Dual https on same server not working
on 13.12.2006 18:25:01 by Norm
IIS 6.0 on MS Exchange Front-end server.
Two sites (mail.domain.com and mail2.domain.com) each listening on its own
IP address. mail for OWA and mail2 for OMA/ActiveSync
Two certs are imported into the local store.
If I "view certificate" on each of the web sites, the correct certificate
shows up. Both sites are using port 443 for SSL.
mail works fine, but when I go to mail2 (using its name or the IP), IIS
seems to be feeding up the cert associated with "mail.", causing the browser
to report an unmatched certificate.
The only thing I can think of is that the cert for mail2 was assigned to the
web site and I later deleted the entire site because it was set up wrong. I
then imported the cert again without generating a new cert request and
getting the cert authority to re-issue it. Is this my problem?
Re: Dual https on same server not working
on 13.12.2006 21:58:35 by David Wang
Use SSLDiag to troubleshoot.
http://blogs.msdn.com/david.wang/archive/2006/01/18/IIS-Diagnostics-Toolkit-January-2006-Released.aspx
Your steps are fine because you don't need to regenerate cert requests
nor re-issue certificates. You just need to make sure you have the
Server Certificate and its private key and that both are imported to
the right Secure Store. All the wizards and other steps simply ensure
you do the right things.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
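Added example, not part of David Wang's reply or of SSLDiag: a PowerShell check that connects to each site's IP address on port 443 and reports which certificate is actually served, which is the symptom Norm describes. The host names come from the thread; the IP addresses are constructed placeholders, and `Get-ServedCertificate` is a name chosen for this example.

```powershell
# Host names are from the thread; the IPs are constructed placeholders (TEST-NET-1).
$sites = @(
    @{ Name = 'mail.domain.com';  IP = '192.0.2.10' },
    @{ Name = 'mail2.domain.com'; IP = '192.0.2.11' }
)

function Get-ServedCertificate {
    param([string]$IP, [string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($IP, $Port)
        # Accept whatever is presented: the goal is to inspect the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate so it stays usable after the stream is disposed.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

foreach ($site in $sites) {
    try {
        $cert = Get-ServedCertificate -IP $site.IP -HostName $site.Name
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        # A site bound to the wrong certificate shows the other site's name here.
        $status = if ($cn -eq $site.Name) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{
            Site = $site.Name; IP = $site.IP; ServedCN = $cn
            Thumbprint = $cert.Thumbprint; Status = $status
        }
    } catch {
        # Nothing answering on this IP:443, or the handshake failed.
        [pscustomobject]@{
            Site = $site.Name; IP = $site.IP; ServedCN = $null
            Thumbprint = $null; Status = "ERROR: $($_.Exception.Message)"
        }
    }
}
```

Only the subject's simple name is compared, so a wildcard or SAN-only certificate is reported as MISMATCH even when it is valid for the site.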
Re: Dual https on same server not working
on 14.12.2006 00:43:01 by Norm
Seems as though somewhere along the way my SSL port for mail2 got blanked out
and this was caught with the SSLDiag tool. Now I'm in the situation where
IIS complains that the port is in use when starting mail2 site. Can one not
have iis listen on port 443 on two ports simultaneously or is there a
"special" way to make this work.
Re: Dual https on same server not working
on 14.12.2006 10:32:42 by Daniel Crichton
Norm wrote on Wed, 13 Dec 2006 15:43:01 -0800:
> Seems as though somewhere along the way my SSL port for mail2 got blanked
> out and this was caught with the SSLDiag tool. Now I'm in the situation
> where IIS complains that the port is in use when starting mail2 site. Can
> one not have iis listen on port 443 on two ports simultaneously or is
> there a "special" way to make this work.
You cannot have them on the same IP address - I have 3 sites all using their
own SSL certs on IIS6, each one is on its own IP address.
Dan
Re: Dual https on same server not working
on 14.12.2006 14:29:00 by Norm
Perhaps I had misleading info in my reply. The two IIS instances are
listening on separate IP addresses as well. The fix: I changed one site
to listen on all unassigned interfaces / stopped and started IIS / changed it
back to listening on only the single IP and voila. Now, on to better
things...
Re: Dual https on same server not working
on 14.12.2006 14:54:35 by Daniel Crichton
Norm wrote on Thu, 14 Dec 2006 05:29:00 -0800:
> Perhaps I had misleading info in my reply. The two IIS instances are
> listening on separate IP addresses as well. The fix: I changed one
> site to listen on all unassigned interfaces / stopped and started IIS /
> changed it back to listening on only the single IP and voila. Now, on to
> better things...
Sorry, missed the original post info that mentioned they were on separate IP
addresses.
Dan
RE: Dual https on same server not working
on 14.12.2006 23:43:02 by Norm
Solved.
Wasn't fun trying to do it the way I was trying, which was trying to set up a
second owa site from scratch over and over and still having it fail the OMA
part on the second instance. I tried something else. I simply exported my
working OWA site and imported it again, changed the name, the IP and the cert
and all works. That took 5 minutes to do.
I DO know how to set up OWA, really. I set up the first instance that I
ended up copying. Once again I am humbled at the vast mysteries within
Windows.
BTW the reason I need two instances is to run forms-based owa and oma over
ssl thru ISA.