Fritters asked:
Multiple errors after SSL install

SBS 2003. Purchased and installed an SSL Cert.  System reported it successful.  Still couldn't sync with PDA.  PDA reported invalid cert and ID's the self cert that remained from before.  So I rebooted.  I now get multiple errors listed below upon a reboot.

Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	LDAP Operations
Event ID:	8026
Date:		5/13/2011
Time:		7:43:32 AM
User:		N/A
Computer:	DELL1420
Description:
LDAP Bind was unsuccessful on directory dell1420.foo.local for distinguished name ''. Directory returned error:[0x34] Unavailable.    

Event Type:	Error
Event Source:	MSExchangeDSAccess
Event Category:	Topology
Event ID:	2102
Date:		5/13/2011
Time:		7:43:32 AM
User:		N/A
Computer:	DELL1420
Description:
Process MAD.EXE (PID=2952). All Domain Controller Servers in use are not responding:
dell1420.foo.local
 
Event Type:	Error
Event Source:	MSExchangeDSAccess
Event Category:	Topology
Event ID:	2104
Date:		5/13/2011
Time:		7:43:32 AM
User:		N/A
Computer:	DELL1420
Description:
Process MAD.EXE (PID=2952). All the DS Servers in domain are not responding.

Event Type:	Information
Event Source:	ESENT
Event Category:	General
Event ID:	101
Date:		5/13/2011
Time:		7:43:34 AM
User:		N/A
Computer:	DELL1420
Description:
lsass (544) The database engine stopped.

Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	LDAP Operations
Event ID:	8026
Date:		5/13/2011
Time:		7:43:38 AM
User:		N/A
Computer:	DELL1420
Description:
LDAP Bind was unsuccessful on directory dell1420.foo.local for distinguished name ''. Directory returned error:[0x51] Server Down.    

Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	LDAP Operations
Event ID:	8026
Date:		5/13/2011
Time:		7:43:39 AM
User:		N/A
Computer:	DELL1420
Description:
LDAP Bind was unsuccessful on directory dell1420.foo.local for distinguished name ''. Directory returned error:[0x51] Server Down.    

Event Type:	Error
Event Source:	MSExchangeAL
Event Category:	Service Control
Event ID:	8250
Date:		5/13/2011
Time:		7:43:39 AM
User:		N/A
Computer:	DELL1420
Description:
The Win32 API call 'DsGetDCNameW' returned error code [0x862] The specified component could not be found in the configuration information.  The service could not be initialized.  Make sure that the operating system was installed properly.
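As an added illustration (not code from the original post), the following Python script parses event records in the layout shown above and groups the Exchange directory-access failures, so that the sequence (MSExchangeAL/MSExchangeDSAccess errors bracketing an lsass database stop) is visible at a glance rather than buried in seven records. The sample log is constructed from the events posted here; the event-ID table and the `triage` function are my own, not a Microsoft tool.

```python
import re
from collections import Counter

# Constructed sample in the "Event Type: ... Description:" layout of the posted
# log; the values are copied from the events above, not read from a live system.
SAMPLE_LOG = """\
Event Type:\tError
Event Source:\tMSExchangeAL
Event Category:\tLDAP Operations
Event ID:\t8026
Date:\t\t5/13/2011
Time:\t\t7:43:32 AM
User:\t\tN/A
Computer:\tDELL1420
Description:
LDAP Bind was unsuccessful on directory dell1420.foo.local for distinguished name ''. Directory returned error:[0x34] Unavailable.

Event Type:\tError
Event Source:\tMSExchangeDSAccess
Event Category:\tTopology
Event ID:\t2102
Date:\t\t5/13/2011
Time:\t\t7:43:32 AM
User:\t\tN/A
Computer:\tDELL1420
Description:
Process MAD.EXE (PID=2952). All Domain Controller Servers in use are not responding:
dell1420.foo.local

Event Type:\tInformation
Event Source:\tESENT
Event Category:\tGeneral
Event ID:\t101
Date:\t\t5/13/2011
Time:\t\t7:43:34 AM
User:\t\tN/A
Computer:\tDELL1420
Description:
lsass (544) The database engine stopped.

Event Type:\tError
Event Source:\tMSExchangeAL
Event Category:\tService Control
Event ID:\t8250
Date:\t\t5/13/2011
Time:\t\t7:43:39 AM
User:\t\tN/A
Computer:\tDELL1420
Description:
The Win32 API call 'DsGetDCNameW' returned error code [0x862] The specified component could not be found in the configuration information.
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

# Exchange events that report failure to reach the directory (the IDs posted above).
DIRECTORY_ERRORS = {("MSExchangeAL", "8026"), ("MSExchangeDSAccess", "2102"),
                    ("MSExchangeDSAccess", "2104"), ("MSExchangeAL", "8250")}


def parse_events(text):
    """Split the text-export layout into one dict per event; everything after
    the 'Description:' header is joined into a single string."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())
                continue
            m = HEADER_RE.match(line)
            if m and m.group(1) == "Description":
                in_desc = True
            elif m:
                ev[m.group(1)] = m.group(2).strip()
        ev["Description"] = " ".join(desc)
        events.append(ev)
    return events


def triage(events):
    """Group the directory-access failures, pull out the LDAP/Win32 error codes
    and note whether lsass (which hosts the directory) reported its database
    stopping inside the same window."""
    dir_errors = [e for e in events
                  if (e.get("Event Source"), e.get("Event ID")) in DIRECTORY_ERRORS]
    codes = sorted({c for e in dir_errors
                    for c in re.findall(r"\[(0x[0-9A-Fa-f]+)\]", e["Description"])})
    lsass_down = any(e.get("Event Source") == "ESENT" and e.get("Event ID") == "101"
                     and e["Description"].startswith("lsass") for e in events)
    return {
        "directory_error_count": len(dir_errors),
        "by_source_id": dict(Counter((e["Event Source"], e["Event ID"]) for e in dir_errors)),
        "ldap_error_codes": codes,
        "lsass_stopped_in_window": lsass_down,
        "window": (dir_errors[0]["Time"], dir_errors[-1]["Time"]) if dir_errors else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The point of the grouping is that every Exchange error in the window says the same thing (the directory could not be reached), and the ESENT 101 from lsass between them shows the directory service itself was stopping at that moment; the certificate install does not appear anywhere in these records.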
Fritters (asker):
There's been no response.   If we ignore the SSL install as being any part of the cause of these errors (since even a second Cert install seems to have worked OK) and just treat this as "What's causing these errors?", does that change things?  
arnold:
Where did you install the certificate?  These errors
Did you delete the self signed certificate you had?  Did you setup your SBS as an Enterprise CA?
Do you have backup of the self signed certificate to restore?

http://www.eventid.net/display.asp?eventid=8026&eventno=3492&source=MSExchangeAL&phase=1
http://support.microsoft.com/kb/272552
Who did you purchase the SSL cert from?  GoDaddy by chance?
Arnold:

Where did you install the certificate?    I don't understand what you're asking.  Where?  Default Web Server under IIS if I recall.

Did you delete the self signed certificate you had?  I was mistaken about the self signed.  There are 4 items.  3 have the words "self cert" somewhere in the file name.  But highlighting and viewing shows they are each GoDaddy's.   I must have been confusing these with self certs that existed before I had to reformat and reinstall.  

Did you setup your SBS as an Enterprise CA?  Huh?  (Third grader, remember.)  Very small network.  I doubt it.

Do you have backup of the self signed certificate to restore?  Yes, I've saved the .crt files

ChrisHanna:  Yup.  Are there problems with those?

Both:  I'm doubting that the problems between the errors above and the SSL may not be related at all.  Various test results follow.  

Testing 24.249.206.138 (SSL, On LAN):

Communications:
      Doing DNS lookup on      xxx.xxx ....... OK
      Testing TCP to xxx.xxx port 443 ... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... FAIL
ActiveSync:
      Checking for application ................. FAIL

Result:
      ActiveSync detected, but access denied. [HTTP 403: Disabled for this user]

But following their articles shows that Activesync is enable globally and for users.


TestExchangeConnectivity.com reports:

ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.XXXXXX.net in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: XXX.XXX.XXX.XXX

Testing TCP port 443 on host mail.XXXXXX.net to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name mail.XXXXXX.net was found in the Certificate Subject Common name.

Validating certificate trust for Windows Mobile devices.
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 The certificate is valid. NotBefore = 5/13/2011 10:24:28 PM, NotAfter = 5/13/2012 10:24:28 PM



Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates isn't configured.

Testing HTTP Authentication Methods for URL https://mail.XXXXXX.net/Microsoft-Server-Activesync/.
 The HTTP authentication test failed.
 Additional Details
 An HTTP 403 forbidden response was received. The response appears to have come from IIS6. Body of the response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
</ul>
<h2>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>About Security</b>, <b>Limiting Access by IP Address</b>, <b>IP Address Access Restrictions</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>


You can run dcdiag to check AD integrity.
What did you reformat/reinstall?
Check the exchange configuration.
There was a reformat of the entire drive, a new install of SBS 2003 with a domain name change and then a recovery of all data and Exchange .edb items.  The SSLs are for this new domain name, not the old.

Dcdiag?
Check the exchange configuration. ?

Sorry, I'm an experienced end user, not a pro.  Talk to a 3rd grader. <g>
Ok, installed Tools, ran DCdiag.  Hope it tells you something:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DDDDDDD
      Starting test: Connectivity
         ......................... DDDDDDD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DDDDDDD
      Starting test: Replications
         ......................... DDDDDDD passed test Replications
      Starting test: NCSecDesc
         ......................... DDDDDDD passed test NCSecDesc
      Starting test: NetLogons
         ......................... DDDDDDD passed test NetLogons
      Starting test: Advertising
         Warning: DDDDDDD is not advertising as a time server.
         ......................... DDDDDDD failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DDDDDDD passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DDDDDDD passed test RidManager
      Starting test: MachineAccount
         ......................... DDDDDDD passed test MachineAccount
      Starting test: Services
            IsmServ Service is stopped on [DDDDDDD]
            w32time Service is stopped on [DDDDDDD]
         ......................... DDDDDDD failed test Services
      Starting test: ObjectsReplicated
         ......................... DDDDDDD passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DDDDDDD passed test frssysvol
      Starting test: frsevent
         ......................... DDDDDDD passed test frsevent
      Starting test: kccevent
         ......................... DDDDDDD passed test kccevent
      Starting test: systemlog
         ......................... DDDDDDD passed test systemlog
      Starting test: VerifyReferences
         ......................... DDDDDDD passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : xxxxxx
      Starting test: CrossRefValidation
         ......................... xxxxxx passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... xxxxxx passed test CheckSDRefDom

   Running enterprise tests on : xxxxxx.local
      Starting test: Intersite
         ......................... xxxxxx.local passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... xxxxxx.local failed test FsmoCheck

D:\temp>

I started the Windows Time service, set it to Automatic, so the FsmoCheck now passes.  So that's not it.

Next?
This is the problem: your Exchange settings seem to refer to an old set of credentials/data, i.e. the old AD domain.
I don't understand what you're suggesting.  My understanding is that my Exchange settings would have been completely wiped out when I reformatted the drive and reinstalled SBS 2003 from scratch.  I had to recreate all users, mailboxes, etc.  The only thing that was restored was "data" such as PDF, etc. PLUS the individual Exchange contacts, notes, etc. ITEMS that were extracted from .edb files using OnTrack PowerControls.  How COULD my Exchange settings refer to ANYTHING old?  Nothing else (to my knowledge) was brought forward.

My email is working fine.  I can also connect to mail.mydomain.net.  I just can't connect from a Droid PDA which used to be able to do so.  Two different mail apps on the Droid have the same trouble whether I tell them to ignore SSL or not.  Both fail when trying to connect with ActiveSync.

Again, I don't know if the errors listed originally are related to this PDA problem or not, but I'm providing what info I can if it helps.
Not sure why/what led you to reformat.  I have no idea what the restore you made did to the AD.
Did you configure IIS to restrict access to the site to a specific set of IPs?
ID 27017576 is the beginning of the problem.  Nothing worked to restore the IIS folders, etc.  Acronis system drive backups were corrupted, so I had to wipe and reinstall.  Luckily, the backups of the data drive were OK as were the .mdb's from which I was able to create and backup the .edb's.  (I hope my terminology is correct.)

anyway, I did a completely new install of SBS 2003.  Created new users, etc.  Everything working ok except for the ability of my PDA's to connect/push etc.  I see the errors above in event log and so started this inquiry.  Either they are related to the PDA problem or not.  Either way, I need to correct them and the PDA problem.

I did not restrict anything.  
The problem is that I am not able, based on the errors you posted, to translate what those errors mean or how those errors affect the operation of your server.  For access from the PDA, you have to check whether the component that the PDA relies on is set up and running, as well as that the PDA has the correct parameters.
I am also uncertain whether the format/restore you went through while leaving the information as it was on the PDA are not in conflict now and that leads to the issue between the PDA and the server.
I just ran testexchangeconnectivity again:

Does this clarify the ActiveSync problem at all, and how to fix it?

ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.XXXXXX.net in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: iiiiiiiiiiiippppppppppppppp

Testing TCP port 443 on host mail.XXXXXX.net to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name mail.XXXXXX.net was found in the Certificate Subject Common name.

Validating certificate trust for Windows Mobile devices.
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 The certificate is valid. NotBefore = 5/13/2011 10:24:28 PM, NotAfter = 5/13/2012 10:24:28 PM



Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates isn't configured.

Testing HTTP Authentication Methods for URL https://mail.XXXXXX.net/Microsoft-Server-Activesync/.
 The HTTP authentication test failed.
 Additional Details
 An HTTP 403 forbidden response was received. The response appears to have come from IIS6. Body of the response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
</ul>
<h2>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>About Security</b>, <b>Limiting Access by IP Address</b>, <b>IP Address Access Restrictions</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
Check the IIS configuration to see whether you are restricting the site to a specific set of IPs from which a connection can be made.
I checked IIS folders exchange, exchange-oma, oma, exadmin, and anything else that looked related.  I did find that exchange was restricted to the NAT address of the server NIC itself and to 127.something.  I changed Exchange to Access Granted.  I did an iisreset.  But the Droid still gets the same error.
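Added example, not from the thread: a small Python model of the IIS 6 "IP address and domain name restrictions" setting. It shows why a virtual directory left at "Denied access" with only the server's own NIC address and the loopback range as exceptions answers every outside client (the phone, an external connectivity tester) with 403.6, while the server itself and loopback get through, and what the corrected "Granted access" setting yields for the same clients. The addresses are constructed placeholders; the class and helpers are mine, not an IIS API.

```python
import ipaddress


class IpRestriction:
    """Model of the IIS 6 'IP address and domain name restrictions' dialog:
    a default action ('Granted access' or 'Denied access') plus a list of
    exceptions, each a single address or a network/mask, that receive the
    opposite action. Hypothetical helper, not an IIS API."""

    def __init__(self, default_granted, exceptions=()):
        self.default_granted = default_granted
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]

    def allows(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        is_exception = any(ip in net for net in self.exceptions)
        return (not self.default_granted) if is_exception else self.default_granted


def http_status(restriction, client_ip):
    """IIS 6 answers a rejected address with 403.6 ('IP address of the client
    has been rejected'); otherwise the request proceeds (modelled as 200)."""
    return "200" if restriction.allows(client_ip) else "403.6"


def audit(restriction, clients):
    """Run every client address against one restriction and report the
    outcome, so a configuration can be checked before a device is retried."""
    return {ip: http_status(restriction, ip) for ip in clients}


# Constructed placeholder addresses (RFC 5737 documentation ranges for the
# public ones); none of these come from the thread.
SERVER_NAT_IP = "192.168.1.10"     # the server's own NIC, as found on the vdir
PHONE_IP = "203.0.113.25"          # the Droid on its carrier network
EXRCA_IP = "198.51.100.7"          # an external connectivity tester
CLIENTS = [SERVER_NAT_IP, "127.0.0.1", PHONE_IP, EXRCA_IP]

# What was found on the 'exchange' vdir: denied by default, with only the
# server itself and the loopback range allowed.
WEAK = IpRestriction(default_granted=False,
                     exceptions=[SERVER_NAT_IP, "127.0.0.0/8"])

# The corrected setting: granted by default, no exceptions.
CORRECTED = IpRestriction(default_granted=True)

if __name__ == "__main__":
    for name, restriction in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit(restriction, CLIENTS))
```

Running the weak configuration through `audit` reproduces the ExRCA result above: only the two local addresses pass, everything else is 403.6. Once the default flips to granted, the IP restriction is out of the picture and any remaining failure has to come from authentication or the certificate, which is exactly where the thread goes next.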
Run the check again and see what the effect of the changes you made is.
Do you have access to the net outside the location where the server is?  Can you access the OMA website? Double check that your router's open ports point to the IP of the server.
The prior "You are not authorized to view this page" error is gone now.  An SSL warning is still present.

Testing 24.249.206.138 (SSL, On LAN):

Communications:
      Doing DNS lookup on 24.249.206.138 ....... OK (mail.foo.net)
      Testing TCP to 24.249.206.138 port 443 ... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... FAIL
ActiveSync:
      Checking for application ................. FAIL

Result:
      ActiveSync detected, but access denied. [HTTP 403: Disabled for this user]

QUESTION!
In IIS folders, the Security Tabs of each folder, the Authentication Methods dialog, there are the Default Domain and Realm fields at the bottom.

If I click the Edit button, I'm given a choice of ONLY my XXXXXX.local name.  
On the phone, I'm entering "mail.XXXXXX.net" per instructions on the phone.
Should the Default Domain fields in IIS folders exchange, exchange-oma, oma, exadmin have "mail.XXXXXX.net" typed in rather than XXXXXX.net which, in fact, has a separate SSL cert (even tho' I currently don't have a website)?

In other words, is there a conflict currently?  I'm about to try that but I'm concerned that some of the IIS folders exchange, exchange-oma, oma, exadmin might need to stay the way they are and I don't want to mess things up more.
checking basic terminology:
When entering credentials on my Droid, a screen asks for userid, domain (if required), password, and server.
I'm entering:
my login name
xxxxxx (without .local or .net)
my password
mail.xxxxxx.net

I ask because in some other program on a workstation, server was referring to the name given to the COMPUTER on which the SBS 2003 resides, rather than xxxxxx.  I even tried to put THAT into the server field, but was told its format was incorrect.  
Sorry, but I'm checking everything given my level of knowledge.
I changed the Default domain in IIS folders exchange, exchange-oma, oma, exadmin to mail.xxxxxx.net.  I left Realm as XXXXXX (I only have the one computer).  Still no connection.  Should I switch them back?  To xxxxxx or xxxxxx.local?
The log file from the Android app has the following in it:

15 May 11:47:[24]:Making request to :https://mail.xxxxxx.net/Microsoft-Server-ActiveSync
15 May 11:47:[24]:Request returned :HTTP/1.1 401 Unauthorized
15 May 11:47:[24]:AUTHENTICATION FAILURE provisioning ActiveSync: Check your credentials

I went into IIS and checked the Security for the MSA folder.  What should the entry be for the Domain at the bottom?
Is it xxxxxx, xxxxxx.local, xxxxxx.net, or mail.xxxxxx.net, or something else?

And does Realm enter into this at all for a one server setup?

In addition to the previous info:

Should I be able to login into
https://mail.xxxxxx.net/Microsoft-Server-ActiveSync

from a workstation on the same domain like I CAN  TO

https://mail.xxxxxx.net/exchange     ???

Because while I get the login dialog for both, the MSA returns:  The website is unable to display the webpage HTTP 501/HTTP 505 whereas the OWA lets me in.

Is that what SHOULD BE occurring from within the same little network here?  Or does that indicate that the IIS for MSA needs to be changed somehow?
Check whether your IIS security settings require the PDA to have a preauthorized certificate as a means of authenticating the device.
When you configured the SITE, did you bind it to a specific IP, or do you use a host header in the binding/advanced section of the site configuration?
Need more detailed instructions to answer the previous questions.
Check the IIS the site, security tab.  Check whether you have set there that the client Must provide a certificate.

For which portion of the question do you need instructions?
I just ran the Analyzer.  Tells me updates are necessary.  Will do that first.

"Check whether your IIS security setting require the PDA to have a preauthorized Certificate as a means of authenticating the device."  How do I check?  What am I looking for?

"When you configured the SITE does not bind to a specific IP?"  How do I check?  What am I looking for?


or do you use host header in the binding/advanced section of the site configuration? How do I check?  What am I looking for?

When you open IIS Manager (Administrative Tools), right click on the web site and select Properties. Under the Web Site tab, is the IP showing "All Unassigned" or is there a specific IP?
Click the advanced tab, there you should see whether you have an IP port 80 or you have a host header mail.yourdomain.com port 80.

The SSL can only be tied to a single IP so host headers here make no difference.


SSL certificate requirements. Directory Security tab. IP address and domain restrictions: what do you have here? Grant access with nothing below, or do you have deny access and a list of IPs that are permitted to connect?
Within the same tab, under Secure Communications, click the Edit button and see what your settings here are: require SSL? Client certificate, require or ignore? Client certificate mapping, client certificate trust, etc.
What about the Authentication method? Do you have allow anonymous access or do you have Integrated Windows Authentication checked??

ASKER CERTIFIED SOLUTION (Fritters)
If you can post the URL, I need to see what the issue with the certificate might be.
You may need to add the certificate chain from the vendor from whom you purchased the certificate.  Go to Windows Update and see whether you need the optional root certificate update.  There was an intermediate Verisign certificate that expired in 2004/8 which is in the path of the certificates Verisign was signing with a subordinated CA.
Verisign
Intermediate Verisign (expired on your system)
Verisign (class subordinated CA)
mail.xxxxxxxxx.com.

When the chain is checked by your system, the expired intermediate causes the fault.
Others accessing your site who've since updated the root certificates will not experience this issue since the version of the intermediate they have is valid through 2015/25 but it is valid now.
Check the certificate store for the computer/service/user to see whether there is an expired certificate in the trusted CA location. If there is, check on the vendor's site for an updated one if windows update route is not for you.

http://support.microsoft.com/kb/931125
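Added example, not arnold's code or Microsoft's: a Python sketch of the chain-building step the post describes, with an expired copy of an intermediate sitting in the local store alongside a newer copy of the same intermediate. It models subject/issuer names and validity dates only (no signature verification, which a real validator must also perform), and the CA names and dates are constructed placeholders rather than the real Verisign or Go Daddy certificates. `expired_entries` is the "look for an expired certificate in the store" check the post recommends.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    """Only the fields needed for path building are modelled (constructed)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_root: bool = False   # self-signed trust anchor present in the local store


def valid_at(cert, when):
    return cert.not_before <= when <= cert.not_after


def build_path(leaf, store, when, _seen=()):
    """Depth-first search for leaf -> ... -> trusted root in which every
    certificate is inside its validity period at `when`. Every store entry
    whose subject matches the issuer name is tried, so an expired copy of an
    intermediate does not stop a newer copy of the same intermediate from
    completing the chain. Signature verification is deliberately left out."""
    if not valid_at(leaf, when) or leaf in _seen:
        return None
    if leaf.is_root:
        return [leaf]
    for cand in store:
        if cand.subject == leaf.issuer:
            rest = build_path(cand, store, when, _seen + (leaf,))
            if rest is not None:
                return [leaf] + rest
    return None


def expired_entries(store, when):
    """The check suggested in the post: store entries already past NotAfter."""
    return [c.subject for c in store if when > c.not_after]


# Constructed chain; names and dates are placeholders, not the thread's CAs.
ROOT = Cert("Example Root CA", "Example Root CA",
            datetime(1996, 1, 1), datetime(2028, 1, 1), is_root=True)
OLD_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                        datetime(1997, 1, 1), datetime(2004, 1, 7))
NEW_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                        datetime(2004, 1, 1), datetime(2015, 1, 7))
LEAF = Cert("mail.example.net", "Example Intermediate CA",
            datetime(2011, 5, 13), datetime(2012, 5, 13))
WHEN = datetime(2011, 5, 15)

STORE_STALE = [ROOT, OLD_INTERMEDIATE]                      # never updated
STORE_UPDATED = [ROOT, OLD_INTERMEDIATE, NEW_INTERMEDIATE]  # after the root update

if __name__ == "__main__":
    print("stale store  :", build_path(LEAF, STORE_STALE, WHEN))
    updated = build_path(LEAF, STORE_UPDATED, WHEN)
    print("updated store:", [c.subject for c in updated])
    print("expired in stale store:", expired_entries(STORE_STALE, WHEN))
```

With the stale store no valid path exists even though the leaf itself is current, which is the "Verifying certificate .... FAIL" pattern; adding the refreshed intermediate makes the same leaf validate without touching the server's own certificate.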
I do not know whether the PDA you use handles the Basic Authentication prompt.
When you use a browser to access the site, after you get there is there a application based prompt for username/password?

From the information here, I can not determine what leads to the Failure of the certificate validation.

As for the PDA getting the 403: it means that if you have Basic authentication only turned on, the PDA does not understand what it is being asked, or does not have a way to prompt the user for the credentials needed to gain access to the site.  In the absence of a response from the PDA to the Authorization request by IIS, the browser gets the message that you are not authorized to access this site as a guest.  Enable the anonymous user, or make sure that machine_IUSR has read access to where the ActiveSync app is, and see if the behavior as far as access changes.  As for the certificate, you have to determine whether this system has an expired certificate in the chain of signatures of your mail.xxxxxxx.com domain/host.
Arnold,
I think you missed my previous post:
I found that certain SP's had NOT been applied.  I've done all now and, lo and behold, the connection and syncing with ACTIVESYNC seems to be working just fine.
That's why I asked for this thread to be closed.
This whole thread got sidetracked into an unrelated issue.  I am going to repost.