David Williams asked:
Getting push mail to work between Exchange 2007 and Windows Mobile 5 smartphone edition

I have a new Microsoft Exchange 2007 installation. I'd like to try out the push-mail facilities. I have a Samsung Blackjack smartphone (running Windows Mobile 5).

I understand the process is to start ActiveSync on the handheld and tell it the address of the Exchange server. However, when I do this, the handheld simply reports it cannot connect.

The smartphone can connect to the Internet, and ports 80 and 443 (as well as 25) are open in the firewall to the Exchange server. I can access OWA on the server from out on the Internet.

Any help is much appreciated.
kprestage:

Can you access OMA from the internet?  Are you using an SSL certificate on your mail server?  Who issued the cert?  Not all SSL certificates are trusted by Windows Mobile.  I know we use InstantSSL (Comodo) for our certs, and we have to specifically request that they issue from a CA trusted by Windows Mobile.  Otherwise, ActiveSync will not work.

There can be lots of reasons for this.
SSL certificate support - or the lack of it is one of the most common problems.

The common questions have already been asked...

Can you access OMA? If you do, do you get an SSL prompt? Are you using SSL?

When you enter the URL in to the device, are you entering just host.domain.com ?
There should be no https, / anything or anything other than just the host name, which should match the SSL certificate.

Simon.
David Williams (asker):

I cannot access OMA; I assume by this you mean http(s)://www.company.com/oma - that simply brings up "page not found".

I am not using an SSL certificate. So, I guess the first step is to obtain a certificate - and, as kprestage advised, to be sure to purchase one specifically trusted by Windows Mobile. Is there any CA more recommended than another? The only one I really know of is Verisign.

Mikal613: thanks for the link. I'll check it out now.
I looked in IIS and there is no virtual directory for OMA. There is one for "Microsoft-Server-ActiveSync" however. If I open that URL from a web browser I do get prompted to login (but then get error 403.2 - read access is denied).

Is it possible "OMA" is an Exchange 2003 feature and it has been renamed in 2007? Or is OMA something I need to set up?

Missed that it was Exchange 2007.
OMA was dropped in Exchange 2007.

You may not be using an SSL certificate that you supplied, but there will be an SSL certificate in place as Exchange uses one.

Logging in to the Microsoft-Server-ActiveSync directory has generated the failure I would expect.

Simon.
Verisign certs are pretty much trusted everywhere, but they are pricey.  If you want to save money, you can go with an intermediate certificate authority like Comodo and save a lot of money.  The only issue with them is that they are not as globally trusted as Verisign or Thawte certs.  The major browsers trust them, but some smaller ones may not by default.

If the Microsoft-Server-ActiveSync directory gives the error you expect, then does this mean the server is configured correctly?

Could the problem be that Windows Mobile 5 can't communicate with Exchange 2007 (perhaps it is looking for OMA)?

Does ActiveSync provide an error code?  Something like 0x80045 or something along those lines?

Sorry, I should have provided the error code originally but I had put the SIM card back in my normal phone. I've just tried the BlackJack again and got this error. I had remembered the error sounding more sinister, this is actually fairly positive. Perhaps something I've tweaked has helped.

The error is Your account in Microsoft Exchange Server does not have permission to synchronise with your current settings.

The support code is 0x85010004.

To me this suggests a permissions issue somewhere.
I've just looked to check and Microsoft ActiveSync is enabled under my mailbox properties - as is OWA, which does work as expected.

However, I noticed that the URL for ActiveSync was specified as https and that IIS was set to require SSL.

I went back to the BlackJack and set the flag to enable SSL. This time I got a different error: "Synchronisation could not be completed. Try again later" with support code 0x80072F17.

In ActiveSync, just enter the domain name of the Exchange server.  No need to enter https://.
The error you are getting now is because of the SSL certificate.

http://www.futurehardware.in/430562.htm

You either need to disable the cert check, or get a cert that is trusted by Windows Mobile 5

0x80072F17 appears to indicate a certificate error. Before obtaining a certificate I'd like to make sure everything is working properly.

I thus disabled the SSL requirement in IIS and in the Exchange Management Console and on the handheld - and it went back to 0x85010004.

Looking at the virtual directory settings for IIS I notice that only Log Visits and Index this Resource were ticked for Microsoft-Server-ActiveSync. I ticked the "Read" box and now my error on the handheld is 0x85010006.

You don't necessarily want to disable SSL on IIS; in fact, I wouldn't recommend it!  Here is a good reference for all the ActiveSync error codes.

http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php

Is SSL required on your OWA instance?  If I remember correctly, just disabling SSL on the ActiveSync directory does not cut it since all that does is access OWA on the backend using SSL.

Here is a link that might help to get your untrusted cert loaded onto your device.

http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx

Thanks guys for all your help. After looking up the error codes I think SSL is definitely the way to go. What I was hoping to do was make sure it was set up ok and then apply a certificate - but it doesn't seem that simple; it seems there's more work involved in a non-SSL version than the other way around!

I'll check out the link above and try to get the untrusted cert loaded.
Thanks, kprestage, for all your help. We're definitely getting much closer.

I've installed the certificate successfully on the BlackJack. The folder synchronisation looked like it might have been going to succeed; it took longer to fail.

This time the error is "You have an incorrect SSL certificate common name in the Host Name field. For example, you may have entered www.tailspintoys.com when the common name on the certificate is actually www.wingtiptoys.com. Make sure the server name is entered correctly."

Support code: 0x80072F06.

Now, I expect this is because the certificate is in the name of the server, i.e. "server1" as opposed to "mail.company.com"

Am I able to get Exchange to re-issue the certificate in the public name?

You are definitely on the right track.  The name for the certificate needs to match the external name of the server.  I am not sure what your setup is internally, so make sure you read this first to make sure you do not mess up anyone who happens to use Outlook 2007 internally.

http://www.sembee.co.uk/archive/2007/01/21/34.aspx
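The two certificate failures seen in this thread come from two separate checks the handset makes: whether the certificate's issuer is in its root store (the 0x80072F17 stage), and only then whether the name typed into the server field matches a name on the certificate (the 0x80072F06 stage). The following is an added Python example, not code from the thread or from Microsoft, that models both checks so an administrator can predict the outcome before rolling a certificate out. The certificate dictionaries mirror the shape of Python's `ssl.getpeercert()` output and every value in them is constructed (`server1`, `mail.company.com`, `Example Trusted Root CA`); the trusted-root set is a stand-in for the device's root store, the support codes are used only as labels, and the rule that DNS subjectAltNames take precedence over the subject CN follows RFC 6125 and is an assumption rather than documented Windows Mobile 5 behaviour. It goes one step beyond the thread by also handling wildcard names.

```python
"""Added example: model the checks a mobile client makes on an ActiveSync
server certificate, so an admin can predict "untrusted issuer" versus
"host name mismatch" before touching the handset.  Not from the thread;
the certificate dictionaries mirror the shape of ssl.getpeercert() output
and every value in them is constructed."""


def clean_server_name(entered):
    """Reduce what was typed in the device's server field to a bare host
    name: no scheme, no path, no port (the thread's advice: just
    host.domain.com)."""
    name = entered.strip()
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0]
    if ":" in name:                      # drop a trailing :port (IPv4/hostnames only)
        name = name.rsplit(":", 1)[0]
    return name.lower().rstrip(".")


def _dns_names(cert):
    """Names the client may match against: DNS subjectAltNames if present,
    otherwise the subject commonName (RFC 6125 precedence; an assumption
    about the client, the thread only shows the CN being checked)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def _name_matches(pattern, host):
    """Case-insensitive exact match, or a wildcard covering exactly the
    leftmost label (so *.company.com matches mail.company.com but neither
    company.com nor a.b.company.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return value
    return None


# Support codes the asker reported, used here only as labels for the outcome.
UNTRUSTED_ISSUER = "0x80072F17"
NAME_MISMATCH = "0x80072F06"
OK = "ok"


def diagnose(cert, entered_name, trusted_roots):
    """Return which failure the device would report, or OK.  trusted_roots
    stands in for the handset's root store and holds issuer common names
    (a constructed simplification: real chain validation also checks
    signatures and validity periods)."""
    host = clean_server_name(entered_name)
    if _issuer_cn(cert) not in trusted_roots:
        return UNTRUSTED_ISSUER          # the device never reaches the name check
    if not any(_name_matches(name, host) for name in _dns_names(cert)):
        return NAME_MISMATCH
    return OK


# Constructed certificates.  EXCHANGE_SELF_SIGNED mirrors the thread's situation:
# the Exchange-generated certificate names the internal server, not the public name.
EXCHANGE_SELF_SIGNED = {
    "subject": ((("commonName", "server1"),),),
    "issuer": ((("commonName", "server1"),),),
}
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "mail.company.com"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),   # constructed CA name
    "subjectAltName": (("DNS", "mail.company.com"), ("DNS", "autodiscover.company.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.company.com"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),
    "subjectAltName": (("DNS", "*.company.com"),),
}
DEVICE_ROOTS = {"Example Trusted Root CA"}          # what the handset trusts out of the box
DEVICE_ROOTS_WITH_CAB = DEVICE_ROOTS | {"server1"}  # after loading the server's root via a .cab


if __name__ == "__main__":
    for label, cert, roots in [
        ("self-signed, stock roots", EXCHANGE_SELF_SIGNED, DEVICE_ROOTS),
        ("self-signed, root cab installed", EXCHANGE_SELF_SIGNED, DEVICE_ROOTS_WITH_CAB),
        ("public CA cert", PUBLIC_CA_CERT, DEVICE_ROOTS),
    ]:
        print(f"{label:32} mail.company.com -> {diagnose(cert, 'https://mail.company.com/', roots)}")
```

Running it reproduces the thread's sequence: the self-signed certificate fails on the issuer with stock roots, fails on the name once the root is loaded and the public name is entered, and only passes when the entered name is the one actually on the certificate, which is why the fix is a certificate issued for `mail.company.com` rather than any change on the device.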

We're definitely getting close.

On the Exchange Management Console's Welcome page I clicked the "Configure SSL for your Client Access Server" link. Step 1 tells how to use the Exchange console to create a certificate request with the domain names I want. Unfortunately, to convert this to a .cer file, it says you submit it to a CA.

It did give the thumbnail, so I could follow the details in the web site you linked to and make a new certificate for the handheld, but presumably (surely?) I have to import the certificate into Exchange first?
ASKER CERTIFIED SOLUTION
kprestage:

Oh my, that looks saddeningly complex :(

It would be nice if I could just add "mail.company.com" to the Exchange-generated certificate. The link above advocates either a commercial SSL certificate or a process that requires Outlook Anywhere, an additional IP address and so forth.

Nevertheless, I think it's pretty clear the solution is to use a proper SSL certificate. You've certainly helped me get an understanding of the issues and the problem, and you've given me full confidence this can work and that it's not just, say, Windows Mobile 5 is incompatible.

I appreciate all your help, Kprestage. I think the way from here for me is to get the authentic SSL certificate.
Cool, just read your last post about creating my own .cer file ... I'll check that out right now.
Kprestage, I am in your debt :)
I hope that means you got it working!