I have an 8125 and when I go to Start-->Settings-->System-->Certificates-->Root, I do not see Verisign in the list of trusted root certs. Is it just me or can anyone else with a Cingular 8125 confirm that they do not have Verisign listed in their trusted root certs? I list Thawte, GTE, and several other but no Verisign.
I am trying to authenticate with my corporate wifi using PEAP and keep getting an error - Cannot log on to the wireless network. This network requires a personal certificate to positively identify you. I get prompted for a username, password and domain and then it returns the error - The server certificate is issued by an unknown authority and since I purchased a Verisign WLAN cert, that is what lead me to check the root certs on the 8125 - no Verisign is listed.
Just need someone to confirm their Cingular root cert settings.
Thanks
Running the new ROM, not on my box either.
It appears that Class 3 Public Primary Certification Authority (VeriSign, Inc.) is the Verisign one. I Wonder why it doesnt work.
Related
I have an 8125 with Summiter's 2.3 Rom installed. I am trying to establish a connection to my exchange server which is hosted. When I enter the server, user ID, password and Domain info correctly, activesync keeps prompting me with "Please correct your Exchange Server password"
My provider insists that the settings were correct on their side and their crack tech support staff told me that WM5 has problems storing the password. They said that the only thing to do is to keep deleting the server connection on the device and recreating it.
Through this persistence, I was able to get it configured once. It was syncing (with push email) for most of the day... until I connected the device to the PC with the USB cable to charge it. Then Activesync on the PC kicked in and the password prompts began.
I have deleted and reconfigured the server on the device in excess of 20 times now with every combination of soft resets in between to try to get this resolved.
Any thoughts? Your help is greatly appreciated!
***EDIT***
email host needed to create a pre-NT4 alias for the userid due to the naming convention ues by our company in their provisioning console. Therefore once I found out the alias the config was a snap. working perfectly now! Thanks.
What tech support for your host meant to tell you is that they do not have a clue what they are talking about. I support numerous WM implementations using AUTD and Push email with WM devices of all flavors that support one of those options (2003, 2003se, 2005) and NONE of my customers have to continually put in ANY information to keep syncing.
It is true that using the special sms tickle method of pull on 2003 devices does sometimes hang up and have to be restarted manually but even then you should not be asked for information you already saved about the connection.
Find a new mail host.
Well, since you have no problems setting up "WM implementations using AUTD and Push email with WM devices", I would love to hear your thoughts on why I keep getting a password prompt over and over again with the message "Please corrrect your exchange Server password".
Using Cingluar 8125 with stock 2.25 ROM.
Mobile services are enabled under ESM
Pre-2k alias is set in the username
SSL is installed on the server with front end virtual directory
I have disabled certificate checking on the device itself by hacking the registry on the device since I'm using self singed cert
Exchange SP2 is installed
Activesync on the PC with USB works like a charm
But, trying to sync over GPRS/EDGE with the exchange server it keeps prompting me to correct exchange server password which I know it's correct since I administer the server myself.
I've seen NUMEROUS posts about this issue but no one seems to have the answer.
This is driving completely bonkers
You say you can sync while connected via USB to a computer but you do not specify whether that computer is INSIDE or OUTSIDE your network. So I am going to assume it is INSIDE, and bet that were you to try the same test from OUTSIDE your network it would fail just as it does using GPRS. If so the indications point to incorrectly putting in your user name/domain information and not the password itself.
I assure you, the domain\username and password combinations are quite right. It's DOMAIN\username and then the password. I mean you can't really get away from that format when you enter the information in the pocket pc or activesync on your pc since it asks you for the domain and the username and the password. I can however login to webmail and oma through the web browser using the exact username and password.
Any more thoughts?
I have no more thoughts until you answer the question I asked. Can you sync while connected to a computer that is OUTSIDE your network?
When putting in your information on the mobile device, in the username field if you are putting domain\user you are wrong. That box is USER NAME ONLY.
Let me start over again. No, usb or gprs outside doesn't work. And yes, the username is put in as just the username with no domain\ in front of it. Activesync substitutes the domain from the domain field as domain\ is what I meant.
So it doesn't work from outside no matter what the connection. Again, the problem is the domain reference. We just have to figure out what is wrong with it.
From outside your network, can you access Ouloook Web Access? If so, EXACTLY what is the URL you use?
I'm using https://servername/exchange
I can also user https://servername/oma from the phone and it works too.
I would really like to see https://servername/exchange work from outside your network. I am interested to know how you got a NETBIOS name to resolve from outside your DNS zone over the internet.
Please read the question asked before answering so I can stop asking you the same thing twice. I asked you:
From outside your network, can you access Ouloook Web Access? If so, EXACTLY what is the URL you use?
Click to expand...
Click to collapse
Your answer might work inside your network but no way will it work outside. And if you are afraid that advertising your domain name will compromise your Exchange box you should just shut it down anyway.
Ok,
I'm REALLY trying to be tolerant here. Unfortunately, I'm starting to reach the end of my patience. You and I BOTH know that I'm not advertising my NETBIOS name on the Internet. We BOTH know EXACTLY what I mean when I say https://servername/exchange. It means a URL accessible from the outside which points to the server via NAT on our firewall and then /exchange. So, here's the URL:
https://mail.glaucomaexpert.com/exchange
When I say that webmail works, I REALLY REALLY mean that it works. I'm not making it up. If you don't know the answer or if you are not sure of the answer, just let me know. That's no problem. I'm really starting to think that this issue is due to the registry hack on the phone to remove certificate checking.
Unfortunately, I'm using a self generated cert and I've tried using the .cab method to import the cert, that didn't work. I simply copied into a file (DER encoded) and tried to import it no workie either. I tried copying as a Base-64 encoded, copied to the phone and when I tried to import it said it was unable to access certificate. Before I disabled certificate checking, it wouldn't accept the certificate. So, now it accepts it but it keeps asking for the password.
I have gone over the exchange settings over and over and over again and I'm simply not seeing anything wrong.
So....here's where I am.
Great. Thanks for answering the question. So in your server configuration fields you are filling in those blanks like this:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name which may or may not be the same as your FQDN
Does all of that sound like what you are using? If you feel more comfortable PMing the information then thats fine. But your settings should resemble what I wrote.
Are you forcing users to use SSL for Outlook Web Access? If so, you might try turning it off TEMPORARILY and test syncing without requiring SSL to eliminate the self signed cert possibility. I won't be much use troubleshooting that as I get my customers fo flip for a Thawte certificate to avoid untrusted root cert authorities.
That's exactly what I'm using:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name
Under secure communications I do not have require secure channel checked.
I just enabled http(port 80) access to the exchange server and it's working like a charm.
So I guess it's still a certificate issue. I guess disabling certificate checking is not doing the trick but instead cause more problems.
I really wish I could import the self signed certificate. This really sucks. Your help is appreciated. Thanks. I should had tried this before. I just assumed this registry hack wouldn't have any bearing on it originally.
@deeztech - I'm also suspicious of the registry hack to disable the certificate checking. This worked for me in the 2003 days with my client's Blue Angels but I've never been able to get it to work with WM5. I have numerous Exchange 2003 servers that I maintain here in So. Fla and they all have self generated certs. I use MMC and add the Certificates snap-in. From the Trusted Root Authorities I'll right click my certificate - all tasks and then export to a Der encoded x.509. Copy to my storage card and execute it from there.
Of course it sounds like your certificate is installed correctly as your logon to OWA and OMA are working which is why I suspect that reg hack you mentioned.
I did read on exchange-experts to check the authentication on the webserver....
Curious if it's just your PDA or are there others with the same issue?
Glad you narrowed it down. Unfortunately I don't have a magic bullet for the self signed certificate piece but I do have some suggestions for you.
1) Enable forms based authentication: http://support.microsoft.com/kb/830827/
2) Require SSL for access
3) Unless you intend to offer services you might turn off the default website at https://mail.glaucomaexpert.com/
If you are interested in a cert from a trusted CA check out Thawte, where you can get an SSL123 certificate in just a few minutes for as little as $149: https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2
HI guys,
Got my new TyTn out the box, set it up with some of my files, now i am trying to sync with my exchange server.
If I take off SSL, it tells me I don't have permission to initiate sync, which i know i do, cause i set it up on my account.
If i put SSL on, it says the server cannot be reached,
Could someone out there please help me. I have been trying for weeks, in the end i thought it was the unit, so this is my new unit now.
Be sure that the OWA folder (http://yourserver/exchange) has the "require SSL" unticked in security option of IIS, also check that integrated authentification is ticked.
Check that your tytn trust the CA and that the cert match the server name (with both internal/external DNS if possible).
If you want to go without SSL (which is far from being a good idea, everything will go through the network in plain text) have a check in the server log; there will be a critical event explaining you what is going on and what to do in that case
Hi man,
Thanks for the response, how do i issue the CA certificate for the Tytn from the server?
Is that maybe my problem that the relationship between the device and the server hasn't been established properly?
I just want to get my e-mail, why has microsoft made it such an issue?
Surely if you enter in all the correct details for the server and the user account it should work, just like setting up teh IMAP with the send and recieve schedule like u used to on the IIi's?
Appreciate the help mate
Thanks
Microsoft deny you to check your email if you don't trust the CA. This is normal and a part of the SSL security; SSL certs are used to cipher AND to auth.
If the certificat is not issue by a trusted root CA it won't be trusted by your device. You have to connect to http:/ca_server/certsrv and here select "download" CA cert. Just transfert the cert to your device and set it up. If you can not acces the CA web service that way you may be able to gather the certificate while surfing to te OWA with explorer: go to https://your_server/exchange click on the little lock, go to "certification's path" double click the certificat on the top of the "tree" go to detail and select save to file. Select *.cert format and then finaly send this file to your PPC.
No can't connect to the Cert page, and with the OWA page, if you mean the little lock that appears at the bottom of some web pages in one of the blocks, I don't get that with my OWA. I am a bit lost...
ruski said:
No can't connect to the Cert page, and with the OWA page, if you mean the little lock that appears at the bottom of some web pages in one of the blocks, I don't get that with my OWA. I am a bit lost...
Click to expand...
Click to collapse
use https://your/owa instead of http://your/owa. Using the OWA without cipher is far from being a good idea; your user/password (wich is in fact an active directory user, that a some power) goes in plain text through the internet.
aaw, man, Thanks so much, I see now... OK, I will get the certificate off tomorrow and copy it onto my Tytn. I really hope that works! Thanks for your help!
OK, now I have made the certificate and copied it onto the Tytn, Still says The server could not be reached! Support code: 0x80072EE2
Ok, just want to check, when setting up the server, under server name, I have the servers external IP address. SSL is ticked, the user name and password and domain should be correct, username is @domain.local
Other than that, not much complicated, i don't seem to be understanding microsofts issue here, i have searched for white papers, which seem to be very vague and no step by step on how to set it up.
Hooooaarg speaking english is giving me headache
You are only satisfying one of the requirement at now:
-Your tytn trust your CA
In IIS you have issued a certificat to a name, for instance server.domain.local; if you contact this server through a SSL connexion by another name you will get an error; the name you accessed doesn't match the name in the certificate; so for IE and your PPC the security may be compromised. In active sync, under server name, you have to enter the exact same name you entered when you issued the SSL certificat in IIS, if it is internal (server.domain.local) it will only work as long as you are on your network. There are several ways to solve that; you can revoque this certificat in IIS and issue a new one matching your external DNS, with this solution you will be able to setup your activesync to connect through the external name of your server, keep in mind that NAT forwarding must be configured to route the traffic from HTTP socket (80) to the exchange server.
You can also setup a VPN server (L2TP/IPSEC should work fine), so that you will always be on the internal network and so able to get your email. This should be the safest way to go, but I guess that it generate more traffic, thanks to the encapsulation; so if you are greedy and pay per byte, avoid this solution.
You could, at last, also disable the SSL encryption; but in my opinion this FAR from being the good way to go, it should only be used for testing purpose.
If you can speak afrikaans I will happily change! lol
OK, if I turn off SSL and connect to the server external IP, it says I don't have permission to synchronise,
If i turn on SSL it tells me the server can't be reached, wish it would make up it's mind.
I am not very good with IIS, I am staring at it now. I am not sure if i did the certificate thing right. As there are 2 options to export , DER encoded and Base-64, I used DER first time round.
If i try and access the server name ie. https://servername it says i cannot use my existing connection and must check properties.....
Thanks for your help man!
You may want to check that you are also forwarding port 443 or what ever port you are using for https access for external use at the server end.
You had to get ActiveSync permitted for your account (by administring it with "Active Directory users and computers" in one of the tab for your users) but you also need it activated on the Exchange "System Manager" under organisation settings (have a look at www.httpsync.net)
André
After reading many threads and websites, I am still unable to get a solution to my issue regarding specific Wi-Fi connections on my XV6800 / HTC Titan.
My college uses a WPA Enterprise/TKIP secured network using PEAP/EAP-MSCHAPv2 authentication. It is also required that the server's certificate is not checked against a CA for validity.
My problem is that I have been unable to connect to the network.
Using the settings (Authentication: WPA, Encryption: TKIP), I can choose PEAP for Network Authentication, but hitting Properties says "Cannot log on to the wireless network. This network requires a personal certificate to positively identify you."
It will never let me connect because of that.
Now, on the other hand, I tried SecureW2 TTLS as my authentication, and in SecureW2, I setup a profile with it setup to not check the server certificate, and EAP/PEAP for Authentication method/type respectively. As well as to prompt for user credentials.
With this method, I get nothing... Also, Properties near PEAP also says the same thing about the requirement of a personal certificate.
For reference, I'm using DCD's 3.2.0 ROM with Windows Mobile 6.1.
If anyone has any experience with this, please let me know ASAP.
Thank you.
Here's the problem.
When I try to connect to my University's network , the Galaxy S is able to connect JUST fine. However, when I open a browser it says the incoming certificate is not secure and then I have NO INTERNET on any page.
What the network is supposed to do is redirect me to the login page so that I can register the device to the network. My phone can't do that apparently and just sits connected to the network with NO INTERNET connectivity. How can I fix the problem?
This is the university network and the instructions how to get on it for Android devices:
http://www.colorado.edu/its/docs/wireless/androidwireless.html
I connect to it just fine but am UNABLE to get to that device registration/login page.
This is NOT just for my university. ANY public network which requires me to accept an "agreement" before it lets me have internet access, my phone KILLS ITSELF and CANNOT pull up the agreement page but instead tells me there is no internet. I'm SURE its a software problem or something with settings but can't figure out just what it is. Help?
Just about the only networks I can connect to on Wi-Fi are home networks. It SUCKS.
Are you manually trying to type the page address into the browser (https://dhcp.colorado.edu/Public/forceresponse.cgi?SelectAccessData=true)?
No. I tried other websites. The phone browser is IMMEDIATELY redirected to that page and after 0.5 seconds it says "Communication Failed" or something similar and loads NOTHING. Hence my problem is that it can't get to that registration page.
I am not sure then. I have had no issues connecting to public connections that require logins. Maybe call the tech # listed on the instructions page and see what they say. I did notice the screenshot in the guide seems to be 2.2 so maybe this has something to do with it (probably not but who knows)
Sigh
That's not good.
EDIT: The EXACT error I get is:
"There is a problem with the security certificate for this site. This certificate is not from a trusted authority." I get this AS it attempts to load the redirect login page (both university and at work now). Same issue. It's browser/certificate related. And its ANNOYING as hell.
EDIT 2: Found the problem. It's that stupid certificate.
"This is a result of your corporation using an in house Certificate Authority to provide SSL encryption on your mail server and clients.
Basically....the computer that issued the certificate isn't trusted by the android phone. I'm new to android so I'm not sure if you can add a trusted CA (I haven't seen any options for it).
I don't know about future updates like the above poster mentioned.
Most companies will purchase a certificate from one of the major Certificate Authorities on the internet, which are pre-programed into most operating systems to be trusted. Internal CA's are trusted by the domain environment at your work, but not by anyone else. External (Internet) CA's are trusted by everyone.
if you want an example, open up IE (gross I know) and go to your options. Click the content tab, then there should be a button label certificates. inside the certificates window select Trusted Root Certification Authorities.
That is a list of all the builtin trusted CA's provided by Microsoft and the companies that govern the internet. "
I STILL have no idea how to fix it and to make the phone accept the certificate though.
I have LG D800, and on certain websites I get a security warning saying "there are problems with the security certificate for this site" with options of go back, view certificate, continue.
Before I get ahead of myself the reason I want to fix this is because I want to connect to my work VPN through Junos Pulse, and I get a security certificate error there as well, and it won't allow it to connect (I can't change security options w/this app and I don't think other apps work for this vpn)
So I noticed through browsers (both native and chrome) that one some websites I get an https error through my phone and then when I try it on my computer it works fine! (the site I tried was my school's: myllu.llu.edu
For the certificate errors it says: this certificate isn't from a trusted authority. The issuing athority for myllu is listed as GeoTrust SSL CA, and for the VPN I want to connect to: VeriSign Class 3 Secure Server CA -G3.
Can anyone help me with this? I realllly would appreciate it
PS: time and date are correct on my phone, a difference was not made by getting network time, or manually inputting time and date
if you choose to trust those certificates, why don't you just go ahead and install them?