Related
Problem:
Company just upgraded to Exchange 2007 which requires SSL
IT dept gave me a certificate and set us up for wireless sync.
Those with WM5 devices imported cert and are off and running
I tried to install the cert and it installed as an intermediate and activesync told me the server certificate was invalid and cannot sync.
Found a way to make it a cab file and install as a root certificate... made no difference.
Anyone can help?
no one else experience this?
There is a couple of Microsoft programs available for importing certs, however just ask your company to use a real cert instead of a self signed, there cheap as chips nowadays (have a look at godaddy.com, $19.99 a year). for that sort of money it's not worth messing about with selfcerts...... just do it properly. Oh any you dont NEED to have SSL turned on with OWA 2007, if you used to run OWA unsecured, then ask the IT guys to disable the force ssl on the IIS sites.
But not recomended as all your data/passwords cross the network in the clear.
Verify that the date on your phone is set properly. It will state that the certificate is not valid, if the date isn't set up properly.
Man.. still no luck.
This is insanely difficult - We WM6 appears to not handle this well - I've managed to get the cert stored int he root tab (and the intermediate tab) and it still wont work.
Though i can view OWA via PIE
What format is your IT department using to deliver the Certificate to you? WM6 supports PFX, P12, CER, and P7B certs. TechNet refers to the IT department creating a CAB file to do this, so if you're getting a "*.cer" file that may be the issue.
Take a gander at this MS KB article and see if it (and the link to the app it includes) helps any.
You are problaly using a self signed cert.....lucky for you its a quick fix
have you your IT dept give you the .cer file from the CAroot server and thats it. copy it to your phone and double click it it will then install the cert on your phone, your phone now trusts your exchange server!!!!!!
I've been messing with direct push but haven't gotten it working yet, and I'm basically curious if it's even possible with my company's setup. Our IT group will not assist in any way or alter any certificates.
My company uses a wildcard cert on our OWA. The signer is in the root store on my Tilt. The CN on the cert is *.mycompany.com which obviously does NOT match the OWA address which is webmail.mycompany.com. I've read in another thread that this is required but I wasn't sure if this is true. I can't even get to our OWA in PIE. It just throws "The page cannot be displayed because the Web site cannot be authenticated". It works fine in Opera mobile. When I set up direct push, ActiveSync fails with the support code 0x80072F7D. If I intentionally botch my username or password I still get the same error, so I'm assuming it is happening due to cert issues before the connection can even be made.
Is direct push even possible with my company's cert setup or am I just poked?
If you can get the the .cer file copy it to your kaiser and open it. You should get a message saying its been successfully installed. That should be enough to get it working as long as the server is set up correctly.
if you can't login to OWA or OMA through PIE then it won't work through direct push. They have to be accessible via the browser without any prompts about certs or whatnot. The issue here seems to be a funky cert. setup.
Thanks for the responses. The cert is/was already installed on the device. Looks like the CN matching the OWA address might really be true and I'm poked. I've gone to SEVEN as a workaround. Well written (unlike the emoze OWA app which brought my phone to a screeching halt), but sometimes emails have a delay of up to 30 minutes . All well. And damn the kaiser forums are busy, I was already page 7 news
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
To the best of my knowledge and extensive frustration, you can't use a self-signed cert. If you aren't using a self-cert, you should be ok, HOWEVER, getting it set up right is extremely tricky. Once we got it up, I tried to help a customer a little, never got it working properly - we got the cert working but the folders wouldn't sync.
My experience is it is very easy as long as you install the private cert on everything that is goign to connect.
Later, Lew
lewcamino said:
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
Click to expand...
Click to collapse
Thanks Lew. I can indeed hit the OWA at /certsrv on any desktop, but not PIE. And yes, it's using https. I kind of doubt the exchange server is even set up to allow it. Is there any way I can tell for sure short of logging into the server? Also, I'm not sure if this has anything to do with my problems, but if you hit our OWA inside of our corp. network the cert is a different one and is self signed.
self signed certificates
I have been trying to resolve this same issue with my tilt. I have set up a self signed certificate for my exchange server. This certificate works on any pc inside or outside the local network; however, the certificate will not install as a root certificate on my tilt. After installing the certificate it appears as an intermediate certificate, but not a root certificate.
I think that att has blocked the software so that self signed certificates will not install in the root directory. Not sure of the motivation for this other than to force users to use their express mail service which costs $5 per month.
Are there any work arounds for this? Can applications be unlocked?
Hello,
My company uses Exchange server 2003 sp2. I've tried to sync my TyTN II several times but I always get this message: "The security certificate on the server is invalid. Contact your system administrator or ISP to install a valid certificate on the server and try again".
I'm actually able to access https://myserver.com/OMA (not http) using my nickname and password, but I don't even know what that means. I talked to the IT guys and they just sent me to a Microsoft page where it says: "This problem may occur because the device manufacturer locked the Windows Mobile 5.0-based device. This lock prevents you from installing Secure Sockets Layer (SSL) certificates correctly".
So, their only answer was: contact your manufacturer to see if the device is locked (??). (Although they also said I didn't need a SSL certificate)
¿Could anybody please help me to understand this? ¿Do I have to install a certificate? ¿Do the IT guys have to do it? I really need to solve this so any information is welcome
thanks a lot.
If it is a "self-signed" certificate (and not an official one bought f.e. via verisign.com), than you have to install it on your device to make it "valid". Additionally the Hostname provided in the certificate must exactly match the hostname of your exchange-server otherwise it won't work either. HTH
PS.: you can find out both when you access your companys exchange server via OWA (OutlookWebAccess). Once you're logged on you can examin the certificate and look if the hostname matches, if the certificate is still valid (every certificate has an expiration date) and who the "certification authority" is.
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
I'd be curious if anyone would know how to rip the public key from Firefox or something so it can be imported to the phone to make it work.
I have been told if you can get your exchange admin to send you the .CERT file from the IIS webserver you can run that on your phone and get it to work. However, I believe that has the public and private key pairs, which is a security risk to your entire organization if you have the private pair!
jon_k said:
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
Click to expand...
Click to collapse
domain credentials over unsecured channel, bad mojo man
Your IS guys should have a certificate for you to install which will resolve the problemI have a root ca certificate for my company installed on my phone so I have no problem using any certificate they sign.
As already said, check the hostname matches extacly and check the expiry date of the certificate.
Hey Guys, thanks for all your answers!
I'm logged on the OWA server and the certificate says "Equifax Secure global eBusiness CA-1". The expiration date is 24/02/2010. Does anybody know how can I install this on my device? I checked the hostname and it matches perfectly
If it is like the certificate I have to use to get my Tilt/Office Exchange to work, then you just double click on it and it should say "Installed" or something like that. After that, assuming you have everything else setup, it should work like a charm.
thanks a lot to all you guys! Had some problems because the certificate would install in the "intermediate" store, instead of the root store, but I found this site and followed the instructions:
http://www.confusedamused.com/notebook/installing-windows-mobile-60-root-certificates/
It's synchronizing right now and it's way faster than activesync!
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
WeldingRod said:
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
Click to expand...
Click to collapse
I also had this problem, and the sync. still does not work... if someone has some idea
Thank you
hello everyone,
I got this to work by installing the .cer certificate from the self signed website certificate AND installing a .cer from the server's self signed ROOT CERTIFICATE. The root certificate is usually located on the C: drive of the server with certificate services installed. Your IT guy should know where this is. You just copy the root cert to a file just as you would the website cert. Install both on the phone...the website cert will go to "intermediate" and the rott cert will go into the "root" store. Once I did this, no more error codes and my activesync shows "connected" instead of the last time it was synced.
Hi
Had the same problem and it's solved thanks to this solution mentioned by oscarsalgar
It's working perfect !!!
Thank you very much
K'uvo man, gracias puesh hermano, me salvaste la vida puesh. Triple hijueputa q me ayudo este post man. Gracias pelado!!
Hi, id appreciate any help. JUST UNBOXED MY htc hd7, and tried to set up my outlook account, which is based on ms exchange server. I have it running without any issue on iphone, and i just copied the setting of the iphone. However, i keep getting a certificate error for my server. I have remote acess to the server via citrix, and i tried to copy a few certs using mmc, and mailed them via a gmail account. They installed correctly, but it didnt work. Can anyone help?
Hi guys,
I have a HTXC 8x but I think my question applies to all WP8 devices. I have an open source groupware (Zarafa) running on my own hardware at home which provides me with an Exchange ActiveSync interface. Currently I use this without any encryption (only in local wifi, not over 3g) but I do plan to rout this to the internet in order to be able to sync on the go. Now I do have my own self signed SSL certificate and securing the webaccess worcs like a charm. Anyway I can't seem to find any information on how to add this certificate to my WP8 device in order to accept the encrypted Active Sync API. Is this possible at all? Am I just blind? How do I do this?
Thanks for your help allready and cheers,
derliebewolf
I have no idea, if this info helps.
Im using RDP Gateway to my work network with 2 certificates - the one with cer suffix and the one pfx with suffix and with password. I can add it from Skydrive via Skymanager without problems...
derliebewolf said:
Hi guys,
I have a HTXC 8x but I think my question applies to all WP8 devices. I have an open source groupware (Zarafa) running on my own hardware at home which provides me with an Exchange ActiveSync interface. Currently I use this without any encryption (only in local wifi, not over 3g) but I do plan to rout this to the internet in order to be able to sync on the go. Now I do have my own self signed SSL certificate and securing the webaccess worcs like a charm. Anyway I can't seem to find any information on how to add this certificate to my WP8 device in order to accept the encrypted Active Sync API. Is this possible at all? Am I just blind? How do I do this?
Thanks for your help allready and cheers,
derliebewolf
Click to expand...
Click to collapse
You export the public key of your CA (Certificate Authority - the Key that was used to sign you self signed certificate) to a *.cer file. You then send that to yourself via E-Mail, open it on the phone and install it. Then connecting to your server using the self signed certificate should work.
StevieBallz said:
You export the public key of your CA (Certificate Authority - the Key that was used to sign you self signed certificate) to a *.cer file. You then send that to yourself via E-Mail, open it on the phone and install it. Then connecting to your server using the self signed certificate should work.
Click to expand...
Click to collapse
Well, that sounds easy. Gonna give it a try over the weekend, thanks a lot!
Note: that process assumes that you used a self-signed CA cert and then used it to sign your SSL cert, rather than just self-signing the SSL cert (the first approach is better but the second may be simpler). In either case, though, there should be a cert with key usage info specifying that it can be used to verify authenticity (the cert whose private key was used to create the signature). Export that as a .cer (or similar) file and email it to your phone or post it on a web server that you visit using your phone, and you'll be asked if you want to install it.
Do not export the private key unless you're using a client cert for authentication (if you aren't sure, then you aren't). The most common formats for cert export don't even permit including a private key.