Forefront TMG - external access issues - probably a certificates issue
When trying to access Exchange web mail from external, after logging in I get the following error reported in the browser:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
Running TMG Management Console tests on the OWA firewall policy also indicate similar:
Destination Server Certificate Error
0x80090325 - The certificate chain was issued by a certificate authority that was not trusted.
Following the link reported in the test and actioning to generate a certificate and deploy reported no errors; however, I cannot see the certificate in the AD Certificate server store, nor any mention of certificates in any of the GPOs that I have looked at - the implication is that the certificate is deployed by GPO.
Forefront TMG is running in a domain environment so I opted for automatic deployment as is recommended. We have an enterprise root CA.
The note mentions up to 8 hours for the certificate to propagate, but I have done a GPUPDATE on each machine and also waited a significant number of hours, possibly more than 8, with reboots in between. So it looks like it's not working rather than simply taking time to deploy.
Actually, going back through and redoing the instructions - I'm convinced that I have done something wrong - in Internet Explorer/Tools/Content/Trusted Root Certification Authorities on the servers for Enterprise Root CA, Exchange Server and TMG/Edge Server I can now see a valid certificate for the Forefront TMG HTTPS inspection certificate authority, so it looks like it did deploy, but still no joy - same error. Not sure when these appeared as they still have yesterday's generated certificate - I didn't generate a fresh one today.
Do I need to restart anything or will it sort itself out in time?
You need to see if the certificate for the mail server can be validated by the TMG box. certutil -verify certname.crt and certutil -verify -urlfetch certname.crt will tell you what's going on. If the CRLs are accessible by certutil, you may still have to import them into certificate management manually.
Thanks for the info. But, what do I use for the certificate files? As far as I can see, no certificate files were created as everything was auto generated and deployed.
Do I have to export a certificate? I did do this for the Forefront TMG created one and that validated OK. But from your helpful comment, it looks like it's the Exchange mail server's certificate that I need to be checking and installing on the TMG machine?
There are a couple of nearly identical (only date/time differs) looking certificates in the 'Other People' tab of the IE certificates view. These are both issued to the server name (sans domain) and issued by the same. Are these what I am after? If so, if it's the right thing to do, how do I get them into the Enterprise Root CA so they can be picked up by other machines? Or do I simply export it, validate it, then copy it to the TMG machine and import? The status of these certificates when looking with IE on the Exchange Server machine is that neither is trusted because they are not in the Trusted Root Certification Authorities store. So it looks like somehow, if they are otherwise the ones that I need, I need to put them in there. If so, do I need both or can I remove the earlier one?
Unfortunately certificates are not up on my list of knowledge.
Who is the certificate issued by, an internal CA or an external provider?
If it's internal then you can add the certificate of your CA to the Default Domain Policy, under the trusted authorities.
You should be able to view the cert details in IE for the mail server if you visit it internally, you can then use the copy to file option to get it as a crt file. This is the file you need to validate on the TMG box.
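The two replies above describe a manual procedure: get the mail server's certificate as a file, run certutil -verify (with -urlfetch for the CRL side) against it on the TMG box, and, if the issuer is an internal CA, get that CA's certificate into the trusted root stores. The PowerShell script below is an added example that carries out the same steps; it is not code from either reply or from Microsoft. It pulls the certificate straight from the mail server's HTTPS port (equivalent to IE's "Copy to File"), builds the chain on the machine it runs on with online revocation checking, reports which of the usual failure modes applies (root present but untrusted, issuer not found at all, CRL unreachable), optionally adds a self-signed root to LocalMachine\Root, and finally runs certutil -verify -urlfetch on the exported file. The server name (mail.corp.example), the port and the script file name in the usage note are assumptions; every command and .NET type used is standard.

```powershell
# Added example (not from the thread). Run on the TMG server in an elevated PowerShell.
# Assumptions: $MailServer is the internal name of the Exchange server (replace it) and it
# serves HTTPS on $Port. Everything else is standard .NET (X509Chain, SslStream) and certutil.
param(
    [string]$MailServer = "mail.corp.example",   # assumption: your Exchange server's name
    [int]$Port = 443,
    [switch]$InstallRoot                         # also add an untrusted self-signed root to LocalMachine\Root
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    # Open a TLS session and capture the leaf certificate the server presents. The callback
    # returns $true unconditionally so the handshake completes even when the chain is broken:
    # the goal is to obtain the certificate, not to trust it.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
        return $leaf
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation so CRL/OCSP retrieval is exercised, as certutil -urlfetch does; the
    # root itself is excluded because a self-signed root carries no CRL distribution point.
    $chain.ChainPolicy.RevocationMode = "Online"
    $chain.ChainPolicy.RevocationFlag = "ExcludeRoot"
    $null = $chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status.ToString() }) -join ", "
        if (-not $status) { $status = "OK" }
        Write-Host ("  {0}`n      [{1}]" -f $el.Certificate.Subject, $status)
    }
    return $chain
}

$leaf = Get-ServerCertificate -HostName $MailServer -Port $Port
Write-Host ("Server certificate: {0}`n  issued by: {1}" -f $leaf.Subject, $leaf.Issuer)

# Save the leaf as DER so certutil can be run against the same file (this is the .crt file the
# reply asks for; exporting it this way replaces IE's "Copy to File" step).
$cerPath = Join-Path $env:TEMP ("{0}.cer" -f $MailServer)
[System.IO.File]::WriteAllBytes($cerPath, $leaf.Export("Cert"))

Write-Host "Chain as built on this machine:"
$chain = Test-CertificateChain -Cert $leaf
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

if ($flags -contains "UntrustedRoot") {
    # The issuer was found (for example in the CA or Other People store) but is not in the
    # Trusted Root store; this is the 0x80090325 / -2146893019 situation from the post.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host ("Root '{0}' is not in LocalMachine\Root." -f $root.Subject)
    if ($InstallRoot -and $root.Subject -eq $root.Issuer) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
        $store.Open("ReadWrite")
        $store.Add($root)
        $store.Close()
        Write-Host "Added it to LocalMachine\Root; re-checking:"
        $null = Test-CertificateChain -Cert $leaf
    } elseif (-not $InstallRoot) {
        Write-Host "Re-run with -InstallRoot to add it locally, or publish it domain-wide (see note)."
    }
} elseif ($flags -contains "PartialChain") {
    # The issuer certificate is not on this machine at all: export it from the CA first.
    Write-Host "Issuer not found. On the CA run: certutil -ca.cert ca.cer  and import ca.cer into Trusted Root here."
} elseif ($flags -contains "RevocationStatusUnknown" -or $flags -contains "OfflineRevocation") {
    Write-Host "Chain is trusted but a CRL could not be retrieved; check the CDP URLs in the certutil output below."
} elseif ($flags.Count -eq 0) {
    Write-Host "Chain verifies cleanly on this machine."
}

# Second opinion with certutil on the exported file, including CRL/AIA retrieval, which is the
# check the first reply recommends.
& certutil.exe -verify -urlfetch $cerPath
```

Usage: save it as, say, Test-MailServerChain.ps1 (an assumed name) and run .\Test-MailServerChain.ps1 -MailServer exch01.corp.example from an elevated prompt on the TMG server; add -InstallRoot once you have confirmed that the root it reports is your own enterprise root CA and not something unexpected. Adding the root locally fixes only the TMG box; to have every domain member pick it up through the normal autoenrollment/group policy channel, publish the CA certificate file into Active Directory with certutil -dspublish -f ca.cer RootCA (run as an enterprise administrator), which is the automated equivalent of hand-editing the Default Domain Policy as the second reply suggests.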
I've gone and broken it big time now. As it was a test bed, I decided to delete all certificates that were not issued by the internal CA - Active Directory Certificate Services - Enterprise CA. The aim was to avoid kludging whatever certificate was not in the CA and get a proper one from the outset. Unfortunately, whilst the CA was active, auto enrollment was not so I think at some point, an important certificate got created but not with the correct CA.
Anyhow, to cut a long story short, IIS on the Exchange Server is not working correctly when using SSL connections. Not sure what I broke, i.e. deleted, so not sure how to reinstate it.
Presumably I need to recreate one of the certificates that handles SSL? But I'm not sure which of the many different templates handled this.
I did roll back the Exchange Server machine using a Hyper-V snapshot to a few days back and that did work, so I know it's the Exchange Server or the IIS on the same machine. But I don't want to revert permanently with this snapshot as it's a few days out of date and I had made quite a few Exchange and SQL Server configuration changes in the interim.
Any suggestions on tracking down this likely certificate issue with non-functional IIS/SSL?