Configure SSL certificate on Exchange 2003 for active sync

BeerTime
Hi everyone,

We have an Exchange 2003 Standard, SP2 configured to use Active Sync for iPhone.  We also have OWA enabled on the same Exchange server to use SSL certificate from VeriSign.  Please see the Default, Exchange and Microsoft-Server-Activesync virtual directory IIS configurations below.

Exchange Default Web Site
•      Secure Communications = Require SSL NOT ticked

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL NOT ticked

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked
•      Client certificate = Ignore client certificates

The Verisign SSL certificate is installed on the IIS default folder and OWA is using the certificate without a problem.

Question: When I configure iPhone with Exchange, it is not giving me a prompt to accept the certificate on the iPhone. But it only authenticates if SSL is enabled on the iPhone. How do I confirm if the VeriSign certificate is used on the iPhone when connecting to Exchange? Am I missing any steps?

Thank you so much for all your help in advance!!
Justin Durrant, Sr. Engineer - Windows Server/Virtualization

Commented:
What model iOS and iPhone? iOS 3.1 and above enables device encryption, which does not work well with Exchange 2003. You will need to modify your ActiveSync policy/policies to not require encryption.

Commented:
The certificate is definitely being used on the phone. Otherwise you would get a certificate error when trying to connect.

Author

Commented:
Thanks, I am using iPhone 4G and iPad2. Is there any way I can tell the SSL certificate is being used on the iPhone? Sorry, a question was asked and I am trying to prove to them the certificate is being used...that's all.

Thank you!

Justin Durrant, Sr. Engineer - Windows Server/Virtualization
Commented:
Yeah.. it is being used. However, the issue may still be with the ActiveSync policy and not SSL itself. Disable device encryption and see what happens.

Commented:
There is no way to see it, but if you connect without any cert errors you are using the cert, no question.

Author

Commented:
Thanks guys. I've downloaded an "activesync tester" on the iPhone and it passed all tests including certificate. I get an error message if the "enforce password on device" ActiveSync policy is enabled. One of the users mentioned that when he used an iPhone from another organization, he used to get a prompt to accept the certificate on the device upon setting up the Exchange mailbox wirelessly. Do you know if he refers to a server-based certificate as opposed to a 3rd party one like VeriSign?

Please see the attached document from Apple, Certificate-based Authentication section and tell me if this makes any sense.  
Sorry for trouble but I really appreciate all your help!!
iPhone-Business.pdf

Commented:
I have never had to accept a certificate on an iPhone or iPad and I have set up hundreds.

Author

Commented:
Thanks again. Based on your feedback, is it safe to assume then that you only need to download a self-generated certificate on the iPhone manually? Any third party SSL certificate like the one from VeriSign will not be prompted to get installed on the iPhone?

Thanks!
Sr. Engineer - Windows Server/Virtualization
Commented:
That is correct
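
A way to check this from a workstation, as an added example that is not part of the original posts: it handshakes with the ActiveSync host using the local trust store (an assumption standing in for the device's store) and reports who issued the certificate it was given. The function names, host names and sample certificates are constructed for illustration.

```python
import socket
import ssl
import sys

def name_field(rdns, key):
    """Return one attribute (e.g. 'commonName') from getpeercert()'s nested tuples."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(cert):
    """Reduce a getpeercert() dict to the fields that identify the certificate."""
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    return {
        "subject_cn": name_field(subject, "commonName"),
        "issuer_org": name_field(issuer, "organizationName"),
        "self_issued": subject == issuer,  # heuristic: a self-signed cert names itself as issuer
        "not_after": cert.get("notAfter"),
    }

def check_endpoint(host, port=443, timeout=10):
    """Handshake with the default trust store and hostname check enabled."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired, or name mismatch: the case where a device prompts.
        return {"trusted": False, "reason": exc.verify_message}
    except OSError as exc:
        # Unreachable host or a protocol/cipher failure: no verdict on the certificate.
        return {"trusted": None, "reason": str(exc)}

# Constructed samples in getpeercert() format (not taken from the thread).
CA_ISSUED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
SELF_ISSUED = {
    "subject": ((("commonName", "exch01.corp.example"),),),
    "issuer": ((("commonName", "exch01.corp.example"),),),
}

if __name__ == "__main__":
    print([check_endpoint(h) for h in sys.argv[1:]])
```

A server that offers only protocol versions the local OpenSSL build rejects returns `trusted: None`, which is a handshake failure and not a certificate verdict.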

Author

Commented:
Appreciate all your help on this!

Author

Commented:
Thanks for all your help!
