If you are unsuccessful with setting up a Blackberry using BIS in the above scenario you might see a couple of Error(s) in the Application Event Logs in Event Viewer:
Log Name: Application
Source: MSExchange Web Services
Event ID: 17
Task Category: Core
Level: Error
Keywords: Classic
User: N/A
Computer: (Internet-Facing CAS)
Description:
Client Access server (Internet-Facing CAS) tried to proxy Exchange Web Services traffic to Client Access server (Non-Internet-Facing CAS). This failed because the registry key "HKLM/System/CurrentControlSet/Services/MSExchange OWA/AllowInternalUntrustedCerts" is set to "0", but no certificate trusted by (Internet-Facing CAS) was available for the SSL encryption of the proxy connection.
and
Log Name: Application
Source: MSExchange Web Services
Date: Event ID: 11
Task Category: Core
Level: Error
Keywords: Classic
User: N/A
Computer: (Internet-Facing CAS)
Description:
Client Access server (Internet-Facing CAS) failed to proxy Exchange Web Services to Active Directory site CN=Non-Internet Facing AD Site,CN=Sites,CN=Configuration,DC=yourdomain,DC=com because none of the Client Access servers in this site are responding. Please check the configuration and status of the servers in site CN=Non-Internet Facing AD Site,CN=Sites,CN=Configuration,DC=yourdomain,DC=com.
The problem is that the Internet-Facing CAS is proxy'ing the request for the EWS Service to the Non-Internet Facing CAS. It is failing because the servers are not trusting the certificate. There will most likely be a self-assigned SSL (which is adequate for internal operations) but we have to configure Microsoft Exchange Server to let you use non-valid (or self-signed) certificates in the proxy scenario. (Side Note: This CAS-to-CAS Proxy'ing problem which was identified in Exchange 2007 and fixed by a Service Pack, so it may be fixed it future patches by Microsoft).
Although the above message says that the registry key AllowInternalUntrustedCerts is set to 0 (0 denying this rule) most likely it doesn't even exist. Another bug is that if it doesn't exist it should be allowing Untrusted Certs, but that isn't the case. So we have to add this key and set it to 1.
To do this, you must make a registry configuration change on the Client Access server that receives the proxy requests. Do the following:
Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
Open the Registry (Start> Run > Regedit)
Browse to HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/MSExchange OWA/
Right Click MSExchange OWA, then New > Key
Type in AllowInternalUntrustedCerts
On the right-hand side set the Default value to 1.
Close out of the registry
Note You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect. *You may also need to restart the World Wide Web Publishing Service
No comments:
Post a Comment