Related
Problem:
Company just upgraded to Exchange 2007 which requires SSL
IT dept gave me a certificate and set us up for wireless sync.
Those with WM5 devices imported cert and are off and running
I tried to install the cert and it installed as an intermediate and activesync told me the server certificate was invalid and cannot sync.
Found a way to make it a cab file and install as a root certificate... made no difference.
Anyone can help?
no one else experience this?
There is a couple of Microsoft programs available for importing certs, however just ask your company to use a real cert instead of a self signed, there cheap as chips nowadays (have a look at godaddy.com, $19.99 a year). for that sort of money it's not worth messing about with selfcerts...... just do it properly. Oh any you dont NEED to have SSL turned on with OWA 2007, if you used to run OWA unsecured, then ask the IT guys to disable the force ssl on the IIS sites.
But not recomended as all your data/passwords cross the network in the clear.
Verify that the date on your phone is set properly. It will state that the certificate is not valid, if the date isn't set up properly.
Man.. still no luck.
This is insanely difficult - We WM6 appears to not handle this well - I've managed to get the cert stored int he root tab (and the intermediate tab) and it still wont work.
Though i can view OWA via PIE
What format is your IT department using to deliver the Certificate to you? WM6 supports PFX, P12, CER, and P7B certs. TechNet refers to the IT department creating a CAB file to do this, so if you're getting a "*.cer" file that may be the issue.
Take a gander at this MS KB article and see if it (and the link to the app it includes) helps any.
You are problaly using a self signed cert.....lucky for you its a quick fix
have you your IT dept give you the .cer file from the CAroot server and thats it. copy it to your phone and double click it it will then install the cert on your phone, your phone now trusts your exchange server!!!!!!
Does any one know if there is a way to use your WM6 device on a secured WPA, TKIP, PEAP network when you have your own user name and password to access regular pc.
I'm trying to use my TILT at work and everytime i try to log in it tells me that i need "personal certificate" to positively identify me.
Would it possible to retreive my personal certificate from my work loptop and transfering it somehow to my Tilt?
I really need some help with that, i've been trying this forever.
THanks in advnace
There is a solution here: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2434968&SiteID=1
seattleweb said:
There is a solution here: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2434968&SiteID=1
Click to expand...
Click to collapse
Did you try this? It sounds like a similar issue but I've never seen some of the screens they are mentioning for login credentials. I tried the registry key but still get the message that I need a personal certificate.
I'm going to try Odyssey's Access client, which is now Juniper I guess.
Juniper Odyssey Access Client works just fine with the Tilt/WM6.
I was able to connect to my company's PEAP/MS-CHAP-V2 network.
If you do a google search with keywords "p12imprt.exe pocketpc" you will find a smal program that allows you to import personal certificates in your Windows mobile.
I hope this helps.
thanks guys, i'll try all the suggestions and'll let you know
I've set up a RADIUS auth server w/WPA-TKIP @ home.... not too hard to config PEAP. I'll try it out this evening and report back the details.
careful if you try the odyssey client, maybe wait to see seattle's results. Odyssey really grabs a hold of the registry. Do an image backup before installing.
FYI...I checked that thread, and checked my registry, and I have that setting they suggest. I am getting the personal certificate error anyway.
The import certificate sounds interesting. Actually I had been told a while ago I needed to do that, and I thought I saw a way natively on my Tilt to do that, but I have no idea how to get the certificate to import. I asked our admins at my office about that, and they had no clue.
Any thoughts on how/where to get teh certificate to import? (Someone said it woudl be on my laptop that I login with, but don't know whre it is there either).
Why not just export your personal certificate from the PC and run it on the handheld, the first time you try to enroll it will ask for credentials.
Works for me anyway.
nybom said:
Why not just export your personal certificate from the PC and run it on the handheld, the first time you try to enroll it will ask for credentials.
Works for me anyway.
Click to expand...
Click to collapse
Nybom...if you can give me any hints on how to do that it would be great. That was my point in my last statements re: the laptop - I don't know how to export it nor does my admins here.
I use Windows Vista at work. WMDC has a feature that allows you to import various certificates from your corporate network. If you are using ActiveSync on XP, I would suggest looking at options there. I don’t have ActiveSync right now or I would look. I have successfully connected my Tilt to our corporate wireless, which is WPA, AES, PEAP. Hope this helps.
Exporting Personal Certificates
Export a Certificate
To export a certificate, follow these steps:
1. From the computer where the certificate was installed, start Microsoft Management Console (MMC). Start>Run>MMC
2. Add the Certificates snap-in to the console.(Ctrl M) When you are prompted, click My user account as the account to be managed.
3. In the MMC console, double-click Certificates – Current User, double-click Personal, and then click Certificates.
4. In the right pane, right-click the certificate that you want to export, point to All Tasks, and then click Export.
5. When the Certificate Export Wizard starts, click Next.
6. On the Export Private Key page, click Yes, export the private key.
The private key is required for the encrypted messages to be read from the computer where the key will be imported.
7. On the Export File Format page, leave the default settings, and then click Next.
8. On the Password page, type password for the private key.
9. On the File to Export page, type the path and the name for the exported certificate file, and then click Next. (save it to your storage card for future use)
The file name has a .pfx extension. This file is the .pfx file that is imported to other computers.
10. Click Finish.
The export certificate file is saved with the name that you specified and a .pfx extension.
To import, use File Explorer, find where you saved it to, and click on it. It will automatically place it in the correct certificate store.
Thank you so much. I was so excited.
But alas, I apparently do not have any certificates on my laptop. ( I say that because when I DClick on Personal, it says "There are no items to show in this view" ). My method of authentication to the wireless here is via AD, and past discussions everyone thought it would have pushed a cert to my PC, but that seems to not be the case.
Although there are a lot of other certificates, a couple of which are issued by my company, in the Trusted Root Certificate Authorities/Certificates folder. Should I try one of them?
ewingr said:
Thank you so much. I was so excited.
But alas, I apparently do not have any certificates on my laptop. ( I say that because when I DClick on Personal, it says "There are no items to show in this view" ). My method of authentication to the wireless here is via AD, and past discussions everyone thought it would have pushed a cert to my PC, but that seems to not be the case.
Although there are a lot of other certificates, a couple of which are issued by my company, in the Trusted Root Certificate Authorities/Certificates folder. Should I try one of them?
Click to expand...
Click to collapse
Yes, absolutely. However, when you ADD the cert in the MMC, it will have to be as a computer>local computer account rather than a personal account. Choose the Base64 option to save as a .CER. Import to your device the same way. You may also want to explore the Intermediate Certificate Authority folder on the MMC for more that relate to your company. Doesn't hurt to grab all that you think relate to your company. Mine ended up having 2 Roots and 4 Intermediates.
Thanks!
Next issue: I have no export private keys page come up, and wehn I get to the final page, keys is set to NO.
In case it makes any difference, my laptop is Windows XP Pro.
I wonder if it could be because somethign is 'locked down' by admins here.
ewingr said:
Nybom...if you can give me any hints on how to do that it would be great. That was my point in my last statements re: the laptop - I don't know how to export it nor does my admins here.
Click to expand...
Click to collapse
I also have the certificate pushed out from the AD. But if you do not have any personal certificates listed in the personal tab I don't know what to do.
In my case I went to "Internet options", tab "Content", chose "Certificates", in tab "Personal" marked the certificate with my AD account name and chose "Export". Then "Next", "Next", "Next"... all without changing anything and then saving the file.
Delta_flyer said:
Yes, absolutely. However, when you ADD the cert in the MMC, it will have to be as a computer>local computer account rather than a personal account. Choose the Base64 option to save as a .CER. Import to your device the same way. You may also want to explore the Intermediate Certificate Authority folder on the MMC for more that relate to your company. Doesn't hurt to grab all that you think relate to your company. Mine ended up having 2 Roots and 4 Intermediates.
Click to expand...
Click to collapse
but how do you import it in windows mobile, aboviously it's not the same way as xp, i got my company's .cer file now how do i install in on my tilt. Also i couldn't find any personal certificates even thouh i use my desk pc and my work loptop.
thanks
ok i installing a certificate on a WM devisce is easy just click on the cert once you transfer it to the phone.
BUt can someone telll me why i don't have my own personal certificate on my work pc and loptop. I log in to both using the same network username and pass with the company's domain selected from the drop down menu.
thanks
I can't answer your question since I've seen the same thing on both of my PCs. One had a personal cert, the other did not. I don't think a personal cert. is necessary. If you have the proper root(s) and intermediates, you should get a log on screen when it tries to connect. Once you login the first time, your set.
I've been messing with direct push but haven't gotten it working yet, and I'm basically curious if it's even possible with my company's setup. Our IT group will not assist in any way or alter any certificates.
My company uses a wildcard cert on our OWA. The signer is in the root store on my Tilt. The CN on the cert is *.mycompany.com which obviously does NOT match the OWA address which is webmail.mycompany.com. I've read in another thread that this is required but I wasn't sure if this is true. I can't even get to our OWA in PIE. It just throws "The page cannot be displayed because the Web site cannot be authenticated". It works fine in Opera mobile. When I set up direct push, ActiveSync fails with the support code 0x80072F7D. If I intentionally botch my username or password I still get the same error, so I'm assuming it is happening due to cert issues before the connection can even be made.
Is direct push even possible with my company's cert setup or am I just poked?
If you can get the the .cer file copy it to your kaiser and open it. You should get a message saying its been successfully installed. That should be enough to get it working as long as the server is set up correctly.
if you can't login to OWA or OMA through PIE then it won't work through direct push. They have to be accessible via the browser without any prompts about certs or whatnot. The issue here seems to be a funky cert. setup.
Thanks for the responses. The cert is/was already installed on the device. Looks like the CN matching the OWA address might really be true and I'm poked. I've gone to SEVEN as a workaround. Well written (unlike the emoze OWA app which brought my phone to a screeching halt), but sometimes emails have a delay of up to 30 minutes . All well. And damn the kaiser forums are busy, I was already page 7 news
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
To the best of my knowledge and extensive frustration, you can't use a self-signed cert. If you aren't using a self-cert, you should be ok, HOWEVER, getting it set up right is extremely tricky. Once we got it up, I tried to help a customer a little, never got it working properly - we got the cert working but the folders wouldn't sync.
My experience is it is very easy as long as you install the private cert on everything that is goign to connect.
Later, Lew
lewcamino said:
Are you trying to access OWA using https? Also, *.mycompany.com does match webmail.mycompany.com. That is the point of the wildcard. ipodzsuck.mycompany.com would also match.
It could be a private certificate. Hell, exchaneg maynot be setup to allow activsync.
Try using a browser and going to https://webmail.mycompany.com/certsrv
There is probably a certificate server that was used to generate the private cert.
It is not neccacarilly the same as the webmail server but is worth a shot. Also if you know any other server names you can try those with a "/certsrv" at the end.
Good Luck, Lew
Click to expand...
Click to collapse
Thanks Lew. I can indeed hit the OWA at /certsrv on any desktop, but not PIE. And yes, it's using https. I kind of doubt the exchange server is even set up to allow it. Is there any way I can tell for sure short of logging into the server? Also, I'm not sure if this has anything to do with my problems, but if you hit our OWA inside of our corp. network the cert is a different one and is self signed.
self signed certificates
I have been trying to resolve this same issue with my tilt. I have set up a self signed certificate for my exchange server. This certificate works on any pc inside or outside the local network; however, the certificate will not install as a root certificate on my tilt. After installing the certificate it appears as an intermediate certificate, but not a root certificate.
I think that att has blocked the software so that self signed certificates will not install in the root directory. Not sure of the motivation for this other than to force users to use their express mail service which costs $5 per month.
Are there any work arounds for this? Can applications be unlocked?
Hello,
My company uses Exchange server 2003 sp2. I've tried to sync my TyTN II several times but I always get this message: "The security certificate on the server is invalid. Contact your system administrator or ISP to install a valid certificate on the server and try again".
I'm actually able to access https://myserver.com/OMA (not http) using my nickname and password, but I don't even know what that means. I talked to the IT guys and they just sent me to a Microsoft page where it says: "This problem may occur because the device manufacturer locked the Windows Mobile 5.0-based device. This lock prevents you from installing Secure Sockets Layer (SSL) certificates correctly".
So, their only answer was: contact your manufacturer to see if the device is locked (??). (Although they also said I didn't need a SSL certificate)
¿Could anybody please help me to understand this? ¿Do I have to install a certificate? ¿Do the IT guys have to do it? I really need to solve this so any information is welcome
thanks a lot.
If it is a "self-signed" certificate (and not an official one bought f.e. via verisign.com), than you have to install it on your device to make it "valid". Additionally the Hostname provided in the certificate must exactly match the hostname of your exchange-server otherwise it won't work either. HTH
PS.: you can find out both when you access your companys exchange server via OWA (OutlookWebAccess). Once you're logged on you can examin the certificate and look if the hostname matches, if the certificate is still valid (every certificate has an expiration date) and who the "certification authority" is.
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
I'd be curious if anyone would know how to rip the public key from Firefox or something so it can be imported to the phone to make it work.
I have been told if you can get your exchange admin to send you the .CERT file from the IIS webserver you can run that on your phone and get it to work. However, I believe that has the public and private key pairs, which is a security risk to your entire organization if you have the private pair!
jon_k said:
You can still use OWA if the company allows you to use it unencrypted. Just uncheck use SSL during setup.
Click to expand...
Click to collapse
domain credentials over unsecured channel, bad mojo man
Your IS guys should have a certificate for you to install which will resolve the problemI have a root ca certificate for my company installed on my phone so I have no problem using any certificate they sign.
As already said, check the hostname matches extacly and check the expiry date of the certificate.
Hey Guys, thanks for all your answers!
I'm logged on the OWA server and the certificate says "Equifax Secure global eBusiness CA-1". The expiration date is 24/02/2010. Does anybody know how can I install this on my device? I checked the hostname and it matches perfectly
If it is like the certificate I have to use to get my Tilt/Office Exchange to work, then you just double click on it and it should say "Installed" or something like that. After that, assuming you have everything else setup, it should work like a charm.
thanks a lot to all you guys! Had some problems because the certificate would install in the "intermediate" store, instead of the root store, but I found this site and followed the instructions:
http://www.confusedamused.com/notebook/installing-windows-mobile-60-root-certificates/
It's synchronizing right now and it's way faster than activesync!
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
WeldingRod said:
Well I was able to save, and copy the certificate by going to my companies OWA site.
I copied it via memory card, and was able to install it. Upon installing it I'm not asked for an option of where to install it (root vs. intermediate, etc)
Unfortunately by default it is going to intermediate.
I hope that this will fix it once I figure out how to install it into root.
For now it has not fixed my problem, still get an error synchronizing with the server.
Edit:
Strange, I re-installed the certificate, to make sure it was from the "head" title branch (my company has an extra level to the branch so I tried both), and this time instead of soft-reset, I completely shut-down the phone.
Powering it back up, it now sync's fine, and there is a 2nd verisign cert with a different expiration installed in the root store. My poor outlook is still syncing data as it catches up for the last couple weeks!
Doh.
Click to expand...
Click to collapse
I also had this problem, and the sync. still does not work... if someone has some idea
Thank you
hello everyone,
I got this to work by installing the .cer certificate from the self signed website certificate AND installing a .cer from the server's self signed ROOT CERTIFICATE. The root certificate is usually located on the C: drive of the server with certificate services installed. Your IT guy should know where this is. You just copy the root cert to a file just as you would the website cert. Install both on the phone...the website cert will go to "intermediate" and the rott cert will go into the "root" store. Once I did this, no more error codes and my activesync shows "connected" instead of the last time it was synced.
Hi
Had the same problem and it's solved thanks to this solution mentioned by oscarsalgar
It's working perfect !!!
Thank you very much
K'uvo man, gracias puesh hermano, me salvaste la vida puesh. Triple hijueputa q me ayudo este post man. Gracias pelado!!
I have received a HTC TYTN II from my company, which currently is synching with our mailserver so that I can read my email wherever I am.
Since I'm curious, I tried to get my old Wizard to do the same. I did the same install as with the Kaiser, but I get the dreaded "0x85010004". I scanned thru the Kaisers registry and took all root-certificates under "HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates" and imported them into the Wizard and rebooted, but no luck. I am assuming it's a certificate of some kind that is missing, but I can't find where else it could be? Does Exchange install a hidden certificate on the phone in order to identify it, and if so - why isn't it shown in the certificates menu?
Any help is appreciated.
BR
Fredrik
activesync cert with exchange
hi fredrik,
activesync accessing exchange on a mobile device uses OWA (outlook web access) to access your email through SSL. the best way to get the cert you need is to log into your OWA (probably something like https://webmail.yourcompanyname.com) or whatever it is (it's the same address you use when you put in when confiigure exchange with activesync) from a desktop pc. than, right click on a blank portion of the page and go to properties. you should see a button that says certificates, click on that, than click on the details tab. than click on the "copy to file" button and the cert export wizard will start. click next, than select base64 as the type of cert, than hit next, name it, save it, put it on a memory card or bluetooth the file to your phone and install it. sometimes, during the install, your phone will error out when installing it, just soft reset, and then install it again. you should get a message that says it was installed successfully. than configure for activesync for exchange on your phone and you should be all good. let me know if that works for you.
Thanks for the help!
Tried that and got the same problem. The original phone has Pointsec installed in it, but I do not think that it gerenates any certificates (at least not any I have found in the registry). Is the ACU version important?
/F
Talked to my IT department and they told me that Pointsec decodes a certificate in order to communicate with our mailservers. Anyone any good at pointsec and knows if it puts a crypto on the Registry or if it is purly file based? If the file is decrypted each time I punch in my code, it should register the time when the file is being decrypted... What programs can search files in WM and search for the time stamp?
BR
Fredrik
I have an AT&T Tilt. I had Direct Push from Exchange Server working perfectly with no effort - was working for months. Then, I had a hardware problem with that phone and was given a replacement from AT&T. After replacing it I am unable to configure the direct push any more. I wrote down all the settings and carefully reapplied them on the new phone.
What I am seeing now is when manually invoking a send/receive, ActiveSync reports the following:
------
Result:
The server you are synchronizing with is not an Exchange Server, or is running incompatible
software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Support Code: 0x85030022
------
I've been on the line with the hosted exchange server folks and there's no change on their end...
I installed the certificate as suggested above - seemed like it was worth a shot. No difference.
Any ideas?
sorry for the late reply.
I'm not too sure about your pointsec fredrick, as we don't use it on our mobile devices at work, but we do use it on our computers. as far as i know, pointsec is supposedly suppose to be transparent encrypt/decrypt after you first turn on your device and enter a passcode, heck, windows mobile should operate like pointsec isn't even on the device, so it shouldn't be a cert issue, but who knows, i never liked pointsec anyway. sorry i can't be more helpful.
ubetchya,
that error message is pretty straight forward, either the OWA address is wrong or your certificate isn't installed correctly. i know this sounds lame, but if you can, borrow a friend's Windows Mobile phone and config it with activesync to verify your settings are correct. for the owa address, try adding "/exchange" without the quotes at the end, maybe their redirect isn't working correctly. so if your server address is "https://webmail.hostedexchange.com", make it look like "https://webmail.hostedexchange.com/exchange" (that should take you to directly to the exchange server without using their redirect). if you want, you can also try downloading the certificate directly from your hosted exchange guys, if they have the cert page up that is (most exchange admins leave it up, i know we do =P ) to get to the cert page, go to a desktop pc...
1. type in your webmail server address and add "/certsrv" at the end without the quotes (ie; "https://webmail.hostedguys.com/certsrv"
2. it will prompt you for a username, it should be in the following format "domain\username", so if my domain was microsoft, and my username was bill, than my username would be "microsoft\bill" without the quotes
3. enter your password.
4. click on the last link, "download a certificate, certificate chain, etc"
5. select the base 64 encoding method and than click download CA certificate.
6. save it to a memory card or bluetooth it over to your phone and install it.
hope that helps!
oh... and one more thing about your server address, it could be different than adding "/exchange" at the end, to verify, just to your webmail and see wear it redirects, when you get to your login page (if using forms based authentication), use that address, if not using forms based, (small popup window for login) just log in and than use that address.
UBetchYa said:
I have an AT&T Tilt. I had Direct Push from Exchange Server working perfectly with no effort - was working for months. Then, I had a hardware problem with that phone and was given a replacement from AT&T. After replacing it I am unable to configure the direct push any more. I wrote down all the settings and carefully reapplied them on the new phone.
What I am seeing now is when manually invoking a send/receive, ActiveSync reports the following:
------
Result:
The server you are synchronizing with is not an Exchange Server, or is running incompatible
software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Support Code: 0x85030022
------
I've been on the line with the hosted exchange server folks and there's no change on their end...
I installed the certificate as suggested above - seemed like it was worth a shot. No difference.
Any ideas?
Click to expand...
Click to collapse
I got it working. The error message was pretty close to telling me that it's an invalid server "name". My hosted exchange provider uses owa3.... I was missing the all-important 3.
No matter how hard they try, programmers can't make it completely idiot proof...
All is working now beautifully. Thanks much for the suggestsions.
Tytn II
Hi there,
I'm trying to connnect my Tytn II to my work's exchange server so I can use it instead of having to use a Crackberry however I'm getting the following message in ActiveSync:
Support code # 0x85030022
The server you are synchronizing with is not an exchange sever, or is running incompatible software. Choose Configure Server on the ActiveSync menu to specify the correct server.
Can anyone help ?
Hi Smooth,
Have you tried all the steps in this thread already? make sure you have installed the correct certificate, have the correct server address and ask your administrator if activesync is enabled on the exchange server. post back with your results to the tricks in this thread and we'll see what else you can try.