We have Windows 2012 R2 with Exchange 2013. We had a public SSL certificate that was used for both external and internal users. We decided not to renew the certificate and to sign a new one with our domain controller CA. I followed this article to configure split DNS (https://practical365.com/exchange-server/avoiding-exchange-2013-server-names-ssl-certificates/). So I configured everything the same way as in the article, requested and signed a new certificate for the web server from our domain controller CA, and applied the new certificate in IIS to the "default web page". All worked OK, but the next day different errors appeared: from error 500 when trying to connect to OWA, to being unable to log in to ECP with the admin account (it just redirected you to the broken OWA), and now some users can't send mail via OWA or receive it via Outlook. I just don't know where to look.

To be clear, we have people who have access to the Exchange servers but their computers are not in the domain, so they don't trust our new certificate.
From time to time I can't log in to ECP using the new URL https://mail.example.com/ecp; it redirects me to OWA, but if I'm trying to access ECP via IP, it works great. – Никита Oct 23 '19 at 11:04
2 Answers
Have you run iisreset as administrator in a Command Prompt on the Exchange servers so that the new certificate binding in IIS takes effect?
If the problem persists, open IIS, check the Application Pools to see whether MSExchangeOWAAppPool and MSExchangeECPAppPool are running on .NET Framework v2.0, and recycle the virtual directory for a test. Here is a similar thread about the 500 error: Unable to access OWA or ECP. - "Something went wrong" or "500 unexpected error"
In addition, run the commands below to remove and recreate the OWA/ECP virtual directories.
To remove: Remove-OwaVirtualDirectory -Identity "exchange server name\owa (default Web site)"
To recreate: New-OwaVirtualDirectory -WebSiteName
Moreover, check the IIS log files for any errors related to MSExchange on the Exchange 2013 Client Access Server; the folder is "c:\inetpub\logs\logfiles\W3SVC1".

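As an added example (not code from the original thread), here is a PowerShell audit that ties the answer's URL check to the certificate problem raised in the comments: it collects every host name Exchange 2013 hands to clients, checks each against the certificate that IIS actually serves, and notes when that certificate comes from a private CA. It assumes it is run from the Exchange Management Shell on the Client Access Server; the server name default and mail.example.com are assumptions taken from the question.

```powershell
param(
    [string]$Server       = $env:COMPUTERNAME,   # assumption: run on the CAS being checked
    [string]$ExpectedHost = 'mail.example.com'   # the split-DNS name from the question
)

# Every host name Exchange hands to clients. Outlook is not a browser: an untrusted or
# mismatched name on any of these breaks the connection outright instead of warning.
$names = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) +
         @(Get-MapiVirtualDirectory -Server $Server)      # Exchange 2013 SP1 or later
foreach ($v in $vdirs) {
    foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($u) { $names += [pscustomobject]@{ Source = "$($v.Identity)"; Host = $u.Host } }
    }
}
$oa = Get-OutlookAnywhere -Server $Server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
    if ($h) { $names += [pscustomobject]@{ Source = 'OutlookAnywhere'; Host = "$h" } }
}
$scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
if ($scp) { $names += [pscustomobject]@{ Source = 'AutodiscoverSCP'; Host = $scp.Host } }

# The certificate that actually serves HTTPS is the one with the IIS service enabled.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate on $Server has the IIS service enabled" }
function Test-NameCovered([string]$Name, $Domains) {
    # True for an exact SAN entry or a single-label wildcard such as *.example.com.
    foreach ($d in $Domains) {
        $d = "$d"
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and
            $Name -imatch ('^[^.]+' + [regex]::Escape($d.Substring(1)) + '$')) { return $true }
    }
    return $false
}

"Certificate $($cert.Thumbprint) issued by '$($cert.Issuer)', valid until $($cert.NotAfter)"
if ($cert.RootCAType -ne 'ThirdParty') {
    "Issuer is a private CA: machines outside the domain must have its root installed."
}
$names | Sort-Object Host, Source -Unique | ForEach-Object {
    [pscustomobject]@{ Source = $_.Source; Host = $_.Host
                       InCertificate  = (Test-NameCovered $_.Host $cert.CertificateDomains)
                       IsExpectedName = ($_.Host -ieq $ExpectedHost) }
} | Format-Table -AutoSize
```

Any row with InCertificate false, or a host that is not the expected split-DNS name (such as a leftover server FQDN), is a namespace that still needs to be changed or added to the certificate.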
I'll try the recreation today, but the interesting thing is that if you use IP addresses and not domain names, ALL works great, confirmed with different people – Никита Oct 24 '19 at 04:02
Are the URLs set in the OWA and ECP virtual directories pointing to the A record of the Exchange server correctly? Run the following commands to check the URLs: Get-OwaVirtualDirectory | fl ExternalUrl,InternalUrl and Get-EcpVirtualDirectory | fl ExternalUrl,InternalUrl. You can get the A record value in DNS Manager. – Joy Zhang Oct 24 '19 at 07:13
Yes, it's correct. The OWA and ECP virtual directories point to mail.example.com/ecp and mail.example.com/owa, and on my DNS server in the example.com zone I have two records for the name "mail" that point to the IPs of the Exchange servers – Никита Oct 24 '19 at 08:04
By the way, all application pools in IIS use .NET Framework v4, and about the logs, I can't read anything from them; these log files are completely unreadable D: – Никита Oct 24 '19 at 08:51
Oh my god, do I need to change the FQDNs in the connector settings as well? For now there are old FQDNs like maiserver.example.com and not the new one, mail.example.com – Никита Oct 24 '19 at 08:54
So, basically, after recreating the certificates and the OWA/ECP directories, the only problem that remains is that non-domain users can't log in or send mail after logging in ("no internet connection" error), BUT it works if I add our CA certificate to the non-domain computer. To be honest, I don't see the connection here; I mean it should just be a warning that it's not secure and nothing more. – Никита Oct 25 '19 at 05:18
You cannot send emails; is there any NDR? What errors are shown? Has your new certificate been successfully applied? Open a browser and check whether the certificate is the new one. – Joy Zhang Oct 25 '19 at 09:43