RE: Certification Question

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Mar 2005 06:09:19 -0600

Why not just distribute the CA certificate as a file and provide
instructions for installing it? Can probably be done from the command
line too, so it could be scriptable.


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
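
A scripted install along the lines suggested in the message above, as an added example that is not part of the original thread: before trusting the distributed file, it checks the thumbprint against a value the administrator has published out of band. The file name, the thumbprint placeholder and the choice of the current-user Root store are assumptions; Import-Certificate comes from the PKI module in current Windows versions.

```powershell
# Added example (not from the thread): verify a CA certificate file against
# a thumbprint published out of band, then install it as a trusted root.
# Assumptions: file name, thumbprint placeholder, current-user Root store.
param(
    [string] $CertPath = '.\example-ca.cer',                 # hypothetical file name
    [string] $ExpectedThumbprint = '<THUMBPRINT-FROM-ADMIN>' # placeholder, not a real value
)

$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# Normalise "AB CD:EF" style input to the store's form: upper-case hex, no separators.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) {
    throw "Expected thumbprint must be 40 hex digits (SHA-1); got $($expected.Length)."
}
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Do not install it."
}

# Only a self-signed CA certificate belongs in the Trusted Root store.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate is not marked as a CA (Basic Constraints)."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed; it is not a root CA certificate."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Cert:\LocalMachine\Root needs an elevated session; CurrentUser does not.
Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Write-Host "Installed $($cert.Subject) [$($cert.Thumbprint)] into CurrentUser\Root."
```

With the placeholder thumbprint left in place the script stops at the length check, so nothing is installed until a real value is supplied.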


-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 10:44 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

http://www.MSExchange.org/

Both. 

I am bothering with certificates because I also do a lot of
troubleshooting for people and find that if you really want to confuse
them, set them up on POP3 and SMTP. Btw, most ISPs block incoming SMTP
requests from the outside, which is another reason I want to stick with
RPC over HTTP; clients on the run will be able to plug their machines in
just about anywhere and get connected to their email without having to
worry about reconfiguring their SMTP server. It's always best to keep it
stupid simple. :)

I use it for both in house and ISP. 

Andrew


-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 9:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question


Andrew,
You haven't answered my question.
Are you using Exchange as an ISP mail server, or as a corporate email
server, or both? If you are trying to provide service for non-corporate
users, why are you bothering with RPC over HTTP and certificates?


Regards,

Raj





-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 5:25 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question


Al, 

Uhm...

The current way OWA with SSL works is when you go to
https://owa.smoothrunnings.ca/exchanage you will be prompted to accept
the cert.

Once you accept the cert you then see the OWA login page. You log in and
you're done.

Okay, got it?

RPC over HTTP does not prompt the user to accept the cert; it assumes
the user has installed the cert into their computer, i.e. in Certificates
for the local computer -> Certificates -> Personal.

If you go to your certs machine and type: http://IP/certsrv and log in
and choose "download a CA certificate....blah...blah..." and then click
on "Install this CA..blah blah" on the next page, the CA will be
installed on the machine you are using to access certsrv.

Thus when you go to owa.sitename.com/exchange, which you just installed
the cert for, you will NOT be prompted for the cert. Thus when you use
RPC over HTTP you WILL connect to the Exchange server.

I simply don't want users to have access to /certsrv; I would rather
create or use part of the certcarc.asp code (which installs the cert on
your machine) to create a new page which users who are currently using
my email services can access to install the cert on their personal
computers.

I am just trying to figure out if there is an easier way to go about it,
since I don't want to waste my friend's time in dismantling Microsoft's
ASP code! :)

Andrew

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, March 07, 2005 4:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question


Ok.  So you want them to get the cert and install it in the store, a la
the way that you get prompted for an untrusted cert on an IIS page in
IE, only not prompt them for it, correct? Basically handle the warnings
etc. in another way than a popup, else let the popup occur in your process
(in other words, let the user browse to the secure site that tells them
how to set this up and have them insert it in the trusted store, or offer
a script that does this for them). (I opt for the previous: letting them
see the cert popup, and telling them to accept it and install the cert
vs. automating it.  For many reasons including technical and security
reasons.)


I think there are all kinds of issues with doing this, such as the user
has to be able to write to the trusted store etc.  However, I believe
this is the concept you're looking for:

http://support.microsoft.com/kb/297681


Let me know if I missed the concept totally.

al 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
raj.periyasamy@xxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx

