Web browsers will return an error such as:

The security certificate issued by this website was not issued by a trusted certificate authority

On inspection of the certificate being issued by the website you may see this error:

The issuer of this certificate could not be found

This can be confusing for people who assume that any certificate issued by a commercial CA such as Thawte will be trusted by devices and web browsers that people are connecting from, especially when it occurs after renewing an existing Thawte SSL certificate.

Thawte has published the reason for this:

On June 27 2010, in the interest of better security, thawte signed all certificates with a primary and secondary intermediate that need to be installed along with the SSL certificate. Any certificate issued on or after this date requires the primary and secondary intermediate to be installed.

The new certificates are issued by an intermediate CA known as “Thawte SSL CA”.  This CA is not automatically trusted by most web browsers.  Thawte provides instructions for installing the correct certificates on the web server or ISA Server that is publishing the website.

Take note of the final steps, the change may not take effect until IIS or ISA Server are restarted.

If your site still have the chaining error, restart the IIS service. If the problem continues, the whole server needs a reboot to use the new roots.

Related posts:

• Exchange Server 2010 and the Benefits of Commercial SSL Certificates
• How to Issue a SAN Certificate to Exchange Server 2010 from a Private Certificate Authority
• Exchange Server 2010 “The Certificate is Invalid for Exchange Server Usage” Error
• How to Assign an SSL Certificate to Exchange Server 2010 Services
• Exchange 2010 Certificate Revocation Checks and Proxy Settings

This article SSL Certificate Trust Errors for New Thawte Certificates is © 2010 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

To use the complete set of features available in Outlook Web App and the Web management interface, you can use the following browsers on a computer running Windows XP, Windows 2003, Windows Vista, or Windows 7:

• Internet Explorer 7 and later versions.
• Firefox 3.0.1 and later versions.
• Chrome 3.0.195.27 and later versions.

On a computer running Max OS X, you can use:

• Safari 3.1 and later versions.
• Firefox 3.0.1 and later versions.

On a computer running Linux, you can use:

• Firefox 3.0.1 and later versions.

If you use a Web browser that doesn’t support the full feature set, Outlook Web App will open in the light version.

The light version is primarily designed for accessibility for the visually impaired.  However with its stripped down interface and limited features it is also useful when on slow connections and has the broadest browser compatiblity of the two versions.

Related posts:

• SSL Certificate Trust Errors for New Thawte Certificates
• Exchange Remote Connectivity Analyzer Updated
• Exchange Server 2010 and the Benefits of Commercial SSL Certificates
• Exchange 2010 Hub Transport Server Backup and Recovery
• Improved Database Integrity Checking in Exchange Server 2010 SP1

This article Exchange Server 2010 OWA Support Browser Matrix is © 2010 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

• New CAPTCHA interface
• New tests for Exchange Web Services (useful for testing Entourage for Mac clients) and Outbound SMTP
• Updates for Exchange 2010 Outlook Web Access
• Password confirmation to reduce test failures from password typos
• Removal of the “Beta” label

The tool also has a slick new interface.  Check out the differences between the old site and the new site.

Old Exchange Remote Connectivity Test Interface

New Exchange Remote Connectivity Test Interface

Check out the Exchange Remote Connectivity Analyzer Tool.

Related posts:

• Configuring the Exchange Server 2007 Client Access Server
• Test your Exchange Server remote connectivity
• SSL Certificate Trust Errors for New Thawte Certificates
• Exchange Server 2010 and the Benefits of Commercial SSL Certificates
• Public Folders Not Replicating Between Exchange 2007 and 2010

This article Exchange Remote Connectivity Analyzer Updated is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Open the ISA Server Management console and navigate to <ISA server name>/Firewall Policy.

Click on Publish Exchange Web Client Access in the Tasks pane on the right side of the ISA Server Management Console.

Enter a meaningful name for the new publishing rule such as “Exchange Remote Access”.  Click Next to continue.

Select the Exchange version Exchange Server 2007 and tick the Outlook Web Access box.  Click Next to continue.

Choose Publish a single Web site or load balancer.  Click Next to continue.

Choose Use SSL to connect to the published Web server or server farm as this is the most secure option.  Click Next to continue.

Enter the FQDN of the Client Access Server.  If for any reason your ISA Server is not able to resolve this name you should also tick the box and enter a name or IP that ISA can use to connect to the server.  Click Next to continue.

Enter the Public Name of the server.  This should match the name on the SSL certificate you imported on the Exchange and ISA servers, the External URL setting on the OWA virtual directory for the Exchange Client Access Server configuration, and the external DNS name that your clients use to connect to Exchange remote access.  Click Next to continue.

Click New to create a new web listener for Exchange Remote Access.

Give the listener a meaningful name such as “ExchangeSSL”.  Click Next to continue.

Choose Require SSL secured connections with clients.  Click Next to continue.

Select the External network to listen for incoming web requests.  If you have more than one external IP address you must click Select IP Addresses and specify which IP address bound to the External network to listen on.  Click Next to continue.

Click Select Certificate and choose the SSL certificate you imported on the ISA Server firewall.  Click Select and then click Next to continue.

Leave the authentication settings set to HTML Form Authentication with Windows (Active Directory).  Click Next to continue.

Clear the Enable SSO check box.  Click Next to continue.

Click Finish to complete the New Web Listener wizard.  Select the web listener you have just created and click Next to continue.

Choose Basic Authentication for authentication delegation.  Click Next to continue.

Note: Delegation using Basic authentication allows a single SSL certificate, public IP address, and ISA publishing rule to be used for all Exchange remote access methods (eg Outlook Web Access and Outlook Anywhere).  In environments with multiple public IP addresses and a requirement to delegate Outlook Anywhere authentication using Kerberos/NTLM then Negotiate(Kerberos/NTLM) would be chosen.

Leave the users set to Authenticated Users.  Click Next to continue.

Click Finish to complete the Publishing Rule wizard.

Right click the newly created rule and choose Properties.

Navigate to the Paths tab.  Click the Add button to add more paths to the publishing rule for ActiveSync, AutoDiscover, and Outlook Anywhere.

Note: If you are planning to publish these services on separate IP addresses and SSL certificates you would not perform these steps.

Add the following paths:

• /rpc/*
• /Microsoft-Server-ActiveSync/*
• /AutoDiscover/*

Click OK when you have added each of the paths to the rule.

Apply the ISA rule changes.

Related posts:

• Publish incoming SMTP to the Exchange Server 2007 server with ISA Server 2006
• Configuring the Exchange Server 2007 Hub Transport Server
• Configuring the Exchange Server 2007 Client Access Server
• SSL Certificate Trust Errors for New Thawte Certificates
• Exchange Remote Connectivity Analyzer Updated

This article Publish Exchange Server 2007 OWA Using ISA Server 2006 is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Open the Exchange Management Console and navigate to Server Configuration/Client Access.

Configure Outlook Web Access

Before Outlook Web Access is published to the internet you must enter the external URL.  Open the properties of the owa (Default Web Site) and enter the external URL in the field shown here.

If you are publishing via ISA Server select the Authentication tab and choose Use one or more standard authentication methods, setting it to Integrated Authentication and Basic Authentication.

Click OK when complete.  A warning will appear that the changes will not take effect until IIS is restarted.

Click OK but don’t worry about restarting IIS yet, we’ll be restarting it soon.

Configure ActiveSync

Similar to Outlook Web Access the ActiveSync external URL must be configured if it is being published to the internet.  Choose the Exchange ActiveSync tab and then open the properties of Microsoft-Server-ActiveSync.

Enter the external URL in the field shown here.

Click OK when complete.

Configure Outlook Anywhere

In the Actions pane to the right of the Exchange Management Console click on Enable Outlook Anywhere.

Enter the external host name in the field shown here.

If you are publishing via an ISA Server on the same external IP address as Outlook Web Access then choose Basic Authentication.  If you can dedicate an external IP address for publishing Outlook Anywhere then choose NTLM Authentication.

Click Enable when complete.  You will receive a warning that Outlook Anywhere will not be available for up to 15 minutes.  Click Finish to clear that warning.

Related posts:

• Test your Exchange Server remote connectivity
• Exchange Remote Connectivity Analyzer Updated
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Migrate SSL Certificates from Exchange Server 2003 to Exchange Server 2007
• Complete Exchange 2007 Transition Guide

This article Configuring the Exchange Server 2007 Client Access Server is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

The full list of fixes can be found here, and the download files are here.

I’ve updated our Exchange servers here last night and it went smoothly, no problems encountered.

Make sure you read the release notes to be aware of the main issues encountered with Exchange update rollups:

• customised OWA interfaces (backup your customisations as they will be overwritten by the update)
• CAS-proxy deployments (update the internet-facing CAS first)
• managed code services not starting after update (permit access from the server to the Microsoft CRL)

Link: Update Rollup 6 for Exchange Server 2007 Service Pack 1 (KB959241)

Related posts:

• Exchange 2007 OWA stops working with “reason=0” error
• Exchange Server 2007 SP2 Update Rollup 2 Released
• Exchange Remote Connectivity Analyzer Updated
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Configuring the Exchange Server 2007 Client Access Server

This article Exchange Server 2007 Update Rollup 6 (Critical) is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

 

https://mail.yourdomain.com/owa/auth/logon.aspx?url=https://mail.yourdomain.com/owa/&reason=0

This problem can be caused by either of these conditions:

Cause #1

The Update Rollup was applied while the %systemdrive%\ExchangeSetupLogs folder was missing.

Resolution #1

Replace or restore the ExchangeSetupLogs folder and run the Update Rollup again.

Cause #2

The Update Rollup was applied while IIS services were stopped or disabled.  This will be apparent when you inspect the %systemdrive%\ExchangeSetupLogs\UpdateOwa.log file and find entries with the following text:

 

Getting all Exchange 2007 OWA Virtual Directories
There are no Exchange 2007 OWA Virtual Directories.  Aborting.

Resolution #2

Enable and start the IIS services (which are required for the Client Access Server role) and run the Update Rollup again.

Related posts:

• Exchange Server 2007 Update Rollup 6 (Critical)
• Exchange Server 2007 SP2 Update Rollup 2 Released
• Exchange Remote Connectivity Analyzer Updated
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Migrate SSL Certificates from Exchange Server 2003 to Exchange Server 2007

This article Exchange 2007 OWA stops working with “reason=0” error is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

You can view the language of a mailbox using the Get-Mailbox cmdlet.

[PS] C:\>Get-Mailbox -Identity "John Smith" | fl name, languages

Name      : John Smith
Languages : {en-AU}

To see all mailboxes that do not match the language you are expecting you can use this PowerShell command, where “en-AU” is the expected language in this example:

[PS] C:\>Get-Mailbox | where {$_.languages -ne "en-AU"} | fl name, languages

Name      : Peter James
Languages : {en-US}

Name      : Frank Wu
Languages : {zh-CN}

To set a user mailbox to the language you desire use the Set-Mailbox cmdlet.

[PS] C:\>Set-Mailbox -Identity "Frank Wu" -Languages "en-AU"

Link: How to change the languages for a user mailbox

Related posts:

• Error “Object is Read Only” During Exchange Server 2007 Public Folder Database Removal
• Which Version of Exchange Am I Running?
• Browsing Mailbox Databases in Exchange 2007 and 2010
• How to Enable AutoAccept on Multiple Exchange 2007 Room Mailboxes
• Exchange Remote Connectivity Analyzer Updated

This article Exchange 2007 mailbox users with incorrect language settings is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

A few days ago I learned about the Microsoft Exchange Server Remote Connectivity Analyzer, and this morning I had cause to give it a try for the first time.

The Microsoft Exchange Server Remote Connectivity Analyzer lets you perform useful tests such as ActiveSync, Autodiscover, Outlook Anywhere, and inbound SMTP.  I ran through the ActiveSync test to verify for one of our remote staff that it was working properly.

The test required valid network credentials in order to perform its analysis.  Though the site is owned and run by Microsoft and the credentials are transmitted via SSL if you had any security or privacy concerns you could simply create a temporary account for the tests and then change its password or delete it immediately afterwards.

In summary, a great tool and one that goes a long way to solving the headache of properly testing new Exchange Server deployments at customer networks.

Related posts:

• Configuring the Exchange Server 2007 Client Access Server
• Exchange Remote Connectivity Analyzer Updated
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Exchange Server 2007 Update Rollup 6 (Critical)
• Exchange 2007 OWA stops working with “reason=0” error

This article Test your Exchange Server remote connectivity is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Despite our attempts at documenting various break/fix scenarios, it can often be frustrating when trying to locate the information you need to resolve an issue as quickly as you would like. I decided to share this information in an attempt to help you resolve the majority of issues that can prevent your users from successfully logging on to Outlook Web Access.

Read more…

Link: Troubleshooting Outlook Web Access Logon Failures in Exchange Server 2007

Related posts:

• Exchange Remote Connectivity Analyzer Updated
• Publish Exchange Server 2007 OWA Using ISA Server 2006
• Configuring the Exchange Server 2007 Client Access Server
• Exchange Server 2007 Update Rollup 6 (Critical)
• Exchange 2007 OWA stops working with “reason=0” error

This article Troubleshooting Exchange Server 2007 Outlook Web Access Logon Failure is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com