ActiveSync won't work over SSL - Qtek 9100 WM5 Exchange 2003 SP2

wanstor asked:
I'm trying to get ActiveSync to work from my Qtek 9100 with my Exchange 2003 SP2 server.

If I disable SSL on the server and on the device, the PDA will sync straight away.

I have installed the original home-grown certificate from the server onto the Qtek (as root and personal), and have also installed a Thawte certificate on the server and onto the Qtek (under root and personal too), but I'm still faced with:

"the security certificate on the server is invalid. contact your exchange server administrator... 0x80072F0D"

I have followed KB817379.  I can browse https://webmailserver/OMA just fine.

I have tried turning off SSL just on the oma and exchange-oma virtual directories, and then on the phone (leaving the root of the web with SSL enabled), and then I'm faced with what appears to be a user permissions problem:
"Your account in MS Exchange Server does not have permission to synchronize with your current settings. Support code 0x85010004"

I have checked System Manager and unchecked all the mobile device authentication checks, and besides, I made the user a Domain Admin / Administrator to test, and still get the same error.

Does anyone else have this issue? I refuse to resign myself to turning off SSL, but need to get the thing working too!

Thanks... I've seen that KB (as listed in my description of the problem).

Any other ideas?
I've had to do this once, and it does work (from the KB), putting a front-end server in is a MUCH better idea as the article describes.  The bottom line is, it does not work with straight SSL... but this allows you to keep SSL for your non-BB clients....

Method 2
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Important: Method 2 should be used only in an environment that has no Exchange Server 2003 front-end server. The registry changes should be made only on the server on which the mailboxes are located.

Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory. You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these instructions:

Note: These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.
1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is the following:
Web Sites\Default Web Site\Exchange
3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import , click Exchange, and then click OK.

A dialog box will appear that states that the "virtual directory already exists."
8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.  
9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.  
12. Make sure that only the following authentication methods are enabled, and then click OK:
• Integrated Windows authentication
• Basic authentication
13. Under IP address and domain name restrictions, click Edit.  
14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.  
16. Click OK, and then close the IIS Manager.  
17. Click Start, click Run, type regedit, and then click OK.
18. Locate the following registry subkey:
19. Right-click Parameters, point to New, and then click String Value.
20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

Note: ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
21. In the Value data box, type the name of the new virtual directory that you created in step 8 preceded by a forward slash (/). For example, type /exchange-oma. Click OK.
22. Quit Registry Editor.  
23. Restart the IIS Admin service. To do this, follow these steps:
a. Click Start, click Run, type services.msc, and then click OK.
b. In the list of services, right-click IIS Admin service, and then click Restart.
Note: If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma.

The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.
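The KB steps above are all clicked through in IIS Manager and regedit, which makes it easy to miss one (the asker had "followed the method" and still got 0x85010004). The batch file below is an added check script, not part of the KB or of this thread: it reads back the three settings that Method 2 depends on from the IIS 6 metabase and the registry. It assumes the default Web site (metabase path W3SVC/1), the exchange-oma alias used in the KB example, and the MasSync\Parameters subkey under HKLM\SYSTEM\CurrentControlSet\Services, which the KB text above does not reproduce; adjust all three if your server differs.

```batch
@echo off
rem Added verification script (not from KB817379 or this thread).
rem Assumptions: default Web site = W3SVC/1, vdir alias = exchange-oma,
rem registry subkey = HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/exchange-oma
set MASSYNC=HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

rem KB step 15: the copy must NOT require SSL; the front-to-back hop is plain HTTP.
%ADSUTIL% GET %VDIR%/AccessSSL | findstr /C:"False" >nul
if errorlevel 1 (echo FAIL: %VDIR% still requires SSL, or the vdir does not exist) else (echo OK:   AccessSSL is off)

rem KB step 12: AuthFlags is a bit mask. Basic=2 + Integrated Windows=4 = 6.
rem Anonymous (1) must be clear, otherwise the request never carries the user's identity.
%ADSUTIL% GET %VDIR%/AuthFlags | findstr /C:"(INTEGER) 6" >nul
if errorlevel 1 (echo FAIL: AuthFlags is not exactly Basic+Integrated ^(6^)) else (echo OK:   AuthFlags=6)

rem KB steps 18-21: the value NAME is case-sensitive. reg query finds it case-insensitively
rem but prints the stored spelling, and findstr matches case-sensitively, so a value saved
rem as "Exchangevdir" fails here exactly as it fails for ActiveSync.
reg query "%MASSYNC%" /v ExchangeVDir | findstr /C:"ExchangeVDir" | findstr /C:"/exchange-oma" >nul
if errorlevel 1 (echo FAIL: ExchangeVDir is missing, wrongly cased, or not /exchange-oma) else (echo OK:   ExchangeVDir=/exchange-oma)
endlocal
```

Run it from an elevated command prompt on the mailbox server after completing the KB steps and again after the IIS Admin restart; all three lines should read OK. The IP restriction from step 14 (deny the server's own address) is not covered here because adsutil prints the IPSecurity object rather than the deny list, so confirm that one in IIS Manager.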


Thanks... As I had mentioned in the question, I had already followed KB817379 and followed the method.

However, I have solved the problem myself, here's how.

Downloaded IIS6.0 resource kit.
Made the existing certificate (self-generated) also into a self-signed certificate.  From the command prompt:

selfssl /T /N:cn=servername /V:365 /P:443

Then I exported this certificate and added it to the PDA's root certificate store and now ActiveSync across SSL works.
Closed, 500 points refunded.
Experts Exchange Moderator
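What finally worked in this thread was a self-signed certificate (selfssl /T /N:cn=servername /V:365) exported and imported into the PDA's root store, after a CA-issued certificate had failed with 0x80072F0D. The Go program below is an added example, not code from this thread or from Microsoft: it builds both kinds of certificate and runs the two checks a sync client makes against its own root store (does the chain end at something I trust, and does the name match), so you can see which combinations the device accepts. It uses only the Go standard library; the host name webmailserver and the CA name are assumptions for illustration. Modern Go matches names against the SAN extension while 2006-era clients used the CN, so the server certificates carry the name in both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for name, valid for days. With parent == nil it is
// self-signed (issuer == subject, signed with its own key), the shape selfssl produces;
// otherwise it is signed by parent/parentKey, like a cert from an internal CA.
// CA certificates carry no host name and get the CertSign usage instead.
func makeCert(name string, days int, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Go (1.15+) matches the host against SANs only; 2006-era clients used the CN.
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// exportPEM is the file you copy to the device and import into its root store.
func exportPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// deviceVerify does what the sync client does with the server certificate: build a
// chain to something in its root store, then check the name. An empty store models a
// device with nothing imported; the OS system roots are deliberately not consulted.
func deviceVerify(server *x509.Certificate, rootStore []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, c := range rootStore {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// classify maps the result onto the two reasons a device rejects a certificate:
// its issuer is not in the root store, or the name does not match the server.
func classify(err error) string {
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &hostErr):
		return "name mismatch"
	case errors.As(err, &authErr):
		return "unknown authority"
	default:
		return "invalid: " + err.Error()
	}
}

func main() {
	const host = "webmailserver" // assumed name the device is pointed at
	selfSigned, _, err := makeCert(host, 365, false, nil, nil) // like selfssl /N:cn=host /V:365
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed, imported as root:       ", classify(deviceVerify(selfSigned, []*x509.Certificate{selfSigned}, host)))
	fmt.Println("self-signed, nothing imported:       ", classify(deviceVerify(selfSigned, nil, host)))
	fmt.Println("self-signed, device uses other name: ", classify(deviceVerify(selfSigned, []*x509.Certificate{selfSigned}, "servername")))

	ca, caKey, err := makeCert("Internal Root CA", 3650, true, nil, nil) // assumed internal CA
	if err != nil {
		panic(err)
	}
	leaf, _, err := makeCert(host, 365, false, ca, caKey) // server cert issued by that CA
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-issued, CA root imported:         ", classify(deviceVerify(leaf, []*x509.Certificate{ca}, host)))
	fmt.Println("CA-issued, nothing imported:         ", classify(deviceVerify(leaf, nil, host)))
	fmt.Print("\nfile to import on the device:\n", exportPEM(selfSigned))
}
```

The two things to take from it: a self-signed server certificate is its own trust anchor, so importing that one file as a root is sufficient, whereas a CA-issued certificate needs the issuing CA's certificate in the device's root store, not the server certificate; and the name the device is configured with must be the name in the certificate, so a certificate for cn=servername does not validate when the device connects to webmailserver.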
