4. Resolving SSL certificate issues
To resolve a certificate issue, you’ll need to restore or re-create
the primary SSL certificate on the Client Access server, the Mailbox
server, or both. By default, the self-signed certificate named
Microsoft Exchange is the certificate used for authentication and
encrypting communications whenever you use Outlook Web App, ECP, or the
management tools to work with Exchange.
If you don’t have a backup or an export of the primary SSL certificate,
you’ll need to re-create the certificate. You can create a new
self-signed certificate using New-ExchangeCertificate. The following
example shows how to configure services, the subject name, and subject
alternative names for MailServer21 in the Pocket-Consultant.com domain:
New-ExchangeCertificate -SubjectName "cn=MailServer21" `
  -DomainName pocket-consultant.com -IncludeServerFQDN `
  -Services IIS, IMAP, POP, SMTP
Important
With certificates issued by a local CA or a third-party CA, you can
use the original certificate file. Import the certificate using
Import-ExchangeCertificate and then use Enable-ExchangeCertificate to
enable the certificate for IIS, IMAP, POP, and SMTP services. You can
ensure that the certificate is in use and test services as discussed
previously.
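The import-and-enable sequence described in the note above, as an added example that is not from the original text. The .pfx path is a hypothetical placeholder, MailServer21 is the server name from the earlier example, and the validity checks before binding are an added precaution.

```powershell
# Added example; run in the Exchange Management Shell.
# Assumptions: $PfxPath is a placeholder for your own exported certificate
# file; MailServer21 is the server name used in the example above.
$Server  = 'MailServer21'
$PfxPath = 'C:\Certs\<exported-certificate>.pfx'   # placeholder path
$Wanted  = 'IIS', 'IMAP', 'POP', 'SMTP'

# Prompt for the .pfx password so it never lands in history or a script file.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import the original certificate file; the cmdlet returns the certificate.
$Bytes = [System.IO.File]::ReadAllBytes($PfxPath)
$Cert  = Import-ExchangeCertificate -Server $Server -FileData $Bytes -Password $PfxPassword
if (-not $Cert) { throw "Import failed on $Server" }

# Do not bind a certificate that is expired or that Exchange reports as
# anything other than Valid (for example untrusted or revoked).
if ($Cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($Cert.Thumbprint) expired on $($Cert.NotAfter)"
}
if ("$($Cert.Status)" -ne 'Valid') {
    throw "Certificate status is $($Cert.Status), not Valid"
}

# Enable it for the services named in the text. No -Force is used, so the
# prompt about replacing the default SMTP certificate is still shown.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint -Services $Wanted

# Confirm the binding: read the certificate back and compare its services.
$Bound   = Get-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint
$Missing = $Wanted | Where-Object { "$($Bound.Services)" -notmatch "\b$($_)\b" }
if ($Missing) { Write-Warning "Not bound to: $($Missing -join ', ')" }
$Bound | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status
```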
5. Resolving Outlook Web App, ECP, or other virtual directory issues
To resolve a virtual directory issue, you can remove and then
re-create the virtual directory. You won’t always know whether the
problem exists in the front-end configuration, the back-end
configuration, or both, so you may need to remove and re-create the
virtual directory on the related Client Access server and the related
Mailbox server. I recommend removing and re-creating the front-end
virtual directory first and then checking to see if this resolves the
problem before removing and re-creating the back-end virtual directory.
As an example, if you’ve determined the Outlook Web App virtual
directory is misconfigured, you can remove it using
Remove-OwaVirtualDirectory and then re-create it using
New-OwaVirtualDirectory. For example, the following commands remove and
then re-create the Outlook Web App virtual directory from the Default
Web Site on MailServer17:
Remove-OwaVirtualDirectory -Identity "mailserver17\owa (Default Web Site)"
New-OwaVirtualDirectory -Server mailserver17 `
  -WebSiteName "Default Web Site"
Important
By default, the New-OwaVirtualDirectory and New-EcpVirtualDirectory
commands enable basic authentication and forms authentication but do
not enable Windows authentication. Because Windows authentication is
required for Outlook Web App and ECP, you must use the commands
Set-OwaVirtualDirectory and Set-EcpVirtualDirectory to modify the
default authentication settings. The following example enables Windows
authentication and disables basic and forms authentication:
Set-OwaVirtualDirectory -Identity "mailserver17\owa (Default Web Site)" `
  -WindowsAuthentication $true -BasicAuthentication $false `
  -FormsAuthentication $false
After you re-create a virtual directory, you should restart IIS
services. You can do this in IIS Manager or by entering the following
command at an elevated command prompt or shell:
iisreset
You can then test the service using Test-OwaConnectivity, or you can
try to log on to Outlook Web App. If this doesn’t resolve the problem,
you can remove, re-create, and configure the Outlook Web App virtual
directory on the back-end server, as shown in this example:
Remove-OwaVirtualDirectory -Identity "mailserver21\owa (Exchange Back End)"
New-OwaVirtualDirectory -Server mailserver21 `
  -WebSiteName "Exchange Back End"
Set-OwaVirtualDirectory -Identity "mailserver21\owa (Exchange Back End)" `
  -WindowsAuthentication $true -BasicAuthentication $false `
  -FormsAuthentication $false
Complete the process by restarting IIS services and then
check to ensure the problem is resolved. If the problem isn’t resolved,
look to related services. For example, remote PowerShell must be
properly configured for Outlook Web App and ECP to work. If you suspect
the PowerShell virtual directory is misconfigured, you can remove and
re-create it as well.