Activesync, Exchange SSL errors on Windows Mobile

Posted on 2008-11-19
Medium Priority
Last Modified: 2013-12-05
I am trying to set up the new Global Data Centre for a client, most of which has already been done. The final part to set up is migrating OWA and ActiveSync, both of which use the same URL, with obviously the part after the forward slash defining which service the client wishes to use.

From testing we have proved that https://www.companyname.net/exchange works fine on the new systems and there are no SSL certificate errors; to test this I simply changed my hosts file to point www.companyname.net to the new systems. We also tested this live by changing live DNS, however at this time we were not made aware of the number of ActiveSync users and as such didn't put too much emphasis on testing ActiveSync, incorrectly assuming that because OWA works and it's the same URL and SSL then ActiveSync would also work (we did test OMA and it worked). However when we migrated over, the ActiveSync devices stopped working (some after several days due to DNS propagation times on the mobile operator networks taking around 4 days and the same length of time to revert). There were various errors depending on the version of mobile in use, but all of them were concerning invalid/out of date certificates, so we had to revert the change, so for the moment ActiveSync and OWA both point back to the old data centre.

Now obviously devices which use OWA are typically PCs and as such they have a lot more intermediate and root certificates on them than the ActiveSync Windows Mobile devices, which typically have very few if any intermediates. We did notice that on the front end Exchange and ISA servers the intermediate certificate which was in the certificate chain for the www.companyname.net certificate expired in 2004, so as per instructions on http://support.microsoft.com/kb/927465 (error 1 is the error we receive) I updated the certificates on all front end and ISA Exchange servers for the intermediates as well as the root certificates. I also used SSL Chain Saver from Microsoft to ensure the chain presented to the device was the correct chain of SSL certs, and it was; indeed it was the same chain of certs provided by the old setup.

It is my understanding, and I'd like to be corrected if I'm wrong, that if the mobile device doesn't have the correct intermediate or root certs then the Exchange/ISA servers will provide them in the chain and present them to the mobile device so that it can verify the certs. However this does not appear to be happening; the only time I have been able to get ActiveSync to work is via my iPhone by importing the certs manually, but this is not really an option for the users scattered around the globe. Also the fact that it works on the old setup with the same certs baffles me.

For info my testing method has been to set up a virtual server with the DNS zone companyname.net and an A record pointing www to the new servers, and then configuring a wireless network for the iPhone, Windows Mobile 6.1 device emulator and Windows Mobile to use and spoof them into going to the new location. My only success so far, as I've said, is by importing the certs to the iPhone, but I'm pretty sure that as the certificates are not internal (they are issued by VeriSign) then certs shouldn't need to be imported. We are using ISA 2006 and it validates all the certificates fine as well as providing access to OWA with no certificate errors.

Any input or experience with SSL/ActiveSync, ISA and Exchange would be much appreciated.
Question by:garykane
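The point the question turns on, that a device whose store holds only the root depends on the server sending the intermediate alongside the leaf, can be reproduced offline. The Go program below is an added example and is not code from this thread, from ISA/Exchange, or from Microsoft's SSL Chain Saver. It constructs its own three-link chain in memory (the hostname is the one used in the question; the CA names, keys and validity dates are made up) and verifies it the way a root-only client would: once with the intermediate supplied, once with it omitted, and once with an intermediate that has already expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostname taken from the question; the certificates themselves are
// constructed in-process, not the real VeriSign-issued ones.
const hostname = "www.companyname.net"

// Chain models the three links the author lists: leaf, intermediate, root.
type Chain struct {
	Leaf, Intermediate, Root *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl under parent, signed with signer
// (self-signed when tmpl and parent are the same object).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain constructs root -> intermediate -> leaf, all valid at "now".
// With intermediateExpired set, the intermediate's NotAfter lies in the past,
// mirroring the stale intermediate the author found on the servers.
func BuildChain(now time.Time, intermediateExpired bool) Chain {
	year := 365 * 24 * time.Hour
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-10 * year),
		NotAfter:              now.Add(10 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intNotAfter := now.Add(5 * year)
	if intermediateExpired {
		intNotAfter = now.Add(-24 * time.Hour)
	}
	intTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Constructed Intermediate CA"},
		NotBefore:             now.Add(-5 * year),
		NotAfter:              intNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	intermediate := sign(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-30 * 24 * time.Hour),
		NotAfter:     now.Add(3 * year),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, intermediate, &leafKey.PublicKey, intKey)

	return Chain{Leaf: leaf, Intermediate: intermediate, Root: root}
}

// VerifyAsClient plays the part of a device whose store holds only the root
// (the usual state of a Windows Mobile handset): it must build the path from
// the leaf to that root using only what the server sends alongside the leaf.
func VerifyAsClient(root, leaf *x509.Certificate, presented []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       hostname,
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Date(2008, time.November, 19, 0, 0, 0, 0, time.UTC) // the question's posting date
	good := BuildChain(now, false)
	stale := BuildChain(now, true)
	fmt.Println("full chain sent:          ", VerifyAsClient(good.Root, good.Leaf, []*x509.Certificate{good.Intermediate}, now))
	fmt.Println("intermediate omitted:     ", VerifyAsClient(good.Root, good.Leaf, nil, now))
	fmt.Println("expired intermediate sent:", VerifyAsClient(stale.Root, stale.Leaf, []*x509.Certificate{stale.Intermediate}, now))
}
```

Only the first case verifies. The second is the failure a handset with a sparse certificate store produces when the server (or a load balancer in front of it) sends the leaf alone, which is exactly what a chain-inspection tool such as SSL Chain Saver is meant to reveal; the third fails on validity dates even though the chain is complete. This checker also rejects a root that is outside its own validity period, so the dates on every link, the root included, are worth checking.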

Expert Comment

ID: 23002246
Are the certificates you are using purchased from a third party, or are you running your own certificate authority?

Try manually installing the certificate onto a mobile device by copying it onto the device via USB or using a memory card. If it is a Windows Mobile device, load up File Explorer, navigate to the .cer file and tap on it. It should come up with a message saying it's been installed.

Also, if the new server uses a different cert to the old server, the mobile devices may complain because it doesn't match the cert they were expecting. In which case, you'll need to delete the old cert from the device. In Windows Mobile, you can find the old certs in Start>Settings>System>Certificates.

Author Comment

ID: 23002350
Hi DanJourno

We are using a VeriSign certificate so the CA is VeriSign. The certificate path goes like this:

1. www.companyname.net 25/08/2008 to 30/08/2011
2. www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 17/04/1997 to 24/10/2016 (this is the intermediate)
3. Class 3 Public Primary Certification Authority 29/01/1996 to 01/08/2008

So all the certs are available on the internet.

I tried manually installing on my iPhone and it worked fine, no certificate errors, so that suggests to me the problem is certificate related. However, because the certs are public the mobile devices should be able to download them from Exchange/ISA and just work; at least that is what http://support.microsoft.com/kb/927465 suggests.

I will ask a user to check if any other certs have been installed on the device and get back to you.

Expert Comment

ID: 23002388
If the cert is a VeriSign cert then it's either that the root cert is too new and therefore not installed on the mobile devices, or there is an existing cert on the devices which is conflicting.

In WM, there are three tabs in Settings>System>Certificates.

Make sure they check all three.
If they find anything to delete, hold the pen down on that item, then the context menu will appear with an option to View or Delete.


Author Comment

ID: 23004225
There were no out of date certs, but when I installed the valid intermediate cert it worked, but this is no use as we need it to go out automatically, which is how it should work.

Incidentally I have just found out that our network uses Cisco CSS load balancers, 11501s I believe. I have found this article which states that these devices also hold certificates; to be honest I didn't have a clue that network devices held certificates.


So I am currently waiting on a response from the network team and will let you know how I get on.

Accepted Solution

georgestark earned 1000 total points
ID: 23014450
I know it's not much help but I have always had to install the certs manually on mobile devices. I have sent the cert via email and instructed users to connect their mobile to their PC, copy the cert and then install from the mobile. I know this is not the answer you wanted but it may give you another option.

Assisted Solution

DanJourno earned 1000 total points
ID: 23022107
You shouldn't need to install them manually if you purchase it from a trusted third party
(as long as the root cert is on the device)
