Asked by stevensims:
iPhone and Server 2003 Mobile ActiveSync with SSL -- need some help

I have had a hell of a time getting the iPhone 3G working with our Exchange Server. After finally doing many searches I have gotten it to work, but at a cost. It seems that SSL has to be disabled on the Exchange virtual directory and the ActiveSync virtual directory (if you automatically redirect the default Website to Exchange, that has to have the SSL removed too). You also have to uncheck Web Authentication form under HTTP in ESM.

It appears that the iPhone ActiveSync is more geared towards companies that have front end / back end Exchange servers. The front end has SSL enabled while the back end has no SSL. This will allow ActiveSync and OWA to always be secure when going to the user, or vice versa -- ActiveSync does not have a problem if the front end is using SSL.

So with that, my company only has one Exchange server. Currently, I have removed the SSL function from the Exchange virtual directory and unchecked the Web Authentication form, since my executives needed their emails to come in on their new iPhones. I don't plan on having SSL down for too long -- most employees don't use OWA all that much, so the security issue isn't huge -- yet.

I have read that Microsoft has a fix where the user creates a new Exchange virtual directory. With a modification to the registry, ActiveSync will not look at the original and only at the newly created one. This will allow OWA to be secured and not conflict with ActiveSync.

http://support.microsoft.com/kb/817379

Has anyone had a chance to verify this fix? Is SSL the only way to secure OWA email?
SecretWeapon:

SSL is the only way to have secure OWA email. Do you not have SSL set up right, or what is causing the problem? Do not put https:// in the iPhone when telling it what the address is for your server; you just need the address or MX record, and have SSL on if using it.
stevensims (asker):

I have a certificate for the server -- we made our own certificate. We have been using SSL with our OWA for many years now with no issues.

If you read the link above, it does mention that ActiveSync will not work with an SSL-enabled Exchange virtual directory and forms-based web authentication. This is the error I was getting in my Event Viewer:

The mailbox server [Domain1.domain.com] has its [exchange] virtual directory set to require SSL.  Exchange ActiveSync cannot access the server if SSL is set to be required.  For information about how to correctly configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).

The mailbox server [domain1.domain.com] does not allow "Negotiate" authentication to its [exchange] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003"

If SSL is enabled on Exchange the iPhone will not receive mail. Remember that ActiveSync has to communicate with Exchange. It seems that SSL being enabled prevents ActiveSync from doing that.

I followed Microsoft's instructions and made a new Exchange virtual directory. I have enabled SSL back on the original Exchange directory and all is well and secure with my OWA. I was also able to log in through OMA -- before this change I had the SSL issue and could not log in. With this I know OMA is going through the new virtual directory. However, I am getting an ActiveSync error message in the Event Viewer.

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3029
Date: 7/23/2008
Time: 11:42:37 AM
User: Domain1\User
Computer: Domain1
Description:
The mailbox server [Domain1.domain.us] has its [/ExchangeOMAActiveSync] virtual directory set to require SSL.  Exchange ActiveSync cannot access the server if SSL is set to be required.  For information about how to correctly configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The new virtual directory does not have SSL enabled. I don't understand why it is giving me this error message. The new virtual directory is a copy of the original, which did work with our iPhones: email, contacts, calendar, everything synced to the iPhone. The only difference this time is that the original directory has SSL back on it. Microsoft does say that once the new directory is created the user can add SSL and forms-based authentication back to the original Exchange virtual directory. Since I added the registry entry that changes where OMA and ActiveSync go, it should never see the original Exchange directory. The Event Viewer shows the new name.

I also took a look in the MobileAdmin website. It does show the user's phone's last sync and status as OK. I am not sure if this means the phone had a successful sync or just the last time the iPhone pinged our server.

Anyone else getting similar issues?
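A verification script for the split-virtual-directory setup described in the post above, added here as an example; it is not part of the thread and not Microsoft's own procedure. It uses IIS 6's adsutil.vbs and reg.exe, both present on a default Windows Server 2003 install, to dump the settings the KB 817379 errors hinge on: the OWA copy of /Exchange keeps SSL required, the ActiveSync-only copy must have AccessSSL FALSE and Integrated Windows (Negotiate/NTLM) authentication enabled, and the ExchangeVDir registry value that redirects ActiveSync and OMA must name that copy. Assumptions: the Default Web Site is metabase site 1, the copy is named /ExchangeOMAActiveSync as in the event quoted above, and the client-facing virtual directories are the standard /Microsoft-Server-ActiveSync and /OMA. The registry key and value name are the ones KB 817379 documents as far as I recall them; confirm them against the article before relying on the output.

```batch
@echo off
REM Added example, not from the thread or from Microsoft.
REM Dumps the IIS 6 metabase settings and the ActiveSync registry redirect
REM relevant to KB 817379 on a single (front end = back end) Exchange 2003 server.
REM Assumptions: Default Web Site is W3SVC/1, OWA vdir is /Exchange, and the
REM ActiveSync-only copy is /ExchangeOMAActiveSync (name taken from the event above).
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set SITE=W3SVC/1/ROOT
set OWA_VDIR=Exchange
set EAS_VDIR=ExchangeOMAActiveSync

echo === OWA vdir /%OWA_VDIR%: AccessSSL should be TRUE (SSL required for browsers) ===
%ADSUTIL% GET %SITE%/%OWA_VDIR%/AccessSSL
%ADSUTIL% GET %SITE%/%OWA_VDIR%/AccessSSL128
%ADSUTIL% GET %SITE%/%OWA_VDIR%/AuthFlags

echo === ActiveSync copy /%EAS_VDIR%: AccessSSL must be FALSE ===
echo === AuthFlags must include bit 4 (Integrated Windows auth, i.e. Negotiate/NTLM) ===
%ADSUTIL% GET %SITE%/%EAS_VDIR%/AccessSSL
%ADSUTIL% GET %SITE%/%EAS_VDIR%/AuthFlags
REM Path should match the OWA vdir, since the copy points at the same mailbox store
%ADSUTIL% GET %SITE%/%EAS_VDIR%/Path
%ADSUTIL% GET %SITE%/%OWA_VDIR%/Path

echo === Registry redirect: ActiveSync/OMA use this vdir instead of /%OWA_VDIR% ===
REM Key and value name as documented in KB 817379 (REG_SZ, leading slash,
REM e.g. /ExchangeOMAActiveSync). Verify against the article.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters" /v ExchangeVDir

echo === Client-facing vdirs: SSL here protects the phone and is unaffected by the fix ===
%ADSUTIL% GET %SITE%/Microsoft-Server-ActiveSync/AccessSSL
%ADSUTIL% GET %SITE%/OMA/AccessSSL
endlocal
```

Run it from a command prompt on the Exchange server as an administrator. AccessSSL TRUE, or an AuthFlags value without the 4 bit, on the ActiveSync copy is exactly the condition event 3029 and the "Negotiate" error report; the server-to-itself hop through that copy is unencrypted by design, so what protects the phone's traffic is SSL on /Microsoft-Server-ActiveSync and /OMA, which the fix leaves alone. AuthFlags bits are 1 anonymous, 2 basic, 4 Integrated Windows, 16 digest.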
bjsvec:

I am having similar trouble with SSL not working with the iPhone. I read a few posts about people having trouble with self-signed certificates, so I bought one from GoDaddy and still have the same trouble.

I do not get any errors in my event log, but when I enable SSL, which works fine for OWA and if I log in via https://servername/oma, the iPhone stops working. I can only get the iPhone to work by unchecking SSL as you described. I almost wish I at least got errors like you see, because then I would have something to go on. For me it is as if there is no communication at all when SSL is enabled. Not in MobileAdmin or the event logs, at least.

Sorry I am no help, but it seems we both have essentially the same trouble: the iPhone ActiveSync won't work when SSL is enabled.

bjsvec,

Did you create a second Exchange virtual directory? You should be having some kind of errors in the Application log in the Event Viewer.

I did not do that, for the very reason that I don't see the errors in my event log and therefore am not sure I am having the same trouble. I have seen other examples that claim this has been configured without requiring the second virtual directory.

I can't find the links now, but will try to find them.

Hi bjsvec,

I have searched the Net, and as far as I know you can't do this without creating a virtual Exchange directory and/or disabling SSL. The iPhone configuration was more designed with the front end / back end Exchange design. If I had a front end Exchange server I wouldn't have any issues right now.

Is your Exchange server using Service Pack 2? You have to have that or ActiveSync will not work. Have you gone to ESM > Global Settings > Mobile Services > General tab and selected Enable Outlook Mobile Access?

Interesting. I may try that, but I noticed another trouble in the meantime: besides not seeing event log errors, I get max CPU from the w3wp.exe process whenever I enable SSL now. ActiveSync works fine without SSL, but I don't want to stay that way for long. ActiveSync also used to work fine with WM5 when I was using that.

I haven't tested yet with a phone, but did not receive any messages with OMA when I enabled it. You can set both the OMA and ActiveSync virtual directories to use SSL. As long as the new Exchange virtual directory is not using this setting, you will have a secure connection going to your iPhones. Also, if the user selects SSL on their phone they will have a secure connection to ActiveSync anyway.

I currently have an iPhone and my settings above are working. Just not sure why I am getting the errors in the Event Viewer.

Okay, I figured out why I am getting the errors in the Event Viewer after making the changes. The users have to delete their Exchange account on their iPhone and then recreate it. After this all works well.

It seems like the iPhones store the original virtual path, which still points to the Exchange virtual directory, even though the error messages I am seeing in the Event Viewer are pointing to the new Exchange virtual directory.

ASKER CERTIFIED SOLUTION
ee_auto