Wednesday, September 24, 2008

SSL Certificates and Outlook Anywhere with Exchange 2007 on Windows Server 2008

I have been setting up an Exchange 2007 server on Windows Server 2008. The drastic change in Exchange from the previous version, both in the administrative user interface and in the underlying infrastructure, is enough to make you second-guess your Exchange expertise. Running Exchange 2007 on top of Windows Server 2008 more than doubles the learning curve. Two main points gave me quite a headache, which I was able to overcome with lots of research and patience: SSL certificates and Outlook Anywhere.

SSL Certificates

Exchange 2007 introduced a lot of new ways for the Outlook client to be set up and connect quickly and seamlessly…for the end user. For the system administrator, however, one must purchase expensive, specialized certificates called Unified Communications Certificates (UCCs) that allow for more than one name in the certificate (Subject Alternative Names). For example, if your Exchange server is named “ex2007” you may need to have the following alternate names:

  • ex2007
  • ex2007.domain.local
  • autodiscover.domain.local
  • mail.domain.com
  • autodiscover.domain.com

Microsoft was kind enough to include a certificate that will allow mail processing and other functions to work internally, but not externally. Generating the certificate also requires you to get your hands dirty in the Exchange Management Shell, a superset of PowerShell. Since the server I was working on used split DNS, I considered getting a wildcard certificate instead of a UCC. Unfortunately I read online that the Exchange 2007 POP3 and IMAP services do not support wildcard certificates, and neither do Windows Mobile devices. So I was about to give in and purchase a UCC when I saw a post saying that you can use a tricky SRV DNS entry in your public DNS zone to get away with a regular SSL certificate.

  • _autodiscover._tcp IN SRV 0 100 443 mail.domain.com.

By placing this record in your public DNS zone, the Outlook client’s lookup of autodiscover.domain.com is redirected to mail.domain.com. This allows OWA webmail, Outlook Anywhere, POP3S, IMAPS and SMTPS to all use the same simple SSL certificate for mail.domain.com.
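To see exactly which of the names listed above a single-name certificate still leaves uncovered once the SRV record is in place, here is a small checker. It is an added example, not code from the original post; the SRV line is the one above, the certificate name lists are constructed, and it assumes the SRV redirect applies to “autodiscover.” plus the target’s own domain.

```python
import re

# Zone-file SRV line: "<owner> IN SRV <priority> <weight> <port> <target>"
SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_autodiscover_srv(record):
    """Return the SRV target host (lower-cased, no trailing dot); raise if the
    line is not the _autodiscover._tcp record Outlook looks for on port 443."""
    m = SRV_RE.match(record.strip())
    if not m:
        raise ValueError("not a zone-file SRV record: %r" % record)
    owner, _prio, _weight, port, target = m.groups()
    if not owner.startswith("_autodiscover._tcp"):
        raise ValueError("owner must be _autodiscover._tcp, got %r" % owner)
    if int(port) != 443:
        raise ValueError("Outlook expects the autodiscover target on 443, got %s" % port)
    target = target.rstrip(".").lower()
    if "." not in target:
        raise ValueError("SRV target must be a fully qualified name: %r" % target)
    return target

def cert_matches(cert_names, host):
    """Name check as clients do it: exact match, or a wildcard that replaces
    only the leftmost label (*.domain.com covers mail.domain.com, but neither
    the bare name ex2007 nor a.b.domain.com)."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:] and host.count(".") == name.count("."):
                return True
    return False

def uncovered_names(hostnames, cert_names, srv_record):
    """Hostnames the certificate still does not cover after the SRV record sends
    the autodiscover lookup for the target's domain to the target itself.
    Assumption: the redirect covers 'autodiscover.<domain of the SRV target>'."""
    target = parse_autodiscover_srv(srv_record)
    target_domain = target.split(".", 1)[1]
    missing = []
    for h in hostnames:
        h = h.lower()
        effective = target if h == "autodiscover." + target_domain else h
        if not cert_matches(cert_names, effective):
            missing.append(h)
    return missing
```

The internal names (ex2007, ex2007.domain.local, autodiscover.domain.local) stay uncovered by the mail.domain.com certificate; the SRV trick only removes the need for autodiscover.domain.com on the public side.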

TIP: Here is a tool to generate an EMS command for your certificate request: https://www.digicert.com/easy-csr/exchange2007.htm

Outlook Anywhere

Now that I had tackled the overly complicated certificate issue, I ran into a problem getting Outlook Anywhere to work. Outlook continually prompted me for my credentials and then told me that Outlook must be online or connected to complete this action. After reviewing the Exchange configuration settings hundreds of times and making sure they were set according to Microsoft’s specifications, I gave up. I assumed the unique setup I was working on just wouldn’t allow Outlook Anywhere to work. Then I noticed a Microsoft KB article highlighted in the msexchange.org newsletter: http://support.microsoft.com/default.aspx?scid=kb;en-us;954389&sd=rss&spid=10926. The article described the exact issue I was having in the exact scenario of my setup. I followed method 2 in the article and the issue immediately cleared up.

UPDATED:

Microsoft just released Exchange 2007 SP1 Rollup 4, which addresses the wildcard certificate problem (KB948896) as well as the Outlook Anywhere problem.

Wednesday, September 3, 2008

Blackberry Services Fail to Start

[Image: Event log entry for the BlackBerry Controller service error]

I was working with a customer who was having trouble with their Blackberry Enterprise Server not sending and receiving email. Apparently their server had lost power and ever since then the Blackberry Controller service would not start.

The Event log picture is displayed above, but for indexing purposes I will list the event details below:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 9/3/2008
Time: 3:14:48 PM
User: N/A
Computer: SSIN2K3
Description:
The BlackBerry Controller service terminated with service-specific error 5003 (0x138B).

I determined the executable file from the Services snap-in and decided to run it from the command line. It gave me the following error:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server>BlackBerryController.exe
Starting ...
Could not connect to Service Control Manager. Using console mode ...
'BlackBerry Controller' - console mode (enter 'x' or 'X' to exit)
Starting Controller
Found Dispatcher for server SSIN2K3 as 'BlackBerry Dispatcher' at '\\127.0.0.1', PID=9552
Failure, see log for details
Stopping BlackBerry Agent Controller...
BlackBerry Agent Controller Stopped

I found the logs in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs. Choosing the folder named for today’s date, I looked through the logs and found that one of them mentioned it “could not start the syslog receiver subsystem.” On a whim I remembered an issue I had recently had with SBS servers, where the DNS Server service randomly takes high port numbers and locks them out. So I stopped the DNS Server service, started the BlackBerry Controller service, and it worked. Then I started the DNS Server service again, and BlackBerry mail was flowing again.

UPDATED:

Some have asked how to permanently fix this issue, because every now and then the DNS service will usurp those “random” UDP ports. Here is Microsoft’s KB article on the fix. It involves editing the registry and specifying the range of ports the server can use.
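Before reaching for the registry, it helps to confirm which service actually grabbed the port the BlackBerry Controller’s syslog receiver wanted, rather than stopping DNS on a hunch. The following is an added example, not code from the original post: it parses constructed samples of `netstat -ano -p udp` and `tasklist /svc` output (the post does not give the real output, and the port numbers here are assumptions) and names the service holding a given UDP port.

```python
import re

# Constructed sample of `netstat -ano -p udp` on the BES host. PID 1532 holds
# both port 53 and a high "random" port, the situation described in the post.
NETSTAT_UDP = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:53             *:*                                    1532
  UDP    0.0.0.0:49157          *:*                                    1532
  UDP    0.0.0.0:3389           *:*                                    904
"""

# Constructed sample of `tasklist /svc` output for the same host.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    904 TermService
dns.exe                       1532 DNS
"""

# UDP rows have no State column: "UDP  <addr>:<port>  *:*  <pid>"
NETSTAT_RE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$")
# tasklist rows: "<image>.exe  <pid>  <service[, service...]>"
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.+?)\s*$", re.IGNORECASE)

def udp_port_owners(netstat_text):
    """Map each bound local UDP port to the set of PIDs holding it."""
    owners = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            owners.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return owners

def services_by_pid(tasklist_text):
    """Map PID to 'image (services)' from tasklist /svc output."""
    table = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            table[int(m.group(2))] = "%s (%s)" % (m.group(1), m.group(3))
    return table

def who_holds_udp_port(port, netstat_text=NETSTAT_UDP, tasklist_text=TASKLIST_SVC):
    """Return the services already bound to `port` (why another bind failed);
    an empty list means the port is free."""
    names = services_by_pid(tasklist_text)
    pids = udp_port_owners(netstat_text).get(port, ())
    return sorted(names.get(pid, "PID %d" % pid) for pid in pids)
```

On a live server, feed the two functions the real command output captured while the controller is failing; if the holder is dns.exe, the port-range fix above applies.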