  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2869

Exchange Active Sync SSL Certificate Expired?

Just renewed a server certificate using a new common name. Server previously had GoDaddy SSL applied and had no problems in terms of OWA, OMA, or EAS w/ iPhones. With new GoDaddy certificate (and yes, a new A record as well) OWA and OMA function properly but I cannot get the iPhone to sync. In hopes of getting a more verbose error I used a Windows Mobile 5 emulator to set up EAS. I get an error that states the certificate has expired. I have triple-checked everything I can think of with no luck. The certificate is current, all other certs in the chain are current as well. The iPhone is able to verify Exchange settings but says "Failed to Connect to Server" when trying to sync. Any ideas?
0
Asked: hookssystems
1 Solution
 
tntmax Commented:
Did you delete the expired cert? Is this 2003 or 2007?
0
 
Jamie McKillop Commented:
Have you changed the internalURL to match the new certificate? If not, follow these instructions: http://support.microsoft.com/kb/940726

JJ
0
 
Mestha Commented:
If you browse to the server using IE or Pocket IE on the device, then you should get a certificate prompt. That will tell you what is wrong. However, do ensure that the time on the device is correct, along with the timezone!

Simon.
0
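Added example (not part of the original thread or any poster's code): a Python check for the two client-side causes raised above, a wrong device clock and a dial-in name that no longer matches the renewed certificate. The certificate, host names and dates are constructed; only the 2012 expiry year follows the thread.

```python
# Added example with constructed data; not output from the server in this thread.
import ssl
from datetime import datetime, timezone

# Constructed certificate, in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.newname.example"),),),
    "notBefore": "Mar  1 00:00:00 2010 GMT",
    "notAfter": "Mar  1 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "mail.newname.example"),),
}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def diagnose_cert(cert, host, device_now):
    """Failures a client would hit, given its own clock and the name it dials."""
    problems = []
    now = device_now.timestamp()
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (device clock behind notBefore)")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (device clock past notAfter)")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name mismatch: %s not in %s" % (host, cert_names(cert)))
    return problems

if __name__ == "__main__":
    utc = timezone.utc
    for host, clock in [
        ("mail.newname.example", datetime(2010, 6, 1, tzinfo=utc)),  # correct clock, new name
        ("mail.newname.example", datetime(2005, 1, 1, tzinfo=utc)),  # device clock reset to the past
        ("mail.oldname.example", datetime(2010, 6, 1, tzinfo=utc)),  # profile still uses the old FQDN
    ]:
        print(host, clock.date(), diagnose_cert(SAMPLE_CERT, host, clock) or "OK")
```

Against a live server, the same dict comes from getpeercert() on a connected ssl socket; passing the device's clock rather than the server's is what exposes a skewed handheld or emulator.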

 
hookssystems (Author) Commented:
This is Exchange 2003. The cert is brand new and doesn't expire until 2012. I have followed MS's KB81739 and your version as well, Simon. I also have gone as far as KB883380. Still no luck. OWA and OMA work without issue. No prompts regarding the certificate. I downloaded the Windows Mobile 6 Emulator and now I don't get the message that the cert has expired, I just get "ActiveSync encountered a problem on the server" with the ever so famous Support Code 0x85010014. The only thing I can think of is it having to do somehow with the name change. The company that owns this server changed names, therefore new default SMTP addresses for everyone (this happened when the old cert was in place and there were no problems syncing) as well as a different external FQDN for the server. Split DNS is configured and can resolve to the new name both internally and externally. The event log on the server is not logging any errors either. This is a single SBS2003 machine if that helps... I'm running out of ideas and the owner is running out of patience :)
0
 
hookssystems (Author) Commented:
Using MS's Remote Connectivity Analyzer I get this as the error:

"The SSLCertificate failed one or more certificate validation checks."

"A network error occurred while communicating with remote host:
 Exception Details:
 Message: No such host is known
 Type: System.Net.Sockets.SocketException
 Stack Trace:
   at System.Net.Dns.GetAddrInfo(String name)
   at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
   at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
   at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
   at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()"
0
 
hookssystems (Author) Commented:
Getting closer; now I just get an HTTP 500 error...

 "Attempting FolderSync command on ActiveSync session
  FolderSync command test failed
   Tell me more about this issue and how to resolve it
 
 Additional Details
  Exchange Activesync returned an HTTP 500 response"
0
 
Mestha Commented:
500 is rather generic, it doesn't really say a great deal of any help. Is anything logged on the server at the time of doing the test?

Simon.
0
 
hookssystems (Author) Commented:
No, nothing is logged... Can I increase the logging level for EAS somehow?
0
 
Mestha Commented:
No, EAS is a web based system, so the only logging outside of the Windows logs is on the web site logs.
This feature either works, or it doesn't.

If you browse to OMA (https://host.example.com/oma) does that work?

Simon.
0
 
hookssystems (Author) Commented:
Yes, OMA works, but I did have to modify some paths in IIS to get it to work after adding the new default SMTP addresses. Before the change I would get a message stating that my mailbox existed on an older version of Exchange... I followed an article that required me to change the paths in IIS on the /Exchange, /exchange-oma, and /Public virtual directories. The change was in the path, e.g. \\.\BackOfficeStorage\domain.local\ to \\.\BackOfficeStorage\newsmtp.com\. After doing this OMA works... It leads me to believe there is something in the IIS metabase that is causing these sync issues...
0
 
Mestha Commented:
If you have had to play around with the virtual directories, then reset them.
http://support.microsoft.com/default.aspx?kbid=883380

That will get you back to the default settings, where it should work without any further changes.

Simon.
0
 
hookssystems (Author) Commented:
I actually have already followed KB883380... but I finally had to call MS on this and it turned out that the setting "Enable HTTP Keep-Alives" on the Default Website had been unchecked. Soon as this was enabled ActiveSync worked properly. The MS tech said this is a known issue within IIS with any website, Exchange based or not. If this is not enabled it can lead to all sorts of unexplained errors........figures.........

Thanks for all the input though....
0
