Solved

iPhone does not work with SSL Exchange

Posted on 2009-05-04
Last Modified: 2012-05-06
I am having a hard time setting up my iPhone with SSL Exchange.

I have the SSL certificates through GoDaddy. I have the .crt and .p7b files that I used for OWA on Exchange.

I have created .cer files from the installed GoDaddy intermediate files above too.

On the iPhone, I am able to access OWA through Safari, but unable to "get mail" on my iPhone from the SSL Exchange.

All settings for my email account are properly set.

I tried installing the .crt and .cer files using Safari on my iPhone. They always say the certificate cannot be verified. I do see the certificate under "profiles" but as not verified.
I am at a loss and have tried for many days now.

Thank you in advance
Question by:mancoi
34 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24295430
You shouldn't need to install anything on the iPhone at all. I believe the GoDaddy certificates are trusted natively by the iPhone. Therefore if you have attempted to install certificates you should remove them, as they will simply cause problems.

Simon.
0
 

Author Comment

by:mancoi
ID: 24295490
Yes, I have tried to clear the certificates under "profiles".

Is there another place where I can "clean out" other certificates?
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24296403
The easy way to get rid of the certificates (and be sure about it) is to do a restore.. Then as Simon has pointed out you should be able to connect to active sync without problems..!
If not then we are here to help..!
0
 

Author Comment

by:mancoi
ID: 24296627
I cannot restore this iPhone to original state b/c I am helping a user (not my phone).
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24299957
I would at least soft reset the device, so that the memory is flushed.
I can only suggest browsing to the server using the built in browser and confirming that you do not get any certificate prompts. If you do, then something still isn't correct with the certificates.

Simon.
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24301829
Restoring is the only way to be really sure that the phone has forgotten about the certificate.
You could try a network reset under Settings => General => Reset. If that doesn't work then you could try a full reset (without erasing data)..
0
 

Author Comment

by:mancoi
ID: 24304077
Would I lose any information like settings, bookmarks, mail configurations, installed applications and/or contacts?

This is my main concern. If I lose those for the user, I will be screwed.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24304304
Does the user not have a backup?
When it comes to this argument I simply turn round and ask the user what would happen if it was stolen, lost or damaged. If the user is in a position where they cannot recover the device then they have bigger problems to worry about.

Simon.
0
 

Author Comment

by:mancoi
ID: 24304766
Can I create a backup? Where does it store? So I am guessing that a reset will clear out all user settings like installed apps, contacts and everything else?
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24308505
mancoi,
There are a number of different resets that you can do with the iPhone. Not all of them wipe data (well, actually the only one that does is the one that says, Reset all settings and erase data!)
You can always do a backup by plugging the iPhone into a computer with iTunes, then you can right click on the iPhone and choose backup. This is always a good idea anyway. When I am working on any phone that I get in, I take a backup first, saves you having trouble in the future.
0
 

Author Comment

by:mancoi
ID: 24308949
Ok. I called Apple today and the person really could not help me too much besides resetting all the network connections and deleting/recreating the Exchange account. He was unable to help with the certificate issue. I have deleted everything and started over from scratch and the certificate still reads "not verified" but it will allow me to install it.
Do you think we should be looking at what certificate is needed? I am importing a .crt file (the one I got directly from GoDaddy)
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24311518
Can you run the active sync test @ www.testexchangeconnectivity.com?
and post the results. We can then see what is going on...? Do you have any other devices successfully connected?
0
 

Author Comment

by:mancoi
ID: 24313632
I think we are on to something......

      Testing Exchange Activesync for host 208.253.29.13
       Exchange Activesync test Failed
      Test Steps
       
      Attempting to Resolve the host name 208.253.29.13 in DNS.
       Host successfully Resolved
      Additional Details
       IP(s) returned: 208.253.29.13
      Testing TCP Port 443 on host 208.253.29.13 to ensure it is listening/open.
       The port was opened successfully.
      Testing SSLCertificate for validity.
       The SSLCertificate failed one or more certificate validation checks.
       
      Tell me more about this issue and how to resolve it
      Additional Details
0
 

Author Comment

by:mancoi
ID: 24313667
Wait a minute.....


I used the IP address on the test above.

This time I used the name.

This is the error I got....


      Testing Exchange Activesync for host owa.btx.com
       Exchange Activesync test Failed
      Test Steps
       
      Attempting to Resolve the host name owa.btx.com in DNS.
       Host successfully Resolved
      Additional Details
       IP(s) returned: 208.253.29.13
      Testing TCP Port 443 on host owa.btx.com to ensure it is listening/open.
       The port was opened successfully.
      Testing SSLCertificate for validity.
       The certificate passed all validation requirements.
      Additional Details
       Subject: CN=owa.btx.com, OU=Domain Control Validated, O=owa.btx.com, Issuer SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
      Testing Http Authentication Methods for URL https://owa.btx.com/Microsoft-Server-Activesync/
       Http Authentication Methods are correct
      Additional Details
       Found all expected authentication methods and no disallowed methods Methods Found: Basic realm="owa.btx.com"
      Attempting an Activesync session with server
       Errors were encountered while testing the ActiveSync session
      Test Steps
       
      Attempting to send OPTIONS command to server
       Testing the OPTIONS command failed. See Additional Details for more info
      Additional Details
       A Web Exception occured because an HTTP 401 - Unauthorized response was received from Unknown
0
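The two test runs above differ only in the name that was checked: the certificate is issued to owa.btx.com, so validation fails when the client connects by IP address and passes when it connects by host name. The sketch below is an added example, not part of the original thread or of the test tool, showing that name check; the certificate is a constructed dictionary in which only the CN comes from the output above, the SAN list is an assumption, and `check_name` is a hypothetical helper.

```python
import ipaddress

# Constructed certificate fields. Only the CN is taken from the test output;
# the SAN entries are assumed for this example.
SAMPLE_CERT = {
    "subject_cn": "owa.btx.com",
    "san_dns": ["owa.btx.com"],
    "san_ip": [],
}

def _is_ip(host):
    """True when the host the client dialled is an IP literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one certificate name with a host name, case-insensitively.
    '*' is honoured only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_name(cert, host):
    """Return (ok, reason) for a client connecting to `host`."""
    if _is_ip(host):
        # An IP literal is never compared with DNS names or the CN.
        addr = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == addr for ip in cert["san_ip"]):
            return True, "matched iPAddress SAN"
        return False, "IP literal not in any iPAddress SAN"
    # Legacy fallback: use the CN only when the certificate has no DNS SANs.
    names = cert["san_dns"] or [cert["subject_cn"]]
    for name in names:
        if _dns_match(name, host):
            return True, "matched " + name
    return False, "no DNS name in the certificate matches"

if __name__ == "__main__":
    for target in ("208.253.29.13", "owa.btx.com"):
        print(target, check_name(SAMPLE_CERT, target))
```

Any client configured with the server's IP address instead of its name would hit the same mismatch, whatever certificates are installed on the device.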
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24314271
Ok, I don't think that your certificate is the problem.
Can you confirm if you are using forms based authentication for your outlook web access..?
0
 

Author Comment

by:mancoi
ID: 24314468
Forms based authentication is not configured.
0
 

Author Comment

by:mancoi
ID: 24314697
Hi John,

Does the iPhone work with OMA? Or is that only for Windows Mobile phones?

(OMA is disabled)

0

 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24315010
Ok, good news about forms based auth, we can rule that out...
OMA should be enabled...
0
 

Author Comment

by:mancoi
ID: 24315115
I will enable and test with OMA enabled, but do you think I should look into the Active Sync Exchange settings?

It is all too weird how when I do not require SSL within IIS on the Exchange server, the iPhone works perfectly.

(I enable SSL on the /Exchange directory within IIS, that is the only place where I require SSL)
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24315551
Err, sorry, I must have missed this.. You shouldn't not tick "require SSL" on the virtual directory else active sync won't work properly.
0
 

Author Comment

by:mancoi
ID: 24315622
Update....

Enabling OMA did not help, but I notice that the iPhone is set up using SSL and works. But when I go to IIS and "require SSL" on the /Exchange virtual directory with 128-bit encryption, the iPhone will not sync and prompts me with "cannot get mail"

I do need to "require ssl" for all traffic. Hope this helps the cause.

0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24315733
Oops, double negative..! Meant that you should not tick require SSL on the Exchange Virtual directory else active sync won't work..
 Have a read of this...
http://support.microsoft.com/kb/817379
0
 

Author Comment

by:mancoi
ID: 24315839
wow, we are getting close....

The iPhone is working but without a secure (require SSL) OWA....

So if SSL is required on the /Exchange virtual directory the Active Sync will not work. But how do I require all traffic to use SSL for OWA access and have my iPhone work too?

I also noticed that I can "require SSL" using IIS /Microsoft-Server-ActiveSync virtual directory. This is where I can regulate the iPhone's SSL, but still leaves OWA in an unsecure state.

0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24316713
You should be able to tick the "require SSL" for the root directory. Users don't access the other virtual dirs directly...
Also would recommend that you only allow port 443 through the FW to that server..
0
 

Author Comment

by:mancoi
ID: 24316779
My users access https://owa.domain.com/exchange

When accessing the above link to OWA, don't they access the /Exchange virtual directory?
0
 

Author Comment

by:mancoi
ID: 24317046
Enabling SSL to the root directory will break my RPC connections. Right?
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24318122
If they are setup to go over http and https set up is not correct, Yes.
Are your RPC connections connecting via http or https?
0
 

Author Comment

by:mancoi
ID: 24319259
My RPC is configured to go over HTTPS.

The concern now is how to get both OWA and Activesync to use SSL.

I have been investigating another experts-exchange article at: http://www.experts-exchange.com/Apple/Hardware/iPhone/Q_23629611.html

I have done the registry and copy of the virtual directory and still nothing.

0
 

Author Comment

by:mancoi
ID: 24325828
Hi John, Thanks for the persistence!

Here is an updated status of my issue...

SSL required for both OWA and iPhone mail access.

The /Microsoft-Server-ActiveSync virtual directory requires SSL.

iPhone will receive mail using SSL when the /Exchange virtual directory does not require SSL.

So this means, the iPhone accepts the certificate in order to accept mail using SSL configured on the iPhone.

But when I turn on "require SSL" on the /Exchange virtual directory, the iPhone will not receive mail.
 
I know these two virtual directories are tied together somehow, there must be a workaround.

0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24344633
mancoi,
Let me check exactly what config I have, I have a similar setup..
0
 

Author Comment

by:mancoi
ID: 24365037
Ok Thanks, This is still burning my butt.
I am most certain that after I have worked on this for weeks, that there is something little that needs to be tweaked.

Thanks for your persistence!!
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24374503
Sorry, had a busy couple of days (again!) will try and look tonight...
0
 

Accepted Solution

by:
mancoi earned 0 total points
ID: 24374797
Ok Thanks, let me know if you find anything, I am at a stand still over here.
0
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 24379365
I have checked, I have the same as you... Although I don't allow access on port 80..
Have a read of this Q, Simon explains well.
http://www.experts-exchange.com/Q_22738119.html
 
0
