Configuring iPhone with SBS 2003 Server

I want to set up my iPhone to work with my SBS 2003 server. iPhone 3G with the updates.

I have forwarded 443 on my router and I can access https://mail.mycompany.com/exchange and use the OWA facilities.

But when I try to configure my iPhone with the settings it doesn't work.

It fails to connect to server.

Should my exchange be using activesync to communicate with the iPhone?

I believe it may be a problem with certificates. Can someone advise me how to install the certificate and apply it to the phone?
unrealone1 Asked:
 
Alan Hardisty Co-Owner Commented:
Please have a read of my Exchange 2003 / Activesync article that should help get you up and running:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2003-Activesync-Connection-Problems-FAQ.html
If you get stuck - please shout.
0
 
victornegri Commented:
You'll probably need to purchase an SSL Certificate from a trusted certificate authority (generating your own doesn't work). The cheapest one I've found is GoDaddy: http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979. A "Standard SSL" Cert is good enough.

Follow the instructions on the GoDaddy site to install it on IIS on the server and your iPhone should be able to connect. If you have multiple websites hosted on that server, make sure it's linked to the site that hosts your Exchange Web Access.
0
 
Alan Hardisty Co-Owner Commented:
Exchange 2003 works happily with a Self-Signed certificate and an iPhone does not care too much about who created the certificate as the certificate is not as strict as a Windows Mobile phone.
As long as you have a certificate of some description and it is configured (named) properly, you will be fine.
0

 
Alan Hardisty Co-Owner Commented:
Sorry - above should read:
Exchange 2003 works happily with a Self-Signed certificate and an iPhone does not care too much about who created the certificate as the iPhone is not as strict as a Windows Mobile phone.
0
 
unrealone1 Author Commented:
Went into IIS on sbs2003 server.

Websites > Default websites > right click properties > directory security and the certificate is correct.

*All the settings I am applying to the phone are correct.

I read about, you need to email the certificate to the iPhone?

When I add the mailbox to the phone. I get: Unable to verify certificate The certificate from "mail.company.com" for account info@company.com could not be verified.

So I select Accept.
0
 
Alan Hardisty Co-Owner Commented:
Please have a read of my article more carefully. The settings on the Virtual Directories are the important ones, which you have not mentioned.
You just have to click Accept on the iPhone - as long as the certificate is correct.
The tests on https://testexchangeconnectivity.com need to be run and the output posted here (if it fails the test).
0
 
unrealone1 Author Commented:
"Please check and mirror the settings below (Open up IIS, expand the default website then expand the relevant Virtual Directory, right-click on the Virtual Directory and choose properties, then click on the Directory Security Tab)"

What is my relevant directory?
0
 
Alan Hardisty Co-Owner Commented:
You should see a list of directories under Default Website.  Two of them should be Exchange and Microsoft-Server-Activesync.  The settings for which should be as per the following:
Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked

0
 
unrealone1 Author Commented:
Ok, I applied the suggested settings to:
Exchange Virtual Directory
Microsoft-Server-Activesync Virtual Directory
Exchange-oma Virtual Directory

Ran the exchange test again:
 Testing Exchange ActiveSync  
  Exchange ActiveSync test Failed
   Test Steps
   Attempting to resolve the host name mail.mycompany.org in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 84.565.56.129  (edited)
 
 Testing TCP Port 443 on host mail.mycompany.org to ensure it is listening and open.
  The port was opened successfully.
 Testing SSL Certificate for validity.
  The SSL Certificate failed one or more certificate validation checks.
   Test Steps
   Validating certificate name
  Successfully validated the certificate name
   Additional Details
  Found hostname mail.mycompany.org in Certificate Subject Common name  
 
 Validating certificate trust for Windows Mobile Devices
  Certificate trust validation failed
 


0
 
Alan Hardisty Co-Owner Commented:
Not sure exactly what is wrong as you have only reported part of the output from the, but I would imagine you need to install the following file (download from the link below) on your server:
http://support.microsoft.com/kb/931125 
0
 
unrealone1 Author Commented:
The rest of it:
Additional Details
  The certificate chain did not end in a trusted root. Root = CN=mail.mycompany.org, CN=companyweb, CN=myserver, CN=localhost, CN=myserver.mydomain.local  
0
 
Alan Hardisty Co-Owner Commented:
Yep - I thought so - please download the update from the link above (on the server) and install it.  Then re-test on the test site and fingers crossed.
Alan
0
 
unrealone1 Author Commented:
OK, I have downloaded it on to my server, do I just run the exe (rootsupd.exe)? As I have run it but nothing happens.
0
 
Alan Hardisty Co-Owner Commented:
Yep - just run it - nothing very exciting happens.  Then re-run the Activesync test on the website - it should get past the certificate error.
0
 
unrealone1 Author Commented:
Really appreciate your help Alan, but I ran that exe twice and nothing appears to happen on the server (this may be right). So I run the exchange test and get the same results. Just wondering if that exe runs properly.
0
 
unrealone1 Author Commented:
I just looked at
http://support.microsoft.com/kb/931125 

It doesn't list SBS 2003 server, which mine is?

This the right file?
0
 
Alan Hardisty Co-Owner Commented:
SBS 2003 is a merged Windows Server 2003 and Exchange Server 2003, thus the file is applicable to you.
It should update the Root certificates and resolve the issue.  Can you run iisreset just in case and try again please on the test site.
0
 
unrealone1 Author Commented:
command prompt
and type
Iisreset /noforce

That correct?
0
 
Alan Hardisty Co-Owner Commented:
Yes but I would just do iisreset.
0
 
unrealone1 Author Commented:
Ran the file again, and tested it again but no luck, still brings the same error

"The certificate chain did not end in a trusted root. Root = CN=mail.mycompany.org, CN=companyweb, CN=myserver, CN=localhost, CN=myserver.mydomain.local"
0
 
unrealone1 Author Commented:
Did the iisreset after applying the update. And then tested but no luck.
0
 
Alan Hardisty Co-Owner Commented:
Sorry - the certificate is a self-signed certificate thus it won't end in a trusted root authority and thus you should tick the ignore trust for SSL - as per the suggestion in my article.
Too much multi-tasking going on for me today!
0
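
The two certificate checks from the test output above (name validation passing, trust validation failing on a self-signed certificate), reproduced locally with the `openssl` command line. This is an added example, not part of the original thread; the hostname `mail.example.test` and the function names are placeholders made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (constructed): throwaway self-signed certificate for the
# placeholder host mail.example.test; nothing here contacts a real server.

# Create a self-signed cert whose only name is the subject Common Name.
make_self_signed() {   # $1 = output dir, $2 = hostname for the CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Self-signed means subject and issuer are the same name.
is_self_signed() {     # $1 = cert
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Name check: does the certificate cover this hostname?
name_matches() {       # $1 = cert, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Trust check: does the chain end in one of the given trust anchors?
# With no second argument the default root store is used.
chain_trusted() {      # $1 = cert, $2 = optional trust-anchor file
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify "$1" 2>/dev/null | grep -q ': OK$'
  fi
}

report() {             # $1 = cert, $2 = hostname
  if name_matches "$1" "$2"; then echo "name: ok"; else echo "name: MISMATCH"; fi
  if is_self_signed "$1"; then echo "issuer: self-signed"; fi
  if chain_trusted "$1"; then echo "trust (root store): ok"
  else echo "trust (root store): FAILED"; fi
  if chain_trusted "$1" "$1"; then echo "trust (cert itself as anchor): ok"; fi
}

demo_dir=$(mktemp -d)
make_self_signed "$demo_dir" mail.example.test
report "$demo_dir/cert.pem" mail.example.test
```

The root-store check fails no matter how many public roots are installed, because a self-signed certificate is its own root; the result only changes when that certificate itself is supplied as a trust anchor.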
 
unrealone1 Author Commented:
You mean this:
"
Self-Certified SSL Certificate:
Check the "Ignore Trust for SSL" checkbox."

Where is this configured, where do I check this box?

Update:
Exchange account is verified on iPhone, but fails to connect to server.
0
 
Alan Hardisty Co-Owner Commented:
On https://testexchangeconnectivity.com website, choose Exchange Activesync test and specify manual server settings, then tick the "Ignore Trust for SSL" check box and the test will ignore your self-signed certificate.
0
 
unrealone1 Author Commented:
Ok.
"Attempting FolderSync command on ActiveSync session
  FolderSync command test failed
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body> "
 
So going to check this part, which you mentioned in your article and will post back:

HTTP 403 Error:
Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab).  If it is -- read http://support.microsoft.com/kb/817379

I have had Activesync work despite seeing "An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>" at the end of the test above.  To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.
0
 
unrealone1 Author Commented:
Ok I did this:
"Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab)" (It was so I turned it off)
AND
"please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list."

But still getting:
Attempting FolderSync command on ActiveSync session
  FolderSync command test failed
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>  
 
0
 
Alan Hardisty Co-Owner Commented:
Please run through method 2 of KB817379 - which should resolve your 403 Error.
0
 
unrealone1 Author Commented:
Thanks Alan a lot, appreciate your help. Played around with security on the activesync virtual directory, which seemed to get it working. Many thanks.
0