Small Business Server Support Forum    
Subject: Self Signed Cert Errors

Author Messages
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/11/2008 06:03 PM  
Hi All,

Having an issue trying to get any client PC to accept the self signed cert provided by sbs 2008... (External clients for RPC over HTTP)

Tried various things, the machines just won't accept them, they are there in the Certs MMC under trusted auth/local machine, but are not present in the certs in the content tab in IE...

Anybody had this?

I've done a fair bit of fault finding, will post what I have done so far if needed if no one can think of anything quick....

Many thanks

Brett
Steve Lister User is Offline
New Zealand
Member since
3/30/2005

Registered Users
Posts: 234

6/11/2008 11:38 PM  
Brett
The simplest way is to get the cert installer from the server \\server\public\public downloads and run that on the clients.

Steve
Stan Guinn User is Offline
Texas, USA
Member since
12/29/2005

Platinum Membership
Posts: 1913

6/12/2008 06:29 AM  
Steve,

->\\server\public\public downloads <--- ??? What's that?
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/12/2008 11:31 AM  
Hi All...
 
I will try to explain what is going wrong, and what I have tried to do to fix it...
 
setup DNS A record for remote.mydomain.co.uk
 
SBS 2008 created self cert for above FQDN
 
Client machine internal in office (Win XP SP2) prompts for certificate when browsing to https://server/remote, but not https://remote.mydomain.co.uk which is weird. The cert was installed from \\server\public\downloads and also tried installing from web browser when it wouldn't work locally.
 
Our main issue is the remote clients (Vista machines) we tried. All still prompt for certificate, none will accept it's installed.
 
Here is the path we took to try to solve the issue:
 
1) Installed the self signed cert the standard way by installing it from the browser (Accepted the defaults)
2) Installed cert using browser but forced cert into trusted root cert auth
3) Installed cert using browser but forced cert into trusted root cert auth (Local machine)
4) Checked in Certs MMC, cert is in the listing within the MMC in the local machine & local user under trusted root cert auth
5) Checked in IE7 - Content/Certs - the certificate is NOT listed on that tab, nor in any other tab with IE7
6) rechecked in the certs MMC, the cert is still there
7) Installed the cert from the server \\server\public\downloads, still prompting!
 
Having looked at the certs there seem to be 2...
 
1 for remote.mydomain.co.uk that when looked at in the certs MMC has an error and can't be verified so it says and 1 for MYSERVER-SERVER-CA relating to the server itself that seems fine....
 
 
I've also tried installing the certs running IE7 as admin...
 
Any help..
 
Brett 
Stan Guinn User is Offline
Texas, USA
Member since
12/29/2005

Platinum Membership
Posts: 1913

6/12/2008 01:55 PM  
You may have tried this, but I'll mention it anyway. A cert won't install on a Vista PC unless the person logged on is an administrator. Also, before you try to install the cert, you have to add the https://remote.mydomain.co.uk to your Trusted Sites on the Security Tab in IE.

Also, next time you install it, at the "View" step, examine it carefully and be sure both FQDNs listed are identical.
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/12/2008 07:28 PM  
Hi,

Site is listed in IE fine, viewed the cert, reports correct FQDN..

My Mac is having the same issue, throws up error saying the cert is from an unknown authority... stays in the certs folder for about 6 hours then reverts back to telling me it's got no cert installed...

Windows machines also report the cert is from an unknown source and cannot be validated..?!?!?!?

Brett
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/13/2008 06:52 PM  
Hi,

I've tried everything I can, checked everything... Both the Mac and Vista and XP browsers are saying the cert is not from a trusted source and cannot be verified, so prompts every time...

I've looked at getting a proper SSL cert, there are lots of different ones available, what type is required for SBS 2008 to work correctly?

I've looked on www.instantssl.com, which is the one I require?

many thanks

Brett
Stan Guinn User is Offline
Texas, USA
Member since
12/29/2005

Platinum Membership
Posts: 1913

6/13/2008 08:42 PM  
From your link I would think the "Essential" would be what you need. Here is another company. I think the "123" is what you would need. ~ http://www.dotster.com/other/ssl/
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/13/2008 08:56 PM  
Thanks for the reply Stan..

I have just noticed there is a similar post in the SBS2008/exchange2007 sub heading, seems a few people are having this issue...

Seems having a real SSL Cert is the way to go anyway, they are not that expensive these days...

I'm going to hope that the RTM version of SBS2008 fixes this issue....

Thanks

Brett
Stan Guinn User is Offline
Texas, USA
Member since
12/29/2005

Platinum Membership
Posts: 1913

6/13/2008 09:10 PM  
I have never had an issue with certs on an SBS system I support. But I have seen a few posts like yours. If you want to PM me your actual https://fqdn offline I'll look and see if I can see anything odd. Don't send me any PW. I don't need to log on to anything just to look at the cert.

But I agree with you. In the long run buying a cert is a good idea. I have several clients that had support issues with adding remote users until they installed a commercial cert. It is just tough getting a regular user walked through the steps of installing a cert.
Eriq Neale User is Offline
Texas, USA
Member since
5/3/2005

Microsoft MVP
Posts: 2114

6/14/2008 01:34 PM  
Posted By Brett Casterton on 6/12/2008 11:31 AM
Hi All...
 
I will try to explain what is going wrong, and what I have tried to do to fix it...
 
setup DNS A record for remote.mydomain.co.uk
 
SBS 2008 created self cert for above FQDN
 
Client machine internal in office (Win XP SP2) prompts for certificate when browsing to https://server/remote, but not https://remote.mydomain.co.uk which is weird. The cert was installed from \\server\public\downloads and also tried installing from web browser when it wouldn't work locally.
 
Brett -
 
So is the core issue that you're getting prompted about the cert when you attempt to access the internal domain name? If so, don't worry about it and just use the public domain name instead. 
 
SBS 2008 has changed the way they handle internal/external domain names, and it's a huge step in the correct direction. In the SBS 2003 days, if you tried to access the server using the public domain name from an internal workstation, you could likely run into problems if you were running ISA and/or a business-class firewall at the Internet gateway. SBS 2008 changes that by actually creating an internal DNS record for the public DNS name (i.e., remote.mydomain.co.uk) that resolves to the internal IP address of the server. This way you can simply have all users use the public domain name to access web resources on the SBS server instead of trying to get them to remember one URL for inside and another for outside.
 
There could still be a problem with the way the cert is performing, and if so, that's something we need to look at, but I'm not going to be losing much sleep over it because I'll be instructing the users at client sites I set up on SBS 2008 to learn the public URL and use that everywhere.
 
HTH...
 
-Eriq

Eriq Neale - Small Business Specialist, SBS MVP, Mac Guru
EON Consulting LLC www.eonconsulting.net
Lead Author of Windows Small Business Server 2008 Unleashed
In bookstores December 10, available for pre-order now
Listen to eOnCall at AIRtunZ or visit www.eoncall.com.
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/16/2008 11:35 AM  
Eriq,
 
Client machines internal have no issues connecting to the RWW or OWA. Internal clients can view the cert, install it and happily go about their business. The cert has the correct information.
 
External clients get red cross through the cert when viewed, I have attached an image of the cert with the error shown.
 
I have not altered anything in SBS, the cert "is as" and was produced by SBS on setup....
 
Any help on this would be great... the SBS 2003 self cert worked fine BTW on our old system...
 
Thanks
 
Brett
Eriq Neale User is Offline
Texas, USA
Member since
5/3/2005

Microsoft MVP
Posts: 2114

6/16/2008 01:53 PM  
Brett -

The image did not get attached, so I can't tell what you're seeing on your end. Please try again to get the screen shot posted.

Also, you are doing all of this in a test network, correct? RC0 is *not* ready for use in production yet, and there's not going to be a way to "in-place upgrade" from RC0 to other builds or RTM. Just checking...

-Eriq

Stan Guinn User is Offline
Texas, USA
Member since
12/29/2005

Platinum Membership
Posts: 1913

6/16/2008 03:19 PM  
Eriq, Brett sent me a PM with his FQDN. I looked at the cert and the To: and From: don't match. I'm not up on SBS2008 yet, I advised him to re-run the steps he used to create the cert and put his FQDN in there. Do you have info on more detailed steps he should take?
Brett Casterton User is Offline
United Kingdom
Member since
1/17/2006

Platinum Membership
Posts: 31

6/16/2008 06:33 PM  
Eriq,

For some reason it did not attach.. Let me know if you want the link to the FQDN for our system, you can view the certificate live as Stan did. We're not running it as a whole live system, but are giving it a good going over as live as can be if you get my drift.

Something still weird with this issue, maybe it's an RC0 problem, but would have expected this part to work as it's quite important...

many thanks

Brett
Steve Lister User is Offline
New Zealand
Member since
3/30/2005

Registered Users
Posts: 234

6/17/2008 12:56 AM  
[quote]I looked at the cert and the To: and From: don't match.[/quote]
Stan
That is correct. SBS2008 does this a bit differently than 2003.
The SBS box is now a CA so the cert that needs to be installed on the machines is the root cert for your SBS box. That is the purpose of the installer in \\server\public\downloads.

Brett
When you ran the cert installer did it complete successfully and do you have a cert in the workstation's trusted root store named domain-server-ca?

Steve
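
The check Steve describes can be scripted on a client. This is an added example, not part of the original posts or of any SBS tooling: it retrieves the certificate a host presents, reports whether it is self-signed or CA-issued, and checks whether the issuing CA's certificate is in the client's trusted root store. The function name `Test-IssuedCertTrust` is hypothetical, and the host name in the usage comment is the placeholder FQDN used in the thread.

```powershell
# Added diagnostic example; Test-IssuedCertTrust is a hypothetical name.
function Test-IssuedCertTrust {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,  # public FQDN named on the cert
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: this connection exists only
        # to retrieve the certificate for inspection. Nothing else is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # A CA-issued certificate has an Issuer that differs from its Subject.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Look for the issuing CA's certificate in the machine and user root stores.
    $roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -eq $cert.Issuer }

    # Build the chain the way the client would. Revocation checking is skipped
    # so the result reflects only whether the chain ends in a trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        SelfSigned        = $selfSigned
        IssuerInRootStore = [bool]$roots
        ChainTrusted      = $trusted
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholder FQDN from the thread):
# Test-IssuedCertTrust -HostName remote.mydomain.co.uk
```

If `SelfSigned` is False and `IssuerInRootStore` is False, the client is missing the CA's root certificate rather than the site certificate, which is the case the installer package is meant to fix.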
Dean Stefanov User is Offline
United States
Member since
7/1/2008

Registered Users
Posts: 1

7/01/2008 09:08 PM  
Hi,

The following Step-by-Step Screencast demonstrates how to run the Setup Internet Address wizard in the Getting Started Tasks, SBS 2008:

http://www.netometer.com/video/tutorials/set-up-your-internet-address-sbs-2008

You can see in Step 2 how to install the Certificate Distribution Package and how to use it in Remote Web Workplace – OWA, Internal WebSite, setup Outlook Anywhere etc. If you skip this step, besides getting a popup warning about the validity of the certificate you will not be able to access Outlook Anywhere as well as connect remotely to the server or workstations, using the Terminal Services Gateway.

If at some point you decide to add a trusted certificate – like GoDaddy you can find the following screencast helpful:
http://www.netometer.com/video/tutorials/godaddy-add-trusted-certificate-sbs-2008

The video demonstrates how to install one of the most popular certificates – GoDaddy Turbo SSL certificate. It is cheap - $14.99, when you google it and get to GoDaddy web site, but it gets a bit tricky when you have to install it. Before you run the second phase of the wizard, you have to install GoDaddy Intermediate certs package, as it is outlined in the Step-by-Step video.

Regards,

Dean