aconway
asked on
ActiveSync error 80072f0d - Invalid security certificate
Working with a Motorola Q Smartphone and trying to get ActiveSync working wirelessly to our SBS2003 Exchange Server (Exchange Service 2003 Pack 2).
I was first having major issues importing the sbscer.cer file to the Smartphone. The VZW_AddCert program was telling me the Certificate file was "not a valid file". So I found an alternate method of creating a .CAB file from a .XML file (I don't have the URL handy). I imported the SSL cert into the XML file, generated the .CAB file then I copied the .CAB file to the phone and installed it from there. It recognized the file, installed it and appears to accept the certificate through this method. It didn't complain at the time, at least.
So I try to run active sync again on the phone and I get: ActiveSync error 80072f0d - Invalid security certificate
This is the same error I've been getting all along, even before the SSL cert was imported into the device.
I am pretty sure the certificate is valid. I installed the certificate on the workstation that syncs with the phone and it says it's valid, it matches and reports OK in Internet Explorer. I can login to Exchange Web Access via SSL with no problem from any workstation on the network, but the phone is still giving me this error..??
It's a personally generated certificate from the SBS Internet Setup Wizard, by the way.
Is there possibly a firmware upgrade that's needed for the phone? Something else? I found this and might try it later tonight... http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm
I was first having major issues importing the sbscer.cer file to the Smartphone. The VZW_AddCert program was telling me the Certificate file was "not a valid file". So I found an alternate method of creating a .CAB file from a .XML file (I don't have the URL handy). I imported the SSL cert into the XML file, generated the .CAB file then I copied the .CAB file to the phone and installed it from there. It recognized the file, installed it and appears to accept the certificate through this method. It didn't complain at the time, at least.
So I try to run active sync again on the phone and I get: ActiveSync error 80072f0d - Invalid security certificate
This is the same error I've been getting all along, even before the SSL cert was imported into the device.
I am pretty sure the certificate is valid. I installed the certificate on the workstation that syncs with the phone and it says it's valid, it matches and reports OK in Internet Explorer. I can login to Exchange Web Access via SSL with no problem from any workstation on the network, but the phone is still giving me this error..??
It's a personally generated certificate from the SBS Internet Setup Wizard, by the way.
Is there possibly a firmware upgrade that's needed for the phone? Something else? I found this and might try it later tonight... http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm
ASKER
So when I try to go to the URL you listed, I get:
"There is a problem with this websites security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server."
I can continue and login. Then I get:
"A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator."
So even if OWA SSL works, the Smartphone still has a beef with the cert because it's a self-generated cert?
"There is a problem with this websites security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server."
I can continue and login. Then I get:
"A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator."
So even if OWA SSL works, the Smartphone still has a beef with the cert because it's a self-generated cert?
ASKER
Oh and I noticed you said "use Pocket IE" to browse to that site.. I didn't catch that part.. I don't have the phone handy, but I just tried to hit it with my PDA and it says the
Cert was issued by a company I have not chosen to trust.
The Cert date is valid.
The Cert has a valid Name.
Do I want to proceed?
But I am guessing I will need to test that page on the Smartphone's PocketIE?
Cert was issued by a company I have not chosen to trust.
The Cert date is valid.
The Cert has a valid Name.
Do I want to proceed?
But I am guessing I will need to test that page on the Smartphone's PocketIE?
You have the problem right there.
The certificate is not trusted. Where did the certificate install on to the Windows Mobile device? Getting the certificates in to the right place on Windows Mobile is a pain, which is why I always use commercial SSL certificates and install their root certificate using a cabinet file (if required).
Simon.
The certificate is not trusted. Where did the certificate install on to the Windows Mobile device? Getting the certificates in to the right place on Windows Mobile is a pain, which is why I always use commercial SSL certificates and install their root certificate using a cabinet file (if required).
Simon.
ASKER
According to Motorola, the cert needs to be copied to a directory called "Storage" off the root folder of the device - which I did. I installed the cert using the CAB file method. It's the home grown SBS2003 cert, which is why it's "not trusted", I assume.
Do you know a public cert company that is 110% trusted by Verizon/Motorola Q?
So if I do set up a new (public) cert, will I need to remove the old cert that I just installed? How do I do that? I am assuming so, since the old cert and the new cert will have the same "mail.company.com" name.
Do you know a public cert company that is 110% trusted by Verizon/Motorola Q?
So if I do set up a new (public) cert, will I need to remove the old cert that I just installed? How do I do that? I am assuming so, since the old cert and the new cert will have the same "mail.company.com" name.
I don't have access to either Verizon or Moto Qs. Neither are available here in the UK.
My preferred certificate supplier for Windows Mobile devices is Go Daddy. However I don't think their root certificate (Starfield or ValuCert) is in the Moto Qs.
The root certificates in the devices actually have no bearing on the name of the certificate supplier - as the root certificates change hands.
Simon.
My preferred certificate supplier for Windows Mobile devices is Go Daddy. However I don't think their root certificate (Starfield or ValuCert) is in the Moto Qs.
The root certificates in the devices actually have no bearing on the name of the certificate supplier - as the root certificates change hands.
Simon.
ASKER
Does anyone have any idea what SSL certs are supported by the Motorola Q?
I can't buy a cert then find out it "isn't compatible". Motorola seems to be incompetent on the issue. One of their "engineers" was suppose to call me back last week about the SSL problem and never did.
I can't buy a cert then find out it "isn't compatible". Motorola seems to be incompetent on the issue. One of their "engineers" was suppose to call me back last week about the SSL problem and never did.
ASKER
So Motorola called back (I wasn't there) and had someone turn off SSL on the Default Website in IIS...
Now, of course, it works.. is it OK for SSL to be disabled on the default website? I assume it's enabled on the OMA folder in IIS (I have not checked yet)? Or did they just disable SSL for everything by making that change?
Now, of course, it works.. is it OK for SSL to be disabled on the default website? I assume it's enabled on the OMA folder in IIS (I have not checked yet)? Or did they just disable SSL for everything by making that change?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you use Pocket IE to browse to https://host.domain.com/OMA (where host.domain.com is the name that you connect to the server on from outside the network) if there is a problem with the certificate then it will flag it to you along with the element that is causing the problem.
It will either be name or trust.
In my personal opinion your best option is to ditch the self generated SBS certificate and purchase a certificate. If the purchased certificate is not supported by Windows Mobile (there are only a few that are - even less for the Moto Q as some root certificates have been removed) then you need to import the certificate issuers root certificate. The cabinet file method has never failed for me yet. http://www.amset.info/pocketpc/certificates.asp
Simon.