Exchange 2010 ActiveSync

New Exchange 2010 server installed.  Now all of our Windows Mobile devices (Palms) will not sync.  The error is 0x85010004.  I am not certain, but I think this is because we do not have an SSL certificate for our server.  I understand that it is preferred to have an SSL certificate, and I may do that.  But right now, I just want to get it working.  What do I need to do in Exchange 2010 to get these devices to sync without any SSL certificate(s)?

Thank you.
David Barman asked:
Alan Hardisty (Co-Owner) commented:
Not much you can do without buying and installing an SSL certificate, so I would do that and then see if ActiveSync works.
If you are not convinced, visit https://testexchangeconnectivity.com and run the Exchange ActiveSync test.
Specify manual server settings and see what the results are with or without "Ignore Trust for SSL".
I bet it fails at the SSL (Certificate) stage.
David Barman (Author) commented:
I assume I need a wildcard certificate.  They seem to be pricey - $300-$400 per year.  Any advice on a cheaper solution?
Alan Hardisty (Co-Owner) commented:
I would not suggest a Wildcard certificate unless you absolutely need one.
Regular 2010 hosting a single domain should work happily with a 5 name SAN / UCC certificate.  If you are planning on hosting, then you will need more names / a wildcard cert.
GoDaddy are offering a 5 Domain SAN / UCC certificate for $89.99 for 1 year.  www.godaddy.com - probably the cheapest price around.
You will need to include the following names in your certificate (as a minimum):
mail.yourdomain.com
autodiscover.yourdomain.com
internalservername
internalservername.internaldomain.local

Satya Pathak (Lead Technical Consultant) commented:
Suppose we want to create a UCC self-signed certificate. We will require the following names:

#NETBIOS name of Exchange: EX-2k7 (example)
#Internal FQDN: EX-2k7.abc.local (example)
#External FQDN (Public name): webmail.abc.com (example) (use nslookup/ping to verify the external FQDN)
#Autodiscover name: autodiscover.abc.com (example)
#SubjectName: cn=webmail.abc.com (example)

In EMS, run the following command to generate the new self-signed certificate (the internal FQDN must match the name listed above):

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "cn=webmail.abc.com" -DomainName EX-2k7,EX-2k7.abc.local,webmail.abc.com,autodiscover.abc.com -PrivateKeyExportable $True

Next, enable the certificate with the Enable-ExchangeCertificate cmdlet. Enable at least IIS and SMTP (replace the thumbprint with the one New-ExchangeCertificate printed):

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxx -Services POP,IMAP,SMTP,IIS

Next, verify the certificate has been installed using EMS, IIS Manager or both. (Sometimes you may have to remove the certificate and then install/enable the certificate again.)
David Barman (Author) commented:
I am having trouble finding the UCC certificates on GoDaddy.  Could you give me a link?
Alan Hardisty (Co-Owner) commented:
Here you go:
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039
Click on the Multiple Domain (UCC) option.
David Barman (Author) commented:
alanhardisty mentioned a minimum domain list of:

mail.yourdomain.com
autodiscover.yourdomain.com
internalservername
internalservername.internaldomain.local

Are there others that I should consider?
Is there any reference or procedure you would recommend for submitting for the certificate?
David Barman (Author) commented:
Ok.  I purchased a UCC SSL from GoDaddy; when I try to provide the CSR from the server, the GoDaddy site gives me a problem:
It says "You can not enter subject alt names that are the same as the primary domain name"

These are the Subject alt names that I have provided in the CSR:
server.leidalandhart.local
mail.leidalandhart.com
autodiscover.leidalandhart.local
autodiscover.leidalandhart.com
server

What does it not like about this?
Alan Hardisty (Co-Owner) commented:
You should have them in the following order:
mail.leidalandhart.com - important this is first
autodiscover.leidalandhart.com
server
server.leidalandhart.local
You don't need to add autodiscover.leidalandhart.local
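The naming rules from this exchange (external mail host first as the primary name, no SAN equal to the primary, external autodiscover plus the server's short name and internal FQDN, no autodiscover on the internal .local domain), as an added checker that is not part of the thread; the .local suffix for the internal domain is an assumption taken from the names posted above.

```python
"""Sanity-check the SAN list for an Exchange 2010 UCC/SAN certificate request.

Added example, not code from the thread.  Assumes the internal AD domain ends in
.local, as in the names posted above.
"""
from __future__ import annotations

INTERNAL_SUFFIXES = (".local",)  # assumption: internal AD domain suffix


def order_san_names(primary: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Return (ordered_names, notes).

    ordered_names: primary first, then external autodiscover, the server's short
    (NetBIOS) name, its internal FQDN, and anything else, with duplicates of the
    primary and autodiscover.<internal> dropped.  notes explains every drop and
    lists any required role that is still missing.
    """
    primary = primary.lower().strip()
    ext_domain = primary.split(".", 1)[1]          # mail.example.com -> example.com
    notes: list[str] = []
    kept: list[str] = []
    for raw in names:
        n = raw.lower().strip()
        if not n:
            continue
        if n == primary:
            notes.append(f"dropped {raw!r}: identical to the primary name, CA rejects it")
        elif n.startswith("autodiscover.") and n.endswith(INTERNAL_SUFFIXES):
            notes.append(f"dropped {raw!r}: autodiscover on the internal domain is not needed")
        elif n in kept:
            notes.append(f"dropped duplicate {raw!r}")
        else:
            kept.append(n)

    def rank(n: str) -> int:
        if n == f"autodiscover.{ext_domain}":
            return 1
        if "." not in n:                            # NetBIOS short name
            return 2
        if n.endswith(INTERNAL_SUFFIXES):           # internal FQDN
            return 3
        return 4

    ordered = [primary] + sorted(kept, key=rank)     # stable: input order within a rank
    if not any(rank(n) == 1 for n in kept):
        notes.append(f"missing autodiscover.{ext_domain}")
    if not any(rank(n) == 2 for n in kept):
        notes.append("missing the server's NetBIOS short name")
    if not any(rank(n) == 3 for n in kept):
        notes.append("missing the server's internal FQDN (name.domain.local)")
    return ordered, notes
```

Feeding it the five names from the CSR above reproduces the corrected four-name list, with notes for the two entries GoDaddy would reject or that are unnecessary.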
 
David Barman (Author) commented:
Ok.  I got the certificate from godaddy, and I have installed it into Exchange server.  I have used the https://www.testexchangeconnectivity.com/ website to verify the certificate.
However, the Palm Windows Mobile 6.1 devices still will not sync.  They are still giving the same ActiveSync error message.
So, maybe the certificate was not the problem.  What is the next step to figuring out why these devices will not sync?
Alan Hardisty (Co-Owner) commented:
On the test site, run the Exchange ActiveSync test and specify manual server settings.
Please post the results.
David Barman (Author) commented:
When I run the test, here are the results (the OPTIONS command seems to fail):

Testing Exchange ActiveSync
  Exchange ActiveSync test Failed
  Test Steps
    Attempting to resolve the host name mail.leidalandhart.com in DNS.
      Host successfully resolved
      Additional Details
        IP(s) returned: 69.129.84.50
    Testing TCP Port 443 on host mail.leidalandhart.com to ensure it is listening and open.
      The port was opened successfully.
    Testing SSL Certificate for validity.
      The certificate passed all validation requirements.
      Test Steps
        Validating certificate name
          Successfully validated the certificate name
          Additional Details
            Found hostname mail.leidalandhart.com in Certificate Subject Common name
        Validating certificate trust for Windows Mobile Devices
          The test passed with some warnings encountered. Please expand additional details.
          Additional Details
            Certificate is only trusted on Windows Mobile 6.0 and later. Windows Mobile 5.0 and 5.0 + MSFP devices will not be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
        Testing certificate date to ensure validity
          Date Validation passed. The certificate is not expired.
          Additional Details
            Certificate is valid: NotBefore = 4/14/2010 11:08:29 PM, NotAfter = 4/14/2011 5:45:46 PM
    Testing Http Authentication Methods for URL https://mail.leidalandhart.com/Microsoft-Server-Activesync/
      Http Authentication Methods are correct
      Additional Details
        Found all expected authentication methods and no disallowed methods. Methods Found: Basic
    Attempting an ActiveSync session with server
      Errors were encountered while testing the ActiveSync session
      Test Steps
        Attempting to send OPTIONS command to server
          Testing the OPTIONS command failed. See Additional Details for more info
          Additional Details
            A Web Exception occurred because an HTTP 401 - Unauthorized response was received from IIS7

David Barman (Author) commented:
Any further advice would be appreciated.
David Barman (Author) commented:
Even after purchasing and installing the certificate, the https://www.testexchangeconnectivity.com/ site did not pass all tests.  However, the mobile phones were still able to sync via Exchange ActiveSync.