ActiveSync Autodiscover fails with security certificate issue, but Autodiscover works in Outlook & passes Microsoft Remote Connectivity Analyzer

Posted on 2015-02-17
Medium Priority
Last Modified: 2016-03-18
I've just configured the necessary certificates and autodiscover records and it works great in Outlook Anywhere, but not on my Samsung S5.  The goal is to have ActiveSync setup in Outlook Anywhere and mobile devices to flow through using just email and password (autodiscover, without the need to do a manual setup).  

Outlook Anywhere setup works without a hitch.  I did have to enter the user credentials once more after going through the initial wizard, but no manual setup required, no certificate warnings, etc.

I've run the Microsoft Remote Connectivity Analyzer for Autodiscover and it passes with one warning: "The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."

The problem is on my Samsung S5, the only mobile device I currently have at hand to test.  I add the Exchange account, enter the email address and password and then get "Security Warning - There are problems with the security certificate for this site."  I click Continue and then get: "Setup could not finish - Unable to open connection to server. Security error occurred."

If Outlook Anywhere setup works fine and it passes the Microsoft Remote Connectivity Analyzer for Autodiscover, then why won't it work on the Samsung S5?  How can I troubleshoot this?
Question by:robinsonbud

Expert Comment

by:Jamie McKillop
ID: 40616467

Did you purchase a commercial UC certificate or are you using an internal certificate authority?


Author Comment

ID: 40616963
I'm using a 5 domain UCC from GoDaddy with mail.contoso.com, autodiscover.contoso.com.  This is a single Exchange 2010 with all roles on one 2008 R2 Std server.  Autodiscover.contoso.com is a CNAME to mail.contoso.com which in turn points to the Exchange server with port 443 open.

I have set up the alternate UPN to match the domain, but the username does not match the primary email & alias.  For example, user account UPN johndoe@contoso.com has a primary email & alias of jdoe@contoso.com.  I also have johndoe@contoso.com as an additional email address.  When setting up Outlook Anywhere, I enter jdoe@contoso.com and the password, but then when it prompts for credentials, I switch user to johndoe@contoso.com to use the UPN.  Also, I have not configured a Default Domain in IIS for Autodiscover & Microsoft-Server-ActiveSync. Do I need to?

When I set up an Exchange account on the Samsung S5 I do something similar, where I enter the email & password, it gives the security certificate error and then I have to manually provide the correct domain\username (contoso.local\johndoe) and the correct mail server (mail.contoso.com) and then it works.

So do I need to change the Exchange Alias or primary email, or change the account username to make them all match?  What is the requirement so that it flows through?  

But the error ("Security Warning - There are problems with the security certificate for this site.") on the Samsung S5 is related to the certificate, so not sure if the username match is the issue?  

Note that I also ran the Remote Connectivity Analyzer for ActiveSync and it passes with the following warnings:
 - The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
 - The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled

Does this indicate an issue with the certificate?

Accepted Solution

Jamie McKillop earned 2000 total points
ID: 40617007
OK, your problem is that ActiveSync autodiscover will not work unless the LHS of the email address matches the username. If you want autodiscover to work, you will either need to change your usernames or your email addresses.

Your certificate is likely fine. The error you are receiving only relates to older devices. The older devices don't have the new root authority.
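
To find which mailboxes have the mismatch described in the accepted answer, this added example (not part of the original thread) compares the left-hand side of each primary SMTP address with the account's UPN prefix and sAMAccountName. The function name `Find-LhsMismatch` and the sample objects are constructed for illustration; the thread does not say which of the two logon names the device tries, so both comparisons are reported.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 so it also
# runs in the Exchange 2010 Management Shell.
function Find-LhsMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Mailbox
    )
    process {
        # ToString() handles both the live SmtpAddress object and the plain
        # string that a remote PowerShell session returns.
        $smtp    = $Mailbox.PrimarySmtpAddress.ToString()
        $smtpLhs = ($smtp -split '@')[0]
        $upnLhs  = ([string]$Mailbox.UserPrincipalName -split '@')[0]
        $sam     = [string]$Mailbox.SamAccountName

        # -ieq: compare the names case-insensitively.
        $matchesUpn = $smtpLhs -ieq $upnLhs
        $matchesSam = $smtpLhs -ieq $sam

        # Emit a row only when the SMTP LHS differs from either logon name.
        if (-not ($matchesUpn -and $matchesSam)) {
            New-Object psobject -Property @{
                PrimarySmtpAddress = $smtp
                UserPrincipalName  = [string]$Mailbox.UserPrincipalName
                SamAccountName     = $sam
                LhsMatchesUpn      = $matchesUpn
                LhsMatchesSam      = $matchesSam
            } | Select-Object PrimarySmtpAddress, UserPrincipalName,
                              SamAccountName, LhsMatchesUpn, LhsMatchesSam
        }
    }
}

# Constructed sample input: the first object mirrors the account described in
# the thread (UPN johndoe@contoso.com, primary address jdoe@contoso.com);
# the second is a made-up account whose names all agree.
$sample = @(
    New-Object psobject -Property @{ PrimarySmtpAddress = 'jdoe@contoso.com'
        UserPrincipalName = 'johndoe@contoso.com'; SamAccountName = 'johndoe' }
    New-Object psobject -Property @{ PrimarySmtpAddress = 'asmith@contoso.com'
        UserPrincipalName = 'asmith@contoso.com'; SamAccountName = 'asmith' }
)
$sample | Find-LhsMismatch | Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
#   Get-Mailbox -ResultSize Unlimited | Find-LhsMismatch
```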


Author Comment

ID: 40633371
What does LHS stand for?

Expert Comment

by:Jamie McKillop
ID: 40633445
Left hand side.

