Posts Tagged ‘How To’

How to install an SSL certificate backup file on Exchange 2007 and still have time for Facebook

The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007 is to order a SAN (Subject Alternative Name) certificate with AutoCSR, meaning you don't have to create a CSR but instead get a certificate backup file (PKCS#12, P12, PFX). You also save time with the SAN because you only use one certificate for all services and can move services from one domain to another in the certificate with no problems.

Make sure you get a SAN certificate including the full domain name(s) you use to access Outlook Web Access, Outlook Anywhere, Autodiscover and any internal server names using the certificate (usually free).

The certificate you order should contain something like this:

  • and/or – for Outlook Web Access
  • and any other e-mail domain you use with Autodiscover/OA.
  • MYSERVER01 and MyServer01.domain.local – and any other internal server name that will be using the certificate

Personally I set up servers to respond only to OWA and ActiveSync on the mail./owa. domain, and use all other services like Outlook Anywhere, etc. on the autodiscover. address; this way I can use Forms Based Authentication/Basic with my OWA/ActiveSync website, and NTLM with my other services. You can see more information about this from my previous blogs here. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyway, and might help, why not add them – and if security is so much of an issue that internal server names must not be revealed, you have other much bigger problems anyway.

Now some simple commands to manipulate Exchange 2007 SSL certificates. (Stolen from the Danish Exchange 2007 guide on FairSSL; I co-authored the manual.)

How to fix problems with automatic updates not installing hotfixes and service packs

Sometimes the Automatic Updates service is interrupted while updating the machine. This can leave updates with corrupted data, which prevents the service from installing them correctly and causes the service to fail. This means the machine will never get past the updates that are giving an error and will keep trying to install them over and over. This happens on just about any Windows machine that uses Automatic Updates, including Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

  • The error prevents the workstation or server from installing updates, rollup packs, hotfixes and service packs, both manually and automatically.
  • The error can also be that the Cryptographic service will not start correctly.
  • The event error message contains information like not being able to verify the integrity of update.inf, and similar.
  • The error is in the verification of the update from Microsoft; this authentication is done with certificates by the Cryptographic service.

The reason I am describing this error is that it seems pretty normal; it can happen from servers being shut down due to power failure, crashes, etc. It took me a while to find any good information on how to correct this error, or more correctly, I found a lot of information but little that helped.


How to configure ISA 2006 with FBA for OWA and NTLM for Outlook Anywhere and Autodiscover in Exchange 2007

Configuration of Exchange 2007 with Outlook Web Access (OWA), Outlook Anywhere (OA), ActiveSync and Autodiscover can add grey hair to any system administrator or IT consultant. Trying to get different authentication schemes and ISA 2006 to play nice does not make it any easier.

Most administrators want to configure their externally used environments as securely as possible, including using SSL certificates with HTTPS instead of unencrypted HTTP, and using NTLM authentication instead of Basic authentication. But security is not everything; a user-friendly interface like Forms Based Authentication (FBA) is a must to avoid user irritation and support calls.

However, getting FBA and NTLM to work together in ISA with Exchange 2007 can be quite scary, so let's go deeper and find out what we need to be aware of to get it working.


How to place FSMO and Global Catalog roles in Active Directory

During installation of Active Directory on Windows Server 2000/2003/2008, all FSMO roles will automatically be installed on the first server. But best practice dictates moving some of these Flexible Single Master of Operation (FSMO) roles to separate servers.

If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of these roles onto more servers. It is also important to be aware of which servers are Global Catalog servers, especially if you have more than one domain; even with only one domain, they will be preferred by applications like Exchange server.


How to publish a website with both Anonymous and Forms Based Authentication in ISA 2006

We had a customer asking for the main part of their SharePoint website to be accessible from the public with anonymous access, and still have a part of the website require authentication through Forms Based Authentication (FBA) in the ISA 2006 firewall. Since ISA can only have one listener on a website, and the authentication is set on the listener, this was a little bit tricky to solve.

The solution, however, is extremely simple, and I hope this little bit of information will save someone else some time.

How to remove the annoying password prompt when downloading Office documents from SharePoint

We use SharePoint for document sharing in our company; so do many others. With the default settings in SharePoint and ISA server, when you start a download of a document remotely, you will be prompted to re-authenticate with your username and password, even if you just logged in.

It is actually quite simple to fix this, so you only have to authenticate one time, instead of twice.

The reason for the problem is that Microsoft has chosen to use the most secure option as the default, so unless you change the defaults, this is actually the expected behaviour.