iPhone 7 not connecting to SBS2011 Exchange 2010 after Self-Issued cert was reissued/renewed

I have a client with SBS2011 with Exchange 2010. They have 6 users with iPhone 7s. All the phones were able to connect with their Exchange accounts and send/receive e-mail until the server self-issued cert was reissued/renewed. Now 3 of them are not able to send or receive. In an attempt to get the owner's working, I used Safari to get the new cert by going to the domain over https (didn't work), and deleted the Exchange account and re-created the account (also didn't work). I keep getting an error (Cannot Verify Server Identity: The identity of "server.mydomain.com" cannot be verified by Exchange.). Only two choices are presented, "Details" and "Cancel"; there is no third choice to continue anyway.

Do I need to download the certificate to the phone or will it just come down by itself? Or what is the correct procedure to get the cert on the phone?

I have tried several times to enter and reenter but can't seem to get this to work. I have tried googling to find information but haven't been successful so far, so I decided to go to the "Experts". On the owner's account, I also deleted the phone partnership in the Exchange Management Console. Also, the internal domain has a .local extension, so I can't use a third-party trusted certificate (thanks, Microsoft).

Below is all the information for this account with their domain redacted as “mydomain”.
Please help me: what are the correct settings for these iPhones?

Redacted Information:
Full server computer name: SERVER.mydomain.local
Internal domain: mydomain.local
Server: server.mydomain.com

UID: MYDOMAIN\JSmith
PWD: <password>

Certificate
Issuer: mydomain-SERVER-CA
Subject: server.mydomain.com
Subject Alternative Name:
DNS Name=mydomain.com
DNS Name=server.mydomain.com
DNS Name=SERVER.mydomain.local
Valid from: Sunday, February 18, 2018
Valid to: Tuesday, February 18, 2020
Asked by Randall Seiler (Owner).

Dmitri Farafontov (Linux Systems Admin) commented:
Yeah, let's try that.

Dmitri Farafontov (Linux Systems Admin) commented:
Are you using a self-signed certificate? Or have you purchased it from somewhere like Entrust/Digicert?
If you press on Details, you will likely find out what exactly is wrong with your SSL certificate.

Randall Seiler (Owner, Author) commented:
It is a self-signed cert; the internal domain is .local, so I can't buy a purchased cert.

Dmitri Farafontov (Linux Systems Admin) commented:
If the cert is self-signed you have to manually add it to each iPhone as it does not trust it by default (and that is a good thing):

1) Export the CRT in your browser, email it to yourself, and open it on the iPhone:
https://blog.httpwatch.com/2013/12/12/five-tips-for-using-self-signed-ssl-certificates-with-ios/

2) You might have to go to Settings, manually have it show up, and set it to trusted:
https://discussions.apple.com/thread/7738477

Randall Seiler (Owner, Author) commented:
Thanks Dmitri, I will make note of your suggestions and read over those sites.

Dmitri Farafontov (Linux Systems Admin) commented:
3) Once you have everything set up correctly, you should have something like this (where each custom self-signed cert is installed and listed):
https://support.apple.com/en-ca/HT204477

Let me know if you get stuck on something.

Randall Seiler (Owner, Author) commented:
What is the best way to get the correct certificate?
The certificate in [https://server.mydomain.com/public/downloads] is different from the one that is in a browser.
I can go to the cert authority on the SBS2011 and export the cert that matches the one that shows up in a browser. Is that a good way to get it for download to a phone?

[https://server.mydomain.com/public/downloads]:
Issued to: mydomain-SERVER-CA
Issued by: mydomain-SERVER-CA
Valid from 2/18/2018 to 2/18/2023

exported from cert authority & in a browser:
Issued to: server.mydomain.com
Issued by: mydomain-SERVER-CA
Valid from 2/18/2018 to 2/18/2020

Dmitri Farafontov (Linux Systems Admin) commented:
Yeah, that sounds like a plan. Although I am confused why a different certificate is being served.

Randall Seiler (Owner, Author) commented:
It's a Microsoft conspiracy to give us all migraine headaches!

Randall Seiler (Owner, Author) commented:
Should I just install both of them?

Randall Seiler (Owner, Author) commented:
Thanks, Dmitri, for all your help.

Here is what worked for me:
On the iPhone that was connecting and e-mail was working, but the SBS2011 self-signed certificate was reset or renewed, I just downloaded and installed the new cert, and the phone just started working.

On the iPhone that was a new, fresh setup, I downloaded the certificate and then proceeded to set up the Exchange account on the phone.

To get the RWA certificate:
* With a browser, go to the secure site [i.e. https://server.mydomain.com]
* Log in to Remote Web Access
* Navigate to Shared Folders -> Public -> Downloads -> Certificate Distribution Package
* Download and install the SBSCertificate.cer

Note: Make sure the user name is entered EXACTLY as it is in AD.
Example: User = Harry Smith, UID in AD = HSmith, Username entered in iPhone = HSmith

Dmitri Farafontov (Linux Systems Admin) commented:
Glad you got it sorted! The idea is to always get the right CRT imported.

Randall Seiler (Owner, Author) commented:
Dmitri, thanks for your help.
https://blogs.technet.microsoft.com/sbs/2011/04/19/how-to-obtain-the-certificate-distribution-package-in-sbs-2011-standard-through-remote-web-access/

When I get some time, I would like to put together a tutorial with screenshots and full instructions for renewing the certs and how to get them out of the server. It doesn't seem all that complicated, but finding correct information has been a task.

Dmitri Farafontov (Linux Systems Admin) commented:
Great! Thanks for the FYI.
Question has a verified solution.
