Activesync, Exchange SSL errors on Windows Mobile

I am trying to setup the new Global Data Centre for a client, most of which has already been done. The final part to setup is migrating OWA and Activesync, both of which use the same URL with obviously the part after the forward slash defining which service the client wishes to use.

From testing we have proved that works fine on the new systems and there are no SSL certificate errors, to test this I simply changed my host file to point to the new systems. We also tested this live by changing live DNS, however at this time we were not made aware of the number of activesync users and as such didnt put too much emphasis on testing activesync, incorrectly assuming that because OWA works and its the same URL and SSL then Activesync would also work (we did test OMA and it worked). However when we migrated over the activesync devices stopped working (some after several days due to DNS propagation times on the mobile operator networks taking around 4 days  and the same length of time to revert). There were various errors depending on the version of mobile in use but all of them were concerning invalid/out of date certificates, so we had to revert the change, so for the moment activesync and OWA both point back to the old data centre.

Now obviously devices which use OWA are typically PCs and as such they have a lot more intermediate and root certificates on them than the Activesync windows mobile devices which typically have very few if any intermediates. We did notice that on the front end exchange and ISA servers the intermediate certificate which was in the certificate chain for the certificate expired in 2004, so as per instructions on (error 1 is the error we receive) I updates the certificates on all front end and ISA exchange servers for the intermediates as well as the root certificates, I also use SSL Chain Saver from Microsoft to ensure the chain presented to the device was the correct chain of SSL certs, and it was, indeed it was the same chain of certs provided by the old setup.

It is my understanding, and id like corrected if im wrong, that if the mobile device doesnt have the correct intermediate or root certs then the exchange/ISA servers will provide them in the chain and present them to the mobile device so that it can verify the certs, however this does not appear to be happening, the only time I have been able to get activesync to work is via my iphone by importing the certs manually, but this is not really an option for the users scattered around the globe, also the fact that it works on the old setup with the same certs baffles me.

For info my testing method has been to setup a virtual server with the DNS zone and an A record pointing www to the new servers and then configuring a wireless network for the iphone, Windows mobile 6.1 device emulator and windows mobile to use and spoof them in to going to the new location, my only success so far as Ive said is by importing the certs to the iphone, but im pretty sure that as the certificates are not internal (they are issued by verisign) then certs shouldnt need to be imported. We are using ISA 2006 and it validates all the certificates fine as well as providing access to OWA with no certificate errors.

Any input or experience with SSL/Activesync, ISA and Exchange would be much appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are the certificates you are using purchased from a third party, or are you running your own certificate authority?

Try manually installing the certificate onto a mobile device by copying it onto the device via USB or using a memory card. If it is a Windows Mobile device, load up File Explorer, navigate to the .cer file and tap on it. It should come up with a message saying its been installed.

Also, if the new server uses a different cert to the old server, the mobile devices may complain because it doesnt match the cert they were expecting. In which case, you'll need to delete the old cert from the device. In Windows Mobile, you can find the old certs in Start>Settings>System>Certificates.
garykaneAuthor Commented:
Hi DanJourno

We are using a Verisign Certificate so the CA is verisign. The certificate path goes like this:

1. 25/08/2008 to 30/08/2011
2. Ref. LIABILITY LTD.(c)97 VeriSign 17/04/1997 to 24/10/2016 (this is the intermediate)
3. Class 3 Public Primary Certification Authority 29/01/1996 to 01/08/2008

So all the certs are availible on the internet.

I tried manually installing on my iphone and it worked fine, no certificate errors, so that suggests to me the problem is certificate related. However Because the certs are public the mobile devices should be able to download them from exchange/isa and just work, at least that is what suggests.

I will ask a user to check if any other certs have been installed on the device and get back to you.
If the cert is a Verisign cert then its either that the root cert is too new and therefore not installed on the mobile devices, or there is an existing cert on the devices which is conflicting.

In WM, there are three tabs in Settings>System>Certificates.

Make sure they check all three.
If they find anything, to delete, hold the pen down on that item, then the context menu will appear with an option to View or Delete.

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

garykaneAuthor Commented:
There were no out of date certs, but when I installed the valid intermediate cert it worked, but this is no use as we need it to go out automatically, which is how it should work.

Incidentally I have just found out that our network uses Cisco CSS load balancers 11501's i beleive. I have found this article which states that these devices also hold certificates, to be honest i didnt have a clue that network devices held certificates.

So I am currently waiting on a response from the network team and will let yous know how i get on.
I know its not much help but I have always had to install the certs manually on mobile devices. I have sent the cert via email and instructed users to connect thre mobile to the their PC copy the cert and theninstall from mobile. I know this is not the answer you wanted but it may give you another option.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You shouldnt need to install them manually if you purchase it from a trusted third party.
(as long as the root cert is on the device)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.