Exchange Account with untrusted Certificate

Hi,

I've got a question about Windows Phone 7 and an Exchange account. I've got a corporate Exchange from work. First we had our Exchange server's ActiveSync service only working locally in our corporate network. What I did was configure my Exchange account on my Windows Phone to use mail.domain.com as the server. In addition, I need to say that we have a self-signed certificate. I installed that certificate on my phone, rebooted, and then it worked.

Now we opened our firewall for the ActiveSync service. That means that I access the Exchange server by a public IP address. If I enter this public IP address in my Windows Phone in the Exchange account settings, I'm getting an error message: Error 80072F06 "There is a problem with the certificate for <ip address>" (where <ip address> is my public IP). If I reinstall that certificate from the public IP, it does not change anything; it is still not working. I already tried to reboot, but that didn't help either. Does anyone have a solution?

Thanks,
zoidi

a1rh0pperVP of Technical ServicesCommented:
If you are not using a third-party certificate (GoDaddy, Verisign, etc.) you'll need to enable access over HTTP as opposed to HTTPS. Less secure. Some phones will allow you to ignore the certificate error and continue anyway.

The best thing to do would be to install a trusted third-party certificate so that the mobile devices or any other remote user can utilize that certificate.

Assuming you're using Exchange 2010, for example:
http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm
zoidiAuthor Commented:
Hello,

Thank you for your answer. We are using Exchange 2007. So there is no other possibility than using a third-party SSL certificate? HTTP is not secure, I won't do that. Why did it work in the local network then?

Zoidi
AkhaterCommented:
Yes, the solution is that you have to create, in your EXTERNAL DNS, a record for mail.domain.com pointing to your real IP.

You cannot use the "real IP", since a certificate is bound to a specific name, and in your case it is mail.domain.com.
IanMurphyCommented:
It's not necessary to use HTTP, and it's much better to stick with HTTPS. You need to trust the cert on your phone.

It should be possible to open https://yourdomain/owa and not get any cert warning.

Just take a copy of the cert and copy it onto the phone. Open the file explorer and click on the certificate. It should ask you if you want to install it.

Once done try syncing again. It should just work.

If you have SBS then it is all automated. There is a little tool in \\server\public\downloads\ which installs the cert onto a phone which is connected via USB.

If you have problems copying the cert by cable, then email it to Hotmail and open it from there via the web on the phone.
AkhaterCommented:
a1rh0pper / IanMurphy

The problem is not trusting the certificate; the OP clearly said that it is working internally using mail.domain.com.

zoidi

As per my previous post, all you need to do is add a DNS record in your external DNS zone to make mail.domain.com resolve to the real IP you have, and not put the real IP in the ActiveSync config.
IanMurphyCommented:
The problem you may encounter is with the type of cert you have in exchange.

Some certs (weak ones) can be installed by just opening the website and clicking on the certificate symbol to install it as a root cert.

The one which comes by default in 2007 is a two-part self-signed cert. The client-facing part is installed on the IIS site, while the signing part is on the server.
Exporting this is a rather complex process but can be done. I've done it a couple of times but don't have the steps documented.

Buying a $99 GoDaddy cert is the easy way round your problem - you can do this without any official certs.
Almost none of my clients have them and we sync WinMo 5 & 6, Nokias, iPhones and iPads without problems.

zoidiAuthor Commented:
@Akhater: Isn't it a little insecure to use it like that? The problem is that our Exchange server is "servername.domain.com" and not "mail.domain.com".
AkhaterCommented:
zoidi, no it is not insecure. Anyway, you can generate another certificate so you can use mail.domain.com.

I would recommend you buy a 3rd-party one, but the problem you are facing in this particular question is that the name you are using (IP address) does not match the one in the certificate, which is servername.domain.com.

I would suggest, as a start, creating the DNS record for servername.domain.com to point to the real IP so you can see it working, and then decide how to proceed.
zoidiAuthor Commented:
Ok, I will try to do that. Anyway, if I understand right, we have to create a DNS entry for servername.domain.com to make it work, even with a third-party cert.
IanMurphyCommented:
The certificate makes no difference to you from a security perspective.

HTTPS is encrypted - ergo HTTPS is better than HTTP.
The encryption is done using a signature file (a certificate).
The certificate contains details of the addresses which can be used validly with that cert, thus the end user can be sure that when they open mail.domain.com and speak to a server, the server is indeed the correct one and that they haven't been redirected to mail.d0main.com.

Windows checks that the cert has been signed by someone it trusts (because it has a root cert installed for Verisign or GoDaddy, who then sign the web page's cert which you receive when you connect), which is why you have to install a root cert to be able to trust the cert returned by Exchange when using a self-signed cert.

When you create a certificate you have to specify which addresses will be used to connect to the service. You can specify multiple addresses when creating the certificate.
In a normal self-signed cert I would specify:

exchsrv.localdomain.local
exchsrv
autodiscover.localdomain.local
mail.publicdomain.com
publicdomain.com
autodiscover.publicdomain.com

http://soheltechlib.wordpress.com/2011/01/12/exchange-server-2007-renewing-the-self-signed-certificate/

If you want to add more domains, the New-ExchangeCertificate cmdlet can be used to add new ones.

Ian
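The point made in the two posts above (a certificate is bound to the names it lists, so a client that connects by a public IP, or by an alias such as mail.domain.com that is not in the cert, is rejected) is easy to see by running the client's name-matching rules against a certificate's names. The script below is an added example, not code from any poster, from Microsoft, or from Windows Phone; it re-implements the RFC 2818 / RFC 6125 matching rules on a plain Python dict rather than parsing a real certificate, and the certificate contents (`servername.domain.com` with a short-name SAN), the alias `mail.domain.com` and the documentation address `203.0.113.10` are constructed to mirror this thread.

```python
"""Certificate name matching as an ActiveSync or browser client performs it.

Added example for this thread (not code from Microsoft or from any poster).
It re-implements the RFC 2818 / RFC 6125 name-matching rules on a plain
Python dict, so no real certificate is parsed; the certificate contents and
the public IP below are constructed to mirror the thread's scenario.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry (or a CN) against a hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label, only with at least two labels after it, and it covers
    exactly one label, so *.domain.com matches mail.domain.com but not
    a.b.domain.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches_certificate(name: str, cert: dict) -> tuple:
    """Return (ok, reason) for connecting to the server behind `cert` as `name`.

    `cert` is a dict with keys "subject_cn", "san_dns" and "san_ip", standing
    in for the Subject CN and the Subject Alternative Name extension.
    """
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None

    if ip is not None:
        # A literal IP address is compared only with iPAddress SAN entries.
        # A dNSName or CN that merely spells out the address does not count,
        # which is why a cert for servername.domain.com rejects the public IP.
        if any(ipaddress.ip_address(entry) == ip for entry in cert.get("san_ip", [])):
            return True, "%s is listed as an iPAddress SAN entry" % name
        return False, "certificate has no iPAddress SAN entry for %s" % name

    san_dns = cert.get("san_dns", [])
    for entry in san_dns:
        if _dns_name_matches(entry, name):
            return True, "%s matches SAN dNSName %s" % (name, entry)

    # RFC 6125: fall back to the Subject CN only when the certificate carries
    # no dNSName entries at all (many modern clients skip this fallback).
    cn = cert.get("subject_cn")
    if not san_dns and cn and _dns_name_matches(cn, name):
        return True, "%s matches subject CN %s (no SAN present)" % (name, cn)
    return False, "%s is not listed in the certificate" % name


def names_missing_from_certificate(cert: dict, names) -> list:
    """Names a client would use that the certificate does not carry yet."""
    return [n for n in names if not name_matches_certificate(n, cert)[0]]


# Constructed stand-in for the Exchange 2007 self-signed certificate from the
# thread: issued to the server's own name, with no public alias and no IP.
SELF_SIGNED_CERT = {
    "subject_cn": "servername.domain.com",
    "san_dns": ["servername.domain.com", "servername"],
    "san_ip": [],
}

# 203.0.113.10 is a documentation address standing in for the real public IP.
PUBLIC_IP = "203.0.113.10"

if __name__ == "__main__":
    for candidate in ("servername.domain.com", PUBLIC_IP, "mail.domain.com"):
        ok, why = name_matches_certificate(candidate, SELF_SIGNED_CERT)
        print("%-24s %s  (%s)" % (candidate, "OK  " if ok else "FAIL", why))
    print("must be added to the cert before use:",
          names_missing_from_certificate(SELF_SIGNED_CERT, [PUBLIC_IP, "mail.domain.com"]))
```

Run as a script it reports that only `servername.domain.com` passes, that the IP fails because there is no iPAddress entry (reinstalling the same certificate on the phone cannot change that), and that `mail.domain.com` fails until it is added as a SAN entry, which is the same conclusion the thread reaches: either publish a DNS record for the name already in the certificate, or reissue the certificate with the alias included.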


DarinTCHSenior CyberSecurity EngineerCommented:
I'll concur with buying a third-party 'trusted' cert.
We could not work around this bug and finally bought an asterisk cert for $6-700 from GoDaddy
(cheaper than an Exchange cert - and got it to work).
The self-signed one never really worked for everyone.
IanMurphyCommented:
Anyway, if I understand right, we have to create a DNS entry for servername.domain.com to make it work, even with a third-party cert.

Don't create one for the real server name. Make up an alias. For example, if your server is called srv01.privatedomain.local, *don't* create a DNS entry for srv01.publicdomain.com. Make up a new one like mail.publicdomain.com.

It doesn't matter if you do use the real name, but the DNS address doesn't have to match the Windows node name. Make up something which is easy to remember.

One day you'll change this server for another and the public address will be the same while the node name will have changed.
zoidiAuthor Commented:
Ok, but if I create a DNS name like mail.domain.com and the cert is for servername.domain.com, would it work, or do I have to add mail.domain.com to the cert?
zoidiAuthor Commented:
It would be really great if someone could just tell me whether it would work if I make a DNS entry mail.domain.com without adding mail.domain.com to the cert.
AkhaterCommented:
No, making a DNS entry for mail will not work as long as the certificate is for servername.

Make your DNS entry servername and stop worrying about security; the servername is in each email you send out anyway.

zoidiAuthor Commented:
Ok, so I will try that and report back.

Thank you.
zoidiAuthor Commented:
Thank you for your help. It worked as you said.