RE: Certification Question

  • From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 7 Mar 2005 17:24:34 -0500

Al, 

Uhm...

The current way OWA with SSL works is when you go to 
https://owa.smoothrunnings.ca/exchanage you will be prompted to accept the 
cert. 

Once you accept the cert you then see the OWA login page. You log in and you're 
done.

Okay, got it?

RPC over HTTP does not prompt the user to accept the cert; it assumes the user 
has installed the cert into their computer, i.e. in Certificates for the local 
computer -> Certificates -> Personal

If you go to your certs machine and type: http://IP/certsrv and log in and 
choose "download a CA certificate....blah...blah..." and then click on "Install 
this CA..blah blah" on the next page, the CA will be installed on the machine 
you are using to access certsrv. 

Thus when you go to owa.sitename.com/exchange which you just installed the cert 
for you will NOT be prompted for the cert. Thus when you use RPC over HTTP you 
WILL connect to the exchange server.

I simply don't want users to have access to /certsrv. I would rather create or 
use part of the certcarc.asp code (which installs the cert on your machine) to 
create a new page which users who are currently using my email services can 
access to install the cert on their personal computers.

I am just trying to figure out if there is an easier way to go about it, since I 
don't want to waste my friend's time in dismantling Microsoft's ASP code! :)

Andrew


-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Monday, March 07, 2005 4:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

http://www.MSExchange.org/

Ok.  So you want them to get the cert and install it in the store, a la the
way that you get prompted for an untrusted cert on an IIS page in IE, only
not prompt them for it, correct? Basically handle the warnings etc. in another
way than a popup, or else let the popup occur in your process (in other words,
let the user browse to the secure site that tells them how to set this up
and have them insert it in the trusted store, or offer a script that does
this for them). (I opt for the previous: letting them see the cert popup, and
telling them to accept it and install the cert vs. automating it, for many
reasons including technical and security reasons.)


I think there are all kinds of issues with doing this, such as the user has
to be able to write to the trusted store etc.  However, I believe this is
the concept you're looking for:

http://support.microsoft.com/kb/297681


Let me know if I missed the concept totally.

al   

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 3:56 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

Al,

I am not looking to bypass the whole logon and get a cert installed. I want
it so my clients can install the cert on their machines; some may use
notebooks when they are on the go and use their home computers when they are
back from being on the go, while others may just want to use their home
computers.

I just want to make it available for them to install it on whatever machine
they choose. The last thing I want them doing is installing the cert on some
internet café machine, or another person's or company's machine that doesn't
belong to them, in the case when using OWA with SSL.

The other issue with automating certs is that RPC over HTTP does not prompt
a user for verification of the cert, it automatically assumes the user has
the cert already installed and if it doesn't they simply do not get access
to their email... period. 

Andrew




-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, March 07, 2005 3:35 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

Sounds like you're saying exactly what I wrote.  You want to bypass the
whole logon and get a cert installed on the local machine step by automating
it so you can avoid using a trusted cert from a third-party vendor.  

What am I missing with that?

 

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, March 07, 2005 2:51 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

No I am not saying that. 

I am saying, if I want to get some joe access to RPC over HTTP over the net
for $10 per month say, I want to be able to easily get him to install the
cert on his local machine which sits in his house or office and set up his
Outlook 2k3 so he can RPC over HTTP into my box and get his email. 

Andrew


-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, March 07, 2005 2:28 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

Some background?  

Where do you want to install the cert? 

Are you saying that this is a cert you created (that would be why the logon
to https://webserver/certsrv ) and you want to install it in the trusted
store on the local machine without user intervention?  Or something else?

Al 

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, March 07, 2005 12:40 PM
To: [ExchangeList]
Subject: [exchangelist] Certification Question

Does anyone know of a way to build a page which will send a cert to a client
and give them instructions on how to set up Outlook 2003 for RPC over HTTP? I
can do the instructions and security part; I just need to know how I would
set up the "install CA" part without having them log in to /certsrv and
complicate things. :)

Thanks
Andrew
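
An added example, not part of the thread and not anyone's posted code: one way to hand customers a private CA certificate without exposing /certsrv is to ship the .cer file together with a script that refuses to trust it unless its SHA-256 fingerprint matches a value delivered out-of-band. The parameter names, the sample file name and the choice of the current user's Trusted Root store are assumptions.

```powershell
# Added example, not code from the thread. Trusts a provider's private CA
# certificate only if it matches a fingerprint received out-of-band.
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,       # assumed name, e.g. .\provider-ca.cer
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256  # from a printed letter or phone call
)
$ErrorActionPreference = 'Stop'

# Accept "AB:CD:..." or "ab cd ..." forms; compare as bare upper-case hex.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) { throw 'ExpectedSha256 must contain 64 hex digits.' }

# Load the file once; every later check and the install use this in-memory
# object, so the file cannot be swapped between verification and import.
$bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $CertPath).ProviderPath)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

# Fingerprint = SHA-256 over the DER encoding of the certificate.
$sha = [System.Security.Cryptography.SHA256]::Create()
try     { $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', '' }
finally { $sha.Dispose() }
if ($actual -ne $expected) { throw "Fingerprint mismatch: file has $actual. Nothing was installed." }

# A root CA certificate should be marked as a CA, self-signed, and in date.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate (basicConstraints CA flag missing).' }
if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed; refusing to add it as a root.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }

# CurrentUser\Root needs no administrator rights; Windows normally shows its
# own confirmation dialog when a root is added to this store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try     { $store.Add($cert) }
finally { $store.Close() }
"Installed $($cert.Subject) [$actual] into CurrentUser\Root"
```

The fingerprint has to reach the customer by a different channel than the download page; a value printed on the same page that serves the file proves nothing if that page is tampered with.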


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security Library:
http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
al.mulnick@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx
