Mandev23
Microsoft Exchange server 2007 does not have permission to synchronise with PDA?

Hi

I am trying to sync my HTC S710 Windows Mobile 6 device with Exchange 2007, but I keep getting the error below:

"Your account in Microsoft Exchange does not have permission to synchronise with your current settings. Contact your Exchange server administrator. View support code 0x85010004"

I have put the self-signed cert on the device, and it matches the certificate on the server as well. I have set up an ActiveSync policy for my account as well.
johnknightly

Have you tried Set-CASMailbox -Identity  -ActiveSyncEnabled $true

Also, are you using the default ActiveSync policy that shipped with SP1? I've found that deleting that and creating a new default ActiveSync policy relieves a lot of headaches.
Mandev23 (ASKER)

Hi

I have already created an ActiveSync policy; however, I ran the above command and it ran successfully. I have created a policy for my mailbox, so I guess it would be using that policy...

I can't understand why I am getting this error.. I have tried syncing without SSL as well.
Are you the Exchange Admin? EAS is enabled on the server by default, but this service may have been disabled temporarily. We did that until we set up policy for mobile users. Also, here is an article that may be of use:
http://www.amset.info/exchange/mobile-85010014.asp

Regards.
~coolsport00
Hi coolsport00

Does the article apply to Exchange 07 as well? The majority of that article is self-explanatory and seems to be in place - see attached for my IIS setup.

Can someone tell me what options I should have ticked for each of these virtual directories, e.g. Integrated Windows Authentication, SSL, etc.? I reckon it is a problem within one of these directories.
IIS.doc
The Microsoft-Server-ActiveSync vdir should require SSL and be set for Basic authentication only.
This is the setup I have.... Am I missing any virtual directories? I don't think I am...

The cert is on the PDA as well; I can browse to OWA without any cert prompts (yes/no).
If you browse here:

https://OWAFQDN.company.com/microsoft-server-activesync

does it prompt you for authentication, successfully auth, then give you a 501?
When I browse to that URL it says "There is a problem with this website's security certificate", continue, close etc.. When I click on continue I get an HTTP 404 page not found... I tried this on my laptop and PDA...

???
It's an SSL issue for sure then; EAS is very picky about certs. No chance of using a valid 3rd-party SAN cert, eh? godaddy.com has one for 90 bucks.
You sure?? How do you know?
Is there a website you know which allows me to trial a 3rd-party cert?
Positive, because when you hit the site with the browser or PDA it's giving you SSL errors. I'm not aware of any trial for a cert, but if you purchase the godaddy.com UCC cert, they have free support that will help you get it installed and working correctly.
John

Sorry, I didn't test that link properly. When I browse to the link I entered my credentials, then I get the 501 error....

https://apple.romgroup.com/microsoft-server-activesync

OK, then SSL may not be the issue, but I'd still review it; maybe have a look at this article and a few of the links therein:
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

I will have a more detailed look into this article, but I think the problem is a lot simpler.. Surely it can't be anything really complicated...

Do you think the cert needs to be based around the following syntax:

New-ExchangeCertificate -DomainName mail.contoso.com, contoso.com, contoso.local, autodiscover.contoso.com, server01.contoso.local, server01 -FriendlyName contosoinc -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=US o=contoso inc, CN=server01.contoso.com"

But it's a permissions issue...!!?
It could be, but last time I got this code it was SSL related; the CAS server needed the intermediary trust cert installed, but that was a 3rd-party issue.
OK, I will work on it and let you know. Thanks.
Hi

I don't want to purchase a 3rd-party SAN and find it doesn't solve this; surely it should work with a self-assigned cert.... Has anyone else come across this error?
ASKER CERTIFIED SOLUTION
ilantz

This solution is only available to members.
Hi ilantz

Thanks for your help.

I'm using a Windows Mobile 6 device (HTC S710); I purchased it new.
I have exported the cert from the Exchange server and installed it successfully into the root store of the device... but I still get the permissions error....

Higher up you can see my IIS virtual directories... maybe it is a permissions setting in one of these?
"I have exported the cert from exchange server" << this must be the root CA certificate, not the server certificate..
root-ca.jpg
See attached for the view I get when I go into IIS... also the MMC certificate console.

I don't see where it says 'root' or have the option to 'view certificate' like yours above:
cert-root2.doc
Is apple your Certificate Authority server? If so you can easily download the CA certificate from the http://apple/certsrv site, last option on the first page.
apple is our CA server...

I browsed to http://apple/certsrv from IIS,
clicked on "Download a CA certificate, certificate chain, or CRL",
then clicked on "Install this CA certificate chain".

What I have noticed now is that in the MMC certificates console (see attached) a certificate for 'ALL' purposes has appeared, for 'Root certificate authority', with a different date - is this correct? Shall I use this cert? I still can't see the view you got above with the root label....
certsrv.doc
Yes!
This is the certificate your mobile should trust.

Make sure you issued the certificate for the server from this CA.
Try it.

Did you set the correct URL in the external URL in the Client Access, ActiveSync settings?
ilantz

I just replaced the certificate in the Default Web Site with the new one; now OWA is not working? https://apple.romgroup.com/owa

Also reset IIS...?
?? Why did you do that?
Of course it doesn't work.

We're talking only mobile here. You should not have touched the server settings.
I thought I had to replace the cert on the server with the new one first, then the one on the mobile....

OWA is saying page cannot be displayed.... What should I do here?
OK, I created another cert on the server with SelfSSL; OWA is now working... apologies..

So this time I should just export the root CA cert from the server and install it in the mobile....?

I've installed the new cert on the mobile; now I'm getting 'The security cert on the server is not valid. Contact your Exchange server administrator to install a valid certificate on the server'

support code - 0x80072F0D

Isn't this because the certs are different? The one on the mobile is the new ROOT cert downloaded from the CA and the one on the server is a self-assigned cert for server authentication..?
SOLUTION
This solution is only available to members.
ilantz

So it boils down to the cert on the server now being the problem.... So I'm guessing the cert on the mobile is now correct, being a ROOT cert... so when I change the cert on the server to be a ROOT cert, will this cert need to be changed on the mobile as well so they match.....?

I've tried to submit a request using the CA but I'm getting an error (see attached)... or if you can provide me with the syntax for creating the apple.romgroup.com cert using the command shell...?

We're nearly there :-)
submit-a-cert-request.doc
When I select "create and submit a service request to this CA" it says an unexpected error has occurred?
Well, the concept is as if your CA is a 3rd-party CA..
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

About the error, rather check the browser settings.. add the address to trusted sites.
I re-installed the certificate service on the server, so I no longer had the unexpected error. I created a new cert request using the syntax below, which worked:

[PS] C:\Documents and Settings\bossman\Desktop>New-ExchangeCertificate -DomainName apple.romgroup.com -FriendlyName -GenerateRequest:$True -Keysize 1024 -path c:\romgroup.req -privatekeyExportable:$true -subjectName "c=uk, o=ROM, CN=romgroup.com"

Followed by:
Import-ExchangeCertificate -Path c:\certnew.p7b | Enable-ExchangeCertificate -Services IIS

But the cert in IIS is still pointing to the old cert; it's not a ROOT cert... plus it is no longer in the MMC certificates console / not viewable in the trusted root store....

I believe I need the new cert I just created using the CA to be in IIS. Yesterday when I replaced the cert in IIS, OWA stopped working... Is there another way this should be done?
I can't get the cert from the CA which appears in the trusted roots into IIS....?
If I manually click on Default Web Site, Directory Security, Server Certificate, and replace the current certificate, OWA stops working....
I really would like to get this last thing working, then the Exchange project will be complete. + I know I'm very close....

Once the certificate is sorted, I know it will work and I shouldn't need to buy a 3rd-party cert from GoDaddy... Please let me know (step-by-step) how I can solve this? Hopefully it isn't too much work... Thank you ilantz..
ilantz

How can I progress with this? I've currently left it as it is... I know how to fix OWA, which is by assigning a new SelfSSL cert to IIS, but I know this is not the way forward; I need to use the CA...

Hope you can help... - I will check this space tomorrow evening...
I just submitted a request using the certsrv (CA) and imported the request into IIS, but I don't think this created a root cert...? I'm still getting the same error on the PDA...
I created a free SSL certificate using this link: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html and imported it into IIS to eliminate whether it was the SelfSSL I assigned which was the problem...

But I'm still getting the same error? It's a permissions error somewhere...

Please help.
SOLUTION
This solution is only available to members.
Hi ilantz
Good to hear from you. I've had a battle with this!!

I understand the structure.

Using CERTSRV I just submitted/imported a cert request for apple.romgroup.com, which I use for internal/external access to OWA. The root cert appears as a 'Root certification authority' in the trusted roots, but I don't think the one in IIS is correct... (see attached for the two certificates, the first one being the one in IIS and the second the ROOT cert)

At the moment I am getting "the certificate on the server is not valid".....

Let me know, thanks

certs.bmp
The certificate that IIS uses should be put only in the Personal store in Local Computer...
You should make sure the correct certificate is installed by using the IIS GUI.

Confirm that please.
There are no certificates in the Personal store on the server....?

How do I know if the correct cert is installed? I've made several attempts at creating the same cert over and over again using the IIS GUI; I've submitted requests and imported the cert into the Default Web Site (certnew.cer)... I'm just lost... yet I know I'm close..

Currently the device is saying 'The security certificate on the server is not valid...'

Did you get the points for the last post? :-)
MMC, Add Snap-in, select Certificates, select LOCAL COMPUTER.

Then you will see them ;)
Sorry, yes, the certificate in IIS is in the Personal store, and the ROOT cert is in the Trusted Root store...

I restarted the device; I'm getting the same error:
"Your account in Microsoft Exchange does not have permission to synchronise with your current settings. Contact your Exchange server administrator. View support code 0x85010004"

Surely it must be the way the cert is installed, or I must have a tick box which should / should not be there, e.g. Integrated Windows Authentication, Anonymous Authentication...
Well, any chance you could try another device, or a different mailbox?
Because all the signs show you did the correct instructions..
ilantz

I have tried another device also...

There is a root cert which is in the trusted root; this cert has a different expiry date to the front-facing cert in IIS, so there are definitely two certificates, one being the ROOT. I think the mobile is not trying to sync with the ROOT cert, but the one in the Default Web Site? - this is not a ROOT cert...

The permissions error still lurks....
The clients should trust only the ROOT CA.
So any certificate issued by it will always be trusted.
OK, that's fine:

I have been given this link:
http://forums.msexchange.org/m_1800435566/mpage_1/key_/tm.htm#1800447757

and to try:
Set-CASMailbox -Identity  -ActiveSyncEnabled $true

even though ActiveSync is enabled...?
.. I bet it is..
Are you manipulating host headers on the IIS server sites??
Or using ISA Server or any manipulating proxy/reverse proxy?
I ran:
Set-CASMailbox -Identity  -ActiveSyncEnabled $true   and per the link above it said "no settings of 'domain/OU/user' have been modified", but for them it seemed to work. Mine did not work.

How do you mean host headers in IIS? We have a proxy server, not ISA Server...

?
I've also read the error could be related to port 443 and port 80.

I've just had port 80 opened inbound; now I'm getting a different error: 'The server could not be reached. Please verify the server name'.. view support code 0x80072EE7

Wonder if it is related...

??
I don't think it is to do with the port; I've had inbound port 80 closed.... Also, apparently it is potentially quite dangerous to have this open without using a DMZ.
ilantz - SORTED!!!!!!!!! It's working!

The last two things I did were: in EMC, Client Access, make my policy the default policy; THIS then prompted me to download the server settings to the device; and secondly, remove the old partnership with the device from my mailbox in Recipient Configuration.

However, I'm not getting external mail to the device, only mail sent internally; could this be because we are still using POP to download the mail into our inboxes? Email is not yet being sent straight through to Exchange yet. When I click on Send/Receive in Outlook and the external mail is downloaded into the inbox, and I then do a sync with the mobile, it then appears on the mobile as well.

Or should all mail be sent to the device? (This would be ideal at this point.)
Direct Push is enabled and working....
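The checks the thread walks through one by one (is ActiveSync enabled on the mailbox, which policy applies and whether it is the default, how the Microsoft-Server-ActiveSync virtual directory is configured, which certificate IIS is serving and whether it covers the external name, and which device partnerships already exist) collected into one read-only Exchange Management Shell script. This is an added example, not something posted in the thread; the mailbox alias and the FQDN are placeholders, and only the Exchange 2007 cmdlets named in the thread or their Get- counterparts are used.

```powershell
# Added example: ActiveSync troubleshooting checklist for Exchange 2007 (read-only).
# Run from the Exchange Management Shell on the CAS server.
$Mailbox = 'user.alias'          # placeholder: alias of the mailbox that fails to sync
$Fqdn    = 'mail.example.com'    # placeholder: name the device connects to (cert must cover it)

# 1. Is ActiveSync enabled for the mailbox (error 0x85010004 is raised when it is not),
#    and which ActiveSync mailbox policy is assigned to it?
$cas = Get-CASMailbox -Identity $Mailbox
"ActiveSyncEnabled       : $($cas.ActiveSyncEnabled)"
"ActiveSyncMailboxPolicy : $($cas.ActiveSyncMailboxPolicy)"

# 2. Which policy is the organisation default? Making the asker's policy the default
#    was the first of the two steps that finally resolved the thread.
Get-ActiveSyncMailboxPolicy | Select-Object Name, IsDefaultPolicy | Format-Table -AutoSize

# 3. The ActiveSync virtual directory should use Basic authentication only (over SSL)
#    and carry the external URL the device is given.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, BasicAuthEnabled, WindowsAuthEnabled, ExternalUrl | Format-List

# 4. The certificate bound to IIS: it must chain to a CA the device trusts (the root CA
#    cert installed on the device) and its subject/SAN must include $Fqdn.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
foreach ($c in $iisCerts) {
    $covers = $c.CertificateDomains -contains $Fqdn
    "IIS cert $($c.Thumbprint) subject=$($c.Subject) expires=$($c.NotAfter) covers ${Fqdn}: $covers"
}

# 5. Existing partnerships for the mailbox. A stale partnership can keep failing after
#    the policy or certificate changes; removing it was the thread's second fix.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceID, LastSuccessSync, Identity | Format-Table -AutoSize
# To remove one stale partnership after confirming its Identity in the list above:
#   Remove-ActiveSyncDevice -Identity '<Identity from the list above>'
```

Running the script before and after each change gives a record of which of the five points actually moved, instead of changing the server certificate and the device trust store at the same time as happened in the thread.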
Glad you sorted it!
Well, the mail flow is a different issue.
If it's not delivered to mailboxes, then yes, you should make it arrive at the Exchange server instead of the POP3 mail server....

Empower your Exchange! :)
All the best.