If the client has no "trusted CA certs" then there is no way that RPC over 
HTTPS is going to work.

Typically in an SBS environment, if you set up Certificate Services (AD 
integrated) then the CS CA cert is added to the Trusted Root CA store for all 
clients in the domain. Then the issued server auth cert you are using for the 
IIS website is trusted by all domain-joined clients.

Otherwise, it just doesn't work. It violates the fundamental principles of PKI 
- there needs to be a mutually trusted CA (trusted by both the client and the 
server) for PKI to work.

Cheers
Ken

From: Gavin Wilby [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 19 July 2008 3:12 AM
To: NT System Admin Issues
Subject: Re: SSL cert question

I was confusing registered against trusted.

On Fri, Jul 18, 2008 at 12:05 AM, Ken Schaefer <[EMAIL PROTECTED]> wrote:

What do you mean by "no registered certs"? You must have a cert on the IIS 
server (otherwise you can't use HTTPS), and that cert must be issued by a 
trusted root CA for Outlook to accept it (otherwise, Outlook 2007 at least, 
displays an error about the cert).



Cheers

Ken



From: Gavin Wilby [mailto:[EMAIL PROTECTED]]
Sent: Friday, 18 July 2008 4:19 AM

To: NT System Admin Issues
Subject: Re: SSL cert question



"or RPC over HTTPS then those features will fail"



Are you entirely sure about that - I only ask cos I have two SBS sites that use 
RPC over HTTPS in Outlook and they have *no* registered certs at all, and the 
connection still works.



Or is it more of a case of a valid cert expiring that causes the failure?

On Wed, Jul 16, 2008 at 7:34 PM, Simon Butler <[EMAIL PROTECTED]> wrote:

If you are using Exchange 2003 and are using Exchange ActiveSync or RPC over 
HTTPS then those features will fail completely as they cannot cope with the 
certificate prompt.
If the certificate is being used to secure SMTP/POP3/IMAP connections then 
those will also fail, particularly if it is being used to secure incoming email 
on TLS/SMTPS.

Basically anything that uses SSL transparently will stop working.

Simon.



--
Simon Butler
MVP: Exchange, MCSE
Amset IT Solutions Ltd.

e: [EMAIL PROTECTED]
w: http://www.amset.co.uk/
w: http://www.amset.info/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/


-----Original Message-----
From: Joe Heaton [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2008 18:40
To: NT System Admin Issues
Subject: RE: SSL cert question

That's pretty much exactly my question.  We have one that expires next week, 
and since the state doesn't have a budget yet, I'm not allowed to renew it, or 
even pay $15.00 out of my own pocket to get a GoDaddy cert.  So, my boss is 
asking me if there are security concerns with users accessing through an 
expired cert, and I just want to be sure one way or the other before giving my 
"certified" answer...

Joe Heaton
-----Original Message-----
From: Andy Ognenoff [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 16, 2008 10:33 AM
To: NT System Admin Issues
Subject: RE: SSL cert question

If you're talking about a cert for a web site, clients requesting it will be
notified that the cert is expired and warned that there could be problems
with it.  To my knowledge, if they accept the risk of accepting an expired
cert, the encryption still takes place, same as if they accept a cert from a
non-globally recognized CA.

 - Andy O.
________________________________________
From: Joe Heaton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 16, 2008 12:28 PM
To: NT System Admin Issues
Subject: SSL cert question

If you have an SSL cert, and it expires, what, if any, functionality is
lost?

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]
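
The following PowerShell is an added example, not written by any poster in this thread. It builds the X.509 chain for a certificate against the local trust stores and reports whether rejection comes from the validity period (the expiry question) or from a root that is not trusted (the point about a mutually trusted CA). The function names and CN=mail.example.test are hypothetical, and the two certificates are constructed in memory and never installed.

```powershell
# Added example: requires PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2+.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: constructed self-signed certificate with a chosen validity window.
function New-TestCert {
    param([DateTimeOffset] $NotBefore, [DateTimeOffset] $NotAfter)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=mail.example.test', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned($NotBefore, $NotAfter)
}

# Hypothetical helper: build the chain and separate time errors from trust errors.
function Get-CertTrustReport {
    param([Parameter(Mandatory)] [X509Certificate2] $Certificate)
    $chain = [X509Chain]::new()
    # Revocation checking is skipped so the check runs without network access.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
        # NotTimeValid covers both expired and not-yet-valid certificates.
        NotTimeValid  = $flags -contains [X509ChainStatusFlags]::NotTimeValid
        UntrustedRoot = $flags -contains [X509ChainStatusFlags]::UntrustedRoot
        # A client that cannot show a certificate prompt needs this to be True.
        ChainValid    = $chainOk
        Flags         = $flags -join ', '
    }
}

$now     = [DateTimeOffset]::UtcNow
$expired = New-TestCert -NotBefore $now.AddDays(-400) -NotAfter $now.AddDays(-35)
$current = New-TestCert -NotBefore $now.AddDays(-1)   -NotAfter $now.AddDays(365)

$expired, $current | ForEach-Object { Get-CertTrustReport -Certificate $_ } | Format-List
```

Neither constructed certificate chains to a root in the trusted store, so both fail chain building; only the first also reports NotTimeValid.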




