No way to disable Server Certificate Validation in 802.1x! - Networking

Hi,
I want to connect my Qtek 9100 to the 802.1x WLAN of my school (ETHZ). It has not been possible yet, although I spent an hour with a person from the tech support of the school.
The problem comes from the very specific configuration that I cannot set on the Qtek 9100!
I need to uncheck the "validate server certificate" option, which is the default for PEAP authentication, something easy to do on a normal Windows machine. But the problem is, there is no way to disable this on the Qtek 9100 in any "properties" tab, and it therefore complains that the server certificate is not valid, and then refuses to connect!
HOW could I disable "validate server certificate"?? Using the registry??
With the person from the tech support we managed to somehow find the registry keys linked to this option in Windows. But of course these keys don't exist on the Qtek 9100 in Windows Mobile 5...
Please, is there some expert with some better idea?
Thanks
Fabrice

I haven't found a way to do it so far. Neither various configurations nor random 3rd party software worked properly on WM5.
This issue is more interesting when you consider that the HTC Universal offers LEAP (which would work as well) and the Wizard doesn't!

http://forum.xda-developers.com/viewtopic.php?t=42664
From what I can gather you will need a root certificate. Still trying to get to the bottom of this though.

It seems that AKU2 allows us to use LEAP, which already would do the thing! I'll test it on Friday and let you know!

I found some useful info on the net, but have not yet tested it on my MDA Vario:
there seem to be 3 possibilities:
1: you retrieve the root certificate from your techie friend at your university and place it in the designated folder on your ppc.
2: you add a DWORD 0 at HKLM\Comm\EAP\Extension\25\ValidateServerCert (http://www.modaco.com/How_to_set_a_wifi_network_to_use_a_certificatel-t237261.html)
3: Hkey_Current_User\Software\Microsoft\ActiveSync\Partners
Here you should notice 2 sub-keys, both with a unique UID. One is set up for the ActiveSync Partnership with your PC, the other is set up for the partnership with your Exchange server. Fortunately, it is fairly easy to distinguish between the two. Simply highlight one of them, and look at the different values. You'll see pretty quickly which one is for your Exchange server. While the partner key for your Exchange server is highlighted, create a new value with the following parameters
Type: DWORD
Name: secure
Value: 0 (http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html)
The authors of points 2 and 3 differ in opinion, but I cannot say which is best; perhaps someone else has an opinion?

predo said:
It seems that AKU2 allows us to use LEAP, which already would do the thing! I'll test it on Friday and let you know!
Hi Predo,
Have you been able to get LEAP to work using AKU2??
Lot of inquiries present on the net, but no clear answers.....
Thx,
Mak

This is what I would do.
This can be easily done from a PC, because you can get a temporary trust from the authentication server which gives you the option to install the root on your PC. Export the root cert from your laptop/PC and copy it over to your mobile device. Once the root.cer is on the Wizard, just open up File Explorer and double tap it; the cert will auto install.
Problem solved.
I wouldn't use LEAP or even PEAP without validating the server cert. Especially in a hostile environment like a university, which is full of hacks. Associating to an AP without validating certs sets you up for man in the middle.
The only advantage of LEAP or Fast EAP (if it were supported) is for roaming. The Wizard would also have to support CCX v3. You can get this CCX v3 support by purchasing the Funk (now Juniper) Odyssey client, which is $50. When using LEAP or Fast EAP it allows the use of CCKM (fast roaming).
Oh yeah, the Odyssey client supports PEAP with the option to not validate the server cert.

Hi, I don't know why that is, but after upgrading the software to the new AKU2.0 ROM (i-mate, AFAIR) I started to be able to connect to my university WLAN with no problems. Only thing is, there I have nothing added in the LEAP tab in network properties.
Anyway, it works so I'm not playing with settings anymore ;-)

Related

80072fd Push with SBS2003

My IT guys have been trying to get this push email thing working and it seems to be one difficulty after another and is not as simple as pressing "push email" in the connection icon....
Our latest error appears on my device with the above error code stating
"the security certificate on the server is invalid. contact your exchange server administrator or ISP to install a valid certificate to the server".
I have read that I need to buy a public certificate from a public authority (CA) or similar such as Verizon or Thawte. Is this the case, or is there a simpler way to get this push email working using the existing configuration and setup of the server?
We use exchange SP2, with outlook 2003 all around. Internet based webmail works correctly with full access, and activesync via PC works perfectly, but push email encounters the above error.
Any suggestions.
are you sure it's 80072fd or 80072efd ?
I don't have a solution, but the problem is described in M$ knowledgebase article: 915438 - see attached Acrobat .PDF.
I had already tried the suggestion in KB915840 to import the certificate from my sbs2k3-domain, but this had failed with "cannot access the certificate" - even with them on the device. However, certificates from my clients' servers, both sbs2k and sbs2k3, import without problems. This happened both before and after o2's AKU2 ROM update - so AKU2 is not the problem. In addition, I spent Easter *totally* reinstalling sbs2k3 and tested it immediately afterwards. All the sbs2k3/Exch2k3-Sp2 boxes are fully patched. The certificate itself is correct/working, since it works for Outlook Web Access via the web with laptops and even the Exec (Universal).
Whilst sync'ing from the workstation via ActiveStink/USB, if you turn off the SSL requirement the sync succeeds, but that's obviously not a working solution via the 'Net.
Update:
Just had a thought, and checked the various certificates in a hex-editor. The one from my sbs2k3 box is a completely different format. :? I'll see what I can find out.....
maybe not related, but here's a list of all ActiveSync Server Error Codes: http://blogs.flaphead.dns2go.com/archive/2005/11/21/3202.aspx
80072f0d
Sorry, the correct code is 80072f0d.
I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I can't take it down just to fix my one desire to have push email.
But I do find it painful and frustrating that Microsoft do not adequately support their own platforms, and systems don't integrate as they should and as they are promoted.
M$ sks.
Re: 80072f0d
simon_darley said:
....I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I can't take it down just to fix my one desire to have push email.....
I'm not sure if it was clear from my reply - too tired - but rebuilding the server did not help at all.
Yeh, the pains of rebuilding SBS and having it all configured and running correctly when the staff arrive in the morning is not something I do willingly - hence the use of the holiday. It was done only as a last ditch attempt to solve this and another problem that had Micro$oft totally stumped - not related.
There is a difference in the certificate formats, so that's where I'm concentrating my efforts now. Will let you know what I find.
80072f0d error - the fix!
Just spent the past hour kicking and calling myself an £$%&* idiot.:x
Anyway, to cut the story short, the problem *is* indeed the damn format of the SSL certificate exported by sbs2k3. For the WM5 device to import it, it needs to be in DER X509 format.
If you have imported it into your PC/laptop for OWA/OMA/RWW, then you can easily export it from IE's Internet Options into DER format.
From Internet Options:
- go to Content-tab
- click Certificates-button
- find and highlight your certificate - I had imported mine into Trusted Root Authorities
- click Export-button
- click Next on wizard page
- enable the "DER encoded binary X.509 (.CER)" radio-button, and click Next
- enter a suitable path & filename, e.g.: "myserver.cer"
- click Next, click Finish, click Ok.
- Now copy the certificate to your PDA via ActiveSync.
- Open File Explorer on the PDA,
- Find the certificate file and launch it.
- click Yes to import it and you're done!
I think the reason why my sbs2000 certificates worked was that I had installed Certificate Services on those boxes and exported those certificates from there. I don't understand why some of my clients' sbs2003 certificates were in DER format and others weren't, but we are talking about Microsoft software, so what else should I expect......
msfp and 80072f0d
After testing a few different certificate variations, the engineers that maintain our servers were able to send me two alternative certificates, one or both of which appear to have worked effectively.
So it imported, and now my active sync works for receiving these emails, now I need to look at these heartbeat pings and find out how I set the periodic checking.
Just wondering, normally if you dial a GPRS/3G connection, you pay once, and stay connected all day. Does this now mean that it connects, downloads, disconnects, then 5 minutes later reconnects, downloads, and disconnects, thus paying a much larger reconnect fee every time?
I am playing with this as a new toy, but I can see the costs are going to go ballistic....
and... perhaps for all those that are already experienced here, how does one send an email that remote wipes the device?
is there a command, or a key word or something that makes the system realise the remote wipe command....
sorry, I know this is off the topic of my original post, but thought you might know.
if not, I can start a new topic....!!!
The certificates that I was given were a server.cer and a root.cer.
If anybody needs to know, I can ask the engineers how they did what they gave me to get it to work.
The remote wipe is done from the sbs2k3 box - or rather the box running Exchange2k3Sp2. Your admin needs to install a small tool that he (Domain Administrator credentials needed) then accesses via IE.
Microsoft has published a new white paper (Feb 2006) that describes the whole procedure - just a shame they missed the need for the certificate to be in DER format. The white paper is: "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003".

how do you guys switch smtp server?

Hello,
This may be a strange question, but how do you guys switch SMTP servers? I'd like to access the same mailbox over different connections (gprs, 2 different wifi). Reading mails is not an issue.
But for sending them, I need a different SMTP server for each of the connections (as I suspect everybody does). On my symbian phone, I could change the sending options of a mail, and one of the options is the mail-account used to send it. But this is not possible on the built in Outlook.
How do you guys do it?
(I'm planning to use QMail, which does support changing the account by which a mail is sent; but to make it more comfortable I also am working on a MortScript to change account settings when I want. There were some certificate issues in configuring QMail, but I think I solved it. The reason switching is important to me, is that my GPRS subscription has a volume limit, above which I have to pay extra. So if I can use an alternate connection, I prefer this.)
Jörg
V J said:
Hello,
This may be a strange question, but how do you guys switch SMTP servers? I'd like to access the same mailbox over different connections (gprs, 2 different wifi). Reading mails is not an issue.
But for sending them, I need a different SMTP server for each of the connections (as I suspect everybody does). On my symbian phone, I could change the sending options of a mail, and one of the options is the mail-account used to send it. But this is not possible on the built in Outlook.
How do you guys do it?
(I'm planning to use QMail, which does support changing the account by which a mail is sent; but to make it more comfortable I also am working on a MortScript to change account settings when I want. There were some certificate issues in configuring QMail, but I think I solved it. The reason switching is important to me, is that my GPRS subscription has a volume limit, above which I have to pay extra. So if I can use an alternate connection, I prefer this.)
Jörg
Exactly the same q was asked either here or on some other PPC forum some days ago.
My answer (I pretty much know everything about mailer clients and internal database / file formats - see http://www.pocketpcmag.com/blogs/index.php?blog=3&p=569&more=1&c=1&tb=1&pb=1 ) is as follows: just switch your Qmail config files (the one that contains the SMTP server) from, say, a Mort script and restart Qmail.
If your mail server supports SMTP Auth, u don't need to do anything.
In the config pages, click on "my outgoing server requires authentication" then click on "use same settings as incoming".
Should solve the problem IF the smtp supports authentication.
Menneisyys:
Yes, that was my post (sorry, I should have linked to that particular thread). I'm just wondering if I'm the only one finding this a huge issue. Either way, I'm writing scripts as we speak (couldn't have done it without you referring to QMail). I also like to show on the today-screen which "smtp-profile" is active (found some ways of doing this too), and while I'm at it the script will also change PIE settings (not load images on gprs, load images on wifi). I'll make the necessary steps (along with the scripts and required softwares) in some tutorial, for reference.
(I had some issues with QMail, but I needed to add the certificate for my servers first).
armedmetallica said:
If your mail server supports SMTP Auth, u don't need to do anything.
Yes, but neither my mobile operator, nor my work, nor my analog dialup provider (still need it) support smtp authoring... Come to think of it, I could always set up a VPN to my work, which will allow me to use their mail server (but the VPN is also traffic limited, and sometimes VERY slow)...
Jörg
V J said:
Menneisyys:
Yes, that was my post (sorry, I should have linked to that particular thread). I'm just wondering if I'm the only one finding this a huge issue. Either way, I'm writing scripts as we speak (couldn't have done it without you referring to QMail). I also like to show on the today-screen which "smtp-profile" is active (found some ways of doing this too), and while I'm at it the script will also change PIE settings (not load images on gprs, load images on wifi). I'll make the necessary steps (along with the scripts and required softwares) in some tutorial, for reference.
(I had some issues with QMail, but I needed to add the certificate for my servers first).
Yes, but neither my mobile operator, nor my work, nor my analog dialup provider (still need it) support smtp authoring... Come to think of it, I could always set up a VPN to my work, which will allow me to use their mail server (but the VPN is also traffic limited, and sometimes VERY slow)...
Jörg
Did you finally manage to achieve with something useful ... ? I'm in the same situation and looking for something easy to use to switch from one SMTP to another depending on the channel used (3g or Wifi).
Unfortunately, no...
My current solution is to use my work server: it requires me to set up a VPN first and then log on to it. When doing so, I can use it from anywhere; it works but is far from efficient (starting the VPN takes some time).
I thought of using a windows mobile program to have the equivalent of the hosts file in Windows (this is a small hackers trick: configure the software with a dummy name, and use the hosts file to have this resolve to the IP address you want), but it doesn't allow for easy switching, particularly as I needed a logon for one server. If you need this hosts utility, I should search for it (let me know if you need it); but it doesn't make switching that much easier from changing the settings in the mail client.
A possibility could be to use QMail as the mail client, but this is not possible for me due to some security settings I need (it never could download the mail bodies).
Jörg
Did the MortScript avenue not pan out? I would have thought this would be something that it could easily solve.
Yes, but apparently the SMTP server settings are not stored in the registry, but in the outlook file which holds the account settings.
Editing this file is possible (found some references on it), but generally not recommended as it is easily corrupted.
Jörg
gmail's servers?
V J said:
Yes, but apparently the SMTP server settings are not stored in the registry, but in the outlook file which holds the account settings.
Editing this file is possible (found some references on it), but generally not recommended as it is easily corrupted.
Jörg
can't you just setup a gmail account, enable it for POP access, and use their provided SMTP server with your gmail username/password? leave incoming via POP on your existing one...
V J said:
Unfortunately, no...
My current solution is to use my work server: it requires me to set up a VPN first and then log on to it. When doing so, I can use it from anywhere; it works but is far from efficient (starting the VPN takes some time).
I thought of using a windows mobile program to have the equivalent of the hosts file in Windows (this is a small hackers trick: configure the software with a dummy name, and use the hosts file to have this resolve to the IP address you want), but it doesn't allow for easy switching, particularly as I needed a logon for one server. If you need this hosts utility, I should search for it (let me know if you need it); but it doesn't make switching that much easier from changing the settings in the mail client.
A possibility could be to use QMail as the mail client, but this is not possible for me due to some security settings I need (it never could download the mail bodies).
Jörg
Well ... no thanks ... I'd like very much to have something easy to use ...
It is like to make sure that when wifi is available then use wifi and drop GPRS.
We can then easily imagine that knowing about an available existing Wifi network, the soft should be able to automatically modify the smtp server accordingly, switching back to "normal" when out of the coverage of the WIFI network ... not really a big deal for good programmer, a trip to the moon for me ...
thanks anyway for your proposal ... wait and see what clever people will bring to us
landwomble said:
can't you just setup a gmail account, enable it for POP access, and use their provided SMTP server with your gmail username/password? leave incoming via POP on your existing one...
That wasn't an option for me: my incoming mailserver requires a VPN connection (when using the wifi at work). I think that some internet traffic over the VPN is blocked, preventing me from accessing another SMTP server.
DR400 said:
We can then easily imagine that knowing about an available existing Wifi network, the soft should be able to automatically modify the smtp server accordingly, switching back to "normal" when out of the coverage of the WIFI network ... not really a big deal for good programmer, a trip to the moon for me ...
thanks anyway for your proposal ... wait and see what clever people will bring to us
Hehe...
The easiest thing would be something more user-friendly that exploits the possibility of using the "hosts" file to alter the IP address of the SMTP server (this is how most of the network switching tools on laptops do it). The downside to this approach is that you cannot change logon settings. In order to do this, they need to be able to adjust the settings in the mail client; either via some interface (not sure this is available), or by altering the configuration file.
Jörg
The gmail route absolutely works for me - no mucking about with scripts etc. I followed this link (http://lifehacker.com/software/email-apps/how-to-use-gmail-as-your-smtp-server-111166.php)
only difference is that the smtp is [email protected]. Follow the instructions to set up gmail with your primary address and bingo.
Robert

ActiveSync config for Exchange

Trying to set up ActiveSync on my Telus P4000 (Titan), although the issue should be the same with any WM6.1 phone...
I can't for the life of me figure out the right server settings to enter in the Configure Server section, and I have yet to find a definitive "this is how you do it" procedure for it. As near as I've been able to glean, for the "Server address" section, you give it JUST the domain name of the Exchange server, without an http:// or a /exchange or /oma or anything... correct so far? But the catch in my particular instance is that Exchange web access is on port 8080, rather than 80 or 433.
I've tried adding a :8080 to the server address, I've tried adding the http:// and/or https://, I've tried adding the /oma and /exchange to the end, and all combinations of the above, with no luck... when I go back into the settings, it's reverted to JUST the domain name. Is there somewhere else I can tell it to use a non-standard port? Registry key, maybe?
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Soundy106 said:
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
You will probably have to install a certificate on the phone to be able to communicate with the Exchange server. At least I had to...
playerkiller said:
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
I've searched everywhere for info on using non-standard ports for activesync, and I haven't found anything, and I couldn't get it to work.
jeen said:
You will probably have to install a certificate on the phone to be able to communicate with the Exchange server. At least I had to...
Yeah, did that... still not helping
Exchange ActiveSync cannot access the server if SSL is set to be required. For
information about how to correctly configure Exchange virtual directory
jeen is right. Unless the certificate is issued from a Trusted Certificate Authority, you will need to import the issuing CA in the Root Certification Authority store of your phone.
If it's a self signed cert, just export it from exchange server (without Private key) and copy it to your phone. Then, double click it from File Manager. This should be enough.
^Yeah, I did that right off the top (see my reply to jeen). Still no joy.
Perhaps Tendulkar can finish his thought...
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your CAS, expand the Default Website (or the website where ASVirtualDir resides), right click on Microsoft-Server-ActiveSync and choose Properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obviously click OK.
Win2008 (IIS7)
Open IISManager.
Navigate through site, default website, highlight Microsoft-Server-ActiveSync.
Make sure you have the features view selected (should be by default).
Choose SSL Settings.
Unflag "Remove SSL".
Obviously click Accept.
playerkiller said:
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your CAS, expand the Default Website (or the website where ASVirtualDir resides), right click on Microsoft-Server-ActiveSync and choose Properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obviously click OK.
Hmmm... "require SSL" was already un-checked. I've re-checked it, let's see what happens with that.
OK lemme know.
make sure you have the same root certificate installed also. you have to trust the same certificate authority as the certificate that you have on your exchange server.
Did anyone find solution
I am having the same problem. Certificate installed and tried all connection settings that I can find on the internet. Cannot get ActiveSync to sync with my server (same certificate error, but the hosting company states they tested with WM6.1 and that all is working fine on their end) and also cannot get Windows Live Messenger to work, it states there's a connectivity problem. Funny thing is MMS, surfing the net with IE, and Google Maps with GPRS work fine. Only Microsoft network products are not working. My phone is a Palm Treo Pro with WM6.1 Professional. Vodafone version but bought in China, and I have since added the A4 Chinese text editor, which I think could be the problem, but I need to hard reset the phone to check. Any ideas? Better yet, any solutions?
One tip for getting this working in my case (same certificate errors) was that I had to get the certificate off the internally facing OWA server, rather than the externally facing version. Although they're both the same server, the external one goes through an IAS box which seems to be presenting its own certificate rather than the one on the exchange server. Don't ask me - I don't run the system.
As soon as I add the Internal version of the cert, Exchange, OTA Sync and ActiveSync spring into life.

Connect to schoolNetwork

Hi, I am from Sweden and this is my first post here at XDA.
I got a HTC P3600, it's upgraded to WM 6.5 and it works awesome.
Now the problem. The WLAN works great at home and on other open networks / if I got the key.
In my school we got WLAN but I can't connect to it. I find it in the WLAN list but there it ends. My friend with an iPhone just selects the network and then he can insert his username and password, and voilà! He's in.
When I try to connect, the server wants a "Certifikat" in Swedish. I have tried to do a "Domain enroll" to get it, but it always fails.
I think they use Windows Server 2003.
Does anybody understand my bad language? If you wanna know any more, just tell me.
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I'm sure it's not a Windows server but a Cisco concentrator that lets you access WLAN, and it seems there is no free client that can communicate correctly with Cisco hardware for WinMobile. iPhones have a VPN client directly from Cisco integrated and can pass without problems. Try to ask your computer center what concentrator they use and if they know of a client that supports WinMobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn't help. We're still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of your CA and import it to your device. Might help. Somehow they screwed up PEAP on mobile clients 'cause it's supposed to work without local certificates but alas...
FlyBy_1 said:
Same problem here, trying for some weeks to find a solution and so far all attempts with different clients failed. I'm sure it's not a Windows server but a Cisco concentrator that lets you access WLAN, and it seems there is no free client that can communicate correctly with Cisco hardware for WinMobile. iPhones have a VPN client directly from Cisco integrated and can pass without problems. Try to ask your computer center what concentrator they use and if they know of a client that supports WinMobile.
Some forums mention a registry hack that deactivates certificate authentication but just setting it didn't help. We're still trying if this might work in conjunction with a locally installed certificate. Try to get the root certificate of your CA and import it to your device. Might help. Somehow they screwed up PEAP on mobile clients 'cause it's supposed to work without local certificates but alas...
Thanks for the answer!
Would it be possible to to install some kind of program from cisco to make it work?
Unfortunately Cisco doesn't do any WinMo clients, they licensed it to other companies. Tried with Root CA yesterday but that didn't work, maybe we need a valid client cert too. Have to get a personal one from our uni CA one of these days.
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
Thanks for the suggestion. I tried with various clients, none of them worked, securew2 was among them. But maybe it works with fiddyboy.
A page mentioned some older hardware may not cope with mixed WPA modes, maybe the P3600 is among them but I really don't think so...
MAsterokki said:
Try installing secureW2
http://www.securew2.com/node/3
This is a program specifically designed to work with wpa2 networks offered through a radius server. Most schools and universities use a radius server. You will need a local login and password though.
When installed, you can select securew2 in the certificate window of wifi settings, when you try to connect to the wireless network.
I am downloading now, will test it tomorrow. Thanks!
Edit: I am not getting it to work. Can someone help me with the settings?
I am sorry, but I don't know what settings to use in your specific case... These settings should be made available by your school or company, most of the time the settings for laptops will give enough information too
Which ROM do you use to upgrade to Windows Mobile 6.5?
Finally got it to work. We have different WLANs here at our university. I had no luck connecting to our VPN-network so I tried our eduroam WLAN. Eduroam is a roaming network for educational purposes. If You have a login from Your uni/school/whatever You should be able to access the internet from any eduroam network worldwide.
As You said You were asked for a certificate I think Your network relies on the same technologies as ours because I had the same error before. Following explanation:
Our eduroam RADIUS server is certified.
This means our uni gave it a certificate. Our uni was certified by and got a certificate from the DFN (german research net). The DFN was certified by and got a certificate from the german Telekom.
This is called a certificate chain with the DFN as intermediary and Telekom as root certificate authority.
What I had to do is import just the root certificate (from Telekom) to my mobile device by downloading it from our uni's webpage, transferring it to the Trinity and just clicking on it. It confirmed installation and the root CA is listed under Settings>System>Certificates>Root.
Edit : Normal certs are with *.crt ending. WinMo wants *.cer-files. If You only can get Your hands on *.crt import them into Your PC browser, export from there with DER-encoding and rename *.der to *.cer. That's it.
Our eduroam RADIUS server authentication is via PEAP.
So I configured the network connection like this:
connects to : internet
authentication : wpa2
data encryption : aes
eap type : PEAP
Connect. When prompted put in Your uni account credentials.
This worked on WinMo 6.1 and 6.5 without the ValidateServerCert reghack or any other special program.
WinMo5 failed! Also tried the ValidateServerCert reghack but it's of no use. Think it's because WM5 has no wpa2-aes support. If Your RADIUS allows wpa and tkip it may work.
Maybe if this doesn't work, Your server uses something other than wpa2 or aes. Try different options. Maybe it's not using PEAP. Ask Your admin but try with a certificate first.
The strange thing is that PEAP was used to avoid handling of certificates; it's especially there to NOT have to fiddle with them. Anyway, this works here, hope this is the solution for Your location...
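The *.crt to *.cer step from the post above, as an added example that is not part of the original post: it accepts a PEM or DER *.crt, compares its SHA-256 fingerprint with the value the CA publishes, and only then writes the DER-encoded *.cer. It assumes the fingerprint was obtained over a separate trusted channel; the file names and `SAMPLE_DER` are constructed for illustration, and the code converts encodings without parsing X.509.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
# Constructed stand-in bytes, NOT a real certificate: nothing here parses X.509.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))


def to_der(raw: bytes) -> bytes:
    """Return DER bytes for a .crt file that may hold PEM text or raw DER."""
    if PEM_BEGIN in raw:
        # Take only the first certificate; a bundle may contain the whole chain.
        start = raw.index(PEM_BEGIN)
        end = raw.index(PEM_END, start) + len(PEM_END)
        return ssl.PEM_cert_to_DER_cert(raw[start:end].decode("ascii"))
    if raw[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return raw
    raise ValueError("not PEM or DER certificate data")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted AA:BB:..."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def _norm(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def export_cer(src: Path, expected_fp: str, dst_dir: Path) -> Path:
    """Write <name>.cer (DER) only if the fingerprint matches the published one."""
    der = to_der(src.read_bytes())
    if _norm(fingerprint(der)) != _norm(expected_fp):
        raise ValueError(f"fingerprint mismatch, got {fingerprint(der)}")
    dst = dst_dir / (src.stem + ".cer")
    dst.write_bytes(der)
    return dst


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    crt = work / "root-ca.crt"
    crt.write_text(ssl.DER_cert_to_PEM_cert(SAMPLE_DER))  # PEM-encoded .crt
    published = fingerprint(SAMPLE_DER)  # stands in for the CA's published value
    print(export_cer(crt, published, work), published)
```

A mismatch raises before anything is written, so a certificate fetched from the wrong place never reaches the device's root store.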
you should just buy a portable harddrive or a flash drive and transfer your files onto that and then onto your computer.
Hi, I have same problem, trying to use eduroam on CTU, my Notebook/Laptop WiFi work ok, but I can't connect with TD2 Topaz. I have installed required certificate, but in options I have no way to set concrete RADIUS server to connect (which is required to be specified in settings on Notebook). Any ideas please? I also installed securew2, but I can't add Cesnet CA in securew2 options, even though it is installed in system (it is present in settings-certificates in WM).
When You have WinMo 6.1 You shouldn't need securew2 and there is no need to explicitly set RADIUS IP. Have You tried eap-type : PEAP ? What's the error message if any ?

HTC HD2 the network requires a personal certificate

Hi all,
I bought an HD2 yesterday and today when I try to connect to the wifi of my office it says "the network requires a personal certificate to identify you". I have done some research and followed the threads below, but there seems to be no clear solution. Please can somebody help with a patch to disable network certificate check.
Thanks
followed threads
http://forum.xda-developers.com/showthread.php?t=344087
http://forum.xda-developers.com/showthread.php?t=264781
I have been struggling with this also for quite a while.
The suggestion you mention is probably not worthwhile investigating.
The certificate is required by the access point so you should change it there if you do not want to change the phone.
My solution was the following.
The HD2 comes with a base set of certificates and our corporate network requires one that is not in there.
I managed to find out which certificate I needed and was able to Google it.
Then just copy it to the phone, run the cert file and you're done!
watnuweer said:
I have been struggling with this also for quite a while.
The suggestion you mention is probably not worthwhile investigating.
The certificate is required by the access point so you should change it there if you do not want to change the phone.
My solution was the following.
The HD2 comes with a base set of certificates and our corporate network requires one that is not in there.
I managed to find out which certificate I needed and was able to Google it.
Then just copy it to the phone, run the cert file and you're done!
I could not get one for my corporate network. Is there any patch to disable it? I had a Tattoo and an iPhone, which never required such a certificate.
neitin said:
I could not get one for my corporate network. Is there any patch to disable it? I had a Tattoo and an iPhone, which never required such a certificate.
You cannot patch your device to disable this.
It is a requirement of YOUR network.
You need to find out which base certificate it is you need and then install to your phone.
Hi. Sorry to bring up an oldie, but I'm having this issue as well with the exception that my network doesn't require a certificate. I've confirmed this with my IT department. Any ideas as to how this can be disabled? It only seems to happen when I connect my phone to my PC (which is only done to install software, not sync with exchange; that's done wirelessly).
GrandAdmiral said:
Hi. Sorry to bring up an oldie, but I'm having this issue as well with the exception that my network doesn't require a certificate. I've confirmed this with my IT department. Any ideas as to how this can be disabled? It only seems to happen when I connect my phone to my PC (which is only done to install software, not sync with exchange; that's done wirelessly).
The only thing you have to do is to add a DWORD Registry Entry under HKEY_LOCAL_MACHINE-->Comm-->EAP-->Extension-->25
Name: "ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off
I have personally tried this and it works like a charm, please let me know if it doesn't
Greetings from India
PS: remember to reboot your device once you have added the registry
neitin said:
The only thing you have to do is to add a DWORD Registry Entry under HKEY_LOCAL_MACHINE-->Comm-->EAP-->Extension-->25
Name: "ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off
I have personally tried this and it works like a charm, please let me know if it doesn't
Greetings from India
PS: remember to reboot your device once you have added the registry
Nice!!!! Thanks for the information. I will give this a try as my work wireless network presents the same problem.
It may be tied into the following info I found out there on the web, problem as described by someone else with the same or similar issue:
"the wireless controller was sending out EAP-Identity-Request packet very quickly (1 per second), so the time I typed my pass on the PDA, it has already received 5+ EAP-Requests and when I pressed OK, it was sending my Identity with Request-ID=1 and was rejected because the controller was already expecting a greater Request-Id.
I adjusted the timeout and voilà !!! Here is the command line for Cisco Wireless Controller 4402 (the value was set to 1s !) :
"
This info relates to WM EAP and Cisco's implementation of EAP.
I will try the regedit and see if this fixes things for me.
I tried doing this by entering a dword via regedit but I am still facing the same issue... please help
