Using PEAP on wireless - 8525, TyTN, MDA Vario II, JasJam General

Has anyone been able to setup ther TYTN to use PEAP under 802.1x, to use authication through AD, I get an error when trying it cannot log onto the wireless network. This network requires a personel certficate to positvely identify you, we don't use personel certs, its works fine from my pc.

shark1 said:
Has anyone been able to setup ther TYTN to use PEAP under 802.1x, to use authication through AD, I get an error when trying it cannot log onto the wireless network. This network requires a personel certficate to positvely identify you, we don't use personel certs, its works fine from my pc.
Click to expand...
Click to collapse
You might not know about your certificate, but you probably do have one. Your admin can set up auto enrollment for certain certificates, so the whole process would be invisible to you.
Depending on how much rights you have on your machine, you could try to export your personal cert and import it into your TyTN. Try doing this with "mmc.exe", then add the "certificates" snap in (choose user category) and have a look at your "personal" certificates.
Not sure how to proceed from then on, though - i.e. I don't know if it's possible to use a cert for wifi authentication with a WM5 device.

You might not know about your certificate, but you probably do have one. Your admin can set up auto enrollment for certain certificates, so the whole process would be invisible to you.
Depending on how much rights you have on your machine, you could try to export your personal cert and import it into your TyTN. Try doing this with "mmc.exe", then add the "certificates" snap in (choose user category) and have a look at your "personal" certificates.
Not sure how to proceed from then on, though - i.e. I don't know if it's possible to use a cert for wifi authentication with a WM5 device
Click to expand...
Click to collapse
Thanks for this, I got my Network admin to give me rights the get a personel cert, and now it works fine.

shark1 said:
You might not know about your certificate, but you probably do have one. Your admin can set up auto enrollment for certain certificates, so the whole process would be invisible to you.
Depending on how much rights you have on your machine, you could try to export your personal cert and import it into your TyTN. Try doing this with "mmc.exe", then add the "certificates" snap in (choose user category) and have a look at your "personal" certificates.
Not sure how to proceed from then on, though - i.e. I don't know if it's possible to use a cert for wifi authentication with a WM5 device
Click to expand...
Click to collapse
Thanks for this, I got my Network admin to give me rights the get a personel cert, and now it works fine.
Click to expand...
Click to collapse
Glad to hear that. Hm, that means that the TyTN can use a cert for WiFi authentication? Good to know

Related

No way to disable Server Certificate Validation in 802.1x!

Hi,
I want to connect my qtek 9100 on the 802.1x WLAN of my school (ETHZ). It has not been possible yet, although i spent an hour with a person from the tech support of the school.
The problem comes from the very specific configuration that I cannot set on the Qtek 9100!
I need to uncheck the "validate server certificate" option, which is by default for PEAP authentication, something easy to do on a normal windows machine. But the problem is, there is no way to disable this on the qtek 9100 in any "properties" tab, and it therefore complains that the server certificate is not valid, and then refuses to connect!
HOW could I disable "validate server certificate"?? using the registry??
With the person from the tech support we managed to find somehow the registry keys linked to this option in Windows. But of course these keys dont exist on the qtek 9100 in Windows Mobile 5...
Please, is there some expert with some better idea?
Thanks
Fabrice
I havent found a way to do it so far. No various configurations nor random 3rd party software worked on WM5 properly.
This issue is more interesting when consider that htc universal offers LEAP ( which would do work as well ) and wizard dont!
http://forum.xda-developers.com/viewtopic.php?t=42664
From what I can gather you will need a root certificiate. Still trying to get to the bottom of this though.
it seems that AKU2 allows us to use LEAP which already would do the thing! I'll test in on friday and let you know!
i found some useful info on the net, but have not yet tested them on my MDA Vario:
there seem to be 3 possibilities:
1: you retrieve the root certificate from your techie friend at your university and place it in the designated folder on your ppc.
Click to expand...
Click to collapse
2: you add a DWORD 0 at HKLM\Comm\EAP\Extension\25\ValidateServerCert (http://www.modaco.com/How_to_set_a_wifi_network_to_use_a_certificatel-t237261.html)
Click to expand...
Click to collapse
3: Hkey_Current_User\Software\Microsoft\ActiveSync\Partners
Here you should notice 2 sub-keys, both with a unique UID. One is set up for the ActiveSync Partnership with your PC, the other is set up for the partnership with your Exchange server. Fortunately, it is fairly easy to distinguish between the two. Simply highlight one of them, and look at the different values. You'll see pretty quickly which one is for your Exchange server. While the partner key for your Exchange server is highlighted, create a new value with the following parameters
Type: DWORD
Name: secure
Value: 0 (http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html)
Click to expand...
Click to collapse
authors of points 2 and 3 differ from opinion, but I cannot say which is best, perhaps someone else has an opinion?
predo said:
it seems that AKU2 allows us to use LEAP which already would do the thing! I'll test in on friday and let you know!
Click to expand...
Click to collapse
Hi Predo,
Have you been able to get LEAP to work using AKU2??
Lot of inquiries present on the net, but no clear answers.....
Thx,
Mak
This is what I would do.
This can be easily done from a PC, because you can get a temporary trust from the authentication server which gives you the option to install the root on your PC. Export the root cert from your laptop/PC and copy it over to your mobile device. Once the root.cer is on the wizard just open up file explorer and double tap it the cert will auto install.
Problem solved
I wouldn't use LEAP or even PEAP without validating the server cert. Especially in a hostel environment like a university, which is full of hacks. Associating to an AP without validating certs sets you up for man in the middle.
The only advantage LEAP or Fast EAP (if it were supported) is for roaming. The wizard would also have to support CCX v3. You can get this CCX v3 support by purchasing Funk (now Juniper) Odyssey client, which is $50. When using LEAP or Fast EAP it allows the use of CCKM (fast roaming).
Oh yeah, the odyssey client supports PEAP with the option to not validate the server cert.
hi, i dont know why is that but after upgrading software to new aku2.0 rom ( imate afair ) i started to be able to connect to my university wlan with no problems. Only thing is there i have nothing added in leap tab in network properties.
Anyway, it works so i'm not playing with settings anymore ;-)

Activesync Exchange Server Password Prompt

I have an 8125 with Summiter's 2.3 Rom installed. I am trying to establish a connection to my exchange server which is hosted. When I enter the server, user ID, password and Domain info correctly, activesync keeps prompting me with "Please correct your Exchange Server password"
My provider insists that the settings were correct on their side and their crack tech support staff told me that WM5 has problems storing the password. They said that the only thing to do is to keep deleting the server connection on the device and recreating it.
Through this persistence, I was able to get it configured once. It was syncing (with push email) for most of the day... until I connected the device to the PC with the USB cable to charge it. Then Activesync on the PC kicked in and the password prompts began.
I have deleted and reconfigured the server on the device in excess of 20 times now with every combination of soft resets in between to try to get this resolved.
Any thoughts? Your help is greatly appreciated!
***EDIT***
email host needed to create a pre-NT4 alias for the userid due to the naming convention ues by our company in their provisioning console. Therefore once I found out the alias the config was a snap. working perfectly now! Thanks.
What tech support for your host meant to tell you is that they do not have a clue what they are talking about. I support numerous WM implementations using AUTD and Push email with WM devices of all flavors that support one of those options (2003, 2003se, 2005) and NONE of my customers have to continually put in ANY information to keep syncing.
It is true that using the special sms tickle method of pull on 2003 devices does sometimes hang up and have to be restarted manually but even then you should not be asked for information you already saved about the connection.
Find a new mail host.
Well, since you have no problems setting up "WM implementations using AUTD and Push email with WM devices", I would love to hear your thoughts on why I keep getting a password prompt over and over again with the message "Please corrrect your exchange Server password".
Using Cingluar 8125 with stock 2.25 ROM.
Mobile services are enabled under ESM
Pre-2k alias is set in the username
SSL is installed on the server with front end virtual directory
I have disabled certificate checking on the device itself by hacking the registry on the device since I'm using self singed cert
Exchange SP2 is installed
Activesync on the PC with USB works like a charm
But, trying to sync over GPRS/EDGE with the exchange server it keeps prompting me to correct exchange server password which I know it's correct since I administer the server myself.
I've seen NUMEROUS posts about this issue but no one seems to have the answer.
This is driving completely bonkers
You say you can sync while connected via USB to a computer but you do not specify whether that computer is INSIDE or OUTSIDE your network. So I am going to assume it is INSIDE, and bet that were you to try the same test from OUTSIDE your network it would fail just as it does using GPRS. If so the indications point to incorrectly putting in your user name/domain information and not the password itself.
I assure you, the domain\username and password combinations are quite right. It's DOMAIN\username and then the password. I mean you can't really get away from that format when you enter the information in the pocket pc or activesync on your pc since it asks you for the domain and the username and the password. I can however login to webmail and oma through the web browser using the exact username and password.
Any more thoughts?
I have no more thoughts until you answer the question I asked. Can you sync while connected to a computer that is OUTSIDE your network?
When putting in your information on the mobile device, in the username field if you are putting domain\user you are wrong. That box is USER NAME ONLY.
Let me start over again. No, usb or gprs outside doesn't work. And yes, the username is put in as just the username with no domain\ in front of it. Activesync substitutes the domain from the domain field as domain\ is what I meant.
So it doesn't work from outside no matter what the connection. Again, the problem is the domain reference. We just have to figure out what is wrong with it.
From outside your network, can you access Ouloook Web Access? If so, EXACTLY what is the URL you use?
I'm using https://servername/exchange
I can also user https://servername/oma from the phone and it works too.
I would really like to see https://servername/exchange work from outside your network. I am interested to know how you got a NETBIOS name to resolve from outside your DNS zone over the internet.
Please read the question asked before answering so I can stop asking you the same thing twice. I asked you:
From outside your network, can you access Ouloook Web Access? If so, EXACTLY what is the URL you use?
Click to expand...
Click to collapse
Your answer might work inside your network but no way will it work outside. And if you are afraid that advertising your domain name will compromise your Exchange box you should just shut it down anyway.
Ok,
I'm REALLY trying to be tolerant here. Unfortunately, I'm starting to reach the end of my patience. You and I BOTH know that I'm not advertising my NETBIOS name on the Internet. We BOTH know EXACTLY what I mean when I say https://servername/exchange. It means a URL accessible from the outside which points to the server via NAT on our firewall and then /exchange. So, here's the URL:
https://mail.glaucomaexpert.com/exchange
When I say that webmail works, I REALLY REALLY mean that it works. I'm not making it up. If you don't know the answer or if you are not sure of the answer, just let me know. That's no problem. I'm really starting to think that this issue is due to the registry hack on the phone to remove certificate checking.
Unfortunately, I'm using a self generated cert and I've tried using the .cab method to import the cert, that didn't work. I simply copied into a file (DER encoded) and tried to import it no workie either. I tried copying as a Base-64 encoded, copied to the phone and when I tried to import it said it was unable to access certificate. Before I disabled certificate checking, it wouldn't accept the certificate. So, now it accepts it but it keeps asking for the password.
I have gone over the exchange settings over and over and over again and I'm simply not seeing anything wrong.
So....here's where I am.
Great. Thanks for answering the question. So in your server configuration fields you are filling in those blanks like this:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name which may or may not be the same as your FQDN
Does all of that sound like what you are using? If you feel more comfortable PMing the information then thats fine. But your settings should resemble what I wrote.
Are you forcing users to use SSL for Outlook Web Access? If so, you might try turning it off TEMPORARILY and test syncing without requiring SSL to eliminate the self signed cert possibility. I won't be much use troubleshooting that as I get my customers fo flip for a Thawte certificate to avoid untrusted root cert authorities.
That's exactly what I'm using:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name
Under secure communications I do not have require secure channel checked.
I just enabled http(port 80) access to the exchange server and it's working like a charm.
So I guess it's still a certificate issue. I guess disabling certificate checking is not doing the trick but instead cause more problems.
I really wish I could import the self signed certificate. This really sucks. Your help is appreciated. Thanks. I should had tried this before. I just assumed this registry hack wouldn't have any bearing on it originally.
@deeztech - I'm also suspicious of the registry hack to disable the certificate checking. This worked for me in the 2003 days with my client's Blue Angels but I've never been able to get it to work with WM5. I have numerous Exchange 2003 servers that I maintain here in So. Fla and they all have self generated certs. I use MMC and add the Certificates snap-in. From the Trusted Root Authorities I'll right click my certificate - all tasks and then export to a Der encoded x.509. Copy to my storage card and execute it from there.
Of course it sounds like your certificate is installed correctly as your logon to OWA and OMA are working which is why I suspect that reg hack you mentioned.
I did read on exchange-experts to check the authentication on the webserver....
Curious if it's just your PDA or are there others with the same issue?
Glad you narrowed it down. Unfortunately I don't have a magic bullet for the self signed certificate piece but I do have some suggestions for you.
1) Enable forms based authentication: http://support.microsoft.com/kb/830827/
2) Require SSL for access
3) Unless you intend to offer services you might turn off the default website at https://mail.glaucomaexpert.com/
If you are interested in a cert from a trusted CA check out Thawte, where you can get an SSL123 certificate in just a few minutes for as little as $149: https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2

*** Wifi on Corporate Network ***

Does any one know if there is a way to use your WM6 device on a secured WPA, TKIP, PEAP network when you have your own user name and password to access regular pc.
I'm trying to use my TILT at work and everytime i try to log in it tells me that i need "personal certificate" to positively identify me.
Would it possible to retreive my personal certificate from my work loptop and transfering it somehow to my Tilt?
I really need some help with that, i've been trying this forever.
THanks in advnace
marcini said:
Does any one know if there is a way to use your WM6 device on a secured WPA, TKIP, PEAP network when you have your own user name and password to access regular pc.
I'm trying to use my TILT at work and everytime i try to log in it tells me that i need "personal certificate" to positively identify me.
Would it possible to retreive my personal certificate from my work loptop and transfering it somehow to my Tilt?
I really need some help with that, i've been trying this forever.
THanks in advnace
Click to expand...
Click to collapse
That personal certificate is linked to your work computer name and how it is registered on the AD domain. I don't know how or if it's possible but thats the sorta technicle rundown.
marcini, you should contact your company's IT services and inquire whether it's allowed and whether they will provide support. Most companies are very particular about network access, and rightfully so.
If they use certificate-based authentification for their wpa network, they obviously want to control who gains access to their network, and unauthorized probing might risk your job.
Have fun!

WiFi on the Corporate Network???

Does any one know if there is a way to use your WM6 device on a secured WPA, TKIP, PEAP network when you have your own user name and password to access regular pc.
I'm trying to use my TILT at work and everytime i try to log in it tells me that i need "personal certificate" to positively identify me.
Would it possible to retreive my personal certificate from my work loptop and transfering it somehow to my Tilt?
I really need some help with that, i've been trying this forever.
THanks in advnace
marcini said:
Does any one know if there is a way to use your WM6 device on a secured WPA, TKIP, PEAP network when you have your own user name and password to access regular pc.
I'm trying to use my TILT at work and everytime i try to log in it tells me that i need "personal certificate" to positively identify me.
Would it possible to retreive my personal certificate from my work loptop and transfering it somehow to my Tilt?
I really need some help with that, i've been trying this forever.
THanks in advnace
Click to expand...
Click to collapse
You can get that certificate from your network adminstrator.. It has to be installed on the Tilt to work... You should only need a certificate based upon the protocol that you choose to use (afaik)...
debonairone said:
You can get that certificate from your network adminstrator.. It has to be installed on the Tilt to work... You should only need a certificate based upon the protocol that you choose to use (afaik)...
Click to expand...
Click to collapse
well i would love to get it from my it guys, but they wont give it to me, there is no pda devices on our network set up for wireless, everbody's using blackberries and their data plans. and since we have wifi, i was thinking of using that if that's possible

ActiveSync config for Exchange

Trying to set up ActiveSync on my Telus P4000 (Titan), although the issue should be the same with an WM6.1 phone...
I can't for the life of my figure the right server settings to enter in the Configure Server section, and I have yet to find a definitive "this is how you do it" procedure for it. As near as I've been able to glean, for the "Server address" section, you give it JUST the domain name of the Exchange server, without an http:// or a /exchange or /oma or anything... correct so far? But the catch in my particular instance is that Exchange web access is on port 8080, rather than 80 or 433.
I've tried adding a :8080 to the server address, I've tried adding the http:// and/or https://, I've tried adding the /oma and /exchange to the end, and all combinations of the above, with no luck... when I go back into the settings, it's reverted to JUST the domain name. Is there somewhere else I can tell it to use a non-standard port? Registry key, maybe?
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SLL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Soundy106 said:
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SLL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Click to expand...
Click to collapse
You will probabby have to install a certificate on the phone to be able to communicate with the exchange server. At least i had to...
playerkiller said:
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Click to expand...
Click to collapse
I've searched everywhere for info on using non-standard ports for activesync, and I haven't found anything, and I couldn't get it to work.
jeen said:
You will probabby have to install a certificate on the phone to be able to communicate with the exchange server. At least i had to...
Click to expand...
Click to collapse
Yeah, did that... still not helping
Go to first new post ActiveSync config for Exchange
Exchange ActiveSync cannot access the server if SSL is set to be required. For
information about how to correctly configure Exchange virtual directory
jeen is right. Unless the certificate is issued form a Trusted Certificate Authority, you will need to import the issuing CA in the Root Certification Authority store of your Phone.
If it's a self signed cert, just export it from exchange server (without Private key) and copy it to your phone. Then, double click it from File Manager. This should be enough.
^Yeah, I did that right off the top (see my reply to jeen). Still no joy.
Perhaps Tendulkar can finish his thought...
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVritualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obvsiulsy Click ok.
Win2008 (IIS7)
Open IISManager.
Navigate through site, default website, hilight Microsoft-Server-ActiveSync.
Make sure you have the features view selected (should be by default).
Choose SSL Settings.
Unflag "Remove SSL".
Obviusly click Accept.
playerkiller said:
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVritualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obvsiulsy Click ok.
Click to expand...
Click to collapse
Hmmm... "require SSL" was already un-checked. I've re-checked it, let's see what happens with that.
OK lemme know.
make sure you have the same root certificate installed also. you have to trust the same certificate authority as the certificate that you have on your exchange server.
Did anyone find solution
I am having same problem. Certificate installed and tried all connection settings that can find on internet. Cannot get ActiveSync to syn with my server (same certificate error, but hosting company states tested with WM6.1 that all is working fine on their end) and also cannot get Windows Live Messenger to work, states there's a connectivity problem. Funny thing is MMS, surfing net with IE, and Google Maps with GPRS work fine. Only Microsoft network products are not working. My phone is Palm Treo Pro with WM6.1 Professional. Vodaphone version but bought in China and have since added A4 Chinese text editor, which I think could be problem, but need to hard reset phone to check. Any ideas? Better yet, any solutions?
One tip for getting this working in my case (same certificate errors) was that I had to get the certificate off the internally facing OWA server, rather than the externally facing version. Although they're both the same server, the external one goes through an IAS box which seems to be presenting its own certificate rather than the one on the exchange server. Don't ask me - I don't run the system.
As soon as I add the Internal version of the cert, Exchange, OTA Sync and ActiveSync spring into life.

Categories

Resources