iteched1
asked on
ActiveSync fails after certificate renewal
Hi Experts,
I recently renewed my certificate on my Exchange 2003 server. Now I have two Palm Treo 700wx's that cannot sync (ActiveSync). The new and old certificates are from Comodo and it was a renewal (the old one expired on 2/25/11).
The renewal didn't affect any of our "RPC over HTTPS" clients.
The Treos CAN open the https://...../oma web page and read mail.
The error displayed on the Treo is: "The security cert. on the server is invalid. Contact...admin...to install a valid cert. on the server."
The error code is: 0x80072f0d
I'm following this article now and have confirmed that OWA opens on the device:
http://support.microsoft.com/kb/915438
Should I look somewhere else or am I on the right track?
Thanks!
ASKER
I think I have a clue:
Basically while running the test this popped up:
The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE.
The Treo is a 5.0 device. It just strikes me strange how the renewal seems to have caused the problem...unless the "new" cert simply isn't understood by WM 5.0.
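The warning quoted in the post above comes down to whether the root at the top of the served chain is in the handset's certificate store. As an added example (not part of the original thread), this Python compares the root named in `openssl s_client -showcerts` output with a list of roots a device trusts, so a renewed certificate can be checked before it goes live. The chain text, host name and device root list are constructed; only the AddTrust root DN is taken from the thread.

```python
import re

# Constructed sample of the chain lines printed by `openssl s_client -showcerts`
# for a hypothetical mail.example.com; only the root DN comes from the thread.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.example.com
   i:/C=GB/O=Example Issuing CA Ltd/CN=Example Issuing CA
 1 s:/C=GB/O=Example Issuing CA Ltd/CN=Example Issuing CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# Constructed stand-in for the roots installed on the handset; fill it in
# from the device's own certificate store.
DEVICE_ROOTS = ["CN=Example Legacy Root CA, O=Example Trust Co, C=US"]


def parse_dn(dn):
    """Return a DN as a frozenset of (ATTR, value) pairs so that
    '/C=SE/O=...' and 'CN=..., O=..., C=SE' compare equal."""
    dn = dn.strip()
    if dn.startswith("/"):   # older OpenSSL one-line format
        parts = re.split(r"/(?=[A-Za-z0-9.]+=)", dn[1:])
    else:                    # comma-separated (Windows or newer OpenSSL)
        parts = re.split(r",\s*(?=[A-Za-z0-9.]+\s*=)", dn)
    pairs = set()
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.add((attr.strip().upper(), value.strip().lower()))
    return frozenset(pairs)


def chain_root(s_client_text):
    """Issuer DN of the last certificate the server sent: the CA the
    client must already hold in its own store."""
    issuers = re.findall(r"^\s*i:(.+)$", s_client_text, re.MULTILINE)
    if not issuers:
        raise ValueError("no issuer lines found in chain output")
    return parse_dn(issuers[-1])


def device_trusts(s_client_text, device_roots):
    """First-pass check by name only; the device still verifies signatures."""
    trusted = {parse_dn(dn) for dn in device_roots}
    return chain_root(s_client_text) in trusted
```

A `False` result for a device's root list before the renewed certificate is deployed predicts the kind of failure described in this thread.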
Was the cert 1024 bit or 2048 bit?
Sounds like that won't help if the Treo is WM5.0.
Thinking if there is a solution to keeping the new cert and having the Treo work.
You can always resort to issuing your own SSL certificate and installing it on the Treo.
How many mobile devices does your server support? When is the handset due for an upgrade, or do you have a newer one handy in a drawer somewhere?
ASKER
I'm pretty sure it is 2048 bit.
Most of my mobile devices are BlackBerries and iPhones.
I could issue my own cert for JUST the Treos (or ActiveSync more specifically)...so long as it doesn't affect the BlackBerries, iPhones, and Outlook "RPC over HTTPS" clients.
I don't mess with this stuff on an everyday basis so getting in there is sometimes a bit scary...
Is it possible to run a different cert for just the ActiveSync process?
ASKER CERTIFIED SOLUTION
ASKER
That's what I was thinking...
I think I'll make a call to Comodo and see if they can re-issue a cert that will work...but I expect they can't.
Otherwise it may be time for different phones - fortunately I have several.
Not sure if this will work - but you might be able to install the Root Certificate for Comodo on the Treo which might get around the problem.
http://support.microsoft.com/kb/915840
ASKER
I'll give that a go...
Otherwise we decided to ditch the Treos for some BB "Tours" we have extra.
: ) At least the keyboard stays pretty much the same between the Treo and BB.
ASKER
I ended up taking the easy way out with this issue. The Treos were abandoned in favor of some BlackBerries that I had lying around. I did try installing the cert on the Treo but that also failed to fix the problem.
So...as far as I can tell there is no solid solution other than retiring the old phones.
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
Alan