• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 704

Need help pushing the Exchange 2010 to the iphone

Dear experts,

I am having trouble getting our iPhones to work with the new Exchange 2010 server. I am pasting the error message that I am getting from the https://www.testexchangeconnectivity.com/ site:

ExRCA is testing Exchange ActiveSync.  

The Exchange ActiveSync test failed.

Test Steps

Attempting to resolve the host name webmail.doamin.com in DNS.

The host name resolved successfully.

Additional Details

IP addresses returned: 98.X.X.X


Testing TCP port 443 on host webmail.domain.com to ensure it's listening and open.

The port was opened successfully.

Testing the SSL certificate to make sure it's valid.

The SSL certificate failed one or more certificate validation checks.

Test Steps

ExRCA is attempting to obtain the SSL certificate from remote server webmail.domain.com on port 443.

ExRCA successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=DSS-server, Issuer: CN=DSS-server.

Validating the certificate name.

Certificate name validation failed.

Additional Details

Host name webmail.domain.com doesn't match any name found on the server certificate CN=DSS-server.

For your time and help, many thanks! M
0
marceloNYC
Asked:
marceloNYC
3 Solutions
 
marceloNYC (Author) commented:
The actual iPhone is giving me "Exchange Account Unable to verify account information".
0
 
grahamnonweiler commented:
The certificate must include the domain name you are using to access your OWA - ActiveSync works over HTTP/HTTPS and is therefore looking for "webmail.domain.com".

Change your certificate to include that domain name.
0
 
grahamnonweiler commented:
You can also let the iPhone "ignore" the error in the certificate, but it is not recommended.
0
 
marceloNYC (Author) commented:
grahamnonweiler, thank you. Do you know where I go to do that?
0
 
grahamnonweiler commented:
If you want to ignore the error on the iPhone you must disable SSL connectivity on the iPhone, which is done from the "account" settings on the iPhone.

The better option is to add the domain in to your certificate, which will mean that you do not have to tell all your users to disable SSL (which is a bit of a security risk anyway).

It looks as though you "self signed" the certificate you are using, and if so just generate a new certificate with your main domain, and then all sub-domains underneath.

If it is a purchased UCC/SAN certificate then you can simply go to the certificate issuer and add the domain name and then reinstall the certificate.
0
 
marceloNYC (Author) commented:
We want to keep it a "self signed" certificate. I need to know how to reassign the certificate again. I am looking around but no luck understanding what to do.
0
 
Frosty555 commented:
marceloNYC - save yourself a lot of headache and fix your certificate issues. You should have a unified communications certificate (or a certificate that allows several different "subject alternative names" or SANs to be defined on the certificate). If you just have a basic certificate that only allows one name.... you have bought the wrong certificate. If you are using a self-signed certificate - you need to stop using that.

Follow the instructions here to get a proper certificate signing request from your Exchange server:

http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

You should have ALL the names your server can be addressed by on the certificate as well as any webmail and autodiscover hostnames, and any hostnames used on the local network. Typically you end up with these names on the certificate:

DSS-server                    <-- local network short name
DSS-server.yourdomain.local   <-- local network FQDN
webmail.domain.com            <-- webmail/owa URL
autodiscover.domain.com       <-- autodiscover URL

All sorts of things are flaky and don't work properly when you don't have the right certificate. Ignoring them works sometimes, but always causes headache and confusion.
0
 
Exchange_Geek commented:
Follow the steps outlined in the link, where it guides you to select / avoid the certificate issue by Exchange on iPhone.

Personally, I'd recommend you re-issue the certificate from your Exchange box so that it includes the following names:

autodiscover.domain.com
webmail.domain.com
CAS Server NETBIOS
CAS Server FQDN

Once done, you'll simply need to send the cert (exported from your Cert Auth Server) to your iPhone as an attachment using their personal email address, download and install the cert, and enjoy seamless secure connectivity with Exchange.

Regards,
Exchange_Geek
0
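The certificate re-issue discussed in the posts above, sketched for the self-signed case the asker wants to keep. This is an added example, not part of any post in the thread; it assumes the Exchange Management Shell on the Exchange 2010 server, and the host names (taken from the thread's sample list) and the output path are placeholders.

```powershell
# Names every client will use to reach the server (placeholders from the thread).
$names = @(
    'webmail.domain.com',            # OWA / ActiveSync URL
    'autodiscover.domain.com',       # Autodiscover URL
    'DSS-server',                    # local network short name
    'DSS-server.yourdomain.local'    # local network FQDN
)

# Create a self-signed certificate whose subject alternative names cover all of them.
# The cmdlets may ask for confirmation before replacing an existing binding.
$cert = New-ExchangeCertificate `
    -FriendlyName 'Exchange 2010 self-signed (SAN)' `
    -SubjectName  "CN=$($names[0])" `
    -DomainName   $names `
    -PrivateKeyExportable $true

# Bind it to IIS, which serves OWA, ActiveSync and Autodiscover.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Verify: every required name must appear on the installed certificate.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$onCert    = @($installed.CertificateDomains | ForEach-Object { $_.ToString() })
$missing   = @($names | Where-Object { $onCert -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Names missing from certificate: " + ($missing -join ', '))
} else {
    Write-Host "All names present; services: $($installed.Services)"
}

# Export ONLY the public certificate (no private key) for installation on devices.
$x509  = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$bytes = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes('C:\Temp\exchange-public.cer', $bytes)   # placeholder path
```

The exported `.cer` file holds the public certificate only, so it can be handed to devices without exposing the server's private key.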
 
marceloNYC (Author) commented:
Now that we fixed the certificate situation I am getting this error:

ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
 
An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.

Attempting the FolderSync command on the Exchange ActiveSync session.
       The test of the FolderSync command failed.

This is what I used to fix the self assign cert:

http://www.msexchange.org/player.asp?AYGl5HgC
0
 
Exchange_Geek commented:
Perform the following test

Please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add the account (that you tested with) to the exceptions list.

Ref: link

Regards,
Exchange_Geek
0
 
marceloNYC (Author) commented:
Hello Exchange Geek, this is an Exchange 2010 server....
0
 
Exchange_Geek commented:
My bad :(

Regards,
Exchange_Geek
0
 
marceloNYC (Author) commented:
How come in Exchange Server 2010 I don't see the Exchange options in the user accounts in Users and Computers? Before, in Exchange 2003, I had Exchange options?
0
 
marceloNYC (Author) commented:
Nevermind, I found it!!!! Sorry guys... sigh...
0
 
marceloNYC (Author) commented:
I am getting this error now in the event viewer....

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Marcelo me,OU=OKC,OU=Users,OU=Domain,DC=is,DC=ad" container under Active Directory user "Active Directory operation failed on DSS-server.is.ad. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

http://support.microsoft.com/kb/2579075
0
 
Exchange_Geek commented:
So, does the user have inherited permissions in Security tab?

Regards,
Exchange_Geek
0
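A read-only way to answer the inherited-permissions question raised above, for the account named in the event log entry. This is an added example, not part of any post in the thread; it assumes the ActiveDirectory PowerShell module is available, and the function name and the sample account name are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: reports the ACL state the event text asks you to check.
function Get-ActiveSyncAclReport {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Rights Exchange needs in order to create the device container under the user.
    $needed = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren'

    # ACEs on this user object that name the Exchange Servers group.
    $exchAces = @($acl.Access | Where-Object {
        $_.IdentityReference -like '*\Exchange Servers'
    })

    # Deny ACEs that touch any of the needed rights, whoever they apply to.
    $denyAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band $needed) -ne 0)
    })

    New-Object PSObject -Property @{
        User                = $user.DistinguishedName
        # True means "Include inheritable permissions" is unticked on the Security tab.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ExchangeServersAces = $exchAces.Count
        InheritedExchAces   = @($exchAces | Where-Object { $_.IsInherited }).Count
        BlockingDenyAces    = $denyAces.Count
    }
}

# 'jdoe' is a placeholder account name.
Get-ActiveSyncAclReport -SamAccountName 'jdoe' | Format-List
```

A result with `InheritanceDisabled` set to True and no inherited Exchange Servers entries matches the condition described in the event text.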
 
marceloNYC (Author) commented:
http://www.chicagotech.net/troubleshooting/eventid1053.htm

http://support.microsoft.com/kb/2579075

I am not sure which one of these did it, but now I am all set with the iPhone!!!! Hurrayyy!!!!!
0
 
Exchange_Geek commented:
Awesome, that is what I asked when I mentioned inherited permissions - Exchange groups should have drilled down to your account.

Great to hear - issue solved.

Regards,
Exchange_Geek
0
 
marceloNYC (Author) commented:
Thank you guys so very much, you guys are awesome!!!! You certainly helped me a lot on this.
0
 
marceloNYC (Author) commented:
I tell you guys for me this exchange job was pretty awesome!!!!! Thanks again for your help.
0
 
Exchange_Geek commented:
You're most welcome :)

Regards,
Exchange_Geek
0
