Solved

ActiveSync Autodiscover fails with security certificate issue, but Autodiscover works in Outlook & passes Microsoft Remote Connectivity Analyzer

Posted on 2015-02-17
Last Modified: 2016-03-18
I've just configured the necessary certificates and autodiscover records and it works great in Outlook Anywhere, but not on my Samsung S5.  The goal is to have ActiveSync setup in Outlook Anywhere and mobile devices to flow through using just email and password (autodiscover, without the need to do a manual setup).  

Outlook Anywhere setup works without a hitch.  I did have to enter the user credentials once more after going through the initial wizard, but no manual setup required, no certificate warnings, etc.

I've run the Microsoft Remote Connectivity Analyzer for Autodiscover and it passes with one warning: "The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."

The problem is on my Samsung S5, the only mobile device I currently have at hand to test.  I add the Exchange account, enter the email address and password and then get "Security Warning - There are problems with the security certificate for this site."  I click Continue and then get: "Setup could not finish - Unable to open connection to server. Security error occurred."

If Outlook Anywhere setup works fine and it passes the Microsoft Remote Connectivity Analyzer for Autodiscover, then why won't it work on the Samsung S5?  How can I troubleshoot this?
Question by:robinsonbud
 

Expert Comment

by:Jamie McKillop
Hello,

Did you purchase a commercial UC certificate or are you using an internal certificate authority?

-JJ
 

Author Comment

by:robinsonbud
I'm using a 5 domain UCC from GoDaddy with mail.contoso.com, autodiscover.contoso.com.  This is a single Exchange 2010 with all roles on one 2008 R2 Std server.  Autodiscover.contoso.com is a CNAME to mail.contoso.com which in turn points to the Exchange server with port 443 open.

I have set up the alternate UPN to match the domain, but the username does not match the primary email & alias.  For example, user account UPN johndoe@contoso.com has a primary email & alias of jdoe@contoso.com.  I also have johndoe@contoso.com as an additional email address.  When setting up Outlook Anywhere, I enter jdoe@contoso.com and the password, but then when it prompts for credentials, I switch user to johndoe@contoso.com to use the UPN.  Also, I have not configured a Default Domain in IIS for Autodiscover & Microsoft-Server-ActiveSync. Do I need to?

When I set up an Exchange account on the Samsung S5 I do something similar, where I enter the email & password, it gives the security certificate error and then I have to manually provide the correct domain\username (contoso.local\johndoe) and the correct mail server (mail.contoso.com) and then it works.

So do I need to change the Exchange Alias or primary email, or change the account username to make them all match?  What is the requirement so that it flows through?  

But the error ("Security Warning - There are problems with the security certificate for this site.") on the Samsung S5 is related to the certificate, so not sure if the username match is the issue?  

Note that I also ran the Remote Connectivity Analyzer for ActiveSync and it passes with the following warnings:
 - The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
 - The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled

Does this indicate an issue with the certificate?

Accepted Solution

by:Jamie McKillop
OK, your problem is that ActiveSync autodiscover will not work unless the LHS of the email address matches the username. If you want autodiscover to work, you will either need to change your usernames or your email addresses.

Your certificate is likely fine. The error you are receiving only relates to older devices. The older devices don't have the new root authority.

-JJ
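
An audit for the mismatch described in the accepted answer, added here as an example and not part of the original thread: it lists mailboxes whose primary SMTP local part differs from the logon name. It assumes the Exchange Management Shell, and since the answer does not say whether "username" means the sAMAccountName or the UPN prefix, it reports both; `Get-LocalPart` is a helper name made up for this example.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 or later).
# Reports mailboxes whose primary SMTP local part (the LHS) differs from the
# logon name, i.e. the accounts the accepted answer says cannot complete
# ActiveSync Autodiscover with only an e-mail address and password.

function Get-LocalPart {
    # Hypothetical helper: returns everything before the last '@',
    # or an empty string when the value has no usable '@'.
    param([string]$Address)
    $at = $Address.LastIndexOf('@')
    if ($at -lt 1) { return '' }
    return $Address.Substring(0, $at)
}

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $smtpLhs = Get-LocalPart ([string]$_.PrimarySmtpAddress)
    $upnLhs  = Get-LocalPart ([string]$_.UserPrincipalName)
    $sam     = [string]$_.SamAccountName

    # -ne on strings is case-insensitive in PowerShell, which matches how
    # Active Directory compares logon names.
    # Assumption: "username" may mean either the sAMAccountName or the UPN
    # prefix, so a difference from either one is reported.
    if ($smtpLhs -ne $sam -or $smtpLhs -ne $upnLhs) {
        New-Object PSObject -Property @{
            Mailbox        = $_.Name
            PrimarySmtp    = [string]$_.PrimarySmtpAddress
            SamAccountName = $sam
            UPN            = [string]$_.UserPrincipalName
            Alias          = $_.Alias
        }
    }
} | Select-Object Mailbox, PrimarySmtp, SamAccountName, UPN, Alias |
    Format-Table -AutoSize
```

With the accounts described in the question, the user with UPN johndoe@contoso.com and primary address jdoe@contoso.com would appear in this report.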
 

Author Comment

by:robinsonbud
What does LHS stand for?

Expert Comment

by:Jamie McKillop
Left hand side.

-JJ
