Exchange 2013 EAS / EWS Multi Instance, continued

Since a single Exchange CAS can be allowed to use different authentication methods (Password, Kerberos, Certificate), and EWS turned out to respond from two instances at the same time (Password Auth / Certificate Auth), the Outlook client gets an IIS Error 500 0 64 when it tries to use the Web Service for notifications.

“POST /EWS/Exchange.asmx – 443 – 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) – 500 0 64 15”

But why?

Nobody writes about the EWS multi-instance case, so four days of searching got nowhere. So the approach changed: how to make Outlook find only the default EWS, while the mobile device mail profile is controlled by MDM (MobileIron) and its EWS is explicitly set to Cert Auth. Following that line of thought, the next idea was to do the restriction at AutoDiscover. Also noticed that testing with 'https://testconnectivity.microsoft.com' reports a Failure, because it hits the EWS vDir that has CBA..... Test Failed....

Finally, by luck, found a hint: the AutoDiscover website URL. Originally it was a CNAME pointing to the CAS internal name. That is the root cause.

What was found: when DNS resolves AutoDiscover through a CNAME to the CAS internal name, and EWS is then reached via the CAS internal name, both sites end up being used.

Presumably no matter how many EWS instances there are, all of them would be used, because all the Exchange virtual directories really are on the same machine.

So with this setup, the AutoDiscover DNS record was changed to a Host (A) record pointing fixed at the IP of the Default Web Site's EWS...

But the original problem is still not solved......

To be continued....

Reference site:
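A diagnostic for the root cause described above, added here and not part of the original post: it checks whether the AutoDiscover name is a CNAME to the CAS internal name and maps each IP it resolves to the IIS HTTPS site(s) bound to it, so you can see which site a client would land on. The FQDNs are placeholders; it assumes the WebAdministration module on the CAS.

```powershell
# Added diagnostic, not from the original post. Placeholders: the AutoDiscover
# FQDN and the CAS internal FQDN. Run on the CAS (needs WebAdministration).
Import-Module WebAdministration

function Test-AutoDiscoverRecord {
    param(
        [string]$AutoDiscoverFqdn = 'autodiscover.contoso.com',   # placeholder
        [string]$CasInternalFqdn  = 'cas01.contoso.local'         # placeholder
    )
    # A CNAME to the CAS internal name resolves to every IP the server has,
    # so the client may land on whichever IIS site owns the IP it picks.
    $cname = Resolve-DnsName -Name $AutoDiscoverFqdn -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' }
    if ($cname) {
        Write-Warning ("{0} is a CNAME -> {1}" -f $AutoDiscoverFqdn, $cname.NameHost)
        if ($cname.NameHost -ieq $CasInternalFqdn) {
            Write-Warning 'CNAME targets the CAS internal name: clients can reach any site on this host.'
        }
    }
    $ips = Resolve-DnsName -Name $AutoDiscoverFqdn -Type A -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress

    # Map each resolved IPv4 address to the IIS HTTPS binding(s) that own it
    # (a '*' binding answers on every address, including this one).
    foreach ($ip in $ips) {
        $sites = Get-WebBinding -Protocol https | Where-Object {
            $bindIp = ($_.bindingInformation -split ':')[0]
            ($bindIp -eq $ip) -or ($bindIp -eq '*')
        } | ForEach-Object { $_.ItemXPath -replace ".*@name='([^']+)'.*", '$1' }
        [pscustomobject]@{ IP = $ip; Sites = (($sites | Sort-Object -Unique) -join ', ') }
    }
}

Test-AutoDiscoverRecord | Format-Table -AutoSize
```

With the A record fix from the post, the table should show the AutoDiscover IP owned by the Default Web Site only; an IP shared with the CBA site means the client can still be answered by the certificate-auth EWS.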

https://forums.iis.net/t/1230097.aspx?http+500+0+64+IIS+with+Client+Certificate+Required

Quote:

500 = Internal Server Error

64 = The specified network name is no longer available.

https://support.microsoft.com/en-us/help/940726/outlook-2007-security-warning-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site

Quote:

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as “mail.contoso.com.”

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Exchange 2013 – Web Service (EWS) Virtual Directory Creation


The Microsoft EWS virtual directory is even quirkier than creating an ActiveSync virtual directory, and even fewer people discuss it.

You would definitely assume all the creation can be done in the Exchange Management Shell, but the "great" M$ surprised us once again...

The result I worked out by trial and error is....

EWS Virtual Directory creation: use a normal PowerShell, then "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010"
Yes, you read that right.. it is the 2010 module.
How do I know? Because I mistakenly created an extra PowerShell virtual directory on the Default Web Site and could not remove it.......
Finally found someone on Experts Exchange describing the same problem......

Create PowerShell vDir – Exchange Management Shell

Remove PowerShell vDir – Normal PowerShell + PSSnapin (E2010)

Create Web Services vDir – Normal PowerShell + PSSnapin (E2010)

Remove Web Services vDir – Exchange Management Shell

Reference site
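The "normal PowerShell + E2010 snap-in" path for creating the second EWS virtual directory, written out as an added example (not the post's own script): it loads the snap-in, refuses to create a duplicate, and then lists every EWS vDir on the server with the authentication methods each offers. The site name and URL are placeholders; the CertificateAuthentication property is assumed to be present on the returned object.

```powershell
# Added example, not the original post's code. Run from a plain (non-Exchange)
# PowerShell on the CAS, as the post describes. Placeholders: site name, URL.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

$server   = $env:COMPUTERNAME
$siteName = 'EAS_CBA'                                        # second IIS site (placeholder)
$url      = 'https://mailcba.domain.com/EWS/Exchange.asmx'   # placeholder

# Identity of an EWS vDir is "<server>\EWS (<site>)"; do not create it twice.
$existing = Get-WebServicesVirtualDirectory -Server $server |
            Where-Object { $_.Identity -like "*\EWS ($siteName)" }
if ($existing) {
    Write-Warning "EWS vDir already exists on site '$siteName': $($existing.Identity)"
} else {
    New-WebServicesVirtualDirectory -Role ClientAccess -Server $server -WebSiteName $siteName `
        -InternalUrl $url -ExternalUrl $url
}

# Show all EWS vDirs on this server and the authentication each one offers
# (CertificateAuthentication property assumed; removal must be done from the
# Exchange Management Shell, per the post).
Get-WebServicesVirtualDirectory -Server $server |
    Select-Object Identity, InternalUrl, BasicAuthentication, WindowsAuthentication, CertificateAuthentication |
    Format-Table -AutoSize
```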

https://www.experts-exchange.com/questions/26813020/remove-powershellvirtudirectory-not-working.html

http://hkeylocalmachine.com/?p=180

Microsoft ActiveSync – New EAS Website with Certificate Based Authentication (CBA) on the same server

To avoid building another CAS while still being able to test CBA, just add one more NIC and one more IP. Quick, neat and effective.

But during deployment, Exchange/IIS will absolutely torment you.

The website setup steps (first reference recommended) are definitely correct.
Problems encountered:
1. Two IPs on one NIC: during setup this produces wrong-host-IP problems, so it is not recommended.
2. Avoid doing it in IIS, especially Step 11 (enabling clientCertificateMappingAuthentication) and the final step enabling "Require Client Certificate".

IIS can change it too, but the great M$ says Exchange stuff should be done in the Exchange Admin Center (EAC), same as with SharePoint......

Don't believe it.... The price I paid was a series of IIS errors..
Maybe 403.7, then 403.16........
Or else Error 500.. Congratulations, Game Over... Ran into this several times; had to delete the site and start from scratch.....

3. EWS IIS Error 413: if not fixed, notifications will also stop working.

The following needs to be changed:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config
Replace the value "uploadReadAheadSize" of 0 with 1048576 (bytes) in both files.

4. Last, and strangest: it complained that the server's Local Machine Trusted Root Certification Authorities store has too many certs. In the end a filter script was used to find the intermediate certs and move them out....

The cert used on the client device can be delivered by GPO through an AD enrollment policy; domain member PCs install it automatically at login....
Or it can be delivered by MDM through a SCEP profile.
Most important: the cert Subject is the user's email address, and the SAN in the cert carries the user DN and UPN; then it will be recognised.

Filter script...
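The uploadReadAheadSize change above as an added helper script (not from the original post or the referenced blog): it backs up each of the two web.config files, then sets system.webServer/serverRuntime@uploadReadAheadSize to 1048576, creating the element if it is missing. It assumes the default V15 install path and runs as a dry run until -DryRun is dropped.

```powershell
# Added helper, not from the original post. Assumes the default Exchange 2013
# install path; the two files are the ones the post names.
function Set-UploadReadAheadSize {
    param(
        [string[]]$ConfigPaths = @(
            'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config',
            'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config'
        ),
        [int]$Bytes = 1048576,   # the value the post uses (1 MB)
        [switch]$DryRun
    )
    foreach ($path in $ConfigPaths) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
        [xml]$xml = Get-Content -LiteralPath $path -Raw
        # <configuration><system.webServer><serverRuntime uploadReadAheadSize="..."/>
        $ws = $xml.SelectSingleNode('/configuration/system.webServer')
        if (-not $ws) { $ws = $xml.DocumentElement.AppendChild($xml.CreateElement('system.webServer')) }
        $rt = $ws.SelectSingleNode('serverRuntime')
        if (-not $rt) { $rt = $ws.AppendChild($xml.CreateElement('serverRuntime')) }
        $old = $rt.GetAttribute('uploadReadAheadSize')
        if ($old -eq [string]$Bytes) { Write-Host "$path : already $Bytes"; continue }
        $shown = if ($old) { $old } else { '(unset)' }
        Write-Host "$path : uploadReadAheadSize $shown -> $Bytes"
        if ($DryRun) { continue }
        # Keep a timestamped copy before touching the file.
        Copy-Item -LiteralPath $path -Destination ($path + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak')
        $rt.SetAttribute('uploadReadAheadSize', [string]$Bytes)
        $xml.Save($path)
    }
}

Set-UploadReadAheadSize -DryRun    # drop -DryRun to apply; IIS reloads web.config on change
```

Exchange cumulative updates replace these web.config files, so the change has to be re-applied (and re-checked with the dry run) after each CU.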

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
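The same filter (a root CA issues itself, so Issuer equal to Subject means a genuine root) extended, as an added example that is not the post's one-liner, into the "move them out" step: it writes the same report, and with -Commit copies each non-self-signed certificate into the Intermediate Certification Authorities ("CA") store before removing it from Root. It assumes an elevated session on the CAS.

```powershell
# Added example, not the post's script. Dry run by default; -Commit moves certs.
function Move-IntermediateOutOfRoot {
    param([switch]$Commit, [string]$ReportPath = 'C:\computer_filtered.txt')   # report path as in the post
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
    $root.Open('ReadWrite'); $ca.Open('ReadWrite')
    try {
        # Same filter as the post's one-liner: anything in Root not issued by itself.
        $misplaced = @($root.Certificates | Where-Object { $_.Issuer -ne $_.Subject })
        $misplaced | Format-List Subject, Issuer, Thumbprint, NotAfter | Out-File -FilePath $ReportPath
        foreach ($cert in $misplaced) {
            Write-Host ("{0}  {1}" -f $cert.Thumbprint, $cert.Subject)
            if (-not $Commit) { continue }
            # Copy into the intermediate store first, then remove from Root,
            # so the chain can still be built while the move is in progress.
            if (-not $ca.Certificates.Contains($cert)) { $ca.Add($cert) }
            $root.Remove($cert)
        }
        return $misplaced.Count
    } finally { $root.Close(); $ca.Close() }
}

$n = Move-IntermediateOutOfRoot          # dry run: lists and writes the report only
Write-Host "$n non-self-signed certificate(s) found in Root. Re-run with -Commit to move them."
```

Check the report before committing: a cross-signed root also has Issuer different from Subject, and moving one of those out of Root can break chains that currently validate.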

https://support.microsoft.com/en-hk/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requests-with-http-403.7-or-403.16-errors

https://support.microsoft.com/en-hk/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012

Reference

Step 11. Enabled CBA on the ActiveSync website from an elevated command prompt.
a. APPCMD.EXE set config "EAS_CBA/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

Additional EAS vDir creation

In Exchange Mgmt shell:

Command: New-ActiveSyncVirtualDirectory -WebSiteName "EAS_CBA" -ExternalUrl https://mailcba.domain.com/Microsoft-Server-ActiveSync -Server servername -InternalURL https://mailcba.domain.com/Microsoft-Server-ActiveSync

Setup Procedure Reference

http://www.o-xchange.com/p/configuring-exchange-active-sync-for.html

https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/

http://i-evgeny.blogspot.hk/2015/09/exchange-2013-413-request-entity-too.html