Need help with cert issues and direct push - Tilt, TyTN II, MDA Vario III General

I've been messing with direct push but haven't gotten it working yet, and I'm basically curious if it's even possible with my company's setup. Our IT group will not assist in any way or alter any certificates.
My company uses a wildcard cert on our OWA. The signer is in the root store on my Tilt. The CN on the cert is *.mycompany.com which obviously does NOT match the OWA address which is webmail.mycompany.com. I've read in another thread that this is required but I wasn't sure if this is true. I can't even get to our OWA in PIE. It just throws "The page cannot be displayed because the Web site cannot be authenticated". It works fine in Opera mobile. When I set up direct push, ActiveSync fails with the support code 0x80072F7D. If I intentionally botch my username or password I still get the same error, so I'm assuming it is happening due to cert issues before the connection can even be made.
Is direct push even possible with my company's cert setup or am I just poked?

If you can get the the .cer file copy it to your kaiser and open it. You should get a message saying its been successfully installed. That should be enough to get it working as long as the server is set up correctly.

if you can't login to OWA or OMA through PIE then it won't work through direct push. They have to be accessible via the browser without any prompts about certs or whatnot. The issue here seems to be a funky cert. setup.

Thanks for the responses. The cert is/was already installed on the device. Looks like the CN matching the OWA address might really be true and I'm poked. I've gone to SEVEN as a workaround. Well written (unlike the emoze OWA app which brought my phone to a screeching halt), but sometimes emails have a delay of up to 30 minutes . All well. And damn the kaiser forums are busy, I was already page 7 news

Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew

To the best of my knowledge and extensive frustration, you can't use a self-signed cert. If you aren't using a self-cert, you should be ok, HOWEVER, getting it set up right is extremely tricky. Once we got it up, I tried to help a customer a little, never got it working properly - we got the cert working but the folders wouldn't sync.

My experience is it is very easy as long as you install the private cert on everything that is goign to connect.
Later, Lew

lewcamino said:
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
Click to expand...
Click to collapse
Thanks Lew. I can indeed hit the OWA at /certsrv on any desktop, but not PIE. And yes, it's using https. I kind of doubt the exchange server is even set up to allow it. Is there any way I can tell for sure short of logging into the server? Also, I'm not sure if this has anything to do with my problems, but if you hit our OWA inside of our corp. network the cert is a different one and is self signed.

self signed certificates
I have been trying to resolve this same issue with my tilt. I have set up a self signed certificate for my exchange server. This certificate works on any pc inside or outside the local network; however, the certificate will not install as a root certificate on my tilt. After installing the certificate it appears as an intermediate certificate, but not a root certificate.
I think that att has blocked the software so that self signed certificates will not install in the root directory. Not sure of the motivation for this other than to force users to use their express mail service which costs $5 per month.
Are there any work arounds for this? Can applications be unlocked?

Related

Tilt invalid certificate problem with OTA exchange sync

Problem:
Company just upgraded to Exchange 2007 which requires SSL
IT dept gave me a certificate and set us up for wireless sync.
Those with WM5 devices imported cert and are off and running
I tried to install the cert and it installed as an intermediate and activesync told me the server certificate was invalid and cannot sync.
Found a way to make it a cab file and install as a root certificate... made no difference.
Anyone can help?
no one else experience this?
There is a couple of Microsoft programs available for importing certs, however just ask your company to use a real cert instead of a self signed, there cheap as chips nowadays (have a look at godaddy.com, $19.99 a year). for that sort of money it's not worth messing about with selfcerts...... just do it properly. Oh any you dont NEED to have SSL turned on with OWA 2007, if you used to run OWA unsecured, then ask the IT guys to disable the force ssl on the IIS sites.
But not recomended as all your data/passwords cross the network in the clear.
Verify that the date on your phone is set properly. It will state that the certificate is not valid, if the date isn't set up properly.
Man.. still no luck.
This is insanely difficult - We WM6 appears to not handle this well - I've managed to get the cert stored int he root tab (and the intermediate tab) and it still wont work.
Though i can view OWA via PIE
What format is your IT department using to deliver the Certificate to you? WM6 supports PFX, P12, CER, and P7B certs. TechNet refers to the IT department creating a CAB file to do this, so if you're getting a "*.cer" file that may be the issue.
Take a gander at this MS KB article and see if it (and the link to the app it includes) helps any.
You are problaly using a self signed cert.....lucky for you its a quick fix
have you your IT dept give you the .cer file from the CAroot server and thats it. copy it to your phone and double click it it will then install the cert on your phone, your phone now trusts your exchange server!!!!!!

SOLVED: Exchange sync error 0x80072F0D

Hello,
My company uses Exchange server 2003 sp2. I've tried to sync my TyTN II several times but I always get this message: "The security certificate on the server is invalid. Contact your system administrator or ISP to install a valid certificate on the server and try again".
I'm actually able to access https://myserver.com/OMA (not http) using my nickname and password, but I don't even know what that means. I talked to the IT guys and they just sent me to a Microsoft page where it says: "This problem may occur because the device manufacturer locked the Windows Mobile 5.0-based device. This lock prevents you from installing Secure Sockets Layer (SSL) certificates correctly".
So, their only answer was: contact your manufacturer to see if the device is locked (??). (Although they also said I didn't need a SSL certificate)
¿Could anybody please help me to understand this? ¿Do I have to install a certificate? ¿Do the IT guys have to do it? I really need to solve this so any information is welcome
thanks a lot.
If it is a "self-signed" certificate (and not an official one bought f.e. via verisign.com), than you have to install it on your device to make it "valid". Additionally the Hostname provided in the certificate must exactly match the hostname of your exchange-server otherwise it won't work either. HTH
PS.: you can find out both when you access your companys exchange server via OWA (OutlookWebAccess). Once you're logged on you can examin the certificate and look if the hostname matches, if the certificate is still valid (every certificate has an expiration date) and who the "certification authority" is.
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
I'd be curious if anyone would know how to rip the public key from Firefox or something so it can be imported to the phone to make it work.
I have been told if you can get your exchange admin to send you the .CERT file from the IIS webserver you can run that on your phone and get it to work. However, I believe that has the public and private key pairs, which is a security risk to your entire organization if you have the private pair!
jon_k said:
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
Click to expand...
Click to collapse
domain credentials over unsecured channel, bad mojo man
Your IS guys should have a certificate for you to install which will resolve the problemI have a root ca certificate for my company installed on my phone so I have no problem using any certificate they sign.
As already said, check the hostname matches extacly and check the expiry date of the certificate.
Hey Guys, thanks for all your answers!
I'm logged on the OWA server and the certificate says "Equifax Secure global eBusiness CA-1". The expiration date is 24/02/2010. Does anybody know how can I install this on my device? I checked the hostname and it matches perfectly
If it is like the certificate I have to use to get my Tilt/Office Exchange to work, then you just double click on it and it should say "Installed" or something like that. After that, assuming you have everything else setup, it should work like a charm.
thanks a lot to all you guys! Had some problems because the certificate would install in the "intermediate" store, instead of the root store, but I found this site and followed the instructions:
http://www.confusedamused.com/notebook/installing-windows-mobile-60-root-certificates/
It's synchronizing right now and it's way faster than activesync!
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
WeldingRod said:
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
Click to expand...
Click to collapse
I also had this problem, and the sync. still does not work... if someone has some idea
Thank you
hello everyone,
I got this to work by installing the .cer certificate from the self signed website certificate AND installing a .cer from the server's self signed ROOT CERTIFICATE. The root certificate is usually located on the C: drive of the server with certificate services installed. Your IT guy should know where this is. You just copy the root cert to a file just as you would the website cert. Install both on the phone...the website cert will go to "intermediate" and the rott cert will go into the "root" store. Once I did this, no more error codes and my activesync shows "connected" instead of the last time it was synced.
Hi
Had the same problem and it's solved thanks to this solution mentioned by oscarsalgar
It's working perfect !!!
Thank you very much
K'uvo man, gracias puesh hermano, me salvaste la vida puesh. Triple hijueputa q me ayudo este post man. Gracias pelado!!

Problems with synching exchange mail - Kaiser and Wizard...

I have received a HTC TYTN II from my company, which currently is synching with our mailserver so that I can read my email wherever I am.
Since I'm curious, I tried to get my old Wizard to do the same. I did the same install as with the Kaiser, but I get the dreaded "0x85010004". I scanned thru the Kaisers registry and took all root-certificates under "HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates" and imported them into the Wizard and rebooted, but no luck. I am assuming it's a certificate of some kind that is missing, but I can't find where else it could be? Does Exchange install a hidden certificate on the phone in order to identify it, and if so - why isn't it shown in the certificates menu?
Any help is appreciated.
BR
Fredrik
activesync cert with exchange
hi fredrik,
activesync accessing exchange on a mobile device uses OWA (outlook web access) to access your email through SSL. the best way to get the cert you need is to log into your OWA (probably something like https://webmail.yourcompanyname.com) or whatever it is (it's the same address you use when you put in when confiigure exchange with activesync) from a desktop pc. than, right click on a blank portion of the page and go to properties. you should see a button that says certificates, click on that, than click on the details tab. than click on the "copy to file" button and the cert export wizard will start. click next, than select base64 as the type of cert, than hit next, name it, save it, put it on a memory card or bluetooth the file to your phone and install it. sometimes, during the install, your phone will error out when installing it, just soft reset, and then install it again. you should get a message that says it was installed successfully. than configure for activesync for exchange on your phone and you should be all good. let me know if that works for you.
Thanks for the help!
Tried that and got the same problem. The original phone has Pointsec installed in it, but I do not think that it gerenates any certificates (at least not any I have found in the registry). Is the ACU version important?
/F
Talked to my IT department and they told me that Pointsec decodes a certificate in order to communicate with our mailservers. Anyone any good at pointsec and knows if it puts a crypto on the Registry or if it is purly file based? If the file is decrypted each time I punch in my code, it should register the time when the file is being decrypted... What programs can search files in WM and search for the time stamp?
BR
Fredrik
I have an AT&T Tilt. I had Direct Push from Exchange Server working perfectly with no effort - was working for months. Then, I had a hardware problem with that phone and was given a replacement from AT&T. After replacing it I am unable to configure the direct push any more. I wrote down all the settings and carefully reapplied them on the new phone.
What I am seeing now is when manually invoking a send/receive, ActiveSync reports the following:
------
Result:
The server you are synchronizing with is not an Exchange Server, or is running incompatible
software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Support Code: 0x85030022
------
I've been on the line with the hosted exchange server folks and there's no change on their end...
I installed the certificate as suggested above - seemed like it was worth a shot. No difference.
Any ideas?
sorry for the late reply.
I'm not too sure about your pointsec fredrick, as we don't use it on our mobile devices at work, but we do use it on our computers. as far as i know, pointsec is supposedly suppose to be transparent encrypt/decrypt after you first turn on your device and enter a passcode, heck, windows mobile should operate like pointsec isn't even on the device, so it shouldn't be a cert issue, but who knows, i never liked pointsec anyway. sorry i can't be more helpful.
ubetchya,
that error message is pretty straight forward, either the OWA address is wrong or your certificate isn't installed correctly. i know this sounds lame, but if you can, borrow a friend's Windows Mobile phone and config it with activesync to verify your settings are correct. for the owa address, try adding "/exchange" without the quotes at the end, maybe their redirect isn't working correctly. so if your server address is "https://webmail.hostedexchange.com", make it look like "https://webmail.hostedexchange.com/exchange" (that should take you to directly to the exchange server without using their redirect). if you want, you can also try downloading the certificate directly from your hosted exchange guys, if they have the cert page up that is (most exchange admins leave it up, i know we do =P ) to get to the cert page, go to a desktop pc...
1. type in your webmail server address and add "/certsrv" at the end without the quotes (ie; "https://webmail.hostedguys.com/certsrv"
2. it will prompt you for a username, it should be in the following format "domain\username", so if my domain was microsoft, and my username was bill, than my username would be "microsoft\bill" without the quotes
3. enter your password.
4. click on the last link, "download a certificate, certificate chain, etc"
5. select the base 64 encoding method and than click download CA certificate.
6. save it to a memory card or bluetooth it over to your phone and install it.
hope that helps!
oh... and one more thing about your server address, it could be different than adding "/exchange" at the end, to verify, just to your webmail and see wear it redirects, when you get to your login page (if using forms based authentication), use that address, if not using forms based, (small popup window for login) just log in and than use that address.
UBetchYa said:
I have an AT&T Tilt. I had Direct Push from Exchange Server working perfectly with no effort - was working for months. Then, I had a hardware problem with that phone and was given a replacement from AT&T. After replacing it I am unable to configure the direct push any more. I wrote down all the settings and carefully reapplied them on the new phone.
What I am seeing now is when manually invoking a send/receive, ActiveSync reports the following:
------
Result:
The server you are synchronizing with is not an Exchange Server, or is running incompatible
software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Support Code: 0x85030022
------
I've been on the line with the hosted exchange server folks and there's no change on their end...
I installed the certificate as suggested above - seemed like it was worth a shot. No difference.
Any ideas?
Click to expand...
Click to collapse
I got it working. The error message was pretty close to telling me that it's an invalid server "name". My hosted exchange provider uses owa3.... I was missing the all-important 3.
No matter how hard they try, programmers can't make it completely idiot proof...
All is working now beautifully. Thanks much for the suggestsions.
Tytn II
Hi there,
I'm trying to connnect my Tytn II to my work's exchange server so I can use it instead of having to use a Crackberry however I'm getting the following message in ActiveSync:
Support code # 0x85030022
The server you are synchronizing with is not an exchange sever, or is running incompatible software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Can anyone help ?
Hi Smooth,
Have you tried all the steps in this thread already? make sure you have installed the correct certificate, have the correct server address and ask your administrator if activesync is enabled on the exchange server. post back with your results to the tricks in this thread and we'll see what else you can try.

Exchange account constantly asking for password

I've searched high and low for an answer to this issue.
I have an AT&T Tilt currently running NATF 5 Loaded ROM. My phone keeps asking me for the password to my mail server. I can enter it, click the save password box, and it still will ask for my password after some time. It may happen in 5 minutes or 5 hours. No real rhyme or reason as to why.
Anyone else seen this or know of a fix?
TIA!
does it actually connect to the exchange server when you enter the password?
Yes, sir. It certainly does.
Also, this happens no matter what ROM I use. My guess is that there's something server side going on. I'd like to know what so I can get it fixed.
If you're connecting to a server with an SSL certificate chain that doesn't directly lead to a trusted root one built into the phone you'll get that. At least it happened to me where I run my own exchange server with a self-signed certificate.
Check out this page:
http://blogs.msdn.com/windowsmobile/archive/2008/05/18/sslchainsaver-v2-released.aspx
And install all of the certificates in the chain onto your device. When you run the program it will make some XML files that I couldn't get to work right, but just copy the actual certificate files (from the folder it makes with your mailserver's name) onto your device and run them to install. Reboot your device and see if the problem goes away. If it doesn't, it's probably a server-side issue.
Nopple,
Thanks for the insight, man! I'm testing it now. We have a self-signed certificate. When I ran SSL Chain Saver it told me it could not get the root but grabbed what it could. I originally exported a certificate from the OWA server but I guess you need more than that when you are self-signed.
Anyway, I'm testing now and will post back once I'm done.
Thanks!
try this
use pocket ie and go to:
http://yourexchangeserver.com/oma (replace yourexchangeserver.com with the correct address of your exchange server)
Log in to your email and see if you are asked for your password.
This should tell you if your exchange server is setup for outlook mobile access. If it isn't, then you won't be able to log in. I used this quite a bit when getting our corp exchange server setup for my mobile users.
Nopple,
That did the trick!! I'll document appropriately for our internal network.
Thanks a TON for your help!

[Q] How to add self signed certificats to my WP8?

Hi guys,
I have a HTXC 8x but I think my question applies to all WP8 devices. I have an open source groupware (Zarafa) running on my own hardware at home which provides me with an Exchange ActiveSync interface. Currently I use this without any encryption (only in local wifi, not over 3g) but I do plan to rout this to the internet in order to be able to sync on the go. Now I do have my own self signed SSL certificate and securing the webaccess worcs like a charm. Anyway I can't seem to find any information on how to add this certificate to my WP8 device in order to accept the encrypted Active Sync API. Is this possible at all? Am I just blind? How do I do this?
Thanks for your help allready and cheers,
derliebewolf
I have no idea, if this info helps.
Im using RDP Gateway to my work network with 2 certificates - the one with cer suffix and the one pfx with suffix and with password. I can add it from Skydrive via Skymanager without problems...
derliebewolf said:
Hi guys,
I have a HTXC 8x but I think my question applies to all WP8 devices. I have an open source groupware (Zarafa) running on my own hardware at home which provides me with an Exchange ActiveSync interface. Currently I use this without any encryption (only in local wifi, not over 3g) but I do plan to rout this to the internet in order to be able to sync on the go. Now I do have my own self signed SSL certificate and securing the webaccess worcs like a charm. Anyway I can't seem to find any information on how to add this certificate to my WP8 device in order to accept the encrypted Active Sync API. Is this possible at all? Am I just blind? How do I do this?
Thanks for your help allready and cheers,
derliebewolf
Click to expand...
Click to collapse
You export the public key of your CA (Certificate Authority - the Key that was used to sign you self signed certificate) to a *.cer file. You then send that to yourself via E-Mail, open it on the phone and install it. Then connecting to your server using the self signed certificate should work.
StevieBallz said:
You export the public key of your CA (Certificate Authority - the Key that was used to sign you self signed certificate) to a *.cer file. You then send that to yourself via E-Mail, open it on the phone and install it. Then connecting to your server using the self signed certificate should work.
Click to expand...
Click to collapse
Well, that sounds easy. Gonna give it a try over the weekend, thanks a lot!
Note: that process assumes that you used a self-signed CA cert and then used it to sign your SSL cert, rather than just self-signing the SSL cert (the first approach is better but the second may be simpler). In either case, though, there should be a cert with key usage info specifying that it can be used to verify authenticity (the cert whose private key was used to create the signature). Export that as a .cer (or similar) file and email it to your phone or post it on a web server that you visit using your phone, and you'll be asked if you want to install it.
Do not export the private key unless you're using a client cert for authentication (if you aren't sure, then you aren't). The most common formats for cert export don't even permit including a private key.

Categories

Resources