Archive for the ‘Exchange’ Category

Nokia Mail for Exchange, Exchange and Client Certificates

Saturday, June 13th, 2009

problem: Mail for Exchange on Nokia mobile phones should authenticate using Client Certificates and username/password against Active Sync of Exchange 2003, to make sure that username/password is not enough to access corporate data.

solution

  1. Create client certificates for the Nokia phones. I did it using Microsoft Certificate server. To do so, go to http://ca-servername/certsrv and "Request a certificate", "User certificate" and hit the submit button (this will create a certificate and the associated private key for the authenticated user). Then hit "Install this certificate" and "yes". Now start "certmgr.msc" (Start\run) and select "Certificate/Current User". Under Personal/Certificates you should find your newly created certificate. Right-click, "All Tasks", "Export...", select "Yes, export the private key" and provide an export password (keep in mind, that you need to enter it on the Nokia phone). Store the .pfx somewhere
  2. Transfer the .pfx file using Nokia PC Suite to the mobile phone
  3. On the nokia phone go: "Menu", "Office", "File Manager" and open the just transferred .pfx file
  4. Enter the export password and select "Save"
  5. Provide a keystorage password (Schl├╝sselspeicher-Passwort in german). This MUST have a length of 6.
  6. Ok and return to the home screen
  7. Now go: "Menu", "System", "Settings", "General", "Security", "Certificate Management", "Personal Certificates", "Options", "Move to Phone Certificates", "Yes" and enter the keystorage password. This makes sure, the user does not have to enter the password for the private key at every sync.
  8. Configure Mail for Exchange as usual. You should find enough information on google/bing on this topic.

To actually authenticate Mail for Exchange/Phone using the certificate I used ISA 2004.
Create an SSL Listener and enable Authentication using Certificates. Make sure the root certificate (or the cert used for signing your client certs) is installed as "Trusted root certificates" in the "Computer Certificates". I then authenticated against Active Directory and ISA will use NTLM/Integrated Security to authenticate as the actual user against Active Sync. On the Exchange Front-End IIS on the "Microsoft-Server-ActiveSync" directory "Integrated Authentication" must be enabled. I forgot if the ISA server must be trusted for delegation for this scenario, but if you have any trouble, check the logs and google/bing for "Trusted for delegation ISA spn".

Note: this setup still requires the username and password to be correctly configured in Mail for Exchange.

Upgrading Exchange 2003 Single Server Setup to Exchange 2007

Wednesday, June 4th, 2008

problem: Upgrading an Exchange 2003 Single Server to Exchange 2007

environment:
Physical Machines

  • Server Name: "mail", Athlon 1 GHz, 1GB RAM, Windows Server 2003 x86, AD, Exchange 2003 SP2 or so, HTTP-RPC Support, OWA
  • Server Name: "bubbles", Intel Q9450 2.67 GHz, 8gb DDR2 RAM. Windows Server 2008 x64
  • Server Name: "pinky", ", Intel Q9450 2.67 GHz, 6gb DDR2 RAM (ABit IP35 won't go past "Post Boot Screen" with 8GB = 4x 2GB DDR2. Windows Server 2008 x64

Virtual Machines using Hyper-V RC1 and RC2

  • Server Name: "mail2k7", Windows Server 2008 x64, AD, Exchange 2007 SP1

introduction / background:

Exchange 2007 is only supported on x64 (yes I know about the x86 version), but there is no in-place upgrade available. Therefore one needs to setup a second machine and so on.

solution:

  • Setup "mail2k7" with Windows Server 2008 on bubbles (hyper-v rc1)
  • Installed AD Role on mail2k7
  • Connected to existing AD on "mail"
  • The old AD was still in Windows 2000 support mode. Therefore upgraded to Windows 2003 mode (Active Directory Sites and Service).
  • Setup DNS Role on mail2k7 added AD-supported Domain Entry (or maybe secondary)
  • Installed Exchange 2007 on mail2k7 (Got prompted for multiple pre-requisite roles, don't forget RPC support, needed for Outlook Anyware
  •  For Outlook Anywhere I needed the following (from here)
    Get-OutlookProvider
    
    Name                                 Server                               SSL
    ----                                 ------                               ---
    EXCH                                 
    EXPR
    WEB                                  
    
    
    Which showed NULL values under server. 
    
    To assign a server to EXCH and WEB, I ran:
    
    set-outlookprovider WEB -server FQDN
    set-outlookprovider EXCH -server FQDN
    
  • Basic Authentication and use the Domain Name at logon
HELO
MAIL FROM:root@eisber.net
RCPT TO:eisber@eisber.net
DATA
Subject: Foo

Body 1
.
QUIT