Solved

iPhone no longer syncing with exchange mailbox - ExRCA testing failed

Posted on 2010-08-25
Last Modified: 2012-05-10
Hi there,

I have an SBS 2008 server. I was receiving emails on my iPhone 3G with no problems; it was syncing with my Exchange mailbox fine. It has now stopped working.

I ran the Exchange connectivity test and received the following results:

ExRCA is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.

  Test Steps

  Attempting to resolve the host name mail.companyname.co.uk in DNS.
    Host successfully resolved

  Additional Details
  Testing TCP Port 443 on host mail.companyname.co.uk to ensure it is listening and open.
    The port was opened successfully.
  ExRCA is testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    The certificate name is being validated.
      Certificate name validation failed.

    Additional Details
      Host name mail.companyname.co.uk does not match any name found on the server certificate CN=localhost.localdomain, OU=Systems Engineering, O=N-able Technologies, L=Ottawa, S=ON, C=CA
Question by:unrealone1
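ExRCA's "certificate name validation" step is something you can reproduce from any machine with outbound access to port 443, and it also shows you exactly which certificate the host is presenting (subject, issuer, expiry and the full name list), which is the first thing to look at when ActiveSync stops for no obvious reason. The script below is an added example, not code from the thread or from Microsoft's tool; it assumes Windows PowerShell 2.0 or later and uses the host name from the question as a placeholder.

```powershell
# Added example, not from the original thread: fetch the certificate a host presents
# on TCP 443 and run the same host-name check that ExRCA failed above.
# Assumes Windows PowerShell 2.0+ and outbound 443; the host name is a placeholder.

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Subject CN first, then every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # On Windows, Format($false) renders the SAN as "DNS Name=host1, DNS Name=host2".
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -like 'DNS Name=*') { $names += $entry.Substring(9) }
        }
    }
    return $names | Select-Object -Unique
}

function Test-CertificateName {
    param([string]$HostName, [string[]]$Names)

    $h = $HostName.ToLowerInvariant()
    foreach ($n in $Names) {
        $n = $n.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com, not a.b.example.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$hostName = 'mail.companyname.co.uk'   # placeholder from the question
$cert  = Get-RemoteCertificate -HostName $hostName
$names = Get-CertificateDnsNames -Cert $cert

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Names   : $($names -join ', ')"
if (Test-CertificateName -HostName $hostName -Names $names) {
    "Name check passed for $hostName"
} else {
    "Name check FAILED: $hostName is not in the certificate (the same failure ExRCA reports)"
}
```

The Subject and Issuer lines tell you what is actually answering on 443. A certificate for CN=localhost.localdomain from a third-party vendor's organisation, as in the ExRCA output, points at the listener rather than at DNS: either another service has bound port 443 on that address, or the web site's SSL binding now references that certificate. Checking the port 443 binding in IIS Manager, and `netstat -ano` for the process that owns the port, is the next step before replacing anything.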
Expert Comment

by:Alan Hardisty
ID: 33526158
Did your Server Certificate expire recently and get replaced with the wrong one?
It certainly sounds like a certificate problem to me. It seems the certificate was re-issued / replaced with a localhost.localdomain certificate and not one with mail.companyname.co.uk.
That will kill Activesync stone dead in seconds.
Author Comment

by:unrealone1
ID: 33526378
No one has touched our server recently. I go to SBS Console > Add a trusted certificate > "I want to use a certificate that is already installed on my server" > select Next

Issued to: mail.mycompany.co.uk
Issued by: domain-SERVERNAME-CA
Expiration Date: 16-03-2011
Type: Self issued

 It fails to import the trusted certificate

"The imported certificate does not match your website, verify you have selected the correct certificate and try again" etc
Expert Comment

by:Alan Hardisty
ID: 33526492
If nothing had changed, how has the iPhone been synching before now?

If the certificate has not changed, have you changed the handset to use SSL when it wasn't using it before?

Ideally, you would be better off buying a 3rd party SAN / UCC certificate and installing it.  GoDaddy sell them for about £40 for a year.
Accepted Solution

by: Cliff Galiher (earned 250 total points)
ID: 33526577
I'm with AlanHardisty on this. Things rarely change for no reason, and a 3rd-party certificate would be the easiest to manage.
But, I reply not simply to agree, but to also explain what you are seeing. The Trusted Certificate wizard does two things. First, it generates the private key for a certificate and generates the CSR for a public key to be created. Then, if you choose, you can self-issue a certificate and then complete the wizard, or you can submit the CSR to a 3rd-party and then return to the wizard later to import the public key they issue.
Either way, when you choose the option to import a certificate, that option only imports the public key. That public key must be matched with a private key already in the certificate store (which is *never* submitted to a 3rd-party, or it'd defeat the purpose of the key being private).
If you attempt to import a public key that the wizard cannot find a matching private key for, you will receive the error you described in your follow-up post.
So, in short, the private key for the certificate you are now trying to select has been removed from your certificate store at one time or another. The only option now is to create a new certificate; whether you choose to go self-signed or go 3rd-party is up to you, but you cannot simply import the existing certificate (as you already discovered) for the reasons I covered above.
-Cliff
Author Comment

by:unrealone1
ID: 33537939
Thanks for the info,

How would I go about creating another certificate?
Expert Comment

by:Cliff Galiher
ID: 33538023
Well, as mentioned above, ideally you would purchase one (which I strongly recommend). The "add trusted certificate wizard" will walk you through that process.
If, however, you are dead-set on using an internally signed certificate, the "add trusted certificate wizard" is not the proper tool. As the name implies, that tool is for "trusted" certificates (which is more explicitly meant to mean globally trusted... aka 3rd-party...)
An internal certificate is created when you run the Internet Address Management Wizard. Rerunning that wizard will reset your DNS entries and create a new certificate with its deployment package. That should resolve your issue.
-Cliff
Author Comment

by:unrealone1
ID: 33539916
Thanks. Why is it recommended to purchase a certificate over creating one? You say it's easier to manage?
Assisted Solution

by: Alan Hardisty (earned 250 total points)
ID: 33539965
3rd party ones are much easier to support. You don't need to install certificates on devices, they will stop causing you issues with certificate warnings etc, and for the cost, you will save time and money fixing issues associated with a self-signed certificate.
Expert Comment

by:Alan Hardisty
ID: 33539989
Visit www.godaddy.com (or my reseller site via my profile if you wish ; )  ) and buy a multi-name SSL certificate (SAN / UCC).
You will need the following names in your certificate:
mail.yourdomain.com (or whatever you want to use that points to your server in DNS)
autodiscover.yourdomain.com
internalservername.internaldomain.local
internalservername
Author Comment

by:unrealone1
ID: 33540788
If I go to
http://www.exchange-certificates.com/ I get the option of standard or deluxe?

If I go to GoDaddy, http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039

I can choose between standard and premium. Are these the right certificates I need to purchase? Which one?
Expert Comment

by:Alan Hardisty
ID: 33540928
Standard Multi-Domain one from the first link should be all you need, or Standard Multi-Domain is fine on the GoDaddy link.
5 names should be sufficient unless you plan on expanding the domain names in the near future.
Author Comment

by:unrealone1
ID: 33541334
Thanks, I purchased the standard multi-domain certificate from GoDaddy, paid and logged in.

I followed the instructions so far, but it's asking me to enter:

Where is the certificate going to be hosted? I selected third party.
Then it asks for:
Enter your Certificate Signing Request (CSR) below:
Make sure the CSR you generate uses a 2048-bit or greater key length

What is this?
Expert Comment

by:Alan Hardisty
ID: 33541401
The CSR is generated on your server (Certificate Signing Request).
Open up the Windows SBS Console and on the Home Page click on the "Add a trusted Certificate" link.
Follow the prompts.
Alternatively, use the Exchange Management Shell by reading the following:
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
Or generate the CSR on this site:
http://www.tachytelic.net/2010/03/new-exchangecertificate-cmdlet-syntax-generator/
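The names Alan lists a few comments up (the public mail host, autodiscover, the internal FQDN and the short server name) are exactly what goes into the SAN list of the request, and the 2048-bit key GoDaddy asks for is the -KeySize value. The following is an added example of the Exchange Management Shell route from the TechNet link, not code from the thread or from Microsoft; it is written for the Exchange 2007 cmdlets that SBS 2008 ships, and every name, path and subject field in it is a placeholder.

```powershell
# Added example, not from the thread: generate the CSR in the Exchange Management
# Shell (Exchange 2007 on SBS 2008) with the names Alan lists and a 2048-bit key,
# then import and enable the certificate the CA sends back. All names, paths and
# subject fields are placeholders.

$fqdn        = 'mail.yourdomain.com'
$autodisc    = 'autodiscover.yourdomain.com'
$internalFq  = 'internalservername.internaldomain.local'
$shortName   = 'internalservername'
$requestPath = 'C:\certs\mail.yourdomain.com.req'

# Every name a client may use to reach the server goes in -DomainName (the SAN list);
# the public name is also the CN in -SubjectName. -GenerateRequest writes the CSR to
# -Path and leaves the private key in the local machine store on this server.
New-ExchangeCertificate -GenerateRequest `
    -Path $requestPath `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName $fqdn `
    -SubjectName "C=GB, S=County, L=Town, O=Company Ltd, CN=$fqdn" `
    -DomainName $fqdn, $autodisc, $internalFq, $shortName

# Paste the contents of $requestPath into the CA's order form. The steps below run
# after the issued .cer comes back, on the SAME server (that is where the key lives).
$issuedPath = 'C:\certs\mail.yourdomain.com.cer'
$cert = Import-ExchangeCertificate -Path $issuedPath
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# Confirm the names and services on the certificate that is now enabled.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```

Two checks worth doing after this on SBS 2008. First, `Enable-ExchangeCertificate -Services IIS` updates the Default Web Site binding; SBS 2008 publishes OWA and ActiveSync from its own "SBS Web Applications" site, so confirm the port 443 binding of that site in IIS Manager as well (or use the SBS console's own certificate wizard, as Cliff and Alan recommend, which handles that for you). Second, rerun the ExRCA ActiveSync test afterwards; the certificate name step should now list the names from -DomainName.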
Author Comment

by:unrealone1
ID: 33578128
Thanks, well that was painful. I purchased the certificate, then placed a CNAME on my website to prove I own the domain etc. GoDaddy have now sent me the certificate.

I have imported it into the SBS console.
I select the GoDaddy certificate and click Next; it imports it and then says:
"The imported certificate does not match your website. Verify that you selected the correct certificate file, and then try again"
In the certificate I have mail.mycompany.co.uk and my website is mycompany.co.uk

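Cliff's accepted answer explains the "does not match your website" error as the wizard failing to find a private key for the public key in the file, and the same error on the GoDaddy import in the comment above raises the same question: does this server hold a private key for that certificate? The script below is an added example, not code from the thread or from the SBS wizard, that answers it from PowerShell before you try the import; the .cer path is a placeholder. It compares public keys rather than thumbprints, because the certificate a CA issues has a different thumbprint from the self-issued certificate or pending request that shares its key.

```powershell
# Added example, not from the thread: check whether a private key for the public key
# in a .cer file exists on this server, which is what the SBS "Add a trusted
# certificate" wizard requires before it will accept the file. Path is a placeholder.

function Get-PublicKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Raw public key bytes identify the key pair regardless of which cert wraps it.
    return [Convert]::ToBase64String($Cert.GetPublicKey())
}

function Find-MatchingPrivateKey {
    param([string]$CerPath)

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $wanted = Get-PublicKeyId $issued

    # My holds installed certificates. REQUEST holds pending CSRs: a request made by the
    # wizard or New-ExchangeCertificate keeps its key there until the issued cert arrives.
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\REQUEST'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem $store -ErrorAction SilentlyContinue)) {
            if ((Get-PublicKeyId $cert) -eq $wanted) {
                New-Object PSObject -Property @{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

$cerPath = 'C:\certs\mail.mycompany.co.uk.cer'   # placeholder
$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
"File subject : $($issued.Subject)"
"File issuer  : $($issued.Issuer)"

$found = @(Find-MatchingPrivateKey -CerPath $cerPath)
if ($found.Count -eq 0) {
    "No certificate or pending request on this server shares the public key in $cerPath."
    "The CSR for it was not generated here, or its key was removed: a new request and re-issue is needed."
} else {
    $found | Format-Table Store, Subject, HasPrivateKey, Thumbprint -AutoSize
}
```

If the script finds a match but reports HasPrivateKey as False, the certificate object has lost its link to a key container that may still exist; `certutil -repairstore my <thumbprint>` re-associates them when the container is present. If it finds no match at all, no amount of re-importing will help, which is Cliff's point: the request has to be generated again on the server that will hold the key, and the CA has to issue against that new request.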
Author Closing Comment

by:unrealone1
ID: 33594830
Thanks - will open another question for the next part