Link to home
Start Free TrialLog in
Avatar of robinsonbud
robinsonbudFlag for United States of America

asked on

ActiveSync Autodiscover fails with security certificate issue, but Autodiscover works in Outlook & passes Microsoft Remote Connectivity Analyzer

I've just configured the necessary certificates and autodiscover records and it works great in Outlook Anywhere, but not on my Samsung S5.  The goal is to have ActiveSync setup in Outlook Anywhere and mobile devices to flow through using just email and password (autodiscover, without the need to do a manual setup).  

Outlook Anywhere setup works without a hitch.  I did have to enter the user credentials once more after going through the initial wizard, but no manual setup required, no certificate warnings, etc.

I've run the MIcrosoft Remote Connectivity Analyzer for Autodiscover and it passes with one warning: "The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."

The problem is on my Samsung S5, the only mobile device I currently have at hand to test.  I add the Exchange account, enter the email address and password and then get "Security Warning - There are problems with the security certificate for this site."  I click Continue and then get: "Setup could not finish - Unable to open connection to server. Security error occurred."

If Outlook Anywhere setup works fine and it passes the Microsoft Remote Connectivity Analyzer for Autodiscover, then why won't it work on the Samsung S5?  How can I troubleshoot this?
Avatar of Jamie McKillop
Jamie McKillop
Flag of Canada image

Hello,

Did you purchase a commercial UC certificate or are you using an internal certificate authority?

-JJ
Avatar of robinsonbud

ASKER

I'm using a 5 domain UCC from GoDaddy with mail.contoso.com, autodiscover.contoso.com.  This is a single Exchange 2010 with all roles on one 2008 R2 Std server.  Autodiscover.contoso.com is a CNAME to mail.contoso.com which in turn points to the Exchange server with port 443 open.

I have set up the alternate UPN to match the domain, but the username does not match the primary email & alias.  For example, user account UPN johndoe@contoso.com has a primary email & alias of jdoe@contoso.com.  I also have johndoe@contoso.com as an additional email address.  When setting up Outlook Anywhere, I enter jdoe@contoso.com and the password, but then when it prompts for credentials, I switch user to johndoe@contoso.com to use the UPN.  Also, I have not configured a Default Domain in IIS for Autodiscover & Microsoft-Server-ActiveSync. Do I need to?

When I set up an Exchange account on the Samsung S5 I do something similar, where I enter the email & password, it gives the security certificate error and then I have to manually provide the correct domain\username (contoso.local\johndoe) and the correct mail server (mail.contoso.com) and then it works.

So do I need to change the Exchange Alias or primary email, or change the account username to make them all match?  What is the requirement so that it flows through?  

But the error ("Security Warning - There are problems with the security certificate for this site.") on the Samsung S5 is related to the certificate, so not sure if the username match is the issue?  

Note that I also ran the Remote Connectivity Analyzer for ActiveSync and it passes with the following warnings:
 - The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
 - The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled

Does this indicate an issue with the certificate?
ASKER CERTIFIED SOLUTION
Avatar of Jamie McKillop
Jamie McKillop
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
What does LHS stand for?
Left hand side.

-JJ