
Apple based browser causing schannel errors on Exchange CAS

Discussion in 'Software' started by LukeP, Feb 24, 2011.

  1. LukeP

    LukeP Gigabyte Poster

    Exchange 2010 SP1

    I'm getting loads and loads of schannel errors (see pic). I've traced it down to IIS logs and cross checked the times. Seems to be a Mac web client triggering it. The error is a bit vague and reads:

    The following fatal alert was generated: 20. The internal error state is 960.

    The IIS logs show:

    2011-02-24 16:14:11 192.168.10.5 POST /owa/ev.owa oeh=1&ns=ReadConversation&ev=ExpIP&cpc=432328;C0:11;C1:159023;C2:10;C3:9;C4:1;C5:1;C6:0;C7:0;C8:0;C9:0;C10:0&pfmk=M40:1298563815126;M5:1298563815163 443 - XX.XXX.XXX.XX Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10_6_6;+en-us)+AppleWebKit/533.19.4+(KHTML,+like+Gecko)+Version/5.0.3+Safari/533.19.4 500 0 64 249

    2011-02-24 16:15:06 192.168.10.5 POST /owa/ev.owa oeh=1&ns=PendingRequest&ev=FinishNotificationRequest&UA=0 443 - XX.XXX.XXX.XX Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10_6_6;+en-us)+AppleWebKit/533.19.4+(KHTML,+like+Gecko)+Version/5.0.3+Safari/533.19.4 500 0 64 328

    I XXX'ed out the IP of the user.

    schannel is apparently related to TLS. We have valid third party certs in place and no other browsers cause anything like that. Because it's webmail and not a company owned machine I can't really do anything on the client side myself but can ask the user to make some changes (or maybe even run TeamViewer for me so I can get in).

    Any thoughts? I'd like the errors to go.
     

    Last edited: Feb 24, 2011
    WIP: Uhmm... not sure
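An added example (not from the thread or from Microsoft): it decodes the alert number in the Schannel message and repeats the cross-check of event times against failed IIS requests described in the post above, grouped by user agent. It assumes the IIS default W3C field order and that event times are already in UTC like the IIS log; the event timestamp and the second request are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed field order (IIS 7.x default); confirm against your log's "#Fields:" line.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()
# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 45: "certificate_expired", 48: "unknown_ca"}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}  # alerts that point at a certificate problem
ALERT_RE = re.compile(r"fatal alert was generated: (\d+)\. The internal error state is (\d+)")

def parse_schannel(message):
    """Return (alert_code, alert_name, is_certificate_alert, internal_state) or None."""
    m = ALERT_RE.search(message)
    if not m:
        return None
    code = int(m.group(1))
    return code, TLS_ALERTS.get(code, "unknown"), code in CERT_ALERTS, int(m.group(2))

def parse_iis(line):
    """Split one W3C log line into a dict; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def correlate(event_times, iis_lines, window_s=5):
    """Count user agents of 5xx requests logged within window_s of a Schannel event."""
    recs = [r for r in map(parse_iis, iis_lines) if r and r["sc-status"].startswith("5")]
    hits = Counter()
    for t in event_times:
        for r in recs:
            if abs((r["ts"] - t).total_seconds()) <= window_s:
                hits[r["cs(User-Agent)"]] += 1
    return hits

# Sample data: the Safari request is from the post above; everything else is constructed.
SAFARI = "Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10_6_6;+en-us)+AppleWebKit/533.19.4+(KHTML,+like+Gecko)+Version/5.0.3+Safari/533.19.4"
IIS_SAMPLE = [
    "#Fields: " + " ".join(FIELDS),
    "2011-02-24 16:15:06 192.168.10.5 POST /owa/ev.owa oeh=1&ns=PendingRequest&ev=FinishNotificationRequest&UA=0 443 - XX.XXX.XXX.XX " + SAFARI + " 500 0 64 328",
    "2011-02-24 16:15:07 192.168.10.5 GET /owa/ - 443 - 203.0.113.9 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 15",
]
EVENTS = [datetime(2011, 2, 24, 16, 15, 6)]  # constructed Schannel event time (UTC)
if __name__ == "__main__":
    print(parse_schannel("The following fatal alert was generated: 20. The internal error state is 960."), correlate(EVENTS, IIS_SAMPLE))
```

Alert 20 decodes to bad_record_mac, a record-layer failure, not one of the certificate alerts such as unknown_ca (48). The sc-win32-status value 64 in the logged requests is ERROR_NETNAME_DELETED, meaning the connection was gone before the response finished.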
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    What cert are you using mate?

    Edit: should have put more detail, which third party issued it...
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. LukeP

    LukeP Gigabyte Poster

    GoDaddy :oops:

    Extended Key Usage:
    TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
    TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
     
    WIP: Uhmm... not sure
  4. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    Don't Macs just "work"? :twisted:

    Sorry, couldn't resist. :P

    I'd recommend checking the client-side computer certificate... maybe request a new one.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Ahh, thought so.

    I *think* the CA isn't in the trusted third party certificate authority list in the browser (Safari). Noticed this when hooking up some iPhones and got "certificate has not come from a trusted CA" when configuring email on an Exchange 2007 environment using a GoDaddy cert.

    Might be related to the problem you are having...

    Edit: I haven't seen the problem in the web browser on a Mac but only from email settings on the iPhone - an Apple thing perhaps?
     
    Last edited: Feb 24, 2011
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. LukeP

    LukeP Gigabyte Poster

    They do, don't they!?!

    Will try to get on the machine tomorrow. Not sure if I'll be able to as it's a private machine.

    Could be. Weird thing is that we have 8 iPhone 4s and no errors are logged against Active-Sync requests.
     
    WIP: Uhmm... not sure
  8. LukeP

    LukeP Gigabyte Poster

    Thanks for the link Sparky. I'll check the intermediate certificates. Brb :biggrin
     
    WIP: Uhmm... not sure
  9. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  10. LukeP

    LukeP Gigabyte Poster

    Nope. Intermediates are fine. Digicert SSL Tester shows it's all good too.
     
    WIP: Uhmm... not sure
  11. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Hmm, might be worth seeing if they get any cert errors at their end.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  12. LukeP

    LukeP Gigabyte Poster

    Will ask the user tomorrow. Pollutes my otherwise nearly perfect logs :biggrin.

    Thanks Sparky
     
    WIP: Uhmm... not sure
  13. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    No probs mate. If all else fails just ban the user from using a Mac - company policy ya know? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  14. LukeP

    LukeP Gigabyte Poster

    This is a no-go. Why do you think we have company iPhones? :D It surely wasn't my idea.
     
    Last edited: Feb 24, 2011
    WIP: Uhmm... not sure
  15. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    Ahh, another IT department bullied by users to get iPhones - Apple must be loving this! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  16. LukeP

    LukeP Gigabyte Poster

    Yep! That's us! :D

    You can always tweak Active-Sync policies to make iPhones 'more challenging' for the users though! :twisted: :biggrin
     
    WIP: Uhmm... not sure
  17. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    I'd rep this if that's what rep was intended for. :twisted:
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
