Solved

Problems with Exchange ActiveSync on HTC Touch Pro 2

Posted on 2010-11-23
Last Modified: 2012-05-10
I'm having issues with getting my phone to sync with Exchange 2007. This used to work just fine on my SBS 2003 box. I installed a new server running Windows Server 2008 R2 with Exchange 2007. My OWA is working fine. I get a certificate warning every time I try OWA but I can still get in. I've tried creating a new certificate in IIS and importing it on my phone but I get the error:
Exchange ActiveSync has encountered an error.  Contact your Exchange Admin.
Support Code: 0x80072F17

I've searched and searched and tried changing settings that I've found but I can't get it to work.  I'm stumped.  Please Help!

Thanks!!!
Question by:ryanthompson
21 Comments
 
LVL 13

Expert Comment

by:lastlostlast
ID: 34200609
1. Run a test on https://exrca.com and post the results.
P.S: You will need to select the box 'Ignore Trust for SSL' if you are using an internal certificate.

2. It seems to be an issue with the certificate itself. You can use the SSL chainsaver tool and check if you are able to get the root certificate. If 'Yes' then install the cab file generated on the mobile device. If 'No' then get a new certificate.

Let us know how it goes.
0
 
LVL 4

Expert Comment

by:zcrammond
ID: 34200638
0x80072f17 is explained as ERROR_INTERNET_SEC_CERT_ERRORS, which means the certificate that was issued to your web site cannot be used for ActiveSync.

It looks like your company is using a self-signed cert, which is just a certificate that was issued by your company, which trusts the certificate, but other places don't trust the cert. For you to sync your device you will need to install your company's "root certificate" onto your device. A quick way to do this using your desktop/laptop is to open Internet Explorer and go to Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities and select your company's root certificate, then click Export. Follow through the menus and save the certificate to your desktop. Then you can use WMDC to copy the file to your device. Once the file is on your device you can use the file browser on your device to find the cert, then tap on the cert to install it.
0
 

Author Comment

by:ryanthompson
ID: 34202288
lastlostlast:
I tried that website but I can't get it to come up. Is it the right site?

zcrammond:
I exported the domain's root certificate and copied it to the phone and it imported it, but I still get the same error.

Any other ideas??

Thanks!
0
 
LVL 4

Expert Comment

by:zcrammond
ID: 34213496
Is there a second certificate which you need to download, i.e. a subdomain certificate? When I was playing with this I had two different certificates to download and install before it would begin to work.
0
 

Author Comment

by:ryanthompson
ID: 34219426
I have imported all the certificates related to the domain and it still says the same thing.
0
 
LVL 13

Expert Comment

by:lastlostlast
ID: 34229752
0
 

Author Comment

by:ryanthompson
ID: 34230327
Here are the results.  I checked the box to ignore trust for SSL.  It looks to be the certificate.  

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.computerlandottumwa.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 69.18.39.20
 
 Testing TCP port 443 on host mail.computerlandottumwa.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
 
 
 
 
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34231056
Your certificate is the original Self-Issued certificate and it ends in .local.

There are no Subject Alternative Names on the certificate, so the name mail.computerlandottumwa.com will never happily resolve on the certificate as it isn't contained within the certificate.

You need to create a new SSL certificate with the following names:

mail.computerlandottumwa.com (or remote.computerlandottumwa.com)
autodiscover.computerlandottumwa.com
lsiserver.computerland.local
lsiserver
sites

Your best option is to buy a 3rd party SSL certificate (SAN / UCC - Multi Name) from somewhere like GoDaddy.com as these are trusted and will cause you less hassle down the road.
0
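The name check behind the "Certificate name validation failed" result above, as an added PowerShell example that is not part of the original post. The required names are the ones listed in the comment; the single-name .local certificate used as input is constructed (the thread only says the original certificate ends in .local), and `Test-NameMatch` and `Get-UncoveredName` are hypothetical helper names.

```powershell
# Added example: which client-facing host names does a certificate fail to cover?
function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($p -eq $h) { return $true }
    # A wildcard covers exactly one left-most label: *.example.com matches
    # mail.example.com, but not example.com and not a.b.example.com.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)
        if ($h.EndsWith($suffix)) {
            $label = $h.Substring(0, $h.Length - $suffix.Length)
            return (($label.Length -gt 0) -and (-not $label.Contains('.')))
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]]$CertNames, [string[]]$RequiredNames)
    foreach ($name in $RequiredNames) {
        $hit = $false
        foreach ($c in $CertNames) {
            if (Test-NameMatch -Pattern $c -HostName $name) { $hit = $true; break }
        }
        if (-not $hit) { $name }   # emit every required name the certificate misses
    }
}

# Names clients and servers will use, as listed in the thread.
$required = @('mail.computerlandottumwa.com', 'autodiscover.computerlandottumwa.com',
              'lsiserver.computerland.local', 'lsiserver', 'sites')

# Constructed input: a single-name .local certificate (assumed name).
$missing = Get-UncoveredName -CertNames @('lsiserver.computerland.local') -RequiredNames $required
"Single-name .local certificate misses: $($missing -join ', ')"

# In the Exchange Management Shell, run the same check on the installed certificates.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    foreach ($cert in (Get-ExchangeCertificate)) {
        $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $gap   = @(Get-UncoveredName -CertNames $names -RequiredNames $required)
        "{0}  services={1}  missing={2}" -f $cert.Thumbprint, $cert.Services, ($gap -join ', ')
    }
}
```

An empty `missing=` field means the certificate covers every required name.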
 

Author Comment

by:ryanthompson
ID: 34242792
Is it possible to create self assigned certificates with those names?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34242928
In my experience - I have always used a 3rd party SSL certificate because it is much less hassle in the long run.  I am not saying you can't - I just have never done so and cannot guide you on the relevant steps.

A 1 year 5 Name SAN / UCC certificate from GoDaddy costs about $90

Bearing in mind this question has been open for a week now and you have no doubt spent plenty of time trying to resolve the issue - which would have cost time / money - I would have thought that $90 would be money well spent as it will fix your problems.

Obviously - it is your call and I understand if money is tight at the moment.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34242959
According to Microsoft in the following article - you need a 3rd Party Certificate (check the Limitations of Self-Signed Certificate section):

http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
0
 

Author Comment

by:ryanthompson
ID: 34244795
alanhardisty,
You're right. It just always worked with Exchange 03 so I want to try to make it work with 07. So if you don't mind me asking, I will need the 5 name SSL instead of the single SSL? I want to make sure I do it right the first time.

Thanks!

Ryan
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34246196
Yes - you need a minimum of 5 names.  2003 was a different beast and you could buy a single name cert, but Exchange 2007 / 2010 requires a SAN / UCC certificate.

Make sure you add the names I mentioned earlier (adjust the first name to match your environment).

You should use the SBS Wizard to generate a certificate signing request, but I often use the following site to get the Syntax and then copy / paste in the Exchange Shell:

https://www.digicert.com/easy-csr/exchange2007.htm

Then take the CSR to www.GoDaddy.com (or my GoDaddy Reseller site - www.exchange-certificates.com [he says cheekily]) and buy a 5 name SAN / UCC certificate and then request the certificate, pasting the CSR into the relevant box and request the certificate.

You then have to wait for domain verification, which might need you to create a DNS record to verify ownership, plus you will get an email for the internal domain names which requires confirmation too.

Then you should be emailed the certificate link where you can choose IIS7 and download the relevant format.

Take the certificate to your server, install the certificate via the Exchange Shell then enable the certificate for IIS / SMTP / POP3 / IMAP and you should be closer / at the finish line.
0
 

Author Comment

by:ryanthompson
ID: 34248826
Alanhardisty - I went through the steps and I'm waiting for the Domain Verification. I ordered the certificate from you since you have been so helpful. (it was cheaper too!) Thanks!

What is up with creating the DNS record?

Also I'll need to figure out how to install the certificate in the Exchange Shell, but will it need installed on my mobile device?  I thought I saw on your website that it wouldn't need to be.

Thanks again for all your help.

Ryan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34248916
Cheaper!  Damn!  Thank you : )

If you buy a 3rd party SSL certificate - there is no need to install it on any device - mobile or otherwise.

To install the certificate - simply copy the cert to the server in question and run the following:

Import-ExchangeCertificate -Path c:\certificates\import.p7b (change the path / cert file name to match accordingly).

then

Enable-ExchangeCertificate -Thumbprint randomlongstringofnumbersandlettersthatmakenosense -Services "POP, IMAP, SMTP, IIS"

What DNS records are you referring to?
0
 

Author Comment

by:ryanthompson
ID: 34248936
In your post above you said:
which might need you to create a DNS record to verify ownership
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34249108
Ah - to verify the ownership of the domain - Godaddy will possibly require you to create a new DNS record in the domain with a special code that once added - you can click a link on the site and verify the DNS record, which proves that you own / manage the domain for the certificate you are requesting.

It's a bit of a pain, but it works!

The process usually takes a few hours - so don't keep pressing F9 in Outlook to see if you have received a new email!
0
 

Author Comment

by:ryanthompson
ID: 34251267
alanhardisty - I ran the first command and got this:
[PS] C:\Windows\system32>Import-ExchangeCertificate -Path c:\certificates\sf_iis
_intermediates.p7b
WARNING: An unexpected error has occurred and debug information is being
generated: The requested property value is empty. (Exception from HRESULT:
0x80094004)
Import-ExchangeCertificate : The requested property value is empty. (Exception
from HRESULT: 0x80094004)
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -Path c:\certificates\sf_iis_intermediates.p
7b
    + CategoryInfo          : NotSpecified: (:) [Import-ExchangeCertificate],
   COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Micr
   osoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertifica
  te

Any ideas?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34251332
Wrong certificate - you don't want to install the intermediate certificate, you want the one with your domain name on it.
0
 

Author Closing Comment

by:ryanthompson
ID: 34253879
alanhardisty - I just wanted to say thank you very much for all the help!  The certificate works like a charm!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34253893
You are very welcome.  I am glad it is working happily now and hope it continues that way for you from now on.

Thanks for stopping by my cert site too : )

Alan
0
