different in the shell command above: I have included multiple domain names. These are commonly known as Subject Alternative Names, or SANs. They are used so that the same certificate covers different domain names. You can have as many as you like on your certificate, but be aware that your CA may charge more for SAN certificates and for the number of domain names listed on the certificate.
2) Once you get your file back from your CA, type the following into the EMS
Import-ExchangeCertificate -Path c:\certificates\newcert.cer | Enable-ExchangeCertificate -Services SMTP,IIS,POP,IMAP
Well, that's it for part one.
Part 2 will be how to troubleshoot some common issues with certificates and some tricks around AutoDiscover.
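The request in the PowerShell method above hard-codes two names; most name-mismatch problems come from a URL that was configured on the CAS but never made it onto the certificate. The script below is an added example, not code from the original post: it reads every client-facing URL this CAS is configured with, builds the SAN list from those, and generates one request with the same cmdlet. It assumes the Exchange 2007 SP1 Management Shell on the CAS; the accepted domain, organisation and output path are placeholders of ours.

```powershell
# Added example (not from the original post): build the SAN list from the URLs this
# CAS is actually configured with, then generate one request covering all of them so
# no client sees a name mismatch. Assumes the Exchange 2007 SP1 Management Shell on
# the CAS; the accepted domain, organisation and output path are placeholders.
$server        = $env:COMPUTERNAME
$primaryDomain = 'exchangelabs.com.au'        # placeholder: your accepted domain
$requestPath   = "C:\certreq\$server.req"     # placeholder output path

# Every client-facing URL configured on this server (internal and external)
$urls = @()
foreach ($vd in @(Get-OwaVirtualDirectory -Server $server) +
                @(Get-WebServicesVirtualDirectory -Server $server) +
                @(Get-ActiveSyncVirtualDirectory -Server $server) +
                @(Get-OabVirtualDirectory -Server $server)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri

# Reduce to unique host names and add the name Outlook looks up for Autodiscover
$sanList = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host.ToLower() })
$sanList += "autodiscover.$primaryDomain"
$sanList = @($sanList | Sort-Object -Unique)

"Names that will go on the request:"
$sanList | ForEach-Object { "  $_" }

# Same cmdlet as the post, with a 2048-bit key rather than 1024; the CN is the first
# SAN entry so that the subject name is itself covered by the certificate.
New-ExchangeCertificate -GenerateRequest -DomainName $sanList `
    -SubjectName "c=au, o=Exchange Labs, cn=$($sanList[0])" `
    -FriendlyName "Exchange SAN $(Get-Date -Format yyyy-MM-dd)" `
    -PrivateKeyExportable:$true -KeySize 2048 -Path $requestPath

"Request written to $requestPath; submit its contents to the CA, then import the reply with Import-ExchangeCertificate."
```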