mancoi asked:
iPhone does not work with SSL Exchange

I am having a hard time setting up my iPhone with SSL Exchange.

I have the SSL certificates through GoDaddy. I have the .crt and .p7b files that I used for OWA on Exchange.

I have created .cer files from the installed GoDaddy intermediate files above too.

On the iPhone, I am able to access OWA through Safari, but unable to "get mail" on my iPhone from the SSL Exchange.

All settings for my email account are properly set.

I tried installing the .crt and .cer files using Safari on my iPhone. They always say the certificate cannot be verified. I do see the certificate under "profiles" but as not verified.
I am at a loss and have tried for many days now.

Thank you in advance
Mestha (United Kingdom)

You shouldn't need to install anything on the iPhone at all. I believe the GoDaddy certificates are trusted natively by the iPhone. Therefore if you have attempted to install certificates you should remove them, as they will simply cause problems.

Simon.
mancoi (ASKER)

Yes, I have tried to clear the certificates under "profiles".

Is there another place where I can "clean out" other certificates?
The easy way to get rid of the certificates (and be sure about it) is to do a restore.. Then as Simon has pointed out you should be able to connect to active sync without problems..!
If not then we are here to help..!
mancoi (ASKER)

I cannot restore this iPhone to original state b/c I am helping a user (not my phone).
I would at least soft reset the device, so that the memory is flushed.
I can only suggest browsing to the server using the built in browser and confirming that you do not get any certificate prompts. If you do, then something still isn't correct with the certificates.

Simon.
Restoring is the only way to be really sure that the phone has forgotten about the certificate.
You could try a network reset under Settings => General => Reset; if that doesn't work then you could try a full reset (without erasing data)..
mancoi (ASKER)

Would I lose any information like settings, bookmarks, mail configurations, installed applications and/or contacts?

This is my main concern. If I lose those for the user, I will be screwed.
Does the user not have a backup?
When it comes to this argument I simply turn round and ask the user what would happen if it was stolen, lost or damaged. If the user is in a position where they cannot recover the device then they have bigger problems to worry about.

Simon.
mancoi (ASKER)

Can I create a backup? Where does it store? So I am guessing that a reset will clear out all user settings like installed apps, contacts and everything else?
mancoi,
There are a number of different resets that you can do with the iPhone. Not all of them wipe data (well, actually the only one that does is the one that says "Reset all settings and erase data"!)
You can always do a backup by plugging the iPhone into a computer with iTunes, then you can right click on the iPhone and choose backup. This is always a good idea anyway. When I am working on any phone that I get in, I take a backup first; it saves you having trouble in the future.
mancoi (ASKER)

Ok. I called Apple today and the person really could not help me too much besides resetting all the network connections and deleting/recreating the Exchange account. He was unable to help with the certificate issue. I have deleted everything and started over from scratch and the certificate still reads "not verified" but it will allow me to install it.
Do you think we should be looking at what certificate is needed? I am importing a .crt file (the one I got directly from GoDaddy).
Can you run the ActiveSync test at www.testexchangeconnectivity.com and post the results? We can then see what is going on... Do you have any other devices successfully connected?
mancoi (ASKER)

I think we are on to something......

      Testing Exchange Activesync for host 208.253.29.13
       Exchange Activesync test Failed
      Test Steps
       
      Attempting to Resolve the host name 208.253.29.13 in DNS.
       Host successfully Resolved
      Additional Details
       IP(s) returned: 208.253.29.13
      Testing TCP Port 443 on host 208.253.29.13 to ensure it is listening/open.
       The port was opened successfully.
      Testing SSLCertificate for validity.
       The SSLCertificate failed one or more certificate validation checks.
       
      Tell me more about this issue and how to resolve it
      Additional Details
mancoi (ASKER)

Wait a minute.....


I used the IP address on the test above.

This time I used the name.

This is the error I got....


      Testing Exchange Activesync for host owa.btx.com
       Exchange Activesync test Failed
      Test Steps
       
      Attempting to Resolve the host name owa.btx.com in DNS.
       Host successfully Resolved
      Additional Details
       IP(s) returned: 208.253.29.13
      Testing TCP Port 443 on host owa.btx.com to ensure it is listening/open.
       The port was opened successfully.
      Testing SSLCertificate for validity.
       The certificate passed all validation requirements.
      Additional Details
       Subject: CN=owa.btx.com, OU=Domain Control Validated, O=owa.btx.com, Issuer SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
      Testing Http Authentication Methods for URL https://owa.btx.com/Microsoft-Server-Activesync/
       Http Authentication Methods are correct
      Additional Details
       Found all expected authentication methods and no disallowed methods Methods Found: Basic realm="owa.btx.com"
      Attempting an Activesync session with server
       Errors were encountered while testing the ActiveSync session
      Test Steps
       
      Attempting to send OPTIONS command to server
       Testing the OPTIONS command failed. See Additional Details for more info
      Additional Details
       A Web Exception occured because an HTTP 401 - Unauthorized response was received from Unknown
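The two test runs above differ in exactly one thing: the first was given the IP address, the second the DNS name. Hostname verification checks the name the client connected to against the names the certificate carries, and the certificate's subject is CN=owa.btx.com, so an IP connection can never pass. The example below is added here and is not part of the original thread or of any tool mentioned in it. It builds two certificate dicts in the shape returned by Python's ssl.SSLSocket.getpeercert(): CERT_FROM_TEST mirrors the subject printed by the test (assuming, as was typical then, no subjectAltName extension), and CERT_WITH_SAN is a hypothetical modern certificate used to show the general rules (SAN takes precedence over CN, wildcards cover one label only, an IP connection only matches an IP Address SAN). The check_live helper is optional, needs network access, and is not used by the offline demonstration.

```python
"""Hostname verification as applied to the certificate from the connectivity test.

Added example; the certificate dicts are constructed, not captured from a server.
"""
import ipaddress
import socket
import ssl

# Constructed to mirror ssl.SSLSocket.getpeercert() for the subject printed by the
# test output (CN=owa.btx.com). Assumption: no subjectAltName extension present.
CERT_FROM_TEST = {
    "subject": (
        (("commonName", "owa.btx.com"),),
        (("organizationalUnitName", "Domain Control Validated"),),
        (("organizationName", "owa.btx.com"),),
    ),
    "issuer": ((("commonName", "Go Daddy Secure Certification Authority"),),),
}

# Hypothetical modern-style certificate (constructed) used to show the general rules.
CERT_WITH_SAN = {
    "subject": ((("commonName", "owa.btx.com"),),),
    "subjectAltName": (
        ("DNS", "owa.btx.com"),
        ("DNS", "*.btx.com"),
        ("IP Address", "208.253.29.13"),
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: '*' may only stand for the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, must not sit directly under a TLD,
    # and never spans more than one label of the presented hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_hostname(cert: dict, host: str) -> bool:
    """True if the name the client connected to (DNS name or IP literal) is covered by cert."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if _is_ip_literal(host):
        # An IP connection is only satisfied by an iPAddress SAN; the CN never counts.
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in ip_names)
    if dns_names:
        # Once a SAN extension with DNS names exists, the commonName is ignored.
        return any(_dns_label_match(pattern, host) for pattern in dns_names)
    # Legacy fallback for certificates without SAN: compare against commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_label_match(value, host):
                return True
    return False


def explain(cert: dict, host: str) -> str:
    verdict = "passes" if matches_hostname(cert, host) else "FAILS"
    return f"{host}: {verdict} hostname verification"


def check_live(host: str, port: int = 443) -> dict:
    """Optional live check (network required): full chain and hostname validation via ssl."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Same certificate, connected to by IP (as in the first test) and by name (second test).
    for name in ("208.253.29.13", "owa.btx.com", "OWA.BTX.COM", "mail.btx.com"):
        print(explain(CERT_FROM_TEST, name))
    # General rules with a SAN-bearing certificate.
    for name in ("208.253.29.13", "mail.btx.com", "a.b.btx.com"):
        print(explain(CERT_WITH_SAN, name))
```

Running the module prints the verdict for each name; the first loop reproduces the failure-by-IP and success-by-name pattern seen in the two test runs, and the second shows that only an IP Address SAN makes a connection by IP acceptable, which is why a device configured with the server's IP rather than its DNS name will keep reporting the certificate as unverifiable no matter how the certificate is installed.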
Ok, I don't think that your certificate is the problem.
Can you confirm if you are using forms based authentication for your outlook web access..?
mancoi (ASKER)

Forms based authentication is not configured.
mancoi (ASKER)

Hi John,

Does the iPhone work with OMA? Or is that only for Windows Mobile phones?

(OMA is disabled)

Ok, good news about forms based auth, we can rule that out...
OMA should be enabled...
mancoi (ASKER)

I will enable and test with OMA enabled, but do you think I should look into the ActiveSync Exchange settings?

It is all too weird how when I do not require SSL within IIS on the Exchange server, the iPhone works perfectly.

(I enable SSL on the /Exchange directory within IIS; that is the only place where I require SSL.)
Err, sorry, I must have missed this.. You shouldn't not tick "require SSL" on the virtual directory else ActiveSync won't work properly.
mancoi (ASKER)

Update....

Enabling OMA did not help, but I notice that the iPhone is set up using SSL and works. But when I go to IIS and "require SSL" on the /Exchange virtual directory with 128-bit encryption, the iPhone will not sync and prompts me with "cannot get mail".

I do need to "require SSL" for all traffic. Hope this helps the cause.

Oops, double negative..! I meant that you should not tick "require SSL" on the Exchange virtual directory, else ActiveSync won't work..
Have a read of this...
http://support.microsoft.com/kb/817379
mancoi (ASKER)

wow, we are getting close....

The iPhone is working but without a secure (require SSL) OWA....

So if SSL is required on the /Exchange virtual directory the ActiveSync will not work. But how do I require all traffic to use SSL for OWA access and have my iPhone work too?

I also noticed that I can "require SSL" using the IIS /Microsoft-Server-ActiveSync virtual directory. This is where I can regulate the iPhone's SSL, but it still leaves OWA in an insecure state.

You should be able to tick "require SSL" for the root directory. Users don't access the other virtual dirs directly...
Also I would recommend that you only allow port 443 through the FW to that server..
mancoi (ASKER)

My users access https://owa.domain.com/exchange

When accessing the above link to OWA, don't they access the /Exchange virtual directory?
mancoi (ASKER)

Enabling SSL to the root directory will break my RPC connections. Right?
If they are set up to go over HTTP and the HTTPS setup is not correct, yes.
Are your RPC connections connecting via HTTP or HTTPS?
mancoi (ASKER)

My RPC is configured to go over HTTPS.

The concern now is how to get both OWA and Activesync to use SSL.

I have been investigating another experts-exchange article at: https://www.experts-exchange.com/questions/23629611/Configure-Exchange-2003-ActiveSync-with-iPhone-3G.html

I have done the registry and copy of the virtual directory and still nothing.

mancoi (ASKER)

Hi John, Thanks for the persistence!

Here is an updated status of my issue...

SSL required for both OWA and iPhone mail access.

The /Microsoft-Server-ActiveSync virtual directory requires SSL.

iPhone will receive mail using SSL when the /Exchange virtual directory does not require SSL.

So this means the iPhone accepts the certificate in order to accept mail using SSL configured on the iPhone.

But when I turn on "require SSL" on the /Exchange virtual directory, the iPhone will not receive mail.

I know these two virtual directories are tied together somehow; there must be a workaround.

mancoi,
Let me check exactly what config I have, I have a similar setup..
mancoi (ASKER)

Ok Thanks, This is still burning my butt.
I am most certain that after I have worked on this for weeks, that there is something little that needs to be tweaked.

Thanks for your persistence!!
Sorry, had a busy couple of days (again!) will try and look tonight...
ASKER CERTIFIED SOLUTION
mancoi

I have checked, I have the same as you... Although I don't allow access on port 80..
Have a read of this Q, Simon explains well.
http://www.experts-exchange.com/Q_22738119.html