Re: Odd certificate issue with Companyweb
- From: "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Oct 2005 14:36:39 -0500
Brandy,
We do not use ISA, so the ISA stuff does not apply.
I am not immediately concerned with companyweb, now. I think if I can find
a way to get the CEICW to use my 3rd-party certificate everything will be
configured correctly. (Since I could not get all the internal websites
working with my 3rd-party certificate, I generated a new self-issued cert
with the CEICW to restore functionality until I know exactly how to use the
CEICW with a 3rd-party cert. Companyweb is now working again via http.) We
do not yet actively use companyweb, by the way. I have future plans to use
it.
Your other instructions basically showed me how to request a 3rd party
certificate, and later process the pending request and install the
certificate. You then gave the steps for fully exporting the certificate to
a .pfx file. I'm familiar with all this. Your final steps were confusing,
however, because when you described how to go into ISA and replace the
certificate on a website (or the default web site), you said in step 24 to
"Select your Self Generated certificate here...." Up until that point, I
thought we were clearly discussing a 3rd-party certificate. I can follow
your instructions and just as easily use a 3rd-party certificate at step 24,
and I have done so. My main concern, however, is not how I can install a
certificate to a web site in IIS; I know how to do that. I need to know how
to use a 3rd-party certificate in the CEICW. That saves me the trouble of
having to manually install the certificate on all the web sites, and the
wizard performs (I think) some additional tasks I'm not familiar with.
Hope that clarifies my situation.
Thanks,
Bryan
"Brandy Nee [MSFT]" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:9bwZxryyFHA.3772@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello Bryan,
>
> Thank you for posting to the SBS Newsgroup.
>
> I understand that you installed a third party certificate on SBS 2K3 Server
> and when you access Companyweb, you notice that it does not use the
> third party certificate. If I have misunderstood your concern, please let
> me know.
>
> My reply is long, so I strongly suggest that you read through all my
> information below and then perform the steps.
>
> 1> May I know whether you have ISA 2000 or ISA 2004 installed?
>
> 2> What is the certificate that displays when you access companyweb:444?
> Please capture a screen shot for it.
>
> 3> If you have ISA 2K4 installed, please change the certificate at
> Companyweb Web Listener. To do so, please see:
>
> a. Open the ISA Server 2004 Management, expand to Yourserver\Firewall
> Policy.
>
> b. On the right pane, click Toolbox tab, and you will find the Web
> Listeners listed at the bottom.
>
> c. Expand Web Listeners, and there is SBS Companyweb Listener underneath.
>
> d. Right click SBS Companyweb Listener underneath, go to Properties,
> Preferences tab.
>
> e. Under SSL, click Select.
>
> f. Select your Certificate.
>
> g. Click OK twice.
>
> 4> Double check the certificate on IIS server.
>
> a. Expand to Internet Information Services\Web Sites\Default Web Site.
>
> b. Right click Default Web Site, go to Properties, Directory Security tab.
>
> c. Click View Certificate and double check.
>
> d. Right click Companyweb, go to Properties, Directory Security tab, Click
> View Certificate to double check.
>
> 5> For your reference. How to Install Third Party Certificate with ISA:
>
> 1). Open IIS Manager on server
>
> 2). Expand out Web Sites
>
> 3). Right click on Default Web site
>
> 4). Select Properties
>
> 5). Select Directory Security
>
> 6). Select "Server Certificate"
>
> 7). Select "Remove Current Certificate"
>
> Note, this will temporarily make your SSL not function until you receive
> your requested certificate.
>
> 8). Finish that wizard
>
> 9). Back on the Directory Security Tab, select "Server Certificate" again
>
> 10). Select "Create a new Certificate"
>
> 11). Select "Prepare the request now, but send later"
>
> 12). Pick a name and a bit length. 1024 will work fine, unless your
> Certificate provider requests differently
>
> 13). Select your Organization's name and Organizational unit. For further
> information, consult the certification authority's web site.
>
> 14). Pick your Internet common name, this MUST be your public URL that
> points to this site, example: www.companyname.com
> <http://www.companyname.com>
>
> 15). Enter address
>
> 16). Pick a file name that is easy to remember and find
>
> 17). Send or e-mail this file to your certification authority, which will
> send you a response file containing your new certificate.
>
> When you get your response from the Certificate Authority:
>
> 1). Save certificate file ( *.cer) to an easy to find location
>
> 2). Open IIS Manager on server
>
> 3). Expand out Web Sites
>
> 4). Right click on Default Web site
>
> 5). Select Properties
>
> 6). Select Directory Security
>
> 7). Select "Server Certificate"
>
> 8). Select "Process the pending request and install the certificate"
>
> 9). Enter the path and file name
>
> 10). Complete the wizard
>
> 11). Then, to prevent any problems, Export out the certificate
>
> a. Right click on Default Web site
> b. Select Properties
> c. Select Directory Security
> d. Select "Server Certificate"
> e. Select Export current certificate to a .pfx file
> f. Complete the export wizard. Suggest using Admin password to avoid
> forgetting password
>
> 12). Open ISA, management console
>
> 13). Right click the server name, select Properties
>
> 14). Open the incoming web requests
>
> 15). Select the server listener (usually the only choice) and select Edit
>
> 16). Use the "Select" button to select the Certificate that you have
> received from the certification authority (instead of the self generated
> certificate)
>
> 17). Go back to IIS manager
>
> 18). Expand out Web Sites
>
> 19). Right click on Default Web site
>
> 20). Select Properties
>
> 21). Select Directory Security
>
> 22). Select Server Certificate
>
> 23). Choose "Replace Current Certificate"
>
> 24). Select your Self Generated certificate here, that should show as
> "publishing.<servername>.local" when you view it in "View Certificate".
> This allows ISA web publishing.
>
> 25). Restart ISA and IIS
>
> Please take your time to perform the steps above. If anything is unclear,
> please feel free to let me know. I am looking forward to hearing from you!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> --------------------
>>From: "Bryan L" <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
>>Subject: Odd certificate issue with Companyweb
>>Date: Thu, 6 Oct 2005 16:32:16 -0500
>>
>>I recently installed a 3rd-party wildcard certificate on my SBS. I could
>>not use the CEICW to import the new certificate because it was originally
>>requested from/installed on my IIS server. I exported the certificate from
>>my IIS server including the private key, then imported the certificate to
>>the SBS using the Certificates snap-in in an MMC. I then used the
>>Certificate Wizard in IIS to install the certificate for the Default Web
>>Site. The certificate works great on the sites under the default site (RWW,
>>OMA, etc). So far, so good.
>>
>>However, when I try to visit companyweb, nothing happens. Typing
>>"companyweb" in the IE address bar takes me to the default Welcome page for
>>the SBS ("Welcome to Windows Small Business Server 2003. To get started
>>click a link." Four links appear beneath: "My Company's Internal Web Site",
>>"Network Configuration Wizard", "Remote Web Workplace", "Information and
>>Answers"). Clicking the first link for the company website does nothing.
>>
>>If I replace the "http:" in the address bar with "https:" and try again,
>>that's when it gets weird. As soon as I hit Go, I get prompted with a
>>certificate security alert. If I view the certificate, it shows me details
>>for our 3rd-party wildcard certificate. If I say "Yes" to proceed even
>>though the name doesn't match, I'm taken to the companyweb site on port 444.
>>However, if I then double-click the lock icon on the status bar in IE to
>>examine the certificate again, it shows the certificate details for our
>>self-issued certificate; not our 3rd-party wildcard certificate.
>>
>>I need the links to companyweb to work again. Do I need to create a DNS
>>record for companyweb.mydomainname.com and then assign the wildcard
>>certificate to the companyweb site? What happened? The companyweb web site
>>in IIS isn't even configured to require SSL, although if I view the
>>certificate on companyweb it shows me our self-issued one. So I'm not sure
>>why it won't navigate there until I specify https, or why it's doing the
>>weirdness between the two certificates.
>>
>>Any help appreciated. Thanks!
>>
>>Bryan
>>
>>
>>
>
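
Added example, not part of the original thread or written by either poster: a small Python model of the name check behind the security alert described in the original post, showing which companyweb URLs a wildcard certificate can and cannot cover. The port-to-certificate mapping and the server name `sbs01` are assumptions constructed from the symptoms in the thread.

```python
# Constructed model of the certificate name check; all bindings are assumptions.

def wildcard_match(cert_name: str, host: str) -> bool:
    """Match a certificate name against a host name.

    A "*" is honoured only as the whole left-most label and covers exactly
    one label, so "*.example.com" never matches a bare single-label name.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # Refuse over-broad patterns such as "*" or "*.com".
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def audit(urls, served):
    """Map each (host, port) to 'ok', 'name mismatch' or 'no certificate bound'."""
    result = {}
    for host, port in urls:
        names = served.get(port)
        if names is None:
            result[(host, port)] = "no certificate bound"
        elif any(wildcard_match(n, host) for n in names):
            result[(host, port)] = "ok"
        else:
            result[(host, port)] = "name mismatch"
    return result


# Assumed state after the change described in the original post:
SERVED = {
    443: ["*.mydomainname.com"],      # Default Web Site: third-party wildcard
    444: ["publishing.sbs01.local"],  # companyweb: self-issued (sbs01 is made up)
}
URLS = [
    ("companyweb", 443),
    ("companyweb", 444),
    ("companyweb.mydomainname.com", 443),
    ("companyweb.mydomainname.com", 444),
]

if __name__ == "__main__":
    for (host, port), verdict in audit(URLS, SERVED).items():
        print(f"https://{host}:{port} -> {verdict}")
```

Under these assumptions only the fully qualified name on a binding that carries the wildcard certificate passes; the single-label name `companyweb` fails on every port.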