Activesync, Exchange SSL errors on Windows Mobile

Posted on 2008-11-19
Last Modified: 2013-12-05
I am trying to set up the new Global Data Centre for a client, most of which has already been done. The final part to set up is migrating OWA and ActiveSync, both of which use the same URL, with the part after the forward slash obviously defining which service the client wishes to use.

From testing we have proved that this works fine on the new systems and there are no SSL certificate errors; to test this I simply changed my hosts file to point to the new systems. We also tested this live by changing live DNS, however at this time we were not made aware of the number of ActiveSync users and as such didn't put too much emphasis on testing ActiveSync, incorrectly assuming that because OWA works and it's the same URL and SSL then ActiveSync would also work (we did test OMA and it worked). However, when we migrated over, the ActiveSync devices stopped working (some after several days due to DNS propagation times on the mobile operator networks taking around 4 days, and the same length of time to revert). There were various errors depending on the version of mobile in use, but all of them were concerning invalid/out of date certificates, so we had to revert the change; for the moment ActiveSync and OWA both point back to the old data centre.

Now obviously devices which use OWA are typically PCs and as such they have a lot more intermediate and root certificates on them than the ActiveSync Windows Mobile devices, which typically have very few if any intermediates. We did notice that on the front end Exchange and ISA servers the intermediate certificate which was in the certificate chain for the certificate expired in 2004, so as per instructions on (error 1 is the error we receive) I updated the certificates on all front end and ISA Exchange servers for the intermediates as well as the root certificates. I also used SSL Chain Saver from Microsoft to ensure the chain presented to the device was the correct chain of SSL certs, and it was; indeed it was the same chain of certs provided by the old setup.

It is my understanding, and I'd like to be corrected if I'm wrong, that if the mobile device doesn't have the correct intermediate or root certs then the Exchange/ISA servers will provide them in the chain and present them to the mobile device so that it can verify the certs. However this does not appear to be happening; the only time I have been able to get ActiveSync to work is via my iPhone by importing the certs manually, but this is not really an option for the users scattered around the globe. Also the fact that it works on the old setup with the same certs baffles me.

For info, my testing method has been to set up a virtual server with the DNS zone and an A record pointing www to the new servers, and then configuring a wireless network for the iPhone, Windows Mobile 6.1 device emulator and Windows Mobile to use, and spoof them into going to the new location. My only success so far, as I've said, is by importing the certs to the iPhone, but I'm pretty sure that as the certificates are not internal (they are issued by VeriSign) then certs shouldn't need to be imported. We are using ISA 2006 and it validates all the certificates fine as well as providing access to OWA with no certificate errors.

Any input or experience with SSL/Activesync, ISA and Exchange would be much appreciated.
Question by: garykane

    Expert Comment

    Are the certificates you are using purchased from a third party, or are you running your own certificate authority?

Try manually installing the certificate onto a mobile device by copying it onto the device via USB or using a memory card. If it is a Windows Mobile device, load up File Explorer, navigate to the .cer file and tap on it. It should come up with a message saying it's been installed.

Also, if the new server uses a different cert to the old server, the mobile devices may complain because it doesn't match the cert they were expecting. In which case, you'll need to delete the old cert from the device. In Windows Mobile, you can find the old certs in Start>Settings>System>Certificates.

    Author Comment

    Hi DanJourno

We are using a VeriSign certificate so the CA is VeriSign. The certificate path goes like this:

    1. 25/08/2008 to 30/08/2011
    2. Ref. LIABILITY LTD.(c)97 VeriSign 17/04/1997 to 24/10/2016 (this is the intermediate)
    3. Class 3 Public Primary Certification Authority 29/01/1996 to 01/08/2008

So all the certs are available on the internet.

I tried manually installing on my iPhone and it worked fine, no certificate errors, so that suggests to me the problem is certificate related. However, because the certs are public the mobile devices should be able to download them from Exchange/ISA and just work, at least that is what suggests.

    I will ask a user to check if any other certs have been installed on the device and get back to you.
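The chain-building behaviour the question relies on (the gateway supplying any intermediate the device lacks, so that a device holding only roots can still reach a trusted anchor), as an added example that is not code from this thread, from Microsoft, or from VeriSign: a simplified Python path builder that walks from the server certificate towards a trusted root using issuer/subject linkage and validity periods only (no signature checks). The certificate names, dates and trust stores are constructed for the example; the scenarios contrast a gateway that sends the intermediate, one that sends only the leaf, and one that sends an intermediate that expired in 2004, against a PC-style store and a roots-only mobile store.

```python
"""Simplified X.509 path building for the ActiveSync certificate problem.

Added example, not code from the thread. Signatures are NOT verified; only
issuer/subject linkage and validity windows are checked, which is enough to
show why a device with a sparse certificate store fails when the gateway
stops sending, or sends a stale, intermediate certificate.

To see what a gateway really presents, run from a PC (real OpenSSL command):
    openssl s_client -connect mail.example.com:443 -showcerts
and compare the certificates printed against the device's own store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


def build_path(leaf, presented, trust_store, now):
    """Walk from `leaf` towards a certificate the device already trusts.

    presented:   certificates the server sent alongside the leaf (untrusted).
    trust_store: certificates installed on the device (its roots, plus any
                 intermediate a user imported by hand).
    Returns (path, None) on success or ([], reason) on failure.
    """
    path = [leaf]
    current = leaf
    seen = {leaf.subject}
    while True:
        if not current.valid_at(now):
            return [], f"certificate '{current.subject}' is expired or not yet valid"
        if current in trust_store:
            return path, None  # reached something the device trusts directly
        # Prefer a copy already on the device, then fall back to what was sent.
        issuer = next((c for c in trust_store if c.subject == current.issuer), None)
        if issuer is None:
            issuer = next((c for c in presented if c.subject == current.issuer), None)
        if issuer is None:
            return [], f"no certificate found for issuer '{current.issuer}'"
        if issuer.subject in seen:
            return [], "issuer loop"
        seen.add(issuer.subject)
        path.append(issuer)
        current = issuer


def _d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed certificates (names and dates are illustrative, not VeriSign's).
ROOT = Cert("Example Root CA", "Example Root CA", _d("1996-01-01"), _d("2028-08-01"))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _d("2005-01-01"), _d("2016-10-24"))
STALE_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _d("1997-04-17"), _d("2004-01-07"))
LEAF = Cert("mail.example.com", "Example Intermediate CA", _d("2008-08-25"), _d("2011-08-30"))
NOW = _d("2008-11-19")

PC_STORE = [ROOT, INTERMEDIATE]  # a desktop carries many intermediates
PHONE_STORE = [ROOT]             # a mobile device: roots only


def scenarios():
    """Each entry is (path, error) for one gateway/device combination."""
    return {
        "old gateway sends intermediate, phone": build_path(LEAF, [INTERMEDIATE], PHONE_STORE, NOW),
        "new gateway sends leaf only, PC": build_path(LEAF, [], PC_STORE, NOW),
        "new gateway sends leaf only, phone": build_path(LEAF, [], PHONE_STORE, NOW),
        "new gateway sends 2004-expired intermediate, phone": build_path(LEAF, [STALE_INTERMEDIATE], PHONE_STORE, NOW),
        "new gateway sends leaf only, phone with imported intermediate": build_path(LEAF, [], PHONE_STORE + [INTERMEDIATE], NOW),
    }


if __name__ == "__main__":
    for name, (path, err) in scenarios().items():
        status = "OK  " if err is None else "FAIL"
        detail = " -> ".join(c.subject for c in path) if err is None else err
        print(f"{status} {name}: {detail}")
```

The PC case succeeds with only the leaf because the intermediate is already in its store, which is why OWA from a browser proved nothing about ActiveSync; the roots-only device needs the gateway to send a currently valid intermediate, or the user must import one by hand, which matches the only working configuration reported in this thread.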

    Expert Comment

If the cert is a VeriSign cert then it's either that the root cert is too new and therefore not installed on the mobile devices, or there is an existing cert on the devices which is conflicting.

    In WM, there are three tabs in Settings>System>Certificates.

    Make sure they check all three.
If they find anything to delete, hold the pen down on that item, then the context menu will appear with an option to View or Delete.


    Author Comment

There were no out of date certs, but when I installed the valid intermediate cert it worked. However, this is no use as we need it to go out automatically, which is how it should work.

Incidentally, I have just found out that our network uses Cisco CSS load balancers, 11501s I believe. I have found this article which states that these devices also hold certificates; to be honest I didn't have a clue that network devices held certificates.

So I am currently waiting on a response from the network team and will let you know how I get on.

    Accepted Solution

I know it's not much help, but I have always had to install the certs manually on mobile devices. I have sent the cert via email and instructed users to connect their mobile to their PC, copy the cert and then install it from the mobile. I know this is not the answer you wanted, but it may give you another option.

    Assisted Solution

You shouldn't need to install them manually if you purchase it from a trusted third party (as long as the root cert is on the device).
