Solved

Exchange 2003 SSL cert errors - won't sync with Android phones

Posted on 2012-08-24
Last Modified: 2012-09-17
I have an 03 Exchange box (actually SBS 2003) that had a self-signed cert, and I was not able to get Android phones working on it. I decided to get a standard cert from GoDaddy and I got that installed. It looks like my cert isn't the correct one being used - when doing a testexchangeconnectivity.com test I get a lot of SSL failures:
Certificate name validation failed. - referencing *.ipower.com (which is the DNS host for this site)
None of the autodiscover is working either. How can I verify what cert it's using? Going to the website mail.domain.com I click the SSL icon and see godaddy.com - as in IIS properties/directory security for the default website (including exchange), which shows the right cert.
Question by:rhwimmers
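The question above asks how to verify which certificate the server is really presenting. The script below is an added example, not code from this thread or from any of its participants: it connects to an HTTPS endpoint, reports the subject CN and subjectAltName entries of the leaf certificate actually sent on port 443, and then applies the same kind of host-name check that ExRCA's "certificate name validation" performs. The host names (mail.example.com etc.) and the two sample certificate dictionaries are constructed; the second sample is modelled on the shape of the ExRCA output in this thread (a wildcard CN and no SAN). The live check assumes the third-party `cryptography` package is installed for DER decoding; the matching helpers run without it.

```python
"""
Report the certificate an HTTPS endpoint presents and check whether its
names cover the host name clients will type (e.g. mail.example.com).

Added example for this thread; host names, sample certificates and
function names are constructed, not taken from the original posts.
"""
import socket
import ssl
from typing import List, Optional, Tuple


def _dns_names(cert: dict) -> Tuple[List[str], List[str]]:
    """Split a getpeercert()-style dict into (SAN dNSNames, subject CNs)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return sans, cns


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a single leading '*'
    stands in for exactly one DNS label, so '*.a.com' matches 'b.a.com'
    but neither 'a.com' nor 'c.b.a.com', and '*.com' matches nothing."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason). SAN dNSName entries are authoritative;
    the subject CN is consulted only when the certificate has no SAN."""
    sans, cns = _dns_names(cert)
    candidates, source = (sans, "subjectAltName") if sans else (cns, "subject CN")
    for name in candidates:
        if _label_matches(name, hostname):
            return True, f"{hostname} matches {name} ({source})"
    return False, f"{hostname} matches none of {candidates} ({source})"


def fetch_presented_cert(host: str, port: int = 443,
                         server_name: Optional[str] = None,
                         timeout: float = 10.0) -> dict:
    """Connect with verification disabled (diagnostic use only) and return
    the leaf certificate the server actually presented, in the same dict
    shape as ssl.SSLSocket.getpeercert(). 'server_name' is the SNI value,
    which matters only for front ends that select certificates by name.
    Assumes the 'cryptography' package is installed; imported lazily so the
    offline helpers above work without it."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we want the cert even if it is wrong
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
    leaf = x509.load_der_x509_certificate(der)
    cns = [a.value for a in leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        ext = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return {
        "subject": tuple((("commonName", cn),) for cn in cns),
        "subjectAltName": tuple(("DNS", n) for n in sans),
        "issuer": leaf.issuer.rfc4514_string(),
        "notAfter": str(leaf.not_valid_after),
    }


# Constructed sample 1: shaped like the ExRCA output in the thread, a
# hosting provider's wildcard certificate with a CN only and no SAN.
SAMPLE_SHARED_HOST_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "*.ipower.com"),),
                (("commonName", "*.ipower.com"),)),
}

# Constructed sample 2: what a certificate issued for the mail host should
# look like, with every client-facing name in the SAN (placeholder names).
SAMPLE_INTENDED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "autodiscover.example.com")),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # live check: python check_cert.py mail.example.com
        target = sys.argv[1]
        presented = fetch_presented_cert(target)
        print("presented certificate:", presented)
        print(cert_matches_hostname(presented, target)[1])
    else:                                      # offline demonstration on the samples
        for label, sample in (("shared-host sample", SAMPLE_SHARED_HOST_CERT),
                              ("intended sample", SAMPLE_INTENDED_CERT)):
            print(f"{label}: {cert_matches_hostname(sample, 'mail.example.com')[1]}")
```

Run it with the public mail host name as the argument. If the subject it prints belongs to a different organisation's wildcard certificate, as in the ExRCA output quoted later in this thread, the name clients use is not reaching the IIS site that holds the intended certificate (check the DNS A record and the IIS binding) and re-installing the certificate will not change the result. Windows Server 2003/IIS 6 does not support SNI, so for that platform the certificate presented on a given IP:443 is the same whatever host name is sent; the `server_name` parameter is there for SNI-capable front ends.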
8 Comments
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38331754
Try OWA with SSL and see if you get same errors?

Please upload the screenshot here.
 
LVL 1

Author Comment

by:rhwimmers
ID: 38331757
Huh? Try OWA with SSL? I can log in to OWA just fine with SSL (it redirects me automatically from http to https). Note that I do need to type mail.domain.com/exchange to get to OWA; it doesn't auto-redirect me there.
There is no autoconfigure deal in 03 is there?  Thought that was an 07+ thing?

I made a change to the default website to require SSL and 128-bit, and now testexchange gives this:

The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

I just ran it again after a reboot (IIS started acting up after doing the above - the service wouldn't start). Here is what I am getting now:

ExRCA is attempting to obtain the SSL certificate from remote server domainname.com on port 443.
ExRCA successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=*.ipower.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT54361831, O=*.ipower.com, C=US, SERIALNUMBER=QUnNCHEImAP-b0sVK1xZgonhN8KLveyV, Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US.

NOTE - I AM NOT USING IPOWER. They are just hosting DNS for the A record.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38332204
Autodiscover is an Exchange 2007 and higher feature.
As you are using Exchange 2003 it doesn't apply for you.
On the test site you need to choose the option to manually enter the details. Then you enter the host name that you put on the SSL certificate.
The same will apply to any mobile devices, you cannot use any of the automated tools to configure them, you need to choose to manually enter things.

Simon.
 
LVL 4

Expert Comment

by:TI2Heaven
ID: 38332740
Just in case you miss this point: when you self-signed your certificate you need to install your CA certificate on all your clients (mobiles). Most mobiles have only a few CAs installed, so it might be that your chosen CA is not one of those installed on your mobiles.
 
LVL 1

Author Comment

by:rhwimmers
ID: 38332998
Right, which is why I switched them to a GoDaddy cert, so you don't have to mess with putting certs on phones.
I used testexchangecon manually and that worked MUCH better! Trying the setup on a phone now to confirm. I believe the user did mess with putting certs on the phone manually, but that shouldn't mess anything up, right? Just having more certs in your CA store is nbd?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38333881
Depends how they did the certificates. It can screw things up if they put the personal certificate (the certificate issued to your server) in as the root certificate - the device gets confused and cannot complete the chain of trust correctly.

Simon.
 
LVL 4

Accepted Solution

by:TI2Heaven (earned 1360 total points)
ID: 38349693
It depends, if two CAs have signed different signatures for the same entity one of the entity signatures should be canceled.