iPhone Exchange access stops working following replacement of self-signed SSL certificate with a 3rd party certificate


I manage an SBS 2003 Premium system that has Exchange 2003 and ISA 2004.  The problem relates to iPhones that used to be able to get email from the Exchange mailbox but now cannot.  The problem arose when I replaced the self-signed certificate with an SSL (standard) certificate from GoDaddy.  I believe the GoDaddy SSL certificate is installed correctly because now Outlook Web Access and Remote Web Workplace no longer complain about the site's security when the server is accessed from outside.

The certificate that I had was for secure.mydomain.org and the certificate I requested was for secure.mydomain.org.

The iPhone Exchange-connecting account previously had been working through my yearly (on the server) renewal of certificate secure.mydomain.org through http://<server>/certsrv and then moving it to the iPhone where clicking on it installed it on the iPhone.

I followed the directions in the article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283, i.e. using IIS 6 Manager to create a dummy new web site (at the same level as Default Web Site) called secure.mydomain.org and using that website to create the request for new certificate secure.mydomain.org.  This may be significant:  At the time I requested the certificate for the dummy web site the iPhone access stopped working.

On the next day I finished the process, i.e. actually requesting and receiving and then installing the GoDaddy-provided certificate into that dummy site and then updating the Web Listener in ISA 2004 with that new certificate.

Now, nothing that I try on the iPhone will make it actually get the email.  What happens is that the iPhone apparently validates to the server OK but when you try to sync the email using that Exchange account, it briefly says "Updating" and then stops, with no error message but no content actually downloaded.

We have tried removing the previously installed secure.mydomain.org "profile" from the Networks on the iPhone, and resetting the Network properties, redefining the Exchange email account on the iPhone, with no success.  We have installed a copy of the new secure.mydomain.org certificate exported from the Personal store in the Certificates mmc on the server -- no luck.

Question:  I now have several secure.mydomain.org certificates in my Personal store on the server, the last self-signed one will expire on 4/23/10, and the most recent of course being the one issued by GoDaddy.  Do these conflict at all?  

Question:  Is it necessary to export any GoDaddy intermediate certificates from the Certificates mmc on the server, and install them?  It is really not clear to me.  The article http://www.smallbizserver.net/Default.aspx?tabid=266&Id=283 discusses the need with some phones to have intermediate certificates and says how to export them but never says where you need to import them.

I have not yet deleted the dummy website secure.mydomain.com.  I know I need to do that but since not all is OK, I have not done it yet.  I cannot see how the existence of that site can be affecting this.

I am hopeful that you can give some guidance to how to get my iPhone users happy again.


augwest, Director of Information Technology, commented:
Did you apply the cert to all the exchange levels? Imap and so on

Also do you not use active sync on the iphones?

Try completely deleting the email account and re-adding it fresh.
rwwilcox (Author) commented:
Hello, augwest,
Thank you for your post.
No, I did not add the certificate to anything else besides what the link I mentioned said to do.  The certificate that is "relayed" (I'll call it) from ISA to IIS is called Publishing.mydomain.internal, and that is the certificate that is mentioned in Directory Security of the Default Web Site.

I am not an iPhone user myself and not too "up" on it (probably shows), but I believe it is Active Sync that it uses.

I have tried deleting the email account on the iPhone and re-creating it fresh.  The people at the Genius Bar at an Apple store did this for me and they also took care to make sure that the old certificate was not cached.
rwwilcox (Author) commented:
I have also just (4/22/10) discovered this: The server's Application Log is full of the application error Source Server ActiveSync, Event ID 3005.  Description:  "Unexpected Exchange mailbox server error: Server [<my FQ server name>] User <myuser>@<mydomain>.org] HTTP Status code [501].  Verify that the Exchange mailbox Server is working correctly"

I have 3 iPhone users and these errors are getting thrown often enough to fill the Application log, ever since the new certificate request was made, probably.

Does this give you any additional info that could be helpful to me?

So far my searches on this error are not giving me what I can understand or that I yet find helpful for my particular situation.

Glad for any additional help you could offer
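
The Event ID 3005 flood described above is the kind of thing worth summarising before searching further: if every ActiveSync user fails with the same HTTP status right after a listener or certificate change, the cause sits on the server-side path (listener, proxy, firewall), not on one phone. The following is an added example, not code from the thread; it parses 3005 descriptions in the layout quoted above (the sample entries, server and user names are constructed) and groups them by status and user.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the 3005 description quoted in the thread; the
# opening bracket before the user is optional because the quote lacks it.
EVENT_3005_RE = re.compile(
    r"Unexpected Exchange mailbox server error: Server \[(?P<server>[^\]]+)\] "
    r"User \[?(?P<user>[^\]]+)\] HTTP Status code \[(?P<status>\d{3})\]"
)

# Constructed sample events (three iPhone users, as in the thread).
SAMPLE_EVENTS = [
    "Unexpected Exchange mailbox server error: Server [sbs.mydomain.internal] "
    "User alice@mydomain.org] HTTP Status code [501]. Verify that the Exchange "
    "mailbox Server is working correctly",
    "Unexpected Exchange mailbox server error: Server [sbs.mydomain.internal] "
    "User [bob@mydomain.org] HTTP Status code [501]. Verify that the Exchange "
    "mailbox Server is working correctly",
    "Unexpected Exchange mailbox server error: Server [sbs.mydomain.internal] "
    "User carol@mydomain.org] HTTP Status code [501]. Verify that the Exchange "
    "mailbox Server is working correctly",
    "Unexpected Exchange mailbox server error: Server [sbs.mydomain.internal] "
    "User alice@mydomain.org] HTTP Status code [501]. Verify that the Exchange "
    "mailbox Server is working correctly",
    "The Exchange ActiveSync service started successfully.",  # unrelated entry
]

def parse_event_3005(description):
    """Return (server, user, http_status) from one 3005 description, else None."""
    m = EVENT_3005_RE.search(description)
    if not m:
        return None
    return m.group("server"), m.group("user"), int(m.group("status"))

def summarize_activesync_errors(descriptions):
    """Count 3005 events per HTTP status and per user; skip non-3005 text."""
    by_status, by_user, unparsed = Counter(), defaultdict(Counter), 0
    for text in descriptions:
        parsed = parse_event_3005(text)
        if parsed is None:
            unparsed += 1
            continue
        _server, user, status = parsed
        by_status[status] += 1
        by_user[user][status] += 1
    return {"by_status": dict(by_status),
            "by_user": {u: dict(c) for u, c in by_user.items()},
            "unparsed": unparsed}

def shared_statuses(summary, min_users=2):
    """HTTP statuses hit by at least min_users distinct users: a server-side signal."""
    users_per_status = Counter()
    for statuses in summary["by_user"].values():
        for status in statuses:
            users_per_status[status] += 1
    return sorted(s for s, n in users_per_status.items() if n >= min_users)
```

A status shared by every user (501 here) points at the path between the ISA web listener and the mailbox server rather than at a device or mailbox; in this thread it turned out to be HTTP not being forwarded by the external firewall.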

augwest, Director of Information Technology, commented:
On the iPhone itself, there is an option under the account to use SSL or not.

Check to see which they have set.

Like I said, you may have to completely erase their mail connection on the iPhone, and set it up again now that your new cert is in place.

Also, iPhones don't have to connect with ActiveSync; they can also connect using IMAP or POP accounts depending on how your email server is set up.
rwwilcox (Author) commented:
I worked with a Microsoft engineer to figure out this problem.  Basically the issue/resolution was this:
In the previous scenario, where we were using a self-signed certificate, with a matching certificate installed on the iPhone, there was no need for HTTP traffic, and in fact the router we used was not set up to forward HTTP to the server.  So the new scenario calls for HTTP traffic, and the issue was not solved until we had the idea to check any external firewall for this blockage.  We made a change to allow the forwarding and it worked then.
