Skip to main content

Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007


I recently got my hands on copies of Microsoft’s Windows Server 2008 and Exchange Server 2007 SP1. I’ve always been an early adopter and I was super excited to upgrade from Server 2003 and Exchange 5.5. It was an absolute nightmare to get everything up and running, but I’ve got it all working now and want to share some pointers for you guys out there who might be running into the same problems I did.
My goal was to have a setup that would allow my workstation, laptop, and smart phone to all sync with Exchange using my residential Internet connection. My setup is simple:
  1. Server - Windows Server 2008 and Exchange Server 2007 SP1
  2. Workstation - Windows Vista Business Edition with Outlook 2007
  3. Laptop - Windows Vista Ultimate Edition with Outlook 2007
  4. Smart Phone - Cingular 3125 with Windows Mobile 5
My workstation syncs directly with Exchange 2007 using my LAN, my laptop syncs using “Outlook Anywhere” (previously titled RCP over HTTP), and my smart phone syncs using ActiveSync with Direct Push.

I installed Windows Server 2008, did some basic configuration, and installed Active Directory with Domain Services. Everything was stable, and I started to install Exchange 2007 SP1. Note that you MUST have an 64 bit version of Windows Server 2008, and you MUST have the SP1 version of Exchange Server 2007 in order for things to work on Windows Server 2008.

Exchange 2007 SP1 died several times during the installation. I couldn’t figure it out! Each time it was saying different services weren’t starting on time. After banging my head on this problem for several DAYS reformatting/reinstalling I finally found out that the Exchange services freak out unless you have IPv6 enabled. I had disabled it every time I installed Active Directory. The services dying problem disappeared after I re-enabled IPv6 on my network connection.

Now that I had everything installed I had to migrate my mailbox from Server 2003/Exchange 5.5 to my new Server 2008/Exchange 2007 SP1 configuration. Easier said than done. Long story short I used ExMerge to export my Exchange 5.5 mailbox as a .PST file and then used the Exchange Server 2007 Management Shell to import the .PST file.

First test was to see if Outlook Web Access worked. I hit up http://mydomain/owa. I got an access denied error, so I tried https. It worked but griped about untrusted the SSL cert. I hate messing around with SSL on my personal e-mail so I jumped into inetmgr and changed the Default Web Site SSL Settings to not require SSL. Now I could use the less secure http protocol, but at least I don’t have to see those SSL cert warnings.
Next I wanted to get my workstation syncing.

I used “Mail” from the control panel, removed my existing profile, and added a new one with my new Exchange server’s name. It kept saying it couldn’t find the server, even though I could browse to it on my workstation.

In order to get it to connect I had to change my network connection to use the DNS server, which just so happens to be hosted on the same machine as Exchange. Once it was using the local DNS server it could resolve my Exchange server, which is Server.home.local. Outlook 2007 synced without a problem and pulled down everything.
I wanted to get my phone with Windows Mobile 5 to sync with Exchange. This was the easiest part! I removed my existing Exchange server source on my phone and added a new server source pointing to “mydomain” without using SSL.

It instantly worked and synced without an error. Direct Push works without any additional configuration.
Last up was the laptop and getting Outlook Anywhere working. I enabled Outlook Anywhere on Exchange Server 2007.

Make sure you use Basic authentication! To my disappointment I did some quick research and found that (1) Outlook Anywhere absolutely requires a certificate, and
(2) Outlook Anywhere does not support self-signed certificates. What the! I didn’t want to spend $30/year on some crappy GoDaddy cert so I decided to push through these limitations. I found out that you can actually use a self-signed certificate you just need to make sure it is in the Trusted Root Certificate Authorities division of your certificate storage.

Here is how you generate a self-signed certificate with Exchange Server 2007 to use for Outlook Anywhere on any of your Outlook 2007 client machines:

1. Open the Exchange Management Shell in Windows Server 2008.
(You need to be logged in as a local Administrator and that Administrator needs to be a member of the Exchange Server Administrator group as well as the Exchange View-Only Administrators group in Active Directory. Make Administrator a member of those accounts and reboot for good measure.)

2. Run the following commands:
New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[*SEE NOTE]”

*Note: this needs to be the exact name of the external domain you are going to use to access Outlook Anywhere.

Enable-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT]
Export-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT] -Path C:\Certificate.pfx -PasswordGet-Credential).password

3. Now you have a cert named Certificate.pfx sitting on C:\ on your Exchange Server. The cert is good for all of the basic Exchange 2007 services. Copy that file to any client machine you want to use to connect to Exchange Server 2007 using Outlook Anywhere.

4. Install the certificate on your client Windows machine by going to Internet Explorer > Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities > Import. Grab the cert you generated on your server, accept the warning dialog, and the import is successful.

5. Run Mail from the control panel on the client machine. Add a new profile and setup an account to use an Exchange server. Type the LOCAL NAME of the Exchange server (mine was Server.home.local). Click on “More Settings” and navigate to the “Connection” tab. At the bottom of the “Connection” check the box next to “Connect to Microsoft Exchange Using HTTP.” Click on “Exchange Proxy Settings”. Type the name of your domain in the top URL box. Uncheck the next two boxes. Check the two boxes next to “On fast networks…” and “On slow networks…”. Set your Proxy authentication settings to use Basic Authentication. Click OK a bunch of times and you should be good to go!

My customer deleted the self signed cert created by Exchange 2007.
For the record, if one ever delete the self signed SSL cert create by Exchange 2007, you only need to run this command in the Exchange powershell:

New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[Your server name]
and the cert is back

Copied for you!


Popular posts from this blog

Recreating a missing VMFS datastore partition in VMware vSphere 5.x and 6.x

    Symptoms A datastore has become inaccessible. A VMFS partition table is missing.   Purpose The partition table is required only during a rescan. This means that the datastore may become inaccessible on a host during a rescan if the VMFS partition was deleted after the last rescan. The partition table is physically located on the LUN, so all vSphere hosts that have access to this LUN can see the change has taken place. However, only the hosts that do a rescan will be affected.   This article provides information on: Determining whether this is the same problem Resolving the problem   Cause This issue occurs because the VMFS partition can be deleted by deleting the datastore from the vSphere Client. This is prevented by the software, if the datastore is in use. It can also happen if a physical server has access to the LUN on the SAN and does an install, for example.   Resolution To resolve this issue: Run the  partedUtil  command on the host with the issues and verify if your output

ما هى ال FSMO Roles

  بأختصار ال FSMO Roles هى اختصار ل Flexible Single Operation Master و هى عباره عن 5 Roles فى ال Active Directory و هما بينقسموا لقسمين A - Forest Roles 1- Schema Master Role و هى ال Role اللى بتتحكم فى ال schema و بيكون فى Schema Master Role واحد فى ال Forest بيكون موجود على Domain Controller و بيتم التحكم فيها من خلال ال Active Directory Schema Snap in in MMC بس بعد ما يتعمل Schema Register بواسطه الامر التالى من ال Cmd regsvr32 schmmgmt.dll 2-Domin Naming Master و هى ال Role المسئوله عن تسميه ال Domains و بتتأكد ان مفيش 2 Domain ليهم نفس الاسم فى ال Forest و بيتم التحكم فيها من خلال ال Active Directory Domains & Trusts B- Domain Roles 1-PDC Emulator و هى ال Role اللى بتتحكم فى ال Password change فى ال domain و بتتحكم فى ال time synchronization و هى تعتبر المكان الافتراضى لل GPO's و هى تعتبر Domain Role مش زى الاتنين الاولانيين و بيتم التحكم فيها من خلال ال Active directory Users & Computers عن طريق عمل كليك يمين على اسم الدومين و نختار operations master فى تاب ال PDC Emu

Unlock the VMware VM vmdk file

  Unlock the VMware VM vmdk file Kill -9 PID Sometimes a file or set of files in a VMFS become locked and any attempts to edit them or delete will give a device or resource busy error, even though the vm associated with the files is not running. If the vm is running then you would need to stop the vm to manipulate the files. If you know that the vm is stopped then you need to find the ESX server that has the files locked and then stop the process that is locking the file(s). 1. Logon to the ESX host where the VM was last known to be running. 2.  vmkfstools -D /vmfs/volumes/path/to/file  to dump information on the file into /var/log/vmkernel 3.  less /var/log/vmkernel  and scroll to the bottom, you will see output like below: a. Nov 29 15:49:17 vm22 vmkernel: 2:00:15:18.435 cpu6:1038)FS3: 130: <START vmware-16.log> b. Nov 29 15:49:17 vm22 vmkernel: 2:00:15:18.435 cpu6:1038)Lock [type 10c00001 offset 30439424 v 21, hb offset 4154368 c. Nov 29 15:49:17 vm22 vmkernel: gen 664