Monday, April 25, 2011

Exchange 2007/2010 with Single Name SSL Certificate

One of the ongoing pain points in implementing Exchange 2007 and Exchange 2010 is the need for a SAN certificate with multiple names in the certificate. Exchange 2007/2010 has web-based services for free/busy searches, offline address book downloads, and autodiscover. By default it is assumed that the name used internally is different from the name used externally. This results in the need for a certificate with multiple names.

From a technical perspective, this is fine. From a cost perspective this is less desirable. A SAN certificate costs in the range of about $350 per year from a Microsoft supported vendor or about $80 per year from GoDaddy.

If you want to use an existing single name SSL certificate, you can. You just need to change the names for the URLs to all match.

First, install your certificate in IIS for the web site hosting the Exchange services. In a standalone install of Exchange Server 2007/2010, these are in the default web site. In SBS 2008, it is a site named SBS Web Applications.

There are a number of articles with the syntax for setting the internal URL for the necessary services to support Outlook with a single name SSL cert. They recommend that you change the internal URL to match your external URL. Something like https://mail.conexion.ca/OAB.

Here is the issue I just had. With the internal URL set to https://mail.conexion.ca/OAB on an SBS 2008 box, the client credentials were not automatically being passed up to web services. The user was being prompted for a login. I believe this is because a name that is not a single label name is not considered part of the Intranet zone (think IE security zones), so the credentials cannot be passed on automatically. So, we changed the URL to http://sites/OAB and all was good.

Two things to note about this:
  • SBS 2008 already had "sites" set up as a host header for the SBS Web Applications site. Otherwise, you would need to configure at least DNS resolution for your site.
  • HTTP is used on the assumption that SSL is not required internally. We needed to do this to get a single label domain name. If we didn't, the name wouldn't match the certificate and the users would get warnings about certificate errors.
All told, this seemed a bit weird today, but this is what got the job done and the client working properly.
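The URL change described above, written out as Exchange Management Shell commands. This is an added example, not commands from the original post; the server name SBSSERVER is assumed, and the host header "sites" and external name mail.conexion.ca are taken from the post.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Client Access / SBS server. Assumed server name: SBSSERVER.
$server   = "SBSSERVER"
$internal = "http://sites"            # single-label host header, HTTP only
$external = "https://mail.conexion.ca" # the name on the single-name certificate

# The setting that caused the logon prompts: internal URL = external FQDN.
# Kept only for comparison; it is what the post moved away from.
# Get-OabVirtualDirectory -Server $server |
#     Set-OabVirtualDirectory -InternalUrl "$external/OAB"

# Offline address book: internal single-label name, external certificate name
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "$internal/OAB" `
                            -ExternalUrl "$external/OAB"

# Exchange Web Services (free/busy, out of office) handled the same way.
# Note: with HTTP internally the data crosses the LAN in the clear; only the
# credential exchange is Integrated Windows auth, which is what the Intranet
# zone passes through silently.
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "$internal/EWS/Exchange.asmx" `
                                    -ExternalUrl "$external/EWS/Exchange.asmx"

# Check: internal URLs use the single-label host, external URLs the cert name
Get-OabVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl
# Autodiscover hands these URLs to Outlook; confirm it still points at the
# certificate name so the SSL handshake to it does not warn
Get-ClientAccessServer -Identity $server |
    Format-List AutoDiscoverServiceInternalUri

# Outlook reads the new URLs on its next Autodiscover refresh; to force it,
# recycle IIS (iisreset /noforce) and restart Outlook.
```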

The simple way is to just use a SAN certificate to begin with and avoid the weirdness. GoDaddy is not officially supported, but it does work. Otherwise, Digicert is the cheapest of the officially supported certificate providers.

Friday, April 15, 2011

Free Windows iSCSI Target

For years, Microsoft has had iSCSI target software that lets a Windows Server act as shared storage for clustering. However, this software was only available as part of the Windows Storage Server and you couldn't use it in production environments (unless using an actual Windows Storage Server). As of April 2011, the target software is now available for free and supported in production use!

You can use this for:
  • highly available VMs
  • clustering of file and print services
  • testing environments
I know I'll definitely be using this in classes where we do high availability of VMs. Not sure about the production side yet.

Check it out: http://blogs.technet.com/b/canitpro/archive/2011/04/05/the-microsoft-iscsi-software-target-is-now-free.aspx

Friday, April 8, 2011

Temporary Profile in Windows 7

I'm not sure if there is any real world relevance to this because I created my problem as part of messing around while creating a lab activity. But on the off chance it's useful to anyone.....

Steps to force a user to have a temporary profile:
  1. Log on as an Administrative user.
  2. Delete profile folder for user from C:\Users
Basically, we manually deleted the profile without informing Windows. So, Windows still thinks the profile is there. You should delete a profile from the System Properties Advanced tab. However, if you try to use this now, the deleted user profile is not listed.

To resolve the issue, use Regedit. The list of profiles is maintained in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each profile has its own key, named after the SID of the user. To identify the key for the failing profile, look at the ProfileImagePath value of each key. This value is the file path to the profile and contains the name of the user.

After you've identified the correct key, delete it. On next logon the user profile should be created and work correctly.
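An added PowerShell check for the step above (not from the original post): it walks ProfileList, expands each ProfileImagePath, and flags keys whose folder is missing, which is the orphaned entry the post deletes by hand. The function name Get-ProfileListState is my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt. Nothing here deletes anything; the removal is left as a manual step.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListState {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Built-in entries (e.g. S-1-5-18) store the path with %systemroot%
        $raw  = [string]$props.ProfileImagePath
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [PSCustomObject]@{
            Sid          = $_.PSChildName
            ProfilePath  = $path
            FolderExists = if ($path) { Test-Path -LiteralPath $path } else { $false }
            # Windows renames a key it could not load at logon to <SID>.bak
            IsBackup     = $_.PSChildName.EndsWith('.bak')
        }
    }
}

# Only the problem entries: missing folder (our deleted user) or a .bak key
Get-ProfileListState |
    Where-Object { -not $_.FolderExists -or $_.IsBackup } |
    Format-Table -AutoSize

# Before touching the registry, keep a copy of the whole list:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" profilelist-backup.reg
# Then remove only the key for the deleted user (replace <SID>; drop -WhatIf to apply):
#   Remove-Item -Path "$profileList\<SID>" -Recurse -WhatIf
```

Match the flagged ProfileImagePath against the user name before deleting; a missing folder for a service or well-known SID is normal on some machines and must not be removed.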

Tuesday, April 5, 2011

Exchange Anonymous Relay for External POP User

I have a friend with an office that is prone to flooding in the springtime. This year, she has moved her office before the flood hits, just in case. She uses a POP account with a third party, not her ISP. However, she uses the SMTP host of her ISP. Basically, she downloads messages from the mail provider and then sends them out through her ISP SMTP host.

One of her clients has been kind enough to provide temporary office space for the next month or so. Unfortunately the ISP servicing this office does not allow anonymous relaying. So, I offered to setup relaying for her on our Exchange 2007 server.

Initially I thought it would be as easy as creating a mailbox to allow for authentication. It was a bit more complex than I expected.

Here are the steps that were required:
  1. Create an Exchange mailbox for authentication of her traffic (we'll call it EXTERNAL). The POP client authenticates outbound traffic with this username and password. The email address of the account is never used, but is EXTERNAL@mydomain.com.
  2. Add her domain (herdomain.com) as an accepted relay domain. Without this Exchange will not send out the message. Exchange will look at the source email address and error out indicating that it is not allowed.
  3. Create a contact for hermail@herdomain.com.
  4. Give EXTERNAL SendAs permission for the contact hermail@herdomain.com. If this step is not performed you will get an error about not having SendAs permission.
At that point it was good to go. The POP client is authenticated, which avoids the need to create an anonymous relay, which is inherently risky. And Exchange allows a message from hermail@herdomain.com to be sent out because it is an accepted relay domain and because EXTERNAL has SendAs permission.

You can't configure Send As permission for a contact in EMC. You can do it either in EMS or AD Users and Computers.
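The four steps above as Exchange Management Shell commands, with the Send As check that EMC cannot show for a contact. This is an added example, not the post's own commands; the mailbox database name, the OU, and the ExternalRelay domain type are assumptions (the post only says "accepted relay domain"), and the account lockdown at the end is an addition in the same spirit as avoiding an anonymous relay.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Exchange 2007 server. Assumed: database "Mailbox Database", OU "Users".

# 1. Mailbox the POP client authenticates with; its address is never used as a sender
$pw = Read-Host -AsSecureString "Password for EXTERNAL"
New-Mailbox -Name "EXTERNAL" -Alias "EXTERNAL" `
    -UserPrincipalName "EXTERNAL@mydomain.com" -Password $pw `
    -Database "Mailbox Database" -OrganizationalUnit "Users"

# The account only needs authenticated SMTP submission, so switch off every
# other client protocol (least privilege for a shared relay credential)
Set-CASMailbox -Identity "EXTERNAL" -OWAEnabled $false -ActiveSyncEnabled $false `
    -MAPIEnabled $false -PopEnabled $false -ImapEnabled $false

# 2. Her domain as an accepted relay domain (relay type is an assumption)
New-AcceptedDomain -Name "herdomain.com" -DomainName "herdomain.com" `
    -DomainType ExternalRelay

# 3. Contact for her address
New-MailContact -Name "hermail" -ExternalEmailAddress "hermail@herdomain.com"

# 4. Send As on the contact for EXTERNAL; EMC has no UI for this on a contact
Add-ADPermission -Identity "hermail" -User "EXTERNAL" -ExtendedRights "Send As"

# Check: EXTERNAL should be the only explicit Send-As holder on the contact
Get-ADPermission -Identity "hermail" |
    Where-Object { $_.ExtendedRights -like "*Send*" -and -not $_.IsInherited } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```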