
ActiveSync Autodiscover fails with security certificate issue, but Autodiscover works in Outlook & passes Microsoft Remote Connectivity Analyzer

I've just configured the necessary certificates and autodiscover records and it works great in Outlook Anywhere, but not on my Samsung S5.  The goal is to have ActiveSync setup in Outlook Anywhere and mobile devices to flow through using just email and password (autodiscover, without the need to do a manual setup).  

Outlook Anywhere setup works without a hitch.  I did have to enter the user credentials once more after going through the initial wizard, but no manual setup required, no certificate warnings, etc.

I've run the Microsoft Remote Connectivity Analyzer for Autodiscover and it passes with one warning: "The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."

The problem is on my Samsung S5, the only mobile device I currently have at hand to test.  I add the Exchange account, enter the email address and password and then get "Security Warning - There are problems with the security certificate for this site."  I click Continue and then get: "Setup could not finish - Unable to open connection to server. Security error occurred."

If Outlook Anywhere setup works fine and it passes the Microsoft Remote Connectivity Analyzer for Autodiscover, then why won't it work on the Samsung S5?  How can I troubleshoot this?
Asked by: robinsonbud

Jamie McKillop Commented:
Hello,

Did you purchase a commercial UC certificate or are you using an internal certificate authority?

-JJ

robinsonbud (Author) Commented:
I'm using a 5 domain UCC from GoDaddy with mail.contoso.com, autodiscover.contoso.com.  This is a single Exchange 2010 with all roles on one 2008 R2 Std server.  Autodiscover.contoso.com is a CNAME to mail.contoso.com which in turn points to the Exchange server with port 443 open.

I have set up the alternate UPN to match the domain, but the username does not match the primary email & alias.  For example, user account UPN johndoe@contoso.com has a primary email & alias of jdoe@contoso.com.  I also have johndoe@contoso.com as an additional email address.  When setting up Outlook Anywhere, I enter jdoe@contoso.com and the password, but then when it prompts for credentials, I switch user to johndoe@contoso.com to use the UPN.  Also, I have not configured a Default Domain in IIS for Autodiscover & Microsoft-Server-ActiveSync. Do I need to?

When I set up an Exchange account on the Samsung S5 I do something similar, where I enter the email & password, it gives the security certificate error and then I have to manually provide the correct domain\username (contoso.local\johndoe) and the correct mail server (mail.contoso.com) and then it works.

So do I need to change the Exchange Alias or primary email, or change the account username to make them all match?  What is the requirement so that it flows through?  

But the error ("Security Warning - There are problems with the security certificate for this site.") on the Samsung S5 is related to the certificate, so not sure if the username match is the issue?  

Note that I also ran the Remote Connectivity Analyzer for ActiveSync and it passes with the following warnings:
 - The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
 - The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled

Does this indicate an issue with the certificate?

Jamie McKillop Commented:
OK, your problem is that ActiveSync autodiscover will not work unless the LHS of the email address matches the username. If you want autodiscover to work, you will either need to change your usernames or your email addresses.

Your certificate is likely fine. The error you are receiving only relates to older devices. The older devices don't have the new root authority.

-JJ

robinsonbud (Author) Commented:
What does LHS stand for?

Jamie McKillop Commented:
Left hand side.

-JJ
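
One way to find the accounts affected by the condition given in the accepted answer (logon name not matching the left-hand side of the primary email address), as an added example that is not part of the original thread. The sample objects are constructed from the johndoe/jdoe case in the question, and treating both the UPN prefix and the sAMAccountName as "the username" is an assumption.

```powershell
# Added example: audit mailboxes whose logon name differs from the
# left-hand side (LHS) of the primary e-mail address.
# Written for PowerShell 2.0 (Exchange 2010 on Server 2008 R2).

function Get-LocalPart([string]$Address) {
    # Text before the last '@', lower-cased; whole string if no '@'.
    $i = $Address.LastIndexOf('@')
    if ($i -lt 0) { return $Address.ToLowerInvariant() }
    return $Address.Substring(0, $i).ToLowerInvariant()
}

function Test-AutodiscoverIdentity {
    param([Parameter(ValueFromPipeline = $true)] $Mailbox)
    process {
        $mailLhs = Get-LocalPart ([string]$Mailbox.PrimarySmtpAddress)
        $upnLhs  = Get-LocalPart ([string]$Mailbox.UserPrincipalName)
        $sam     = ([string]$Mailbox.SamAccountName).ToLowerInvariant()
        New-Object PSObject -Property @{
            PrimarySmtpAddress = [string]$Mailbox.PrimarySmtpAddress
            UserPrincipalName  = [string]$Mailbox.UserPrincipalName
            SamAccountName     = [string]$Mailbox.SamAccountName
            LhsMatchesUpn      = ($mailLhs -eq $upnLhs)
            LhsMatchesSam      = ($mailLhs -eq $sam)
        }
    }
}

# Constructed sample data (assumption: mirrors the case in the question).
$sample = @(
    New-Object PSObject -Property @{
        UserPrincipalName  = 'johndoe@contoso.com'
        PrimarySmtpAddress = 'jdoe@contoso.com'
        SamAccountName     = 'johndoe'
    }
    New-Object PSObject -Property @{
        UserPrincipalName  = 'asmith@contoso.com'
        PrimarySmtpAddress = 'asmith@contoso.com'
        SamAccountName     = 'asmith'
    }
)

# List only the accounts where the email LHS differs from a logon name.
# In the Exchange Management Shell, replace $sample with:
#   Get-Mailbox -ResultSize Unlimited
$sample | Test-AutodiscoverIdentity |
    Where-Object { -not ($_.LhsMatchesUpn -and $_.LhsMatchesSam) } |
    Select-Object PrimarySmtpAddress, UserPrincipalName, SamAccountName
```

With the sample data, only the jdoe@contoso.com mailbox is listed; asmith matches on both comparisons and is filtered out.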