Solved

Activesync won't work over SSL - Qtek 9100 WM5 exchange 2003 sp2

Posted on 2006-11-09
6
781 Views
Last Modified: 2010-05-18
Hi,
I'm trying to get Activesync to work from my Qtek 9100 with my Exchange 2003 sp2 server.

If I disable SSL on the server and on the device, the PDA will sync straight away.

I have installed the original home grown certificate from the server onto the Qtek (as root and personal), and also have installed a Thawte certificate on the server and onto the Qtek - under root and personal too, but I'm still faced with:

"the security certificate on the server is invalid. contact your exchange server administrator... 0x80072F0D"

I have followed KB817379.  I can browse https://webmailserver/OMA just fine.

I have tried turning off the ssl just on the oma and exchange-oma virtual directories, and then on the phone (leaving the root of the web with ssl enabled) and then I'm faced with what appears to be a user permissions problem:
"your account in MS Exchange Server does not have permission to synchronize with your current settings.  Support code 0x85010004"

I have checked system manager and unchecked all the mobile device authentication checks, and besides, I made the user a domain admins / administrator to test, and still the same error.

Does anyone else have this issue??  I refuse to resign myself to turning off ssl, but need to get the thing working too!
0
Comment
Question by:wanstor
6 Comments
 
LVL 48

Expert Comment

by:Mikal613
ID: 17905985
0
 
LVL 1

Author Comment

by:wanstor
ID: 17906184
Thanks... I've seen that kb (as listed in my description of the problem)

Any other ideas?
0
 
LVL 9

Expert Comment

by:ParadiseITS
ID: 17914977
I've had to do this once, and it does work (from the KB), putting a front-end server in is a MUCH better idea as the article describes.  The bottom line is, it does not work with straight SSL... but this allows you to keep SSL for your non-BB clients....

Method 2
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Important Method 2 should be used only in an environment that has no Exchange Server 2003 front-end server. The registry changes should be made only on the server on which the mailboxes are located.

Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory. You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these instructions:

Note These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.

1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is the following:
Web Sites\Default Web Site\Exchange
3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import, click Exchange, and then click OK.

A dialog box will appear that states that the "virtual directory already exists."
8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.  
9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.  
12. Make sure that only the following authentication methods are enabled, and then click OK:
• Integrated Windows authentication
• Basic authentication
 
13. Under IP address and domain name restrictions, click Edit.  
14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.  
16. Click OK, and then close the IIS Manager.  
17. Click Start, click Run, type regedit, and then click OK.
18. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters
19. Right-click Parameters, click to New, and then click String Value.  
20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

Note ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
21. In the Value data box, type the name of the new virtual directory that you created in step 8 preceded by a forward slash (/). For example, type /exchange-oma. Click OK.
22. Quit Registry Editor.  
23. Restart the IIS Admin service. To do this, follow these steps:
a. Click Start, click Run, type services.msc, and then click OK.
b. In the list of services, right-click IIS Admin service, and then click Restart.
 
Note If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma.

The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.
0
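Added example, not part of the thread or of the KB text quoted above: a PowerShell check of the registry value created in steps 18 to 21, run on the mailbox server. The function name Test-ExchangeVDir and the single-path-segment pattern for the value data are assumptions made for this example.

```powershell
# Added check (not from the KB): verify the ExchangeVDir value from steps 18-21.
function Test-ExchangeVDir {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return "FAIL: key not found: $KeyPath"
    }
    $key = Get-Item -LiteralPath $KeyPath

    # PowerShell property lookups ignore case, so compare the raw value names
    # with case-sensitive operators to catch 'exchangevdir' or 'ExchangeVdir'.
    $names = $key.GetValueNames()
    $exact = $names | Where-Object { $_ -ceq 'ExchangeVDir' }
    $near  = $names | Where-Object { $_ -ieq 'ExchangeVDir' -and $_ -cne 'ExchangeVDir' }
    if ($near)       { return "FAIL: value name has wrong case: $near" }
    if (-not $exact) { return 'FAIL: ExchangeVDir value is missing' }

    # Step 19 creates a String Value (REG_SZ).
    $kind = $key.GetValueKind('ExchangeVDir')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        return "FAIL: ExchangeVDir is $kind, expected String"
    }

    # Step 21: the data is the virtual directory name preceded by a forward slash.
    # Assumption: the name is one path segment with no slashes or whitespace.
    $data = $key.GetValue('ExchangeVDir')
    if ($data -notmatch '^/[^/\\\s]+$') {
        return "FAIL: unexpected value data '$data'"
    }
    "OK: ExchangeVDir = $data"
}

Test-ExchangeVDir
```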
 
LVL 1

Author Comment

by:wanstor
ID: 17931562
Thanks... As I had mentioned in the question, I had already followed KB817379 and followed the method.

However, I have solved the problem myself, here's how.

Downloaded IIS6.0 resource kit.
Made the existing certificate (self-generated) also into a self-signed certificate.  From the command prompt:

selfssl /T /N:cn=servername /V:365 /P:443

Then I exported this certificate and added it to the PDA's root certificate store and now ActiveSync across SSL works.
0
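Added example, not part of the thread: a PowerShell diagnostic, run from a workstation, that reads the certificate the server presents on port 443 and reports the properties the selfssl command above controls (subject name, issuer, validity). The function names and the 'servername' placeholder are assumptions; substitute the exact host name entered in the device's ActiveSync settings.

```powershell
# Added diagnostic, not from the thread. 'servername' below is a placeholder for
# the exact host name entered in the device's ActiveSync server settings.
function Get-ServerCertificate {
    param([string]$ServerName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Accept whatever is presented: the goal is to read it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ServerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

function Test-ActiveSyncCertificate {
    param([string]$ServerName, [int]$Port = 443)

    $cert = Get-ServerCertificate -ServerName $ServerName -Port $Port
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    # Subject CN only; SAN entries and wildcards are not evaluated here.
    $cn  = $cert.GetNameInfo($nameType, $false)
    $now = Get-Date

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        NameMatches = ($cn -ieq $ServerName)
        # Heuristic: identical subject and issuer strings indicate a self-signed certificate.
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        InValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    }
}

Test-ActiveSyncCertificate -ServerName 'servername' | Format-List
```

When SelfSigned is True, compare the reported Thumbprint with the certificate exported to the device: a self-signed certificate has no separate issuer, so the copy in the device's root store has to be that same certificate.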
 
LVL 1

Accepted Solution

by:
kodiakbear earned 0 total points
ID: 17975426
Closed, 500 points refunded.
kb
Experts Exchange Moderator
0
