Forefront TMG - external access issues - probably a certificates issue
When trying to access Exchange web mail externally, after logging in I get the following error reported in the browser:
Error Code: 500 Internal Server Error. The certificate chain was issued by an authority that is not trusted. (-2146893019)
Running TMG Management Console tests on the OWA firewall policy also indicates something similar:
Destination Server Certificate Error
0x80090325 - The certificate chain was issued by a certificate authority that was not trusted.
Following the link reported in the test and taking the action to generate and deploy a certificate reported no errors; however, I cannot see the certificate in the AD Certificate server store, nor any mention of certificates in any of the GPOs that I have looked at. The implication is that the certificate is deployed by GPO.
The instructions that I followed were from here:
Generating the https certificate
Deploying the certificate
Forefront TMG is running in a domain environment so I opted for automatic deployment as is recommended. We have an enterprise root CA.
The note mentions up to 8 hours for the certificate to propagate, but I have done a GPUPDATE on each machine and also waited a significant number of hours, possibly more than 8, with reboots in between. So it looks like it's not working rather than simply taking time to deploy.
Any suggestions for debugging this error?
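The two codes quoted above are the same HRESULT, SEC_E_UNTRUSTED_ROOT, shown once as a signed value (-2146893019) and once as unsigned hex (0x80090325): the server that TMG is bridging to presented a certificate whose chain does not end in a root that TMG trusts. The script below is an added example (it is not from the original post, nor from Microsoft) that connects to an HTTPS endpoint from the TMG server, builds the chain locally, prints which link fails and why, and checks whether the top of the chain is present in LocalMachine\Root, which is the store the GPO deployment is supposed to populate. It assumes Windows PowerShell 2.0 or later; the host name is a placeholder to be replaced with the internal Exchange CAS that the OWA web listener forwards to.

```powershell
# Added example, not code from the original post. Run on the TMG server (elevated).
# $HostName is a placeholder: use the internal Exchange CAS the web listener bridges to.
param(
    [string]$HostName = 'exchange.internal.example',   # placeholder, not from the post
    [int]$Port        = 443
)

function Get-RemoteCertificate {
    param([string]$Target, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $TargetPort)
    # Accept anything during the handshake; trust is evaluated separately below so the
    # chain can be inspected even when it is untrusted (which is the case being debugged).
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Target)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is a separate failure mode; isolate the trust problem TMG is reporting.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)

    Write-Host ("Leaf    : {0}" -f $Cert.Subject)
    Write-Host ("Issuer  : {0}" -f $Cert.Issuer)
    Write-Host ("Trusted : {0}" -f $trusted)
    foreach ($element in $chain.ChainElements) {
        $status = 'OK'
        if ($element.ChainElementStatus.Length -gt 0) {
            # e.g. UntrustedRoot, PartialChain, NotTimeValid
            $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
        Write-Host ("  {0}  [{1}]" -f $element.Certificate.Subject, $status)
    }

    # The last element is as far up as the chain could be built.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Subject -ne $top.Issuer) {
        Write-Host ("Chain stops at '{0}': its issuer '{1}' was not found in the CA or Root stores." -f $top.Subject, $top.Issuer)
    } else {
        $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
        if ($inRoot) {
            Write-Host ("Root '{0}' is present in LocalMachine\Root." -f $top.Subject)
        } else {
            Write-Host ("Root '{0}' is NOT in LocalMachine\Root; this is the store the GPO deployment should fill." -f $top.Subject)
        }
    }
    return $trusted
}

$leaf = Get-RemoteCertificate -Target $HostName -TargetPort $Port
[void](Test-CertificateChain -Cert $leaf)
```

If the chain stops short of a self-signed root, the missing link is the issuing CA certificate; if it reaches the root but the root is absent from LocalMachine\Root, the GPO has not delivered it to the TMG machine, which is consistent with the certificate not appearing in any GPO. Running the same script against the published external name shows what browsers see, which is a different chain when TMG re-encrypts with its own listener certificate.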
Now I've gone and done it!
Thanks for assisting.
I've gone and broken it big time now. As it was a test bed, I decided to delete all certificates that were not issued by the internal CA (Active Directory Certificate Services, Enterprise CA). The aim was to avoid kludging whatever certificate was not in the CA and get a proper one from the outset. Unfortunately, whilst the CA was active, auto-enrollment was not, so I think at some point an important certificate got created, but not with the correct CA.
Anyhow, to cut a long story short, IIS on the Exchange Server is not working correctly when using SSL connections. Not sure what I broke, i.e. deleted, so not sure how to reinstate.
Presumably I need to recreate one of the certificates that handles SSL? But I'm not sure which of the many different templates handled this.
I did roll back the Exchange Server machine using a Hyper-V snapshot to a few days back and that did work, so I know it's the Exchange server or the IIS on the same machine. But I don't want to revert permanently with this snapshot as it's a few days out of date and I had made quite a few Exchange and SQL Server configuration changes in the interim.
Any suggestions on tracking down this likely certificate issue with non-functional IIS/SSL?
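When certificates are deleted from the machine store, HTTP.SYS keeps its SSL bindings, which now point at a thumbprint that no longer exists, and IIS fails every HTTPS request without saying which certificate is gone. The script below is an added example (not from the original post) that lists each HTTPS binding HTTP.SYS holds and cross-checks it against LocalMachine\My, reporting a binding as MISSING, NO PRIVATE KEY, EXPIRED, UNTRUSTED CHAIN or OK. It is meant to be run elevated on the Exchange/IIS server and assumes English-language netsh output, since it parses the labels netsh prints.

```powershell
# Added example, not code from the original post. Run elevated on the Exchange/IIS server.
# Assumes English netsh output (the label text is parsed).

function Get-HttpSysSslBinding {
    # Parse 'netsh http show sslcert' into one object per binding.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ Endpoint = $matches[2]; Thumbprint = $null; AppId = $null }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $matches[1]      # {4dc3e181-e14b-4a21-b022-59fc669b0914} is IIS
        }
    }
    return $bindings
}

function Test-SslBinding {
    # Look the bound thumbprint up in LocalMachine\My and classify what is wrong with it.
    param($Binding)
    $result = New-Object PSObject -Property @{
        Endpoint = $Binding.Endpoint; Thumbprint = $Binding.Thumbprint; AppId = $Binding.AppId
        Status = 'MISSING'; Subject = $null; HasPrivateKey = $false; Expires = $null; ChainTrusted = $false
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Binding.Thumbprint }
    if (-not $cert) { return $result }     # the bound certificate was deleted from the store

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.Subject       = $cert.Subject
    $result.HasPrivateKey = $cert.HasPrivateKey
    $result.Expires       = $cert.NotAfter
    $result.ChainTrusted  = $chain.Build($cert)

    if (-not $cert.HasPrivateKey)           { $result.Status = 'NO PRIVATE KEY' }
    elseif ($cert.NotAfter -lt (Get-Date))  { $result.Status = 'EXPIRED' }
    elseif (-not $result.ChainTrusted)      { $result.Status = 'UNTRUSTED CHAIN' }
    else                                    { $result.Status = 'OK' }
    return $result
}

Get-HttpSysSslBinding | ForEach-Object { Test-SslBinding $_ } |
    Format-Table Endpoint, Status, Thumbprint, HasPrivateKey, Expires, Subject -AutoSize
```

A MISSING row on port 443 identifies the certificate that was deleted; a binding whose certificate exists but has no private key means only the public half was re-imported. Either way the fix is to obtain a fresh server certificate from the enterprise CA (a Web Server template, or an Exchange request generated with `New-ExchangeCertificate -GenerateRequest` and submitted to the CA) and then bind it to IIS from the Exchange Management Shell with `Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services IIS`, which updates the HTTP.SYS binding this script lists.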