Well, it was the one thing that made it finally work! The Exchange Admin is a local Admin...

Thanks!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Wednesday, April 29, 2009 11:03 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

It is NOT required. Or shouldn't be, anyway. If you "Enable Outlook Anywhere" for the CAS and set the external OA URL on the CAS property sheet, this is done for you.

Is the Exchange Administrator a local administrator on the Exchange server? It should be...

________________________________________
From: Joseph L. Casale [[email protected]]
Sent: Wednesday, April 29, 2009 12:48 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Ugh, I finally got it, the addition of a REG_MULTI_SZ entry named "NSPI interface protocol sequences" set to ncacn_http:6004 at HKLM\System\CCS\Services\NTDS\Parameters\ made it work. Nowhere have I seen this documented for E2k7/10 though...

Thanks for everything!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Wednesday, April 29, 2009 7:29 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Are you talking about the ValidPorts registry key? Don't touch it! :-P Exchange autoconfs that in both 2007 and 2010.

I'll look into your rpcping results later today...

________________________________________
From: Joseph L. Casale [[email protected]]
Sent: Tuesday, April 28, 2009 12:47 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well in 2003 Server and E2k3, you must specify name and ports for the DC/GC?

Also, here are some interesting tidbits done from outside the LAN on a wkst with 2k3 res kit:

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
RPCPinging proxy server internal.fqdn.local with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Completed 1 calls in 594 ms
1 T/S or 594.000 ms/T

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6002

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Completed 1 calls in 203 ms
4 T/S or 203.000 ms/T

****

rpcping -t ncacn_http -s internal.fqdn.local -o RpcProxy=external.fqdn.com -P "user,dom,pass" -I "user,dom,pass" -H 1 -F 3 -a connect -u 10 -v 3 -e 6004

RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Exception 1722 (0x000006BA)

So it looks like I have two problems, the 1722 suggests reg entries (IPv6 is disabled)? This is Exchange 2007/10 (two identical labs built to test) so I don't mangle ports AFAIK? The 401 up top has me baffled!

Thanks so much!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Tuesday, April 28, 2009 10:04 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

I don't understand your question "no mention of the DC and applicable ports"???

If you specify auth types on the vdirs, you will almost certainly break something. Don't do it.

________________________________________
From: Joseph L. Casale [[email protected]]
Sent: Monday, April 27, 2009 5:59 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Appreciate all of that. Well, I am at a loss. I have been troubleshooting this now on my own setup inside an ESX server, and even rolled out a new DC and Exchange server using 2010 and same behavior. Obviously I am missing something...

In the registry, there is no mention of the DC and applicable ports? Is this not something needed in '07/10? Also, is there ever a need to manually specify auth types on the IIS virtual dirs?

Thanks Michael!
jlc

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Monday, April 27, 2009 3:03 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007/10 ssl cert

Well, they do very different things. :-)

The -IncludeAcceptedDomains parameter is a switch. If it is set to true (or just specified without a ":$false"), then all of the Accepted Domains in the organization are included in the certificate request (if -GenerateRequest is set to true). I don't think that I have ever used the -IncludeAcceptedDomains switch.

The -DomainName parameter is a list of domains that you want to be represented as subject alternative names (SANs) within the certificate. The list of domains in the -DomainName parameter and the contents resulting from the -IncludeAcceptedDomains parameter are merged to come up with a full list of the domains that will be in the SAN list of the certificate request.

Finally, the -SubjectName parameter identifies the organization who is requesting the certificate (think of it as the "subject company for the cert"). The organization and country should absolutely be correct.
So, a typical certificate request, for a single server environment, where the server is named SERVER1 and the AD domain is named ESSENTIAL.LOCAL and the email domain is TheEssentialExchange.com:

new-ExchangeCertificate -GenerateRequest -Path C:\Temp\Cert-request.txt -Subject "c=US, O=The Essential Exchange, CN=mail.TheEssentialExchange.com" -domainName Essential.Local, Server1, Server1.Essential.Local, mail.TheEssentialExchange.com, autodiscover.TheEssentialExchange.com -FriendlyName "Cert for mail.TheEssentialExchange.com" -privateKeyExportable:$true

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
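The following PowerShell is an added example, not code posted by either participant in the thread. It turns two of the registry points discussed above into repeatable checks: a read-only parse of the RPC proxy ValidPorts value on the CAS (Michael's advice is not to edit it, since Exchange 2007/2010 maintains it, so the function only reports what it would allow), and an idempotent, -WhatIf-aware writer for the "NSPI interface protocol sequences" REG_MULTI_SZ under the NTDS Parameters key on the DC/GC that Joseph added to get the 6004 endpoint working. "CCS" in the thread's path is the CurrentControlSet hive, spelled out here. The ValidPorts format assumed is "server:6001-6002;server:6004;..."; the server names in the usage lines are taken from the rpcping tests, and dc01.fqdn.local is made up.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# server named in each function's comment.

function Test-RpcProxyValidPorts {
    <#
      CAS side, read-only. Parses HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts,
      a single string of the form "server:6001-6002;server:6004;gc:6004" (assumed format),
      and reports whether each expected server/port pair would be accepted by the proxy.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedServer,
        # 6001 = Exchange RPC, 6002 = referral, 6004 = NSPI (the port that threw 1722 above).
        [int[]] $ExpectedPort = @(6001, 6002, 6004)
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
    $raw = (Get-ItemProperty -Path $key -Name ValidPorts -ErrorAction Stop).ValidPorts

    $allowed = @{}
    foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() })) {
        $name, $ports = $entry.Trim() -split ':', 2
        if (-not $ports) { continue }            # malformed entry, skip rather than guess
        $lo, $hi = $ports -split '-', 2
        if (-not $hi) { $hi = $lo }              # single port, no range
        foreach ($p in ([int]$lo)..([int]$hi)) {
            $allowed["$($name.ToLowerInvariant()):$p"] = $true
        }
    }

    foreach ($s in $ExpectedServer) {
        foreach ($p in $ExpectedPort) {
            [pscustomobject]@{
                Server  = $s
                Port    = $p
                Allowed = $allowed.ContainsKey("$($s.ToLowerInvariant()):$p")
            }
        }
    }
}

function Set-NspiProtocolSequence {
    <#
      DC/GC side. Ensures the REG_MULTI_SZ "NSPI interface protocol sequences" under
      HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters contains $Sequence
      (default ncacn_http:6004, as in the thread). Returns $true if it wrote the value,
      $false if the sequence was already present or -WhatIf suppressed the write.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Sequence = 'ncacn_http:6004')
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'NSPI interface protocol sequences'
    if (-not (Test-Path $key)) {
        throw "NTDS Parameters key not found; this must run on a domain controller."
    }
    # Existing entries, if any; $null when the value does not exist yet.
    $current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name |
                 Where-Object { $_ })
    if ($current -contains $Sequence) {
        Write-Verbose "'$name' already contains $Sequence"
        return $false
    }
    if (-not $PSCmdlet.ShouldProcess("$key\$name", "Add '$Sequence'")) { return $false }
    # -Force overwrites an existing value; MultiString keeps the type REG_MULTI_SZ.
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
        -Value ([string[]]($current + $Sequence)) -Force | Out-Null
    return $true
}

# Usage. On the CAS (internal.fqdn.local is from the thread; dc01.fqdn.local is made up):
Test-RpcProxyValidPorts -ExpectedServer 'internal.fqdn.local', 'dc01.fqdn.local' | Format-Table -AutoSize
# On the DC/GC: preview first, then apply, then re-run the thread's "rpcping ... -e 6004" from outside.
Set-NspiProtocolSequence -WhatIf
Set-NspiProtocolSequence -Verbose
```

The ValidPorts check deliberately has no write path: the value is owned by Exchange's Outlook Anywhere configuration, and a hand edit is exactly what the thread warns against. The NTDS writer reads the existing multi-string first and appends, so running it twice, or on a DC that already has other protocol sequences listed, does not clobber anything.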
