Problem:
Company just upgraded to Exchange 2007 which requires SSL
IT dept gave me a certificate and set us up for wireless sync.
Those with WM5 devices imported cert and are off and running
I tried to install the cert and it installed as an intermediate and activesync told me the server certificate was invalid and cannot sync.
Found a way to make it a cab file and install as a root certificate... made no difference.
Anyone can help?
no one else experience this?
There are a couple of Microsoft programs available for importing certs, however just ask your company to use a real cert instead of a self signed, they're cheap as chips nowadays (have a look at godaddy.com, $19.99 a year). For that sort of money it's not worth messing about with selfcerts...... just do it properly. Oh and you don't NEED to have SSL turned on with OWA 2007, if you used to run OWA unsecured, then ask the IT guys to disable the force ssl on the IIS sites.
But not recommended as all your data/passwords cross the network in the clear.
Verify that the date on your phone is set properly. It will state that the certificate is not valid, if the date isn't set up properly.
Man.. still no luck.
This is insanely difficult - We WM6 appears to not handle this well - I've managed to get the cert stored in the root tab (and the intermediate tab) and it still won't work.
Though i can view OWA via PIE
What format is your IT department using to deliver the Certificate to you? WM6 supports PFX, P12, CER, and P7B certs. TechNet refers to the IT department creating a CAB file to do this, so if you're getting a "*.cer" file that may be the issue.
Take a gander at this MS KB article and see if it (and the link to the app it includes) helps any.
You are probably using a self signed cert.....lucky for you it's a quick fix
Have your IT dept give you the .cer file from the CAroot server and that's it. Copy it to your phone and double click it, it will then install the cert on your phone, your phone now trusts your exchange server!!!!!!
I've been messing with direct push but haven't gotten it working yet, and I'm basically curious if it's even possible with my company's setup. Our IT group will not assist in any way or alter any certificates.
My company uses a wildcard cert on our OWA. The signer is in the root store on my Tilt. The CN on the cert is *.mycompany.com which obviously does NOT match the OWA address which is webmail.mycompany.com. I've read in another thread that this is required but I wasn't sure if this is true. I can't even get to our OWA in PIE. It just throws "The page cannot be displayed because the Web site cannot be authenticated". It works fine in Opera mobile. When I set up direct push, ActiveSync fails with the support code 0x80072F7D. If I intentionally botch my username or password I still get the same error, so I'm assuming it is happening due to cert issues before the connection can even be made.
Is direct push even possible with my company's cert setup or am I just poked?
If you can get the .cer file copy it to your kaiser and open it. You should get a message saying it's been successfully installed. That should be enough to get it working as long as the server is set up correctly.
if you can't login to OWA or OMA through PIE then it won't work through direct push. They have to be accessible via the browser without any prompts about certs or whatnot. The issue here seems to be a funky cert. setup.
Thanks for the responses. The cert is/was already installed on the device. Looks like the CN matching the OWA address might really be true and I'm poked. I've gone to SEVEN as a workaround. Well written (unlike the emoze OWA app which brought my phone to a screeching halt), but sometimes emails have a delay of up to 30 minutes . All well. And damn the kaiser forums are busy, I was already page 7 news
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, Exchange may not be set up to allow ActiveSync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not necessarily the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
To the best of my knowledge and extensive frustration, you can't use a self-signed cert. If you aren't using a self-cert, you should be ok, HOWEVER, getting it set up right is extremely tricky. Once we got it up, I tried to help a customer a little, never got it working properly - we got the cert working but the folders wouldn't sync.
My experience is it is very easy as long as you install the private cert on everything that is going to connect.
Later, Lew
lewcamino said:
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, Exchange may not be set up to allow ActiveSync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not necessarily the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
Thanks Lew. I can indeed hit the OWA at /certsrv on any desktop, but not PIE. And yes, it's using https. I kind of doubt the exchange server is even set up to allow it. Is there any way I can tell for sure short of logging into the server? Also, I'm not sure if this has anything to do with my problems, but if you hit our OWA inside of our corp. network the cert is a different one and is self signed.
self signed certificates
I have been trying to resolve this same issue with my tilt. I have set up a self signed certificate for my exchange server. This certificate works on any pc inside or outside the local network; however, the certificate will not install as a root certificate on my tilt. After installing the certificate it appears as an intermediate certificate, but not a root certificate.
I think that att has blocked the software so that self signed certificates will not install in the root directory. Not sure of the motivation for this other than to force users to use their express mail service which costs $5 per month.
Are there any work arounds for this? Can applications be unlocked?
Hello,
My company uses Exchange server 2003 sp2. I've tried to sync my TyTN II several times but I always get this message: "The security certificate on the server is invalid. Contact your system administrator or ISP to install a valid certificate on the server and try again".
I'm actually able to access https://myserver.com/OMA (not http) using my nickname and password, but I don't even know what that means. I talked to the IT guys and they just sent me to a Microsoft page where it says: "This problem may occur because the device manufacturer locked the Windows Mobile 5.0-based device. This lock prevents you from installing Secure Sockets Layer (SSL) certificates correctly".
So, their only answer was: contact your manufacturer to see if the device is locked (??). (Although they also said I didn't need a SSL certificate)
Could anybody please help me to understand this? Do I have to install a certificate? Do the IT guys have to do it? I really need to solve this so any information is welcome
thanks a lot.
If it is a "self-signed" certificate (and not an official one bought f.e. via verisign.com), then you have to install it on your device to make it "valid". Additionally the hostname provided in the certificate must exactly match the hostname of your exchange-server otherwise it won't work either. HTH
PS.: you can find out both when you access your company's exchange server via OWA (OutlookWebAccess). Once you're logged on you can examine the certificate and look if the hostname matches, if the certificate is still valid (every certificate has an expiration date) and who the "certification authority" is.
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
I'd be curious if anyone would know how to rip the public key from Firefox or something so it can be imported to the phone to make it work.
I have been told if you can get your exchange admin to send you the .CERT file from the IIS webserver you can run that on your phone and get it to work. However, I believe that has the public and private key pairs, which is a security risk to your entire organization if you have the private pair!
jon_k said:
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
domain credentials over unsecured channel, bad mojo man
Your IS guys should have a certificate for you to install which will resolve the problem. I have a root ca certificate for my company installed on my phone so I have no problem using any certificate they sign.
As already said, check the hostname matches exactly and check the expiry date of the certificate.
Hey Guys, thanks for all your answers!
I'm logged on the OWA server and the certificate says "Equifax Secure global eBusiness CA-1". The expiration date is 24/02/2010. Does anybody know how can I install this on my device? I checked the hostname and it matches perfectly
If it is like the certificate I have to use to get my Tilt/Office Exchange to work, then you just double click on it and it should say "Installed" or something like that. After that, assuming you have everything else setup, it should work like a charm.
thanks a lot to all you guys! Had some problems because the certificate would install in the "intermediate" store, instead of the root store, but I found this site and followed the instructions:
http://www.confusedamused.com/notebook/installing-windows-mobile-60-root-certificates/
It's synchronizing right now and it's way faster than activesync!
Well I was able to save, and copy the certificate by going to my company's OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now syncs fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
WeldingRod said:
Well I was able to save, and copy the certificate by going to my company's OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now syncs fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
I also had this problem, and the sync. still does not work... if someone has some idea
Thank you
hello everyone,
I got this to work by installing the .cer certificate from the self signed website certificate AND installing a .cer from the server's self signed ROOT CERTIFICATE. The root certificate is usually located on the C: drive of the server with certificate services installed. Your IT guy should know where this is. You just copy the root cert to a file just as you would the website cert. Install both on the phone...the website cert will go to "intermediate" and the root cert will go into the "root" store. Once I did this, no more error codes and my activesync shows "connected" instead of the last time it was synced.
Hi
Had the same problem and it's solved thanks to this solution mentioned by oscarsalgar
It's working perfect !!!
Thank you very much
What's up man, thanks a lot brother, you saved my life. This post helped me a hell of a lot, man. Thanks, buddy!!
Good morning everybody,
i updated my Nexus One 2 days ago from 85B to 91.
Since the update my phone cannot connect to my exchange server :-(
Does anybody know something about this problem?
Thx for your answers
I have the same problem. :-(
Sorry, no problems here with FRF91 and Exchange...
best,
das_spektakel
i have the same problem.
after the update my exchange setup had gone.
resetting it backup just comes up with "unable to open connection to server"
if i untick accept all SSL certificates i get "unable to open connection to server due to security error." so it must be communicating, and ticking that accept all ssl should then mean it passes?
exchange: 2007 SP1 standard on Win2003 standard x64 sp2.
OK i think i have it.
i changed our exchange certificate on the server to a SAN certificate. (subject alternative name).
my explanation won't be the best, but it certifies the servers different DNS names. such as its internal name, external name (eg. internal.company.local, externalmail.company.com.au)
Maybe with this update it broke the 'accept all ssl' which is supposed to let it communicate if the ssl cert comes back with the wrong name, or expired.
if you have access to the exchange server you are trying to setup then give this a burl.
..ok i can't post a url. so if you want to give it a go shoot me an email and I'll link you up and give you a hand if need be.
let me know if this helps any of you!?
Mick
any way around this other than swapping out certificates? i don't have access to do that at my company and i doubt they'll do that just because one phone has an issue...
I received my new Nokia Lumia 920. I was somewhat disgruntled to find that I was unable to add my company's email account using a self signed certificate. On my Android mobile using the same certificate, everything is added and works perfect.
What is so different using Windows phone 8, using self signed certificate. And if there is a fix, can you let me know how to install it correctly.
The following error message appears when sync takes place
"There is a problem with the certificate for (domain name) contact your support person or your service provider. Last tried 5 minutes error code 80048888"
Exchange version : Exchange 2010
I know this will not help but, I did this myself to setup an Exchange 2003 server with a Self signed cert, I had no problem installing it (downloaded it via a hotmail account and just touched it to open it/install it)
I have done this on 7.5 and 8.0 with no problems at all. A problem with your cert ? Is it expired ?
Make sure you reboot your phone after you install the Cert, I had that issue with 7.5, it would not see it till a reboot...
DavidinCT said:
I know this will not help but, I did this myself to setup an Exchange 2003 server with a Self signed cert, I had no problem installing it (downloaded it via a hotmail account and just touched it to open it/install it)
I have done this on 7.5 and 8.0 with no problems at all. A problem with your cert ? Is it expired ?
Make sure you reboot your phone after you install the Cert, I had that issue with 7.5, it would not see it till a reboot...
Hi David
Thanks for coming back to me, I have tried what you have suggested however I'm still not getting my exchange 2010 to sync with my Nokia 920. Just wondering, your CERT was it a paid version or was it a self cert. Mine is a self cert does that make a difference. Please help me.
Thanks in advance..
John
Dafluxman said:
Hi David
Thanks for coming back to me, I have tried what you have suggested however I'm still not getting my exchange 2010 to sync with my Nokia 920. Just wondering, your CERT was it a paid version or was it a self cert. Mine is a self cert does that make a difference. Please help me.
Thanks in advance..
John
Your phone should honor the Exchange CAS Server's certificate if you install the certificate of the CA which issued the certificate for the server.
And keep in mind that the principal name in the certificate should match the DNS name that you are using to connect to the server.
You will have to install the public key certificate of the CA issuing your self signed certificate. The certificate itself won't be enough as it can't be verified as when the phone checks up the path of trust it won't recognize the signing certificate. Hope that makes sense?
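The checks this thread keeps returning to (wildcard and SAN name matching, expiry, and whether the issuer is in the device's root store) can be modelled in a few lines. This is an added example, not part of any post; the certificate dictionaries follow the layout of Python's `ssl.getpeercert()`, the sample certificates and the CA name are constructed, and trust is modelled by issuer name only.

```python
import ssl

def dn(cn):
    """Build a name in the tuple layout ssl.getpeercert() uses."""
    return ((("commonName", cn),),)

def cert_names(cert):
    """DNS names a client compares: SAN entries if present, otherwise the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """'*' counts only as the entire left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, root_store, now):
    """Return the reasons a device would reject `cert` for `host` (empty list = accepted).
    Simplification: trust is modelled by issuer name; a real client also verifies signatures."""
    problems = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name-mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if cert["issuer"] not in root_store:
        self_signed = cert["issuer"] == cert["subject"]
        problems.append("self-signed-not-in-root-store" if self_signed
                        else "issuer-not-in-root-store")
    return problems

# Constructed sample data (hypothetical CA name, reusing hostnames quoted in the thread).
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2025 GMT")
CORP_CA = dn("Example Corp Root CA")
WILDCARD = {"subject": dn("*.mycompany.com"), "issuer": CORP_CA,
            "notAfter": "Feb 24 00:00:00 2030 GMT"}
SAN_CERT = {"subject": dn("externalmail.company.com.au"), "issuer": CORP_CA,
            "subjectAltName": (("DNS", "externalmail.company.com.au"),
                               ("DNS", "internal.company.local")),
            "notAfter": "Feb 24 00:00:00 2030 GMT"}
SELF_SIGNED = {"subject": dn("webmail.mycompany.com"),
               "issuer": dn("webmail.mycompany.com"),
               "notAfter": "Feb 24 00:00:00 2010 GMT"}

if __name__ == "__main__":
    for label, cert, host, roots in [
        ("wildcard, one label", WILDCARD, "webmail.mycompany.com", {CORP_CA}),
        ("wildcard, two labels", WILDCARD, "a.b.mycompany.com", {CORP_CA}),
        ("SAN, internal name", SAN_CERT, "internal.company.local", {CORP_CA}),
        ("self-signed, empty store", SELF_SIGNED, "webmail.mycompany.com", set()),
    ]:
        print(label, "->", diagnose(cert, host, roots, NOW) or "accepted")
```

Adding a self-signed certificate's own name to `root_store` clears the trust finding but not an expiry or name mismatch, which is why installing the certificate alone does not always fix the sync error.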
StevieBallz said:
You will have to install the public key certificate of the CA issuing your self signed certificate. The certificate itself won't be enough as it can't be verified as when the phone checks up the path of trust it won't recognize the signing certificate. Hope that makes sense?
Hi Guys, you have solved my problems. Excellent support keep it up. I eventually exported the public key and installed it directly into the phone now my Nokia 920 works beautifully. One more question, I did get an error 85030028 and googling this said to go into IIS, click on active sync, then select SSL and tick ignore client certs... is that the correct way to active sync.. well the main thing is the phone is syncing as normal.
Thanks again
John
Dafluxman said:
Hi David
Thanks for coming back to me, I have tried what you have suggested however I'm still not getting my exchange 2010 to sync with my Nokia 920. Just wondering, your CERT was it a paid version or was it a self cert. Mine is a self cert does that make a difference. Please help me.
Thanks in advance..
John
Mine was a self-signed cert, Not paid. One of the free tools from Microsoft or a 3rd party... This is from my own personal exchange server.
Glad to see you got it working...
DavidinCT said:
Mine was a self-signed cert, Not paid. One of the free tools from Microsoft or a 3rd party... This is from my own personal exchange server.
Glad to see you got it working...
I'm running a Small Business Server 2011 and I'm using a free SSL certificate from https://cert.startcom.org/?lang=de
Maybe this is an option for you
Dafluxman said:
One more question, I did get an error 85030028 and googling this said to go into IIS, click on active sync, then select SSL and tick ignore client certs... is that the correct way to active sync.. well the main thing is the phone is syncing as normal.
Thanks again
John
Haven't dealt with this myself but I guess it is possible that the phone tried to authenticate using one of the certificates you installed previously instead of using the credentials you provided but it's really just a guess. As long as SSL is still enabled the encryption should work and I see no issues with the setup.
If the setting causes ActiveSync to sync over HTTP instead of HTTPS that would be a concern so I would check if that is the case.