iPhone Exchange access stops working following replacement of self-signed SSL certificate with a 3rd party certificate
Hello,
I manage an SBS 2003 Premium system that has Exchange 2003 and ISA 2004. The problem relates to iPhones that used to be able to get email from the Exchange mailbox but now cannot. The problem arose when I replaced the self-signed certificate with an SSL (standard) certificate from GoDaddy. I believe the GoDaddy SSL certificate is installed correctly because now Outlook Web Access and Remote Web Workplace no longer complains about the site's security when the server is accessed from outside.
The certificate that I had was for secure.mydomain.org and the certificate I requested was for secure.mydomain.org.
The iPhone Exchange-connecting account previously had been working through my yearly (on the server) renewal of certificate secure.mydomain.org through http://<server>/certsrv and then moving it to the iPhone where clicking on it installed it on the iPhone.
I followed the directions in the article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283, i.e. using IIS 6 Manager to create a dummy new web site (at the same level as Default Web Site) called secure.mydomain.org and using that website to create the request for new certificate secure.mydomain.org. This may be significant: At the time I requested the certificate for the dummy web site the iPhone access stopped working.
On the next day I finished the process, i.e. actually requesting and receiving and then installing the GoDaddy-provided certificate into that dummy site and then updating the Web Listener in ISA 2004 with that new certificate.
Now, nothing that I try on the iPhone will make it actually get the email. What happens is that the iPhone apparently validates to the server OK but when you try to sync the email using that Exchange account, it briefly says "Updating" and then stops, with no error message but no content actually downloaded.
We have tried removing the previously installed secure.mydomain.org "profile" from the Networks on the iPhone, and resetting the Network properties, redefining the Exchange email account on the iPhone, with no success. We have installed a copy of the new secure.mydomain.org certificate exported from the Personal store in the Certificates mmc on the server -- no luck.
Question: I now have several secure.mydomain.org certificates in my Personal store on the server, the last self-signed one will expire on 4/23/10, and the most recent of course being the one issued by GoDaddy. Do these conflict at all?
Question: Is it necessary to export any GoDaddy intermediate certificates from the Certificates mmc on the server, and install them? It is really not clear to me. The article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283 discusses the need with some phones to have intermediate certificates and says how to export them but never says where you need to import them.
I have not yet deleted the dummy website secure.mydomain.com. I know I need to do that but since not all is OK, I have not done it yet. I cannot see how the existence of that site can be affecting this.
I am hopeful that you can give some guidance to how to get my iPhone users happy again.
Rob
I manage an SBS 2003 Premium system that has Exchange 2003 and ISA 2004. The problem relates to iPhones that used to be able to get email from the Exchange mailbox but now cannot. The problem arose when I replaced the self-signed certificate with an SSL (standard) certificate from GoDaddy. I believe the GoDaddy SSL certificate is installed correctly because now Outlook Web Access and Remote Web Workplace no longer complains about the site's security when the server is accessed from outside.
The certificate that I had was for secure.mydomain.org and the certificate I requested was for secure.mydomain.org.
The iPhone Exchange-connecting account previously had been working through my yearly (on the server) renewal of certificate secure.mydomain.org through http://<server>/certsrv and then moving it to the iPhone where clicking on it installed it on the iPhone.
I followed the directions in the article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283, i.e. using IIS 6 Manager to create a dummy new web site (at the same level as Default Web Site) called secure.mydomain.org and using that website to create the request for new certificate secure.mydomain.org. This may be significant: At the time I requested the certificate for the dummy web site the iPhone access stopped working.
On the next day I finished the process, i.e. actually requesting and receiving and then installing the GoDaddy-provided certificate into that dummy site and then updating the Web Listener in ISA 2004 with that new certificate.
Now, nothing that I try on the iPhone will make it actually get the email. What happens is that the iPhone apparently validates to the server OK but when you try to sync the email using that Exchange account, it briefly says "Updating" and then stops, with no error message but no content actually downloaded.
We have tried removing the previously installed secure.mydomain.org "profile" from the Networks on the iPhone, and resetting the Network properties, redefining the Exchange email account on the iPhone, with no success. We have installed a copy of the new secure.mydomain.org certificate exported from the Personal store in the Certificates mmc on the server -- no luck.
Question: I now have several secure.mydomain.org certificates in my Personal store on the server, the last self-signed one will expire on 4/23/10, and the most recent of course being the one issued by GoDaddy. Do these conflict at all?
Question: Is it necessary to export any GoDaddy intermediate certificates from the Certificates mmc on the server, and install them? It is really not clear to me. The article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283 discusses the need with some phones to have intermediate certificates and says how to export them but never says where you need to import them.
I have not yet deleted the dummy website secure.mydomain.com. I know I need to do that but since not all is OK, I have not done it yet. I cannot see how the existence of that site can be affecting this.
I am hopeful that you can give some guidance to how to get my iPhone users happy again.
Rob
ASKER
Hello, augwwest,
Thank you for your post.
No, I did not add the certificate to anything else besides what the link I mentioned said to do. The certificate that is "relayed" (I'll call it) from ISA to IIS is called Publishing.mydomain.intern
I am not an iPhone user myself and not too "up" on it (probably shows), but I believe it is Active Sync that it uses.
I have tried deleting the email account on the iPhone and re-creating it fresh. The people at the Genius Bar at an Apple store did this for me and they also took care to make sure that the old certificate was not cached.
Rob
Thank you for your post.
No, I did not add the certificate to anything else besides what the link I mentioned said to do. The certificate that is "relayed" (I'll call it) from ISA to IIS is called Publishing.mydomain.intern
I am not an iPhone user myself and not too "up" on it (probably shows), but I believe it is Active Sync that it uses.
I have tried deleting the email account on the iPhone and re-creating it fresh. The people at the Genius Bar at an Apple store did this for me and they also took care to make sure that the old certificate was not cached.
Rob
ASKER
Hi,
I have also just (4/22/10) discovered this: The server's Application Log is full of the application error Source Server ActiveSync, Event ID 3005. Description: "Unexpected Exchange mailbox server error: Server [<my FQ server name>] User <myuser>@<mydomain>.org] HTTP Status code [501]. Verify that the Exchange mailbox Server is working correctly"
I have 3 iPhone users and these errors are getting thrown often enough to fill the Application log, ever since the new certificate request was made, probably.
Does this give you any additional info that could be helpful to me?
So far my searches on this error are not giving me what I can understand or that I yet find helpful for my particular situation.
Glad for any additional help you could offer
I have also just (4/22/10) discovered this: The server's Application Log is full of the application error Source Server ActiveSync, Event ID 3005. Description: "Unexpected Exchange mailbox server error: Server [<my FQ server name>] User <myuser>@<mydomain>.org] HTTP Status code [501]. Verify that the Exchange mailbox Server is working correctly"
I have 3 iPhone users and these errors are getting thrown often enough to fill the Application log, ever since the new certificate request was made, probably.
Does this give you any additional info that could be helpful to me?
So far my searches on this error are not giving me what I can understand or that I yet find helpful for my particular situation.
Glad for any additional help you could offer
On the iphone itself, there is an option under the account to use SSL or not use
Check to see which they have set.
Like i said you may have to completely erase their mail connection on the IPHONE, and reset it up now that your new cert is in place.
Also Iphones dont have to connect with active sync they can also connect using Imap or Pop accounts depending on how your email server is setup
Check to see which they have set.
Like i said you may have to completely erase their mail connection on the IPHONE, and reset it up now that your new cert is in place.
Also Iphones dont have to connect with active sync they can also connect using Imap or Pop accounts depending on how your email server is setup
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also do you not use active sync on the iphones?
Try complete deleting the email account and readding fresh