Unable to synchronize T-Mobile MDA with Exchange 2003

Device: T-mobile MDA, Windows Mobile 5.0 - OS 5.1.70 Build 14410.1.1.3

Server # 1: SBS 2003 Premium, SP1. Domain ABC.COM
                 Guess that Exchange SP2 is installed because we have Notifications and Push options under
                 Mobile Services Properties (Exchange Version: 6.5.7638.1)
                 SSL Certificate issued by Geotrust

Server # 2: SBS 2003 Premium, SP1. Domain XYZ.COM
                  Guess we DO NOT have Exchange SP2 because we do not have Notifications/Push options
                 (Exchange Version: 6.5.7226.0)
                  Self-signed SSL Certificate

Both Servers have a Mobile Carrier entry under Mobile Services - Global settings for T-mobile with t-mobile.com as the SMTP Domain. Servers have OWA, OMA, User initiates sync and Up-to-date notifications enabled.

When SYNCing from MDA to any of the servers we got:
"The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP ..."
Support Code: 0x80072FOD

Access to DOMAIN/OMA from both the PC and MDA pops a LOGIN Box and then generates an error --> A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.

Any advice will be highly appreciated

The mobile carrier options don't apply if you are using the push technology. I would suggest that you SP the other machine so that the machines are on the same service pack level.

The self generated SSL certificate will be a problem with the trust.

Stock answer #1 - does OMA work on the device? If you browse to the OMA does it throw any SSL errors? Pocket IE is more forgiving and will show the errors.
EAS cannot cope with the SSL errors, so you have to resolve them.

Anything in the event logs when you try to sync?

phermi (Author) Commented:

Thanks for your reply. What was the mobile carrier used for (just curiosity)?
Yes, we will SP Server # 2 after hours today. We are concentrating tests on # 1

OWA works perfect. The first time we got the SSL Warning, proceed with YES and works.

I have no certificate issues with OWA users on Server 2. So why will the self-signed be a problem?

Browsing from the device or any PC to OMA generates the error --> A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.

When typing the OMA address in the device, it gets changed to OWA.

On APP Logs for server # 1, we see a Server Active Sync event 3012 for the IUSR_sever user. The description is:
An error occurred while accessing the Active Directory for user [Internet Guest Account]. Information cannot be retrieved from Active Directory due to an unknown error. Verify that the Exchange ActiveSync Server can communicate with Active Directory, and that the user has a valid account.

We accept both Anonymous access and Integrated Windows authentication to the default web site.

How can a certificate be installed on the Windows Mobile device?

The carrier information was how sync was done in the past. It was part of a feature called "Always up to date" (AUTD). However it was practically useless outside of the USA as it relied upon the handheld having an email address. Email to SMS gateways are unheard of outside of the US. Here in the UK I have to pay around 20c for every text message I send.
Microsoft then changed the technology to use http traffic instead.
As such that setting is almost useless now.

The SSL Certificate warning is an issue. You cannot have any warnings. You need to get rid of the warnings. Using a commercial certificate usually works, although you do need to ensure that it is trusted by the Windows mobile device.

You must have made a change to the server configuration for a redirect to take place. That isn't normal behaviour. Whatever you have done for that needs to be undone. If you have put in one of the options to redirect http to https traffic (which relies on the "require SSL" setting), it needs to be removed due to the technical behaviour of the OMA/EAS feature. It makes internal calls on port 80.

The error you are showing in the event viewer indicates that the anonymous account is enabled somewhere that it shouldn't be: either on the /oma, /Microsoft-Server-ActiveSync or /exchange virtual directory. Check in the IIS Manager. None of those should have anonymous authentication enabled.

phermi (Author) Commented:
Simon .. thanks again.

The SSL warning is the normal popup you get when pointing the browser to an SSL secured site for the first time. On a PC, you have the option to install the certificate right there. I do not know if that is also available for the device. That's the warning I referred to.

phermi (Author) Commented:
Staying with server # 1, for which we have the Geotrust cert, the error message doesn't seem to be logical -->
When SYNCing from MDA to any of the servers we got:
"The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP ..."
Support Code: 0x80072FOD

The fact that you are getting the warning is not good for sync. You need to get rid of the warning.
If this is a commercial certificate, that is done by installing the root certificate on to the device. I have a couple of techniques for doing that on my web site:

However you need to see which error it is. There are three that it can be - invalid name (so you are using server.domain.local to access the server but the certificate is in the name of mail.domain.com) - not trusted (needs the root - self generated certificates will be untrusted) - invalid dates (expired or the dates on the device are wrong).

You cannot install the certificate in the same way on the Windows mobile device, it is better to install the root certificate.
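
Added example, not part of the original thread: a triage of the three certificate errors listed in the answer above (invalid name, not trusted, invalid dates), run against constructed certificate data in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames, CA name, dates and the name-based trust check are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

def common_name(name):
    """commonName of a subject/issuer in getpeercert() form, or None."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName first, CN as fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = common_name(cert["subject"])
    return sans or ([cn] if cn else [])

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(cert, host, device_roots, device_time):
    """Return which of the three certificate errors a strict client would hit."""
    problems = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("invalid name")
    # Assumption: trust is modelled as "issuer CN is in the device root store".
    if common_name(cert["issuer"]) not in device_roots:
        problems.append("not trusted")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= device_time <= end:
        problems.append("invalid dates")
    return problems

def make_cert(subject_cn, issuer_cn):
    """Constructed sample certificate in getpeercert() dict form."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": "Jan  1 00:00:00 2006 GMT",
            "notAfter": "Jan  1 00:00:00 2008 GMT"}

# Constructed data: hostnames, CA name and dates are placeholders.
COMMERCIAL = make_cert("mail.example.com", "Example Commercial Root CA")
SELF_SIGNED = make_cert("server.example.local", "server.example.local")
ROOTS = {"Example Commercial Root CA"}  # roots present on the device
NOW = datetime(2007, 1, 1, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    print(diagnose(SELF_SIGNED, "mail.example.com", ROOTS, NOW))
```

A real client decides trust by verifying the signature chain up to a root in its store; the issuer-name comparison here only stands in for that step so the three failure classes can be told apart.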

phermi (Author) Commented:

Thanks. Regarding Server # 1, tests will take some time so I won't be able to provide you feedback right away.

Regarding Server # 2, it was patched and it is working with its self-signed certificate.


phermi (Author) Commented:
Dear Simon,

I have created another post for a related but different problem. Please take a look at it -->

Thanks and regards,

phermi (Author) Commented:

Forgot to mention that the posting is related to Server # 1.
