Exchange 2007 OWA and ActiveSync Certificate error

I have been transitioning our environment from 2003 to 2007.  I am at the point where I am trying to get our Droid users to be able to sync with our Exchange 2007.  They were all able to sync with our 2003 Exchange FE using the same certificate.  When trying to connect to the 2007 Exchange server, they get an error, "The certificate from the server is not validated."  If I uncheck "Verify Certificate" it will sync.

When I go to our OWA webpage at https://webmail.mydomain.com I get no certificate error at all using a web browser.  I feel there is something I have overlooked and haven't been able to find much from searching the web.  Thanks in advance,
RHNOC Asked:
Boilermaker85 Commented:
Who is the cert issued from? Verisign? Entrust? GeoTrust? Or other? Like endital1097 says, this sounds more and more like the Droids do not trust the issuer of the cert. When you exported the cert from the old server, did you also export the root or intermediate CA cert that issued the original cert? I'll bet when you installed that original cert in 2003, you installed a root CA or intermediate CA cert also. When you exported, you did not export the chain, but just the server cert. I think you probably should check the old server cert, see who is in the chain, and then get those authorities on your new server.
0
 
JBond2010 Commented:
You need to address the bindings in IIS. After that, try restarting the services for IIS. Go to the command prompt, type iisreset and press Enter.
0
 
endital1097 Commented:
Did you export the certificate (with private key) from the 2003 server, import the certificate on the Exchange 2007 server, and run Enable-ExchangeCertificate -Thumbprint <AFADFA11212> -Services IIS?
0
 
RHNOC (Author) Commented:
I exported it from the 2003 FE and imported it on the 2007 server.  I am not sure what the "Enable-ExchangeCertificate -Thumbprint" is...   I am pretty sure the certificate is set up correctly for at least OWA, as I do not get any certificate errors when accessing OWA both internally and externally.
0
 
Boilermaker85 Commented:
Does your certificate have Subject Alternative Names (SANs)? This was introduced in OWA 2007. The Droids may not be using the same site name. Your certificate should have all the possible names that might be used. For example, you might need webmail, autodiscover, and the FQDN of the server itself as SANs. You can check your cert using this link: http://www.digicert.com/help/.

Remember, if you use Outlook Anywhere or Exchange ActiveSync, any cert warnings will stop it working. And you'll get them without the SANs.
0
 
RHNOC (Author) Commented:
Here are the results from www.digicert.com.

DNS resolves 'webmail.mydomain.com' to x.x.x.x

HTTP Server Header: Microsoft-IIS/6.0

SSL certificate

Subject = webmail.mydomain.com
Subject Alternative Names = mydomain.com

This certificate does not use a vulnerable Debian key (this is good)

Certificate Name matches webmail.mydomain.com


Does that answer your question about it having SANs?  I am not using autodiscover at this time.  I am not getting any errors on the 2007 server in the event log either.  Our 2003 FE server used to give warnings or errors about OWA and ActiveSync issues to aid in troubleshooting.  I am just not seeing anything to point me in a direction to research.  Thanks again,
0
 
JBond2010 Commented:
Have you checked the permissions on the virtual directories in IIS?
0
 
RHNOC (Author) Commented:
What should I be looking for?  
0
 
endital1097 Commented:
Run the following on the 2007 server and verify the certificate with these subject names is being used by the IIS service:

Get-ExchangeCertificate | fl
0
 
RHNOC (Author) Commented:
Two certificates were listed.  The first one is the one created during the Exchange 2007 install.  The second is the third-party one that I imported.  Should the one created by Exchange still be listed, or could that be the problem?
0
 
RHNOC (Author) Commented:
The one created by Exchange is listed as being used by IMAP, POP and SMTP.  The third-party one is listed as being used by IIS.
0
 
RHNOC (Author) Commented:
Also, listed under "Subject" for the third-party certificate, the CN = webmail.mydomain.com.  Listed under "CertificateDomains" for the third-party certificate, the result = {webmail.mydomain.com, mydomain.com}

Thanks
0
 
endital1097 Commented:
When you set up the device, you should be using webmail.mydomain.com for the server value.

Have you tried testing your configuration with https://testexchangeconnectivity.com/?
0
 
RHNOC (Author) Commented:
Yes, I have.  https://testexchangeconnectivity.com/ passes all tests.  On the Droid devices, they are all configured to use webmail.mydomain.com.
0
 
endital1097 Commented:
Then this sounds like an issue with the Droid and its list of trusted cert authorities.

They are connecting over the phone network and not using domain wifi?
0
 
JBond2010 Commented:
Is Exchange fully updated?
0
 
RHNOC (Author) Commented:
That is exactly it, Boilermaker85.  As soon as I read your post I remembered there was a cert from the issuer that I installed from their site as well as the webmail.mydomain.com cert.  When I exported it for the new server I must have missed that part.  I just jumped on their site and installed the root cert on the Exchange 2007 server, and I could then connect using the Droids with the verify certificate option.

Thanks everyone for all your assistance.    
0
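The root cause agreed on in this thread (the 2007 server presented only the leaf certificate, so a client that does not already hold the issuing CA cannot build a trust path, while a desktop browser that caches or fetches intermediates succeeds) can be checked from any machine without touching the device. The following is an added example, not code from anyone in the thread: it parses the "Certificate chain" section that `openssl s_client -connect webmail.mydomain.com:443 -showcerts` prints and models, by issuer/subject name matching only (no signature checks), whether a client with a given set of trusted roots could complete the chain. The two captured outputs and the "Example CA" names are constructed for the demonstration.

```python
import re

# Constructed sample: the chain section of `openssl s_client -showcerts` output
# for a server that sends only its leaf certificate (the failure mode in the thread).
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = webmail.mydomain.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=webmail.mydomain.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
Server certificate
"""

# Constructed sample: the same server after the issuing CA certificate was
# installed, so IIS now sends the intermediate as well as the leaf.
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=webmail.mydomain.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
Server certificate
"""

# Matches one chain entry: a " N s:<subject>" line followed by its "   i:<issuer>" line.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    return [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(output)]


def client_can_verify(chain, trusted_roots):
    """Simplified path building by name: walk the server-sent chain from the leaf
    upward until a certificate's issuer is one the client already trusts.
    Returns (True, None) on success, or (False, <issuer name the client lacks>)
    when the chain stops at an issuer the server did not send and the client
    does not trust. Name matching only; real validation also checks signatures,
    validity dates and key usage."""
    for idx, (subject, issuer) in enumerate(chain):
        if issuer in trusted_roots or subject == issuer and subject in trusted_roots:
            return True, None
        next_subject = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if next_subject == issuer:
            continue  # the server sent the issuer too; keep walking upward
        return False, issuer
    return False, None


def diagnose(output, trusted_roots):
    """Human-readable verdict for one captured s_client output."""
    chain = parse_chain(output)
    if not chain:
        return "no certificate chain found in output"
    ok, missing = client_can_verify(chain, trusted_roots)
    if ok:
        return "chain of %d cert(s) verifies against the client trust store" % len(chain)
    return ("server sent %d cert(s); client needs '%s', which the server did not send "
            "and the client does not trust" % (len(chain), missing))


if __name__ == "__main__":
    # Constructed trust store for the phone: it holds the vendor root but, like many
    # small devices, not the intermediate that actually signed the web server cert.
    droid_roots = {"/C=US/O=Example CA/CN=Example Root CA"}
    print("leaf only :", diagnose(LEAF_ONLY, droid_roots))
    print("full chain:", diagnose(FULL_CHAIN, droid_roots))
```

Run it against a real capture by replacing the embedded text with the output of the `openssl s_client` command above; if the verdict names an issuer the server did not send, that issuer's certificate is what needs to be installed on the Exchange server (as the thread's resolution did) so IIS includes it in the TLS handshake, rather than loosening certificate verification on the devices.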
 
Boilermaker85 Commented:
:-D
0