I'm trying to synchronize with the exchange server at my work.
But for some reason it doesn't work. I've filled in everything in the right way (address, domain etc.) the fault code is 80070002.
Can somebody help me with this?
same here at home (no firewalls)
Works fine for me. Exchange server needs just some configuration.
Priit said:
Works fine for me. Exchange server needs just some configuration.
What kind of configuration?
First, your Outlook Web Access (yes, OWA!) can not use forms based authentication nor SSL encryption. If you do want to use these (you most probably want to use SSL) then you need to create another virtual OWA directory without SSL and force ActiveSync (and Outlook Mobile Access) to use it.
More information at
http://support.microsoft.com/default.aspx?scid=kb;en-us;817379
Check if you can access OMA (Outlook Mobile Access) using http://yourserver/oma and check also Exchange server logs.
I thought this wasn't supported on WM5 until AKU 2.0 comes out (hopefully soon)
So you're saying I have to turn Forms authentication off and ssl off on OWA for my mobile device to work?
sounds a bit of a poor show.
I need Forms based auth ideally as it goes through firewalls whereas the other type does not.
Ours works here and we use SSL.
For the server name make sure you are using the fully qualified domain name that you use from the internet. IE: mail.domain.com. You don't have to put the /exchange on the end.
username, password and domain are all the same as what you use to log in.
OH, and the certificate you use on the server should be for mail.domain.com and not servername.
Hope this helps.
@spartanrob: DirectPush needs AKU2.0. You have always had possibility to sync manually. Or if your operator provides e-mail to SMS then you have the same functionality already today.
@Karzi:
No, I'm not saying you have to turn off SSL and/or forms-based auth., but you need to create another virtual OWA directory, which does not require SSL and forms-based authentication. You can limit access to this directory to localhost only so there will be no security concerns.
@MrHappy:
Your server is probably set up in that way.
Please go read this it helped me with the same error
http://hardware.mcse.ms/archive35-2005-11-248477.html
Basically says that you have to download the cert from https://server.domain.com/certsrv then install the certificate on your desktop and your handheld then activesync will work....
I was hesitant but it worked for me.... it changed the path in the cert from my ip to my server.domain.com
I have an 8125 with Summiter's 2.3 Rom installed. I am trying to establish a connection to my exchange server which is hosted. When I enter the server, user ID, password and Domain info correctly, activesync keeps prompting me with "Please correct your Exchange Server password"
My provider insists that the settings were correct on their side and their crack tech support staff told me that WM5 has problems storing the password. They said that the only thing to do is to keep deleting the server connection on the device and recreating it.
Through this persistence, I was able to get it configured once. It was syncing (with push email) for most of the day... until I connected the device to the PC with the USB cable to charge it. Then Activesync on the PC kicked in and the password prompts began.
I have deleted and reconfigured the server on the device in excess of 20 times now with every combination of soft resets in between to try to get this resolved.
Any thoughts? Your help is greatly appreciated!
***EDIT***
email host needed to create a pre-NT4 alias for the userid due to the naming convention used by our company in their provisioning console. Therefore once I found out the alias the config was a snap. working perfectly now! Thanks.
What tech support for your host meant to tell you is that they do not have a clue what they are talking about. I support numerous WM implementations using AUTD and Push email with WM devices of all flavors that support one of those options (2003, 2003se, 2005) and NONE of my customers have to continually put in ANY information to keep syncing.
It is true that using the special sms tickle method of pull on 2003 devices does sometimes hang up and have to be restarted manually but even then you should not be asked for information you already saved about the connection.
Find a new mail host.
Well, since you have no problems setting up "WM implementations using AUTD and Push email with WM devices", I would love to hear your thoughts on why I keep getting a password prompt over and over again with the message "Please correct your exchange Server password".
Using Cingular 8125 with stock 2.25 ROM.
Mobile services are enabled under ESM
Pre-2k alias is set in the username
SSL is installed on the server with front end virtual directory
I have disabled certificate checking on the device itself by hacking the registry on the device since I'm using self signed cert
Exchange SP2 is installed
Activesync on the PC with USB works like a charm
But, trying to sync over GPRS/EDGE with the exchange server it keeps prompting me to correct exchange server password which I know it's correct since I administer the server myself.
I've seen NUMEROUS posts about this issue but no one seems to have the answer.
This is driving me completely bonkers
You say you can sync while connected via USB to a computer but you do not specify whether that computer is INSIDE or OUTSIDE your network. So I am going to assume it is INSIDE, and bet that were you to try the same test from OUTSIDE your network it would fail just as it does using GPRS. If so the indications point to incorrectly putting in your user name/domain information and not the password itself.
I assure you, the domain\username and password combinations are quite right. It's DOMAIN\username and then the password. I mean you can't really get away from that format when you enter the information in the pocket pc or activesync on your pc since it asks you for the domain and the username and the password. I can however login to webmail and oma through the web browser using the exact username and password.
Any more thoughts?
I have no more thoughts until you answer the question I asked. Can you sync while connected to a computer that is OUTSIDE your network?
When putting in your information on the mobile device, in the username field if you are putting domain\user you are wrong. That box is USER NAME ONLY.
Let me start over again. No, usb or gprs outside doesn't work. And yes, the username is put in as just the username with no domain\ in front of it. Activesync substitutes the domain from the domain field as domain\ is what I meant.
So it doesn't work from outside no matter what the connection. Again, the problem is the domain reference. We just have to figure out what is wrong with it.
From outside your network, can you access Outlook Web Access? If so, EXACTLY what is the URL you use?
I'm using https://servername/exchange
I can also use https://servername/oma from the phone and it works too.
I would really like to see https://servername/exchange work from outside your network. I am interested to know how you got a NETBIOS name to resolve from outside your DNS zone over the internet.
Please read the question asked before answering so I can stop asking you the same thing twice. I asked you:
From outside your network, can you access Outlook Web Access? If so, EXACTLY what is the URL you use?
Your answer might work inside your network but no way will it work outside. And if you are afraid that advertising your domain name will compromise your Exchange box you should just shut it down anyway.
Ok,
I'm REALLY trying to be tolerant here. Unfortunately, I'm starting to reach the end of my patience. You and I BOTH know that I'm not advertising my NETBIOS name on the Internet. We BOTH know EXACTLY what I mean when I say https://servername/exchange. It means a URL accessible from the outside which points to the server via NAT on our firewall and then /exchange. So, here's the URL:
https://mail.glaucomaexpert.com/exchange
When I say that webmail works, I REALLY REALLY mean that it works. I'm not making it up. If you don't know the answer or if you are not sure of the answer, just let me know. That's no problem. I'm really starting to think that this issue is due to the registry hack on the phone to remove certificate checking.
Unfortunately, I'm using a self generated cert and I've tried using the .cab method to import the cert, that didn't work. I simply copied into a file (DER encoded) and tried to import it no workie either. I tried copying as a Base-64 encoded, copied to the phone and when I tried to import it said it was unable to access certificate. Before I disabled certificate checking, it wouldn't accept the certificate. So, now it accepts it but it keeps asking for the password.
I have gone over the exchange settings over and over and over again and I'm simply not seeing anything wrong.
So....here's where I am.
Great. Thanks for answering the question. So in your server configuration fields you are filling in those blanks like this:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name which may or may not be the same as your FQDN
Does all of that sound like what you are using? If you feel more comfortable PMing the information then that's fine. But your settings should resemble what I wrote.
Are you forcing users to use SSL for Outlook Web Access? If so, you might try turning it off TEMPORARILY and test syncing without requiring SSL to eliminate the self signed cert possibility. I won't be much use troubleshooting that as I get my customers to flip for a Thawte certificate to avoid untrusted root cert authorities.
That's exactly what I'm using:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name
Under secure communications I do not have require secure channel checked.
I just enabled http(port 80) access to the exchange server and it's working like a charm.
So I guess it's still a certificate issue. I guess disabling certificate checking is not doing the trick but instead causes more problems.
I really wish I could import the self signed certificate. This really sucks. Your help is appreciated. Thanks. I should have tried this before. I just assumed this registry hack wouldn't have any bearing on it originally.
@deeztech - I'm also suspicious of the registry hack to disable the certificate checking. This worked for me in the 2003 days with my client's Blue Angels but I've never been able to get it to work with WM5. I have numerous Exchange 2003 servers that I maintain here in So. Fla and they all have self generated certs. I use MMC and add the Certificates snap-in. From the Trusted Root Authorities I'll right click my certificate - all tasks and then export to a Der encoded x.509. Copy to my storage card and execute it from there.
Of course it sounds like your certificate is installed correctly as your logon to OWA and OMA are working which is why I suspect that reg hack you mentioned.
I did read on exchange-experts to check the authentication on the webserver....
Curious if it's just your PDA or are there others with the same issue?
Glad you narrowed it down. Unfortunately I don't have a magic bullet for the self signed certificate piece but I do have some suggestions for you.
1) Enable forms based authentication: http://support.microsoft.com/kb/830827/
2) Require SSL for access
3) Unless you intend to offer services you might turn off the default website at https://mail.glaucomaexpert.com/
If you are interested in a cert from a trusted CA check out Thawte, where you can get an SSL123 certificate in just a few minutes for as little as $149: https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2
Hi all, im kind of new to this but i just read about push email with exchange server and i was wondering how i could use it with my mda vario. I've already installed an updated rom with push email but i dont know how to use it. can any one fill me in on this? thanks for any help.
You need an Exchange 2003 server with at least SP2 installed. Also a UMTS/GPRS connection because it is not working over WIFI.
Bitfrotter 8)
Go to www.mail2web.com, sign up there. Then put the settings from the website in the Exchange Server settings in Active Sync on your PPC. Set your current email address to automatically forward your email to your mail2web email address. Enable GPRS and enable push email from the Comm Manager and bingo, push email is yours.
Ok, ive already signed up with mail2web but i want to automatically retrieve hotmail emails. i don't see an option on hotmail to forward all my emails to mail2web. am i missing something here? sorry, im inexperienced and all and these are probably lame questions and all. but please help me out. after reading that article i got hyped up in doing this. thanks for any replies.
Bitfrotter said:
You need an Exchange 2003 server with at least SP2 installed. Also a UMTS/GPRS connection because it is not working over WIFI.
Bitfrotter 8)
I've gotten DirectPush to work over WiFi... Maybe that was an earlier ROM version though... I don't recall the circumstances under which I got it to work.
MS says that Direct Push does not work over WiFi. WiFi does not allow disconnected connections (in other words, a connection that allows for the data stream to be suspended). If WiFi did it, it would require a continuous connection that would drain the batteries at a very rapid pace.
Setting up Exchange for Direct Push is pretty easy. I set up ours in about 5 minutes.
One of the coolest things you can do with a correctly configured Exchange 2003 system is with the Mobile Admin pack (free download from MS). It allows you to tell the PDA that it needs to "self-destruct" in case the phone is stolen. A remote wipe will do a hard-reset on the phone, deleting all data not stored on an external SD.
I usually get my email on the MDA faster than Outlook on my desktop.
If any Exchange admins are out there, I can post how to set it up if anyone needs help.
exchange/activesync
Yes please!
Hotmail has deleted the possibility of forwarding mail automatically a few years ago in the free version, only Hotmail Plus subscribers can use this option. With gmail however it is still free. So a basic hotmail account will not be able to use Push over Exchange. You can however sign in to MSN Messenger on your device and will then be notified as soon as an email arrives on the hotmail server. This will cost you extra data charges though, since contacts coming online will also result in data transfer to your device.
Romp said:
MS says that Direct Push does not work over WiFi. WiFi does not allow disconnected connections (in other words, a connection that allows for the data stream to be suspended). If WiFi did it, it would require a continuous connection that would drain the batteries at a very rapid pace.
Setting up Exchange for Direct Push is pretty easy. I set up ours in about 5 minutes.
One of the coolest things you can do with a correctly configured Exchange 2003 system is with the Mobile Admin pack (free download from MS). It allows you to tell the PDA that it needs to "self-destruct" in case the phone is stolen. A remote wipe will do a hard-reset on the phone, deleting all data not stored on an external SD.
I usually get my email on the MDA faster than Outlook on my desktop.
If any Exchange admins are out there, I can post how to set it up if anyone needs help.
that would be awesome if you know of a tutorial anywhere on this..
so by creating an exchange server as romp said, you can sync any email including hotmail? well that's really a bummer that microsoft disabled forwarding on hotmail. Its mainly my primary email which all my friends/family know. so it would be a miracle if anyone knew how to sync hotmail without subscribing to their hotmail plus.
Well, getting outside emails are a bit more complex. This is usually for a business, but there are plenty of POP-to-Exchange plug ins that would allow getting Hotmail emails. Of course, you would need the Hotmail Plus for the POP.
http://www.slipstick.com/exs/popconnect.htm
My answer was more concerning the Exchange Direct push question, not the hotmail one.
Where I work (yes, I did set up the Exchange system) we have GFI spam filtering and virus filtering (www.gfi.com) and they have a POP2Exchange bridge included. It just checks the account, downloads any POP emails, and drops it in the right mailbox.
Exchange is a complete system, not just mail. It has webmail, Windows Mobile direct push, calendar, contacts, and more. Unless you are in a company with Exchange or Small Business Server, its not a cheap thing to do for a home network.
If you DO have Exchange at your office, run to the IT guy and hurt him until he sets your phone up on it. Its all the functionality of Blackberry and more, built into Exchange.
I'll write that tutorial, g0nk.
ok so if we go the mail2web route... i dont need to install exchange 2003 on a pc myself? does it only work on windows server 2003?
im interested in doing this at my job but i want to make sure it is not too difficult
edit.. well we have our own domain email addresses so the [email protected] is not an option..
any suggestions?
Romp said:
Exchange is a complete system, not just mail. It has webmail, Windows Mobile direct push, calendar, contacts, and more.
If you DO have Exchange at your office, run to the IT guy and hurt him until he sets your phone up on it. Its all the functionality of Blackberry and more, built into Exchange.
I'll write that tutorial, g0nk.
1) Agreed
2) I am the IT guy and it don't work on our server - the rootcertificate won't install to the PPC - an MS acknowledged problem............
3) Please forward ASAP !! Thanks !! :lol:
Is it a self published cert? Because you CAN get any externally issued cert to work just fine. We use a $15 GoDaddy cert with no problems.
The big screw up most people have with the cert (myself included) is that the cert is not correctly installed, even though it says it is.
Cheaper certs are called "Chained" certs. All certs need a path back to one of the big cert companies. So, companies like GoDaddy get approved to be second level cert issuers. IE on the PC will look at the cert and track it back to the main cert issuer. For example, the cert on GoDaddy goes from GoDaddy, to Starfield, to VeriCert. The VeriCert certificate is installed on all PCs.
Anyway, the problem is that the PC can follow an undefined cert path, the PPC can't. If you install the cert on the server, IE on the PC can figure out the whole path, PPC can't. So, the big thing is to make sure the MIDDLE CERTS are installed on the server. Even though everything seems fine, chances are that the middle ones are not (in this case STARFIELD)
The easiest way to find out if the cert is valid or not is try to get to your webmail on PIE. If you get a message about the cert, your server is not set up completely.
For my server, I had no luck until I found the Intermediary Cert and installed it. https://certificates.starfieldtech.com/Repository.go
Once that was done, my GoDaddy cert worked on the PPC and syncs went perfectly. Once the server has all the certs in the cert path installed, the PPC can validate each level. Until then, its clueless. Most people think you need to install the cert on the PPC. Its the server that needs it.
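The two server-side checks discussed in this thread, reproduced offline as an added example that is not from any poster: a client that, like the handheld, trusts only the root and cannot fetch a missing intermediate, and a certificate issued for a name other than the one the device connects to. The CA names, the host `mail.example.test` and the function names are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example: constructed three-level PKI (root -> intermediate -> server).
# Every subject name and the host mail.example.test are placeholders.

# issue DIR NAME CN EXT ISSUER: new key and CSR for NAME, signed by ISSUER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -days 30 \
        -CA "$1/$5.pem" -CAkey "$1/$5.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: write root.pem, int.pem and leaf.pem into DIR.
make_demo_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF
    # Self-signed root: the only certificate the device has installed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/pki.cnf" -subj "/CN=Demo Root CA" -extensions ca_ext \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    # The "middle cert", then the server certificate issued by it.
    issue "$1" int "Demo Intermediate CA" ca_ext root || return 1
    issue "$1" leaf "mail.example.test" leaf_ext int
}

# device_accepts DIR SENT HOST
#   SENT: leaf-only          server sends just its own certificate
#         with-intermediate  server also sends the intermediate
#   HOST: server address typed into the device
# The client trusts root.pem only and never downloads missing issuers,
# so the chain must be complete in what the server presents.
device_accepts() {
    dir=$1 sent=$2 host=$3
    set -- -CAfile "$dir/root.pem" -verify_hostname "$host"
    if [ "$sent" = with-intermediate ]; then
        set -- "$@" -untrusted "$dir/int.pem"
    fi
    # "openssl verify" prints "<file>: OK" only when the chain and name pass.
    openssl verify "$@" "$dir/leaf.pem" 2>&1 | grep -q ': OK$'
}

# report DIR SENT HOST: one line per scenario.
report() {
    if device_accepts "$@"; then r=accepted; else r=REJECTED; fi
    printf '%-18s host=%-18s %s\n' "$2" "$3" "$r"
}

demo=$(mktemp -d) || exit 1
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
report "$demo" leaf-only         mail.example.test   # intermediate missing
report "$demo" with-intermediate mail.example.test   # full chain, right name
report "$demo" with-intermediate servername          # name not in the cert
rm -rf "$demo"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the quickest way to see whether the intermediate is among them.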
Does the self published cert only cause problems with direct push? I've got the "old" polling method working. I created a root CA on my server to sign the cert created for the web server and then turned that root CA into a CAB which was installed on the PPC. I should say that my phone doesn't have an AKU 2.xx rom on yet so I've not tested push mail.
This is all outlined in the following doc :
http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfpdepguide.mspx
Also look at http://support.microsoft.com/kb/817379 if you are running a non sbs2003 exchange server in a configuration that doesn't have a front end/back end exchange server configuration. As there are some minor tweaks needed to the registry and to the default web server setup.
If you can do a remote Activesync, then DirectPush will work just fine.
A newbie Direct Push question:
I upgraded my 8125 ROM to the official Cingular June 19 version, and direct push SEEMS to be working great with my Hosted Exchange provider. When new email comes in to my Exchange server and/or a task / calendar / contact is changed on the desktop Outlook client, those get pushed quickly to the 8125.
Problem is, it doesn't seem to work in reverse. For example, IF I get an email pushed to me on my PDA, I read it and delete it on my PDA.....that deletion action is NOT getting synchronized back to my Exchange server. Is that by design, or is indeed something wrong?
Thanks in advance!
not sure if it helps, but you can change when pocket outlook deletes mail, there are 3 options:
on connect/disconnect
immediately
manually
I dunno if changing that will help you at all, but its in the pocket outlook options.
I'll shut up now, in case I misunderstood
jmel said:
not sure if it helps, but you can change when pocket outlook deletes mail, there are 3 options:
on connect/disconnect
immediately
manually
I dunno if changing that will help you at all, but its in the pocket outlook options.
I'll shut up now, in case I misunderstood
I appreciate your reply, but my question is beyond that......it centers around Direct Push.....my thinking is, regardless of that setting you referred to, once the email is deleted on the PDA, the PDA should "reverse-push" that deletion to the Exchange server, and mine does not seem to be doing that.
I hope that is a little clearer?
No, his answer was right. The reverse of the Push is not the same. You have to set the options as Jmel suggested. Its basically to save data.
This allows you to go through your mail, delete all your spam and crap, then update the server. Doing so immediately would be a waste. Receiving/sending emails is considered vital, deleting them...not so much.
Hi all,
I am new to the HTC (just got one this week), and would love to get push email working from my Exchange 2003 server.
I have used the reg hack to stop WM5 from requiring a valid SSL cert, and installed my Exchange 2003 server's SSL certificate on my device.
However, when I try to connect, the device keeps prompting me for my password, and does not accept it when I enter it.
I have seen this on other forums, but never seen a solution to it. I would be very grateful for any advice.
Great site btw!
first of all .. you don't need a reghack to get ssl working..
just look at this site.. for your server..
http://www.visualwin.com/SelfSSL/
follow these steps.. remember.. if your server is available under
https://blabla.com/exchange name your ssl certificate: blabla.com
After this go to https://blabla.com/exchange install the certificate in your IE on your pc..
then in IE tools -- options --- content --certificates -- trusted..
find your certificate and export this on your desktop. now with active sync transport your certificate to your mobile and install it, just with clicking on it.
Now the problem that you have is the auth part on your IIS on microsoft-active-sync virtual directory..
On the default directory set plain , ntlm, and windows integrated
auth options on..
on the microsoft-active-sync only the plain text and ntlm.
If this won't work play around with auth settings on microsoft-active-sync virtual dir.. trial and error.. but somewhere there is your answer and your problem.
IMPORTANT turn off : require secure channel (ssl) on your server
Windows mobile cannot work with that
Yeah SSL needs to be enabled and setup on the exchange server. Also check your user policies to make sure they are set up correctly. We set up exchange systems daily at work and the most common problem we see is someone has messed up their policies in exchange.
Thanks for the replies
I have had another crack, but am now getting an error on Activesync when sync'ing:
Support Code: 0x85010014
I am not sure what this points to....
I am still a little confused with my IIS6 authentication settings.
My "Exchange" vdir is set to Integrated and Basic authentication.
My "Microsoft-Server-Activesync" app is set to basic only.
My "OMA" app is set to basic only.
The "Exchange" vdir is the only one set to require ssl connections.
Thanks again for your time.
Fixed it! Followed this guide from Microsoft that helps create an oma directory especially for use by Activesync without using SSL:
http://support.microsoft.com/default.aspx?kbid=817379
Trying to set up ActiveSync on my Telus P4000 (Titan), although the issue should be the same with an WM6.1 phone...
I can't for the life of me figure the right server settings to enter in the Configure Server section, and I have yet to find a definitive "this is how you do it" procedure for it. As near as I've been able to glean, for the "Server address" section, you give it JUST the domain name of the Exchange server, without an http:// or a /exchange or /oma or anything... correct so far? But the catch in my particular instance is that Exchange web access is on port 8080, rather than 80 or 433.
I've tried adding a :8080 to the server address, I've tried adding the http:// and/or https://, I've tried adding the /oma and /exchange to the end, and all combinations of the above, with no luck... when I go back into the settings, it's reverted to JUST the domain name. Is there somewhere else I can tell it to use a non-standard port? Registry key, maybe?
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Soundy106 said:
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SSL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
You will probably have to install a certificate on the phone to be able to communicate with the exchange server. At least I had to...
playerkiller said:
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
I've searched everywhere for info on using non-standard ports for activesync, and I haven't found anything, and I couldn't get it to work.
jeen said:
You will probably have to install a certificate on the phone to be able to communicate with the exchange server. At least I had to...
Yeah, did that... still not helping
Exchange ActiveSync cannot access the server if SSL is set to be required. For
information about how to correctly configure Exchange virtual directory
jeen is right. Unless the certificate is issued from a Trusted Certificate Authority, you will need to import the issuing CA in the Root Certification Authority store of your Phone.
If it's a self signed cert, just export it from exchange server (without Private key) and copy it to your phone. Then, double click it from File Manager. This should be enough.
^Yeah, I did that right off the top (see my reply to jeen). Still no joy.
Perhaps Tendulkar can finish his thought...
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVirtualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obviously Click ok.
Win2008 (IIS7)
Open IISManager.
Navigate through site, default website, hilight Microsoft-Server-ActiveSync.
Make sure you have the features view selected (should be by default).
Choose SSL Settings.
Unflag "Remove SSL".
Obviously click Accept.
playerkiller said:
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVirtualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obviously Click ok.
Hmmm... "require SSL" was already un-checked. I've re-checked it, let's see what happens with that.
OK lemme know.
make sure you have the same root certificate installed also. you have to trust the same certificate authority as the certificate that you have on your exchange server.
Did anyone find solution
I am having same problem. Certificate installed and tried all connection settings that can find on internet. Cannot get ActiveSync to sync with my server (same certificate error, but hosting company states tested with WM6.1 that all is working fine on their end) and also cannot get Windows Live Messenger to work, states there's a connectivity problem. Funny thing is MMS, surfing net with IE, and Google Maps with GPRS work fine. Only Microsoft network products are not working. My phone is Palm Treo Pro with WM6.1 Professional. Vodafone version but bought in China and have since added A4 Chinese text editor, which I think could be problem, but need to hard reset phone to check. Any ideas? Better yet, any solutions?
One tip for getting this working in my case (same certificate errors) was that I had to get the certificate off the internally facing OWA server, rather than the externally facing version. Although they're both the same server, the external one goes through an IAS box which seems to be presenting its own certificate rather than the one on the exchange server. Don't ask me - I don't run the system.
As soon as I add the Internal version of the cert, Exchange, OTA Sync and ActiveSync spring into life.