[ExchangeList] Re: Request and install client license for CAS

  • From: "raj nair" <rajnair7@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 20 Aug 2008 22:44:32 +0530

Hi James,

I was trying to set it up the way I said in my lab (without going for the SAN cert).
 
Thanks

On Wed, Aug 20, 2008 at 8:48 PM, James Chong <jchong@xxxxxxxxxxxxxx> wrote:

You can opt to use a self signed cert though:

1. Users will get a cert warning saying it's not from a third-party trusted source. You can, however, copy the cert and import it into the trusted root cert authority via GPO, though this will only bypass the cert warning for internal computers.

2. Outlook Anywhere will not work.

What are you trying to do? I'm thinking you want to bypass the warning message for your clients?

 

 

James Chong
Sr. Systems Engineer
Simplexity, LLC.

11130 Sunrise Valley Drive, Suite 300

Reston, VA 20191
O (703) 657-4612
C (703) 863-1483

 

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of raj nair
Sent: Wednesday, August 20, 2008 10:38 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: Request and install client license for CAS

 

Well, I had read about the SAN cert. But I think you can make it work with the integrated SSL that comes when you install Exchange CAS.

As I said, if we take "require client certificate" from IIS Manager it would connect if we type https://<FQDN of CAS server>/owa and other virtual directories.

Am I wrong?

 

Thanks



 

On Wed, Aug 20, 2008 at 7:50 PM, James Chong <jchong@xxxxxxxxxxxxxx> wrote:

For 2007 you use the newssl that comes with-exchangecertificate cmdlet rather than from IISmgr or through the browser. You will need to get a third-party cert, not an internally generated cert.

 

 

Securing an Exchange 2007 Client Access Server using a 3rd party SAN Certificate

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

 

 

 

James Chong

 

From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of raj nair
Sent: Wednesday, August 20, 2008 5:39 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Request and install client license for CAS

 

Hello,

Using Windows 2003 Enterprise Edition with Exchange 2007 Client Access Server running on it. SSL comes by default in Exchange 2007.

I was trying to install a client certificate using Certificate Services. Installed an enterprise root CA on the DC. On the Client Access Server, if I go to IIS Manager --> Directory Security tab and clear the checkbox that says "require client certificate", it works when I connect to OWA, Exchange virtual directories.

From what I understood, we need a browser certificate.

Have referred to some docs on Certificate Services.

But when I go to http://localhost/certsrv it comes up with 2 options:

1) submit user certificate

or submit an advanced client certificate

 

Advanced Certificate Request says:

The policy of the CA determines the types of certificates you can request. Click one of the following options to:

1) Create and submit a request to this CA.

2) Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

3) Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
Note: You must have an enrollment agent certificate to submit a request on behalf of another user.

 

From http://support.microsoft.com/kb/315588/en-us

The server side is already there, so I think we have to go to the client certificate side. The following is extracted from that doc.

What it says in the doc is not coming up. I don't see an option for browser certificate at all.

FROM DOC:

Install a Client Certificate
In this section, you install a client-side certificate. You can use a certificate from any certificate authority, or you can use Microsoft Certificate Services to generate your own certificate.


To Request a Client-Side Certificate
1. Start Internet Explorer, and then browse to the following page:
http://localhost/CertSrv 
2. Follow these steps in the wizard:
a. Click Request a Certificate, and then click Next.
b. On the Choose Request Type page, click Web Browser Certificate, and then click Next.
c. Type the required information. Make sure that you type MSDN in the Company text box.
d. Click Submit to complete the request.
 
3. Close Internet Explorer.

To Issue a Client-Side Certificate
1. Start the Certificate Authority tool from the Administrative Tools program group.
2. Expand the node for your certificate authority, and then select Pending Requests.
3. Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue.
4. Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it.
5. On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Clientcert.cer.
6. Close the Properties dialog box for the certificate.
7. Close the Certificate Authority tool.

 

To Install a Client-Side Certificate
1. Open Windows Explorer, and double-click Clientcert.cer to view the certificate file.
2. Follow these steps in the Certificate Import Wizard:
a. On the first page of the wizard, click Install Certificate, and then click Next.
b. Select the Automatically select the certificate store based on the type of certificate check box, and then click Next.
c. Click Finish to complete the wizard.
 
3. Dismiss the confirmation message box, and then click OK to close the certificate

 

 

Any help greatly appreciated!

 

Thanks

Raj

 

 

 

