Hello everyone. I have been busy on a project recently, so I have not shared any Exchange content for a few days. Today I want to walk through a fault I ran into earlier and how it was resolved, in the hope that it helps with your troubleshooting in the future.
First, let me set the scene. A company is currently running Exchange 2013 and publishes mail through TMG 2010. It recently bought a wildcard certificate and wanted to switch the certificate on TMG to it, but no matter how the publishing rule was changed and configured, Exchange publishing kept failing. After consulting a lot of material, I found many reports that TMG and wildcard certificates have compatibility problems, and that publishing breaks for some applications. That issue is not the main topic today; it still has to be resolved, and I will write another post about it when it is.
Let's focus on today's topic: modifying the OWA authentication method and assigning certificate services.
To do some related testing, and following guidance from a few KB articles, we planned to replace the existing private certificate with the wildcard certificate and to change the OWA authentication method (by default, ECP is authenticated the same way as OWA) to Basic Authentication, so that users authenticate directly through a browser pop-up, and then try logging on to OWA and ECP. The enterprise currently uses forms-based authentication with a configured logon domain, so that when users log on to OWA\ECP they only need to enter their domain account name and password and are authenticated directly, without having to type the domain name. I believe everyone is familiar with this, so I will not say more about it.
Problem reproduction:
Next we simulate how the problem occurred. First, replace the certificate with the public wildcard certificate.
Select the services so that the various Exchange services are assigned to this wildcard certificate.
Tick the services according to the enterprise's existing Exchange environment and roles.
Note: we have ticked IIS here; this is the problem point.
Then switch to the OWA authentication mode dialog box and, under "Use one or more standard authentication methods", select Basic authentication.
At this point you are prompted to restart IIS with iisreset /noforce and try again.
Note: if you do not want to run into the error below and make trouble for yourself, do not close the ECP session that is already open!!!!
The red text above already warned everyone not to close the ECP session that was open. The tragedy is that I closed it...
Why must the ECP not be closed? Let's look at the following symptoms:
After restarting IIS, I first reopened the ECP interface from the external network.
Duang!!!!! Not only did it automatically redirect to an owa/?Bo=1 page, it also gave me an error!!
Then I switched to the intranet and tried to log on to ECP.
Duang again!!!! The interface is displayed, but it always reports that the account or password is incorrect!!
The OWA interface behaves the same way, and Outlook has lost its connection to the Exchange server.
A bolt from the blue! Roll back? ECP can't be opened! There was no alternative but the command line.
First, we have to analyse why external and intranet users see different content in IE.
External network first: the external error is very likely related to the public certificate on TMG, so the request never reaches a valid page (of course, I have not resolved this problem yet; if any expert reading this knows the cause, please advise, thank you!).
Intranet next: the intranet error says the account or password is wrong, which basically points to a problem with the IIS authentication method.
So let's tackle the problems one by one.
Workaround:
1. First we must switch back to the original certificate
Log on to the Exchange server with administrator privileges and open the EMS (Exchange Management Shell).
Run Get-ExchangeCertificate to list all certificates currently on the Exchange server, find the original certificate and note its thumbprint.
If there are too many certificates to find it easily, you can also use Get-ExchangeCertificate | FL for a detailed view, paying particular attention to the certificate names (CertificateDomains), the assigned services (Services), and noting the certificate thumbprint (Thumbprint).
Once the original certificate is found, use the following command to assign the services to it:
Enable-ExchangeCertificate -Thumbprint 9e1d0173fa5f35081dfefbf25d1409ed542xxxxx -Services POP,IMAP,SMTP,IIS
For more details on the command, see https://technet.microsoft.com/zh-CN/library/aa997231(v=exchg.150).aspx
At this point we are pleased to see that extranet users' Outlook clients can connect to Exchange successfully again.
With the certificate issue resolved, we turn to the IIS authentication method.
Now, accessing ECP from both the external network and the intranet, the interface opens normally, but the authentication mode has become a pop-up dialog, and after entering the account and password the logon still fails.
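The certificate restore described above, as an added example that is not part of the original post: it locates the original (non-wildcard) certificate by the host name it carries, checks it is still valid, and re-assigns the services to it. It assumes the Exchange Management Shell on the CAS server; mail.example.com is a constructed placeholder for the real OWA host name.

```powershell
# Added example, not from the original post: find the certificate that was
# bound to IIS before the change, verify it is still valid, and re-assign the
# Exchange services to it, as the post does with Enable-ExchangeCertificate.
# Assumptions: run in the Exchange Management Shell on the CAS server;
# $ExpectedName is a constructed placeholder for the real OWA host name.
$ExpectedName = 'mail.example.com'

# 1. Inventory every certificate Exchange knows about, newest expiry first.
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, NotAfter, Services, Status -AutoSize

# 2. Show which certificate IIS (OWA, ECP, Outlook Anywhere, EWS) is using now.
$Current = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
foreach ($c in $Current) { "IIS currently bound to $($c.Thumbprint) ($($c.Subject))" }

# 3. Pick the original (non-wildcard) certificate by the name it carries,
#    rather than by reading thumbprints off the screen.
$Candidates = Get-ExchangeCertificate | Where-Object {
    $_.Subject -notmatch '^CN=\*' -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $ExpectedName)
}
if (-not $Candidates) { throw "No non-wildcard certificate for $ExpectedName was found." }
$Original = $Candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# 4. Refuse to bind a certificate that is expired, warn on any other bad status.
if ($Original.NotAfter -lt (Get-Date)) {
    throw "Certificate $($Original.Thumbprint) expired on $($Original.NotAfter)."
}
if ("$($Original.Status)" -ne 'Valid') {
    Write-Warning "Certificate $($Original.Thumbprint) has status $($Original.Status)."
}

# 5. Re-assign the services. Including IIS is what moves OWA/ECP/Outlook back
#    to the original certificate; -Confirm:$false skips the overwrite prompt.
Enable-ExchangeCertificate -Thumbprint $Original.Thumbprint -Services POP,IMAP,SMTP,IIS -Confirm:$false

# 6. Verify the binding and recycle IIS, as in the post.
Get-ExchangeCertificate -Thumbprint $Original.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
iisreset /noforce
```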
First we try to change the server's IIS authentication mode: open IIS Manager and, under the Default Web Site, find "Authentication" for the owa virtual directory (ECP follows the OWA authentication method, so only OWA needs to be modified).
Enable "Basic Authentication" and click "Edit" to set the default domain, which also gives users the ability to log on to OWA\ECP without typing the domain name.
After this setting, try again; unfortunately the authentication box still pops up and the logon eventually fails.
In the end, the only option is to resolve the issue from the command line.
At this point we look back at our original settings.
As we can see, we need to switch OWA's authentication method back to "Forms-based Authentication".
Next, use the following command to view the settings of the OWA virtual directory:
Get-OwaVirtualDirectory -Identity "Jh-hq-mail01\owa (Default Web site)" | FL
For details on the command, see https://technet.microsoft.com/zh-cn/library/aa998588(v=exchg.150).aspx
Find the FormsAuthentication property, which corresponds to the "Forms-based Authentication" option,
and use the following command to set its value to True:
Set-OwaVirtualDirectory -Identity "Jh-hq-mail01\owa (Default Web site)" -FormsAuthentication $true
Checking again with Get-OwaVirtualDirectory -Identity "Jh-hq-mail01\owa (Default Web site)" | FL,
we find that FormsAuthentication has been changed to True.
Now restart IIS and test again: the problem is finally resolved, and we can log on to OWA and ECP successfully.
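A scripted version of the check and rollback above, added here and not part of the original post: it reads the OWA and ECP virtual directories on the server named in the post, reports any authentication settings on which the two disagree, and puts both back to forms-based authentication with a logon domain before recycling IIS. It assumes the Exchange Management Shell; corp.example.com is a constructed placeholder for the enterprise's real logon domain.

```powershell
# Added example, not from the original post: compare the OWA and ECP virtual
# directories, report any authentication mismatch, and put both back to
# forms-based authentication with a logon domain so users can sign in
# without typing the domain name.
# Assumptions: run in the Exchange Management Shell; $DefaultDomain is a
# constructed placeholder for the enterprise's real logon domain.
$Server        = 'Jh-hq-mail01'
$DefaultDomain = 'corp.example.com'

$Owa = Get-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)"
$Ecp = Get-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)"

# 1. Compare the settings that the EAC changes together when you pick an auth mode.
$Props    = 'FormsAuthentication', 'BasicAuthentication', 'WindowsAuthentication'
$Mismatch = @()
foreach ($p in $Props) {
    $same = ($Owa.$p -eq $Ecp.$p)
    if (-not $same) { $Mismatch += $p }
    '{0,-22} OWA={1,-5} ECP={2,-5} {3}' -f $p, $Owa.$p, $Ecp.$p, $(if ($same) { 'ok' } else { 'MISMATCH' })
}
'LogonFormat={0}  DefaultDomain={1}' -f $Owa.LogonFormat, $Owa.DefaultDomain

# 2. A fix is needed when OWA and ECP disagree, or when FBA is off on OWA.
if ($Mismatch -or -not $Owa.FormsAuthentication) {
    Write-Warning ('Restoring forms-based authentication (mismatch: {0})' -f ($Mismatch -join ', '))

    # On the OWA directory, FormsAuthentication $true also turns Basic on and
    # Windows/Digest off, which is the state the post restores by hand.
    Set-OwaVirtualDirectory -Identity $Owa.Identity -FormsAuthentication $true `
        -LogonFormat UserName -DefaultDomain $DefaultDomain
    Set-EcpVirtualDirectory -Identity $Ecp.Identity -FormsAuthentication $true

    # 3. Re-read both directories and confirm before recycling IIS.
    $Owa = Get-OwaVirtualDirectory -Identity $Owa.Identity
    $Ecp = Get-EcpVirtualDirectory -Identity $Ecp.Identity
    if ($Owa.FormsAuthentication -and $Ecp.FormsAuthentication) {
        'OWA and ECP both use forms-based authentication; restarting IIS.'
        iisreset /noforce
    } else {
        throw 'Forms-based authentication is still not enabled on both directories.'
    }
} else {
    'OWA and ECP agree and forms-based authentication is enabled; nothing to do.'
}
```

Run the comparison part first on its own to see the current state; the rollback only executes when a mismatch or disabled FBA is detected.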
This article is from the "June Ma Run Space" blog; please keep this source: http://horse87.blog.51cto.com/2633686/1627201