jmelcher

Exchange 2007 and intermittent ActiveSync SSL errors

I have an Exchange 2007 Std install on a Windows 2003 R2 Std x64 server and I'm getting really weird behavior from ActiveSync.  Here are the details:

1.  Obtained SSL cert from GoDaddy.
2.  Installed cert on Exchange.
3.  Tested OWA.  No errors.  SSL cert is valid.
4.  Ran the Microsoft Exchange Server Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/Default.aspx) and it says all is well with OWA and ActiveSync simulation.
5.  Set up a WM5 device to sync via ActiveSync.  Folders and mail sync'd just fine.  All is well!
6.  About three hours after setting up the WM device, push mail unexpectedly stops.  Manual sync generates an "SSL cert not valid" error.  WTF?
7.  Rebooted WM device.  No luck.
8.  Rebooted Exchange server.  No luck.
9.  Upgraded WM device to WM6.1 and tried again.  No luck.
10.  Tried completely different phone (different carrier, different SIM).  No luck.
11.  Retried step #4.  It says my cert is fine.
12.  Retried OWA.  It says cert is fine.
13.  Retried WM6.1 device about a week later.  It worked!  Yay!  Push email working again, although I have no idea why.
14.  But only for about an hour.  Then it stops and I get SSL error again.  It's still not working after a week or so.

Folks, I'm stumped.  If the SSL cert wasn't valid to begin with, I never would've gotten the initial sync to work.  Yet it *did* sync and work fine, sometimes for almost a complete day.  OWA shows the correct cert is being served and it's a valid cert.  IIS shows the right cert.  DNS is set up properly, otherwise it would have failed the initial sync attempt.  Microsoft's Remote Connectivity Analyzer passes all five tests with no errors.  The ActiveSync test in particular succeeds and even does the sync test.  It accurately reports the proper number of folders in the mailbox and the proper number of messages waiting to be read, so it really is working.  But no WM phone will sync anymore, and -- here's the really crazy part -- I haven't changed anything on this server in months.  The server applog and syslog are clean and show no errors.

The entire Exchange/SSL/DNS setup was done in accordance with instructions taken from this website: http://www.sembee.co.uk/archive/2008/05/30/78.aspx.  I ran through this same set of instructions on a test Exchange server (actually my home Exchange setup) before trying it in production.  The test server is still working fine and syncs just fine, so the instructions work.  The only difference between my home setup and the production server is (a) my home setup uses Win2K8 for the Exchange server and (b) work has a Cisco ASA firewall instead of the Linksys I have at home.

Can someone suggest what might be wrong?  Is there a way I can get better diagnostics info from a WM device in order to troubleshoot this issue?  I just can't seem to get any reasonable error logs that tell me anything useful and I'm out of ideas.
Mestha

When you get the certificate is not valid error, what happens if you then browse to the site? Can you access it?

I have seen this happen when the server cannot be reached and something intercepts the SSL traffic and presents an error page. The SSL certificate isn't correct, so throws an error.

-M
jmelcher

ASKER

As I stated above, OWA works fine.  Since OWA is being served from the same server using the same SSL cert, it appears the site is both accessible and has a correct cert.  Also, the cert hasn't changed -- ever.  If ActiveSync worked at all (which it did, twice) then the SSL *must* be correctly set up.  ActiveSync won't work otherwise.

Now you see why I'm so confused.
When you tested OWA, did you do so from the device or a full PC?
Have you tried another device, or the Windows Mobile emulator?

-M
Tested OWA from a PC, both inside and outside the firewall.  Same results: it works fine and it's serving the right certificate.

I'm running Vista x64 so while I can run the WM emulator, I can't get any network connectivity.  From what I've been able to find, the VPC network driver required by the emulator is not supported under 64-bit Vista.
A PC test of OWA isn't valid.
You need to test OWA from the device. The certificate acceptance is different. I have seen IE work and the device fail in the past.

I can't comment on the Vista x64 network driver issue. I have used the emulator on Vista x86, as it uses the driver from Virtual PC which is supported on Vista x86.

-M
Further update:  I surfed to OWA using Opera on a WM6.1 device (AT&T Fuze with NATF ROM v4).  Opera correctly reports the certificate with the right name (mail.mydomain.com) and shows the lock symbol on the URL bar.  The OWA login page is correctly displayed.  I pulled up the details on the certificate (in Opera Mobile) and it shows all the right stuff.  The URL is right, the SAN is right...everything is correct as far as OWA goes.

Now, is it possible that somehow, somewhere, the Microsoft-Server-ActiveSync virtual directory is getting confused?  I'm looking at the IIS control panel on it right now and the "Directory Security" tab shows the proper certificate.

What's the deal with this "thumbprint" stuff with respect to SSL?  Could that be incorrectly set?
SSL certificates are set on a per server basis, not a per virtual directory.
What about trying Pocket IE - as that uses the system certificate store, whereas I think Opera has its own.

If you suspect that the virtual directory could be wrong, then recreate it
Remove it: http://technet.microsoft.com/en-us/library/bb124752.aspx
Recreate it: http://technet.microsoft.com/en-us/library/aa998812.aspx
(The web site name on a default installation is "Default Web Site")

-M
Aha!  Here's something interesting.  When I try to view OWA using IE on the WM6.1 phone, I get an SSL warning.  The warning says "The certificate was issued by company you have not chosen to trust."  The other two items ("the certificate date is valid" and "the certificate has a valid name...") have green checks next to them.

Now here's the weird part:  I have a cert *from the same CA* installed on my test server at home, and Pocket IE gives no cert warning at all when accessing my home OWA.

But wait, there's more!  After surfing without error to my home OWA, I shut down IE and surfed back to my corporate OWA (the one that had just minutes earlier thrown an SSL error).  Now there was no error!  I logged into OWA using Pocket IE and at no point did it scream about an invalid SSL cert.

Is there some bizarre config that could cause different SSL certs to be served in some sort of round-robin fashion?
SOLUTION
Mestha
Last item before I try to call GoDaddy: we have a Barracuda web filter in place between the firewall and all internal hosts -- including the Exchange server.  Have you ever heard of a Barracuda messing up SSL?

The one thing that still doesn't fit is why we never, ever, *ever* get any SSL errors using IE on a PC to access OWA.  You'd think if the certs were in the wrong order that we'd get errors either randomly or all the time, but we *never* get any OWA SSL errors.
With regard to the Barracuda, as long as that isn't THE firewall, so that the traffic has to go through it, then it shouldn't be the issue.

On the certificate issue, for some reason Internet Explorer (Desktop) appears to work no matter what is done to the certificates. Whether it is due to the fact that IE has more certificates in its store than a Windows Mobile device (about half a dozen on WM), I don't know. I have seen this before though.

I never call GoDaddy myself (probably because I am in the UK). I send an email and it gets immediately forwarded to the SSL support team. I usually have a reply about an hour later, no queueing required.
Remember it isn't GoDaddy doing support on SSL, it is Starfield.

-M
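The mismatch Mestha describes (desktop IE succeeding while a device with only a handful of root certificates in its store fails) comes down to whether the server sends the intermediate CA certificate along with its own. The Go program below is an added example, not code from the thread, from Exchange or from GoDaddy: it builds a constructed root -> intermediate -> leaf chain for the placeholder host mail.example.test and verifies the leaf the way a client would that trusts only the root and cannot download a missing issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a cert for cn with parent/pkey (self-signed when parent is nil); constructed test data, not real certificates.
func issue(cn string, ca bool, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign // root and intermediate may sign certificates
	} else {
		t.DNSNames = []string{cn} // verifiers match the host name against the SAN
	}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// BuildChain returns root, intermediate and leaf for host (CA -> issuing CA -> mail server).
func BuildChain(host string) (root, inter, leaf *x509.Certificate) {
	root, rkey := issue("Example Root CA", true, 1, nil, nil)
	inter, ikey := issue("Example Intermediate CA", true, 2, root, rkey)
	leaf, _ = issue(host, false, 3, inter, ikey)
	return root, inter, leaf
}
// ChainVerifies models a client that trusts only root, cannot fetch a missing issuer, and sees exactly what the server sent (leaf first).
func ChainVerifies(root *x509.Certificate, served []*x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served[1:] { inters.AddCert(c) }
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
func main() {
	root, inter, leaf := BuildChain("mail.example.test")
	fmt.Println("leaf only:", ChainVerifies(root, []*x509.Certificate{leaf}, "mail.example.test"), "leaf+intermediate:", ChainVerifies(root, []*x509.Certificate{leaf, inter}, "mail.example.test"))
}
```

A Windows desktop client can fetch a missing intermediate from the URL in the certificate's Authority Information Access extension, which is one reason OWA in IE on a PC passes while a device that checks only what the server sent does not.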
ASKER CERTIFIED SOLUTION
I knew it was something like that as I have had to do it myself in the past. I simply couldn't find what GoDaddy had sent to me in the past.

-M