  1. #1
    Join Date: Mar 2010 | Location: Surrey, UK | Posts: 120

    Forefront TMG - external access issues - probably a certificates issue

    When trying to access Exchange web mail from external, after logging in I get the following error reported in the browser:

    Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)

    Running TMG Management Console tests on the OWA firewall policy also indicate similar:

    Destination Server Certificate Error
    0x80090325 - The certificate chain was issued by a certificate authority that was not trusted.

    Following the link reported in the test and actioning to generate a certificate and deploy reported no errors; however, I cannot see the certificate in the AD Certificate server store, nor any mention of certificates in any of the GPOs that I have looked at - the implication is that the certificate is deployed by GPO.

    The instructions that I followed were from here:
    Generating the https certificate
    Deploying the certificate

    Forefront TMG is running in a domain environment so I opted for automatic deployment as is recommended. We have an enterprise root CA.

    The note mentions up to 8 hours for the certificate to propagate, but I have done a GPUPDATE on each machine and also waited a significant number of hours, possibly more than 8, with reboots in between. So it looks like it's not working rather than simply taking time to deploy.

    Any suggestions of debugging this error?

  2. #2
    Join Date: Mar 2010 | Location: Surrey, UK | Posts: 120

    Actually, going back through and redoing the instructions - I'm convinced that I have done something wrong - in Internet Explorer/Tools/Content/Trusted Root Certification Authorities on the servers for Enterprise Root CA, Exchange Server and TMG/Edge Server I can now see a valid certificate for Forefront TMG HTTPS inspection certificate authority, so it looks like it did deploy, but still no joy - same error. Not sure when these appeared as they still have yesterday's generated certificate - didn't generate a fresh one today.

    Do I need to restart anything or will it sort itself out in time?

  3. #3
    DMcCoy
    Join Date: Oct 2005 | Location: Isle of Wight | Posts: 3,386

    You need to see if the certificate for the mail server can be validated by the TMG box. certutil -verify certname.crt and certutil -verify -urlfetch certname.crt will tell you what's going on. If the CRLs are accessible by certutil, you may still have to import them into certificate management manually.

  4. Thanks to DMcCoy from:

    ianh64 (18th June 2010)

  5. #4
    Join Date: Mar 2010 | Location: Surrey, UK | Posts: 120

    Thanks for the info. But, what do I use for the certificate files? As far as I can see, no certificate files were created as everything was auto generated and deployed.

    Do I have to export a certificate? I did do this for the Forefront TMG created one and that validated OK. But from your helpful comment, it looks like it's the Exchange mail server's certificate that I need to be checking and installing on the TMG machine?

    There are a couple of nearly identical (only date/time differs) looking certificates in the 'Other People' tab of the IE certificates view. These are both issued to the server name (sans domain) and issued by the same. Are these what I am after? If so, if it's the right thing to do, how do I get them into the Enterprise Root CA so they can be picked up by other machines? Or do I simply export it, validate it, then copy it to the TMG machine and import? The status of these certificates when looking with IE on the Exchange Server machine is that neither are trusted because they are not in the Trusted Root Certification Authorities store. So it looks like somehow, if they are otherwise the ones that I need, I need to put them in there. If so, do I need both or can I remove the earlier one?

    Unfortunately certificates are not up on my list of knowledge.

    Thanks

  6. #5
    DMcCoy
    Join Date: Oct 2005 | Location: Isle of Wight | Posts: 3,386

    A few things:

    Who is the certificate issued by, internal CA or an external provider?
    If it's internal then you can add the certificate of your CA to the Default Domain Policy, to the trusted authorities.

    You should be able to view the cert details in IE for the mail server if you visit it internally, you can then use the copy to file option to get it as a crt file. This is the file you need to validate on the TMG box.

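The two checks DMcCoy describes in #3 and #5 (validate the mail server's certificate on the TMG box, including CRL fetching, and get the leaf as a .crt/.cer file) can be scripted from the TMG box. The PowerShell below is an added example written for this thread, not code from the thread, from Microsoft or from TMG. It connects to the internal OWA host, captures the certificate the Exchange server presents, builds the chain with online revocation checking (the same work `certutil -verify -urlfetch` does), reports which element of the chain is untrusted or has an unreachable CRL, and exports the leaf as DER so certutil can be run against the same certificate. `$HostName` and `$ExportPath` are placeholder assumptions; replace them with the real OWA host and an export location.

```powershell
# Added example (not from the thread): reproduce on the TMG box the validation TMG
# performs when it publishes OWA, and export the leaf certificate for certutil.
param(
    [string]$HostName   = "mail.example.internal",      # assumption: internal OWA host
    [int]   $Port       = 443,
    [string]$ExportPath = "$env:TEMP\mailserver.cer"    # assumption: where to write the .cer
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends here; the real validation is done below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation for the whole chain: this is what surfaces unreachable CRLs.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Certificate)

    $elements = foreach ($el in $chain.ChainElements) {
        # Is this element already in the machine's Trusted Root store?
        $inRoot = Get-ChildItem Cert:\LocalMachine\Root |
                  Where-Object { $_.Thumbprint -eq $el.Certificate.Thumbprint }
        [pscustomobject]@{
            Subject       = $el.Certificate.Subject
            Issuer        = $el.Certificate.Issuer
            Thumbprint    = $el.Certificate.Thumbprint
            InTrustedRoot = [bool]$inRoot
            Status        = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    [pscustomobject]@{
        Valid       = $valid
        ChainStatus = ($chain.ChainStatus |
                       ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Elements    = $elements
    }
}

$leaf = Get-RemoteCertificate -HostName $HostName -Port $Port
"Server presented: $($leaf.Subject) (issued by $($leaf.Issuer))"

$result = Test-CertificateChain -Certificate $leaf
$result.Elements | Format-Table Subject, Issuer, InTrustedRoot, Status -AutoSize

if ($result.Valid) {
    "Chain builds cleanly on this machine."
}
else {
    "Chain FAILED: $($result.ChainStatus)"
    # UntrustedRoot            -> the issuing CA's certificate is not in Trusted Root
    #                             Certification Authorities on this box (push it by GPO).
    # RevocationStatusUnknown /
    # OfflineRevocation        -> the CRL distribution point named in the certificate
    #                             cannot be fetched from this box.
}

# Export the leaf as DER so 'certutil -verify -urlfetch' runs against the same cert.
[System.IO.File]::WriteAllBytes($ExportPath, $leaf.Export('Cert'))
"Leaf exported to $ExportPath; now run: certutil -verify -urlfetch `"$ExportPath`""
```

Run it on the TMG box, since that is where the chain has to build. The `InTrustedRoot` column tells you immediately whether the top of the chain (the enterprise root CA) is present on that machine; if the root is there but the chain still fails with a revocation status, the problem is the CRL distribution point, which is the case DMcCoy mentions where the CRL has to be imported manually.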
  7. #6
    Join Date: Mar 2010 | Location: Surrey, UK | Posts: 120

    Now I've gone and done it!

    Thanks for assisting.

    I've gone and broken it big time now. As it was a test bed, I decided to delete all certificates that were not issued by the internal CA - Active Directory Certificate Services - Enterprise CA. The aim was to avoid kludging whatever certificate was not in the CA and get a proper one from the outset. Unfortunately, whilst the CA was active, auto enrollment was not so I think at some point, an important certificate got created but not with the correct CA.

    Anyhow, to cut a long story short, IIS on the Exchange Server is not working correctly when using SSL connections. Not sure what I broke, i.e. deleted, so not sure how to reinstate.

    Presumably I need to recreate one of the certificates that handles ssl? But not sure which of the many and many different templates handled this.

    I did roll back the Exchange Server machine using a Hyper-V snapshot to a few days back and that did work, so I know it's the Exchange Server or the IIS on the same machine. But I don't want to revert permanently with this snapshot as it's a few days out of date and I had made quite a few Exchange and SQL Server configuration changes in the interim.

    Any suggestion on tracking down this likely certificate issue with non-functional IIS/SSL?

    Many thanks
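The failure described in #6 (HTTPS on the Exchange/IIS box stops working after certificates were deleted) has a specific signature: HTTP.sys still holds an SSL binding whose certificate hash points at a certificate that no longer exists in the machine store. The PowerShell below is an added example for this thread, not code from the thread or from Microsoft. It parses the output of `netsh http show sslcert` (the binding table IIS uses) and looks each hash up in `Cert:\LocalMachine`, so a binding that references a deleted certificate shows up as `CertificatePresent = False`. No names beyond the netsh output format are assumed.

```powershell
# Added example (not from the thread): find HTTPS bindings whose certificate is gone.
function Get-SslBindingHealth {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        # Each binding block starts with an "IP:port" (or "Hostname:port") line.
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = @{ Binding = $Matches[2]; Hash = $null; Store = 'My' }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            # netsh prints "(null)" when the default (My) store is used.
            if ($Matches[1] -ne '(null)') { $current.Store = $Matches[1] }
        }
    }
    if ($current) { $bindings += $current }

    foreach ($b in $bindings) {
        $cert = Get-ChildItem "Cert:\LocalMachine\$($b.Store)" -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $b.Hash } | Select-Object -First 1
        [pscustomobject]@{
            Binding            = $b.Binding
            Thumbprint         = $b.Hash
            Store              = $b.Store
            CertificatePresent = [bool]$cert
            HasPrivateKey      = if ($cert) { $cert.HasPrivateKey } else { $false }
            Subject            = if ($cert) { $cert.Subject } else { '(binding points at a deleted certificate)' }
            NotAfter           = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

Get-SslBindingHealth | Format-Table -AutoSize
```

A binding with `CertificatePresent = False` is the one that needs a replacement certificate; one with `HasPrivateKey = False` is a certificate that was re-imported without its private key, which breaks HTTPS just as thoroughly. Once a certificate issued by the enterprise CA exists in the `My` store with its private key, re-select it on the site's HTTPS binding in IIS Manager (or with `Enable-ExchangeCertificate -Services IIS` in the Exchange Management Shell, which does the rebinding for Exchange) rather than editing the HTTP.sys table by hand.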
