ryanthompson

Problems with Exchange ActiveSync on HTC Touch Pro 2

I'm having issues with getting my phone to sync with Exchange 2007.  This used to work just fine on my SBS 2003 box.  I installed a new server running Windows Server 2008 R2 with Exchange 2007.  My OWA is working fine.  I get a certificate warning every time I try OWA but I can still get in.  I've tried creating a new certificate in IIS and importing it on my phone but I get the error:
Exchange ActiveSync has encountered an error.  Contact your Exchange Admin.
Support Code: 0x80072F17

I've searched and searched and tried changing settings that I've found but I can't get it to work.  I'm stumped.  Please Help!

Thanks!!!
lastlostlast

1. Run a test on https://exrca.com and post the results.
P.S: You will need to select the box 'Ignore Trust for SSL' if you are using an internal certificate.

2. It seems to be an issue with the certificate itself. You can use the SSL chainsaver tool and check if you are able to get the root certificate. If 'Yes' then install the cab file generated on the mobile device. If 'No' then get a new certificate.

Let us know how it goes.
0x80072f17 is explained as ERROR_INTERNET_SEC_CERT_ERRORS, which means the certificate that was issued to your web site cannot be used for ActiveSync.

It looks like your company is using a self-signed cert, which is just a certificate that was issued by your company, which trusts the certificate, but other places don't trust the cert.  For you to sync your device you will need to install your company's "root certificate" onto your device.  A quick way to do this using your desktop/laptop is to open Internet Explorer and go to Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities and select your company's root certificate, then click Export.  Follow through the menus and save the certificate to your desktop.  Then you can use WMDC to copy the file to your device.  Once the file is on your device you can use the file browser on your device to find the cert, then tap on the cert to install it.
--------------------------------------------------------------------------------
ryanthompson

ASKER

lastlostlast
I tried that website but I can't get it to come up.  Is it the right site?

zcrammond:
I exported the domain's root certificate and copied it to the phone and it imported it but I still get the same error.

Any other ideas??

Thanks!
Is there a second certificate which you need to download, i.e. a sub domain certificate? When I was playing with this I had two different certificates to download and install before it would begin to work.
I have imported all the certificates related to the domain and it still says the same thing.
Here are the results.  I checked the box to ignore trust for SSL.  It looks to be the certificate.  

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.computerlandottumwa.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 69.18.39.20
 
 Testing TCP port 443 on host mail.computerlandottumwa.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
 
 
 
 
 
Alan Hardisty
Your certificate is the original Self-Issued certificate and it ends in .local.

There are no Subject Alternative Names on the certificate, so the name mail.computerlandottumwa.com will never happily resolve on the certificate as it isn't contained within the certificate.

You need to create a new SSL certificate with the following names:

mail.computerlandottumwa.com (or remote.computerlandottumwa.com)
autodiscover.computerlandottumwa.com
lsiserver.computerland.local
lsiserver
sites

Your best option is to buy a 3rd party SSL certificate (SAN / UCC - Multi Name) from somewhere like GoDaddy.com as these are trusted and will cause you less hassle down the road.
Is it possible to create self assigned certificates with those names?
In my experience - I have always used a 3rd party SSL certificate because it is much less hassle in the long run.  I am not saying you can't - I just have never done so and cannot guide you on the relevant steps.

A 1 year 5 Name SAN / UCC certificate from GoDaddy costs about $90

Bearing in mind this question has been open for a week now and you have no doubt spent plenty of time trying to resolve the issue - which would have cost time / money - I would have thought that $90 would be money well spent as it will fix your problems.

Obviously - it is your call and I understand if money is tight at the moment.
According to Microsoft in the following article - you need a 3rd Party Certificate (check the Limitations of Self-Signed Certificate section):

http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
alanhardisty,
You're right.  It just always worked with Exchange 03 so I want to try to make it work with 07.  So if you don't mind me asking, I will need the 5 name SSL instead of the single SSL?  I want to make sure I do it right the first time.

Thanks!

Ryan
ASKER CERTIFIED SOLUTION
Alan Hardisty

This solution is only available to members.
Alanhardisty - I went through the steps and I'm waiting for the Domain Verification.  I ordered the certificate from you since you have been so helpful. (It was cheaper too!)  Thanks!

What is up with creating the DNS record?

Also I'll need to figure out how to install the certificate in the Exchange Shell, but will it need installed on my mobile device?  I thought I saw on your website that it wouldn't need to be.

Thanks again for all your help.

Ryan
Cheaper!  Damn!  Thank you : )

If you buy a 3rd party SSL certificate - there is no need to install it on any device - mobile or otherwise.

To install the certificate - simply copy the cert to the server in question and run the following:

Import-ExchangeCertificate -Path c:\certificates\import.p7b (change the path / cert file name to match accordingly).

then

Enable-ExchangeCertificate -Thumbprint randomlongstringofnumbersandlettersthatmakenosense -Services "POP, IMAP, SMTP, IIS"

What DNS records are you referring to?
In your post above you said:
which might need you to create a DNS record to verify ownership
Ah - to verify the ownership of the domain - GoDaddy will possibly require you to create a new DNS record in the domain with a special code that once added - you can click a link on the site and verify the DNS record, which proves that you own / manage the domain for the certificate you are requesting.

It's a bit of a pain, but it works!

The process usually takes a few hours - so don't keep pressing F9 in Outlook to see if you have received a new email!
alanhardisty - I ran the first command and got this:
[PS] C:\Windows\system32>Import-ExchangeCertificate -Path c:\certificates\sf_iis
_intermediates.p7b
WARNING: An unexpected error has occurred and debug information is being
generated: The requested property value is empty. (Exception from HRESULT:
0x80094004)
Import-ExchangeCertificate : The requested property value is empty. (Exception
from HRESULT: 0x80094004)
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -Path c:\certificates\sf_iis_intermediates.p
7b
    + CategoryInfo          : NotSpecified: (:) [Import-ExchangeCertificate],
   COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Micr
   osoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertifica
  te

Any ideas?
Wrong certificate - you don't want to install the intermediate certificate, you want the one with your domain name on it.
alanhardisty - I just wanted to say thank you very much for all the help!  The certificate works like a charm!
You are very welcome.  I am glad it is working happily now and hope it continues that way for you from now on.

Thanks for stopping by my cert site too : )

Alan
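
The two certificate problems in this thread (a certificate whose names do not include the host the phone connects to, and importing the intermediates bundle instead of the domain certificate) can both be checked from the shell before running Import-ExchangeCertificate. The script below is an added example, not code from the thread or from Microsoft; the default `$Path` and the `$Required` list are assumptions taken from the file path and names quoted above, and `Get-CertDnsNames` and `Test-NameCovered` are hypothetical helper names.

```powershell
# Added example, not from the thread. $Path and $Required are assumptions; edit both.
param(
    [string]$Path = 'C:\certificates\import.p7b',
    [string[]]$Required = @('mail.computerlandottumwa.com',
                            'autodiscover.computerlandottumwa.com',
                            'lsiserver.computerland.local', 'lsiserver', 'sites')
)

function Get-CertDnsNames($Cert) {
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() text varies by platform: "DNS Name=x" on English Windows, "DNS:x" with OpenSSL.
        $names = @([regex]::Matches($san.Format($true), '(?:DNS Name=|DNS:)([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    # With no SAN DNS entries, name matching falls back to the subject's common name.
    if ($names.Count -eq 0) { $names = @($Cert.GetNameInfo('SimpleName', $false).ToLower()) }
    $names
}

function Test-NameCovered($Name, $CertNames) {
    $n = $Name.ToLower()
    # A wildcard entry covers exactly one leading label: *.example.com matches mail.example.com.
    $wild = if ($n.Contains('.')) { '*' + $n.Substring($n.IndexOf('.')) } else { $null }
    ($CertNames -contains $n) -or ($wild -and ($CertNames -contains $wild))
}

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($Path)    # accepts a single .cer/.crt as well as a .p7b bundle

foreach ($cert in $certs) {
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # basic constraints
    $names = @(Get-CertDnsNames $cert)
    $missing = @($Required | Where-Object { -not (Test-NameCovered $_ $names) })
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        IsCA         = [bool]($bc -and $bc.CertificateAuthority)
        SelfIssued   = ($cert.Subject -eq $cert.Issuer)
        Thumbprint   = $cert.Thumbprint
        DnsNames     = ($names -join ', ')
        MissingNames = ($missing -join ', ')
    } | Select-Object Subject, IsCA, SelfIssued, Thumbprint, DnsNames, MissingNames
}
```

Rows with IsCA set to True are root or intermediate certificates, not the server certificate; the file to import is the one that yields a row with IsCA False and an empty MissingNames. The Thumbprint column is the value that Enable-ExchangeCertificate expects.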