Name: Bharat Suneja
Location: Fremont, California, United States

MVP - Exchange | MCT specializing in messaging (Exchange), Active Directory and security, having way too much fun with scripting, and Exchange "12"/2007


Monday, January 28, 2008

Exchange Server 2007 setup issues each server a self-signed certificate for use by services such as SMTP, IMAP, POP, IIS and UM. The certificate is valid for one year.

The self-signed certificate meets an important need: Exchange services are secured by default, without anyone having to request a certificate first. Nevertheless, treat these certificates as temporary. No client trusts the issuer, so users get certificate warnings (and learn to click through them), and the self-signed certificate is not recommended for any client communication on an ongoing basis. For most deployments you will end up procuring a certificate from a trusted third-party CA, or from an internal CA in organizations with a PKI deployed.

However, if you decide to leave the self-signed certificate on some servers and keep using it, it needs to be renewed before it expires, just as you would renew a certificate from a third-party or in-house CA.

1. To renew the certificate on e12postcard.e12labs.com, a server with the CAS and HT roles installed, first list the certificate:

Get-ExchangeCertificate -DomainName "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default POP, IMAP, IIS and SMTP on a server with the CAS and HT roles) and copy its thumbprint.

Then generate a new certificate, with a new expiration date, from the existing one:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If the existing certificate is being used for SMTP, you will get the following prompt:

Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Type Y to continue. A new certificate is generated:


Thumbprint   Services   Subject
----------   --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....   CN=E12Postcard

Examine the new certificate:

Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

2. The old certificate was enabled for IIS, POP, IMAP and SMTP, but the new certificate generated by the command above is enabled only for POP, IMAP and SMTP; IIS is missing.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

This enables the certificate for IIS in addition to any services it is already enabled for: Enable-ExchangeCertificate adds to the existing value of the Services property, it does not replace it.

3. Test that the services are working with the new certificate. Keep in mind that the renewed certificate is a new key pair with a new thumbprint, so anything that was made to trust the old certificate explicitly (for example, a client or another server that imported it into its trusted store) has to be updated. If everything works as expected, remove the old certificate:

Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
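The three steps above as one Exchange Management Shell script. This is an added example, not code from the original post: it carries every service the old certificate served over to the new one, checks what the HTTPS endpoint actually presents, and only then removes the old certificate. The server name is the one used in the post; the -Force switch on New-ExchangeCertificate (to suppress the overwrite prompt) and PowerShell 2.0 or later (for try/finally and the scriptblock-to-delegate cast in the helper) are assumptions.

```powershell
# Added example: renew an Exchange 2007 self-signed certificate end to end.
# Assumes -Force on New-ExchangeCertificate and PowerShell 2.0 or later.
$fqdn = "e12postcard.e12labs.com"

# Returns the thumbprint of the certificate a TLS endpoint presents. The callback
# accepts any certificate because we only want to read it; this is a check on
# what IIS serves, not a trust decision.
function Get-PresentedThumbprint([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

# Step 1: find the enabled self-signed certificate for this name. A self-signed
# certificate has Issuer equal to Subject.
$old = Get-ExchangeCertificate -DomainName $fqdn |
    Where-Object { $_.Issuer -eq $_.Subject -and $_.Services -ne "None" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $old) { throw "No enabled self-signed certificate found for $fqdn" }
$oldServices = $old.Services      # e.g. IMAP, POP, IIS, SMTP
"Old certificate {0} expires {1}, services: {2}" -f $old.Thumbprint, $old.NotAfter, $oldServices

# Step 2: clone it with a fresh one-year validity (the pipeline form the post uses).
# -Force answers the "overwrite existing default SMTP certificate" prompt.
$new = $old | New-ExchangeCertificate -Force

# Step 3: the clone does not carry IIS over, so enable the full set the old
# certificate had. Enable-ExchangeCertificate only ever adds services.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $oldServices

# Step 4: verify before removing anything: later expiry, same services, and the
# HTTPS endpoint really presents the new thumbprint.
$renewed = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($renewed.NotAfter -le $old.NotAfter) {
    throw "Renewed certificate does not expire later than the old one"
}
if ($oldServices.ToString() -ne $renewed.Services.ToString()) {
    throw ("Service mismatch: old '{0}' vs new '{1}'" -f $oldServices, $renewed.Services)
}
$presented = Get-PresentedThumbprint $fqdn 443
if ($presented -ne $renewed.Thumbprint) {
    throw "IIS on $fqdn still presents $presented; not removing the old certificate"
}

# Step 5: only now remove the old certificate.
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
"Renewed $fqdn : removed $($old.Thumbprint), now using $($renewed.Thumbprint)"
```

The order matters: the old certificate is removed last, after the new one has been confirmed in use, so a failed enable or an IIS binding that has not picked up the new certificate leaves the server serving the old (still valid) certificate rather than none.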

Related posts:
- Outlook Anywhere and Exchange's Self-Signed Certificate
- Which name should I use as Common Name for my UC certificate?
- DigiCert: A Certificate Authority with excellent customer service


Tuesday, August 14, 2007

 

Xbox 360 and Zune themes for Outlook Web Access

Posted by Bharat Suneja at 3:54 PM
In line with the much sought-after :) Xbox theme for OWA 2003, the Exchange team just went live with the (drumroll) Xbox 360 and Zune themes for OWA 2007 SP1. Get them from the team blog: "New OWA themes for Exchange Server 2007 SP1".

Next on the wish-list: A Mac OS X theme for OWA, to go with the cool new iMacs and Mac Book Pros...? :)


Tuesday, July 31, 2007

I finally took the plunge and decided to get a certificate from a public Certificate Authority (CA) for my Exchange Server 2007 server at home. A certificate that supports Subject Alternative Names (SAN certificate, aka "Unified Communications" certificate), no less. Having dealt with a number of CAs in the past, and having heard some horror stories about getting a certificate that supports Subject Alternative Names, I wasn't quite looking forward to the exercise.

Thanks to Office Communications Server (OCS) MVP (and fellow Zenpriser till recently... ) Lee Mackey, the CA he recommended - DigiCert - provided exemplary customer service.

Chain of events:
- Generate SAN certificate request using the New-ExchangeCertificate command from Exchange Server 2007 (for a couple of domains, includes the Autodiscover.domain.com fqdn).
- Submit request to DigiCert
- Get confirmation emails from DigiCert (for multiple domains)
- Within a few seconds, while I'm still clicking on the confirmation messages, I get a call from a DigiCert rep to confirm the details
- The rep informs me the physical/mailing address with the domain registrar for one of the domains is not current or not the same as the one I provided when requesting the cert
- Rep waits while I correct it on the domain registrar's web site
- Confirms the address is updated in the registrar's WHOIS info
- Asks for a photo ID to be uploaded on their secure site
- I email him the photoID instead of uploading it
- By the time I'm back from the scanner/copier to my desk, and hit refresh, the photo ID shows up on DigiCert's web site
- Within a few minutes I get the certificate in by email
- Install certificate and test it with the different domains - works!

An impressive and positive customer service experience - these guys rock! If you're in the market for a digital certificate, check them out.

Requesting and using certificates for Exchange Server 2007

- KB 929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
- Use Import-ExchangeCertificate to import the issued certificate, and Enable-ExchangeCertificate to enable it for the Exchange services you want to use it with (IIS, SMTP, IMAP, POP and UM)
- Also recommend reading the team blog post by John Speare: Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
- SAN certificates cost significantly more than regular SSL certificates as of now. Work out whether several regular certificates work for your deployment instead; each additional HTTPS site then needs its own IP address (or port), because IIS 6 cannot pick a certificate by host name.
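The request, import and enable sequence for a SAN certificate, written out as an added example in the Exchange 2007 Management Shell (this is not the post's own command history). The organisation, host names and file paths are placeholders, and the 2048-bit key size is a choice rather than a default.

```powershell
# Added example: obtain and enable a SAN ("Unified Communications") certificate
# from a public CA on an Exchange 2007 CAS/HT server. Names and paths are placeholders.
$names   = @("mail.example.com", "autodiscover.example.com", "e12postcard.example.com")
$subject = "C=US, O=Example Corp, CN=" + $names[0]   # the CN should also be in the SAN list

# 1. Generate the request. -GenerateRequest writes a PKCS#10 CSR instead of a
#    certificate; the private key is created here and never leaves the server.
#    Exportable so the same certificate can be moved to other CAS/HT servers later.
New-ExchangeCertificate -GenerateRequest -SubjectName $subject -DomainName $names `
    -KeySize 2048 -PrivateKeyExportable $true -Path "C:\certs\mail-example-com.req"

# 2. Submit C:\certs\mail-example-com.req to the CA and save the issued certificate
#    as C:\certs\mail-example-com.cer. Import matches it to the pending request's key.
$cert = Import-ExchangeCertificate -Path "C:\certs\mail-example-com.cer"

# 3. Check the SAN list before binding the certificate to anything: a name missing
#    here is exactly the client-side certificate warning the whole exercise avoids.
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
$sanText = if ($san) { $san.Format($false) } else { "" }
foreach ($n in $names) {
    if ($sanText -notlike "*$n*") { throw "Issued certificate has no SAN entry for $n" }
}
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key; was the request made on this server?" }

# 4. Enable it for the services that need it. Enable-ExchangeCertificate adds to
#    whatever services the certificate is already enabled for.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, NotBefore, NotAfter, Services
```

Step 3 is the part people skip: the CA issues what the request asked for, and if a name (autodiscover is the usual casualty) was left out of -DomainName, you find out when Outlook complains rather than here.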

ISA Server issues

- Forms-Based Authentication: If you use ISA (ISA 2006 in my case) to publish the Exchange CAS URLs for OWA, disable forms-based authentication on Exchange's OWA virtual directory; otherwise you get two forms-based logon pages and end up authenticating twice, once with ISA and once with Exchange.
- A useful doc if you're publishing with ISA 2006: Publishing Exchange Server 2007 with ISA Server 2006.
- ISA and SAN Certs: ISA 2004/2006 still have issues with SAN certs, discussed in the ISA team blog: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing.


Sunday, July 22, 2007

 

SCRIPT: Turning on Filter Junk Email

Posted by Bharat Suneja at 2:53 PM
OWA users who never log on with Outlook do not have the Junk E-mail filter turned on by default. Exchange MVP Glen Scales has a script here that lets you turn it on programmatically for Exchange Server 2007 users.


Wednesday, May 23, 2007

 

Happy Birthday OWA: Outlook Web Access Turns 10!

Posted by Bharat Suneja at 7:26 AM
Outlook Web Access, the web-based interface for accessing Exchange, turns 10 today! Released on May 23, 1997, as part of Exchange 5.0, OWA went by the name "Exchange Web Access" back then.



OWA has come a long way since Exchange 5.0 - abandoning its ability to live on a separate (non-Exchange) IIS server on the way (amongst other things), and gaining exciting new capabilities. Here's an interesting post on the team blog about the evolution of OWA - "Outlook Web Access - A catalyst for web evolution"

OWA 2003 was a huge improvement over OWA 2000 - it became my client of choice to access Exchange. It also became one of the reasons a few deployments I was involved with chose to upgrade - once remote users got hooked to OWA 2003, many didn't want to go back to Outlook client over VPN. (Yes, RPC over HTTP has been around since then, but in the absence of stronger authentication support like RSA SecurID, it's been a challenge to have security folks agree to such access in many cases).



The shiny new OWA in Exchange Server 2007 is quite impressive - it's much closer to an Outlook client - including:
- capability to right-click items and get OWA/email related options (instead of those related to a web page)
- a "browsable" GAL/Address Book that was missing in previous versions (and added by third-party solutions like MessageWare)
- the Outlook-like behavior of new messages popping up without having to refresh
- the new OOF wizard, with different OOF messages for internal and external recipients and the ability to restrict external OOFs to a user's Contacts
- Junk Mail management options (Safe/Blocked senders)
- ability to manage Windows Mobile devices
- empty Deleted Items on exit/logoff
- and the less annoying pop-up meeting reminders to name a few.

(A more extensive list of the new features in OWA 2007 can be found in "Client Features in Outlook Web Access" in the product documentation).

Even "OWA Light", the interface seen by legacy and non-IE browsers, is quite feature-rich and a pleasure to use.

The missing features like deleted item recovery, S/MIME support, Public Folder access, rules, etc. have been a thorny issue. Luckily, these are making their way back in SP1 [read previous post "Exchange Server 2007 SP1: A bag of goodies!"].

It'll be interesting to see what OWA has in store for E14 - the next version of Exchange (yes, I know Exchange 2007/E12 just RTMed, but that's the nature of software companies... with one product version shipped, it's time to work on the next one... :).


Friday, December 08, 2006

 

Windows Vista and Outlook Web Access

Posted by Bharat Suneja at 6:28 PM
If you're using a build of Windows Vista from Beta 2 onwards (including RTM), the version of IE7 included with Vista does not include or support the DHTML Editing ActiveX control that Outlook Web Access uses for composing and replying to messages. As a result, when you try to compose or reply to a message in OWA, the area where you would type the message body appears grayed out (like a missing image).

To fix it, you need to install the update in KB 911829. Requires Exchange Server 2003 SP2.


Wednesday, November 22, 2006

 

SCRIPT: Show OWA Users

Posted by Bharat Suneja at 7:00 PM
This is a modified script that shows the current OWA/HTTP logons to the Store(s) on one or more servers. It takes the NetBIOS names of the servers as command-line arguments (separated by spaces), and uses the Exchange_Logon WMI class to connect to each server and retrieve the list of users currently logged on.

ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3

[If cscript is not your default script host, run it explicitly: cscript ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3]

It omits any non-HTTP logons and displays the mailbox (display name), the logged-on user and the Store name in comma-separated format.

To dump output to a CSV file, simply add ">MyOutputFileName.csv" to the end of the command when running the script. E.g. cscript ShowHTTPLogons.vbs EXCH1 EXCH2 EXCH3 >MyOutputFileName.csv

The script does not list logons by the System account (NT AUTHORITY\SYSTEM); these are counted and shown in a summary, alongside the number of HTTP logons by actual users. Note that a single OWA session can produce several HTTP logons on the Store, so this is by no means a way to calculate the number of users currently logged on through OWA; you will see repeated entries for the same mailbox because of this (it's not a very tidy script, written in a hurry; hopefully I will be able to fix that at a later date).

Download:
showHTTPLogons.zip

Note: You will need to extract the file and rename it with a VBS extension.
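The same query in PowerShell, as an added example rather than the post's ShowHTTPLogons.vbs. It goes one step further than the script described above by grouping the rows per account, which gives a distinct-user figure the raw listing cannot. The property names on Exchange_Logon (ClientVersion, LoggedOnUserAccount, MailboxDisplayName, StoreName, LastAccessTime) and the use of "HTTP" as the ClientVersion of OWA logons are assumptions taken from the Exchange 2003 WMI class and the Logons view in Exchange System Manager.

```powershell
# Added example: list OWA (HTTP) logons on one or more Exchange 2003 servers via WMI.
# Assumes the Exchange_Logon property names noted in the lead-in.
$servers = @("EXCH1", "EXCH2")     # NetBIOS names, as the VBS script takes them

function Get-OwaLogon([string[]]$Servers) {
    foreach ($server in $Servers) {
        Get-WmiObject -ComputerName $server -Namespace "root\MicrosoftExchangeV2" -Class Exchange_Logon |
            Where-Object { $_.ClientVersion -eq "HTTP" } |            # keep only OWA/HTTP logons
            Select-Object @{Name="Server"; Expression={$server}},
                          LoggedOnUserAccount, MailboxDisplayName, StoreName, LastAccessTime
    }
}

$all    = @(Get-OwaLogon $servers)
$system = @($all | Where-Object { $_.LoggedOnUserAccount -eq "NT AUTHORITY\SYSTEM" })
$users  = @($all | Where-Object { $_.LoggedOnUserAccount -ne "NT AUTHORITY\SYSTEM" })

# One OWA session shows up as several Store logons, so the row count overstates
# the number of people using OWA. Grouping by account gives the distinct-user count.
$distinct = @($users | Group-Object LoggedOnUserAccount | Sort-Object Count -Descending)

# Same CSV the script produces with ">file.csv", without the redirect.
$users | Export-Csv -Path ".\OwaLogons.csv" -NoTypeInformation

"{0} HTTP logon rows ({1} by SYSTEM), {2} distinct user accounts" -f $all.Count, $system.Count, $distinct.Count
$distinct | Select-Object Count, Name | Format-Table -AutoSize
```

Run it from a workstation with the Exchange System Manager tools (or on a server) as an account that has WMI access to root\MicrosoftExchangeV2 on each target.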


Monday, December 06, 2004

Users in Japan cannot send or receive messages in Japanese; they get an error in Japanese.

Translation: You cannot send the message because the code page of this language was not found on the server. Contact your system administrator

This is documented in the Exchange Server 2003 RTM release notes, under Known Issues | Clients.

Solution: Install the East Asian language files on all front-end and mailbox servers.
1. Go to Control Panel | Regional & Language options | Languages
2. Check the "Install files for East Asian languages" checkbox [screenshot]

This requires the Windows Server source files/CD, and a reboot.
