Dual https on same server not working

Norm wrote:

IIS 6.0 on MS Exchange Front-end server.
Two sites (mail.domain.com and mail2.domain.com) each listening on its own IP address: mail for OWA and mail2 for OMA/ActiveSync. Two certs are imported into the local store. If I "view certificate" on each of the web sites, the correct certificate shows up. Both sites are using port 443 for SSL. mail works fine, but when I go to mail2 (using its name or the IP), IIS seems to be feeding up the cert associated with "mail.", causing the browser to report an unmatched certificate.

The only thing I can think of is that the cert for mail2 was assigned to the web site and I later deleted the entire site because it was set up wrong. I then imported the cert again without generating a new cert request and getting the cert authority to re-issue it. Is this my problem?

David Wang wrote:

Use SSLDiag to troubleshoot.

http://blogs.msdn.com/david.wang/archive/2006/01/18/IIS-Diagnostics-Toolkit-January-2006-Released.aspx

Your steps are fine because you don't need to regenerate cert requests nor re-issue certificates. You just need to make sure you have the Server Certificate and its private key and that both are imported to the right Secure Store. All the wizards and other steps simply ensure you do the right things.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Norm wrote:

Seems as though somewhere along the way my SSL port for mail2 got blanked out and this was caught with the ssldiag tool. Now I'm in the situation where IIS complains that the port is in use when starting mail2 site. Can one not have IIS listen on port 443 on two ports simultaneously or is there a "special" way to make this work.

Daniel Crichton wrote:

Norm wrote on Wed, 13 Dec 2006 15:43:01 -0800:

> Seems as though somewhere along the way my SSL port for mail2 got blanked
> out and this was caught with the ssldiag tool. Now I'm in the situation
> where IIS complains that the port is in use when starting mail2 site. Can
> one not have IIS listen on port 443 on two ports simultaneously or is
> there a "special" way to make this work.

You cannot have them on the same IP address - I have 3 sites all using their own SSL certs on IIS6, each one is on its own IP address.

Dan

Norm wrote:

Perhaps I had misleading info in my reply. The two IIS instances are listening on separate IP addresses as well. The fix: I changed one site to listen on all unassigned interfaces / stopped and started IIS / changed it back to listening on only the single IP and voila. Now, on to better things...

Daniel Crichton wrote:

Norm wrote on Thu, 14 Dec 2006 05:29:00 -0800:

> Perhaps I had misleading info in my reply. The two IIS instances are
> listening on separate IP addresses as well. The fix: I changed one site
> to listen on all unassigned interfaces / stopped and started IIS / changed
> it back to listening on only the single IP and voila. Now, on to better
> things...

Sorry, missed the original post info that mentioned they were on separate IP addresses.

Dan

Norm wrote:

Solved.
Wasn't fun trying to do it the way I was trying, which was trying to set up a second OWA site from scratch over and over and still having it fail the OMA part on the second instance. I tried something else. I simply exported my working OWA site and imported it again, changed the name, the IP and the cert and all works. That took 5 minutes to do. I DO know how to set up OWA, really. I set up the first instance that I ended up copying. Once again I am humbled at the vast mysteries within Windows. BTW the reason I need two instances is to run forms-based OWA and OMA over SSL thru ISA.
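
The two failure modes discussed in this thread (an SSL binding whose port went blank, and two sites claiming the same IP address and port) can be checked offline over IIS 6 SecureBindings strings of the form "IP:port:host". This is an added example, not code from any poster. The site data and IP addresses are constructed, and the rule that an All Unassigned binding (empty IP) answers for addresses no other site claims is an assumption of the example.

```python
from collections import defaultdict

# Constructed sample: site -> (expected host name, site IP, certificate CN,
# SecureBindings strings in "IP:port:host" form). All values are invented;
# mail2's binding has lost its port and mail listens on All Unassigned.
SITES = {
    "mail": ("mail.domain.com", "192.0.2.10", "mail.domain.com", [":443:"]),
    "mail2": ("mail2.domain.com", "192.0.2.11", "mail2.domain.com",
              ["192.0.2.11::"]),
}


def parse_binding(raw):
    """Split 'IP:port:host' into (ip, port); '' as IP means All Unassigned."""
    ip, port, _host = raw.split(":", 2)
    return ip, int(port) if port.isdigit() else None


def audit(sites, port=443):
    """Return findings for blank, conflicting and mismatched SSL bindings."""
    findings, owners = [], defaultdict(list)
    for name, (_host, _ip, _cn, bindings) in sites.items():
        usable = [ip for ip, p in map(parse_binding, bindings) if p == port]
        if not usable:
            findings.append(f"{name}: no usable SSL binding on port {port}")
        for ip in usable:
            owners[ip].append(name)
    for ip, names in owners.items():
        if len(names) > 1:
            where = ip or "All Unassigned"
            findings.append(f"{where}:{port} claimed by {', '.join(names)}")
    # Assumption: an exact IP match wins, otherwise the All Unassigned
    # binding answers, so its site's certificate is what the client sees.
    for name, (host, ip, _cn, _b) in sites.items():
        answering = owners.get(ip) or owners.get("")
        if answering:
            served_cn = sites[answering[0]][2]
            if served_cn != host:
                findings.append(f"{host} ({ip}) is served the certificate "
                                f"for {served_cn}")
    return findings


if __name__ == "__main__":
    for line in audit(SITES):
        print(line)
```
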