Remove Push Email Password Prompts - 8125, K-JAM, P4300, MDA Vario General

I have been using a registry hack every day to prevent my WM5 device from locking itself every 30 minutes. At around 7:00pm the company I work for forces a policy to my device using push email. At that time I open a registry editor and modify \hklm\security\policies\policies\00001023 from 0 to 1. That prevents the unit from asking for a password for 24 hours.
Making this modification requires very little time compared to entering a password 20 times a day but I would like to streamline the process a little more. Is there an easy way to create a .cab or .exe that performs the same task? After I enter the password at 7:00pm it would be great to click on a .cab or .exe to modify that registry value once a day.
Does anyone have any input on how to create a .cab or .exe to do this?
Thanks,
SeanH

I am halfway there. I found that with Resco registry editor I can export values that can be imported by double clicking the .reg file.
When you double click on the .reg file it asks if you would really like to import the reg values. Then after it’s done it pops up another box notifying they are installed.
Is there a way to import them without all the prompts?
SeanH

I believe this issue has been addressed on this board here somewhere.. and I think it was determined that it's not the device that requires it, but it's the Exchange server requesting it... And to get that changed you would have to talk to your Exchange server admin.. although I could be mistaken, I can't seem to find the post..

shogunmark said:
I believe this issue has been addressed on this board here somewhere.. and I think it was determined that it's not the device that requires it, but it's the Exchange server requesting it... And to get that changed you would have to talk to your Exchange server admin.. although I could be mistaken, I can't seem to find the post..
You are correct it has been addressed on a few forums. WM5 users have two options to disable the 30 minute password. First is to go to their Exchange Admin and ask them to change it. Second is to modify that registry entry and make sure lock is set to 24 hours. Once it’s set for 24 hours you just need to modify the registry entry.
I work for a very large company with an IT department that does not make exceptions for anyone. The registry tweak has worked great. I am just trying to find a way to make it easier.
If someone does know a simple way to modify that entry it would be greatly appreciated.
SeanH

same problem here...is there already a solution??
thnx..

Exchange server with invalid certificate

My company runs an Exchange server that I can connect to via SSL on the web. However, I always got an invalid certificate message. On 2003 devices I ran certchk and I could synchronize my mail, calendar and contacts.
Now - with my JJ - I can not get to my mail anymore because of this invalid certificate. It does not help to download the certificate to my device, since it is invalid.
Is there any reg hack, apps or whatever i can use to overcome this?
Thx
Ronaldovic,
Try exporting the root certificate from the Certificate Authority in "DER" format, copy it to the JJ and run it. This should work as the JJ is not certificate locked.
Ferg.
I did - and when i look in settings-certificates - it shows in the list of certificate but with an enddate of somewhere in 2003 (so it is not valid).
Again, with certchk in 2003 devices it all worked flawlessly.
Are the certificates still the problem now? Or is it something else?
When i sync, i get an error: 0x80072F17
Ah sorry, I read your mail but didn't really read it and assumed I knew what you were saying.
If you can get a reg editor for the JJ (I use something called "Mobile Registry Editor" which is a PC-based app and works through ActiveSync), change DWORD Value under HKCU\Software\Microsoft\Activesync\Partners\[Secure] to 0. I gather this will do it.
On the point of the certi though, can you not get the CA to issue a new certificate to the Exch box? When connecting through SSL, ActiveSync doesn't give you a "Yeah connect, I don't care!" dialog box as OWA does.
Ferg.
got a good reg editor, but can not find the last [secure] part...what do u mean by that? For example below ..\partners i see two entries(default) and (ServerNameChanged). and two directories with strange numbers.
About the certificate thing...if i understand u correctly i will never connect if i do not have a valid certificate?
I appreciate the help!!
YEAH!!! Great, got it working, thx to u!
I just love this forum.
Glad to hear it!
I am back....
The sync goes ok now, but every time I send a new mail, it gets sent twice. In my outbox on the JJ there is one email, when I receive I see two coming in (exactly the same).
Any1?
I can get it to look like it's working by turning off SSL, e.g. it says syncing 20/20 emails. However when I go to messages there are none there! Similarly contacts, tasks and calendar items appear to be syncing in ActiveSync, but they just don't show up!
Hi,
I have run into the same problem.
Used the tips on changing the registry (for which I really thank you!!!).
However, it seemed to be working until I realized that my Treo 700w keeps asking for the password. No matter how many times I enter my password correctly, it just keeps asking for the password over and over again. It does not save my password even if I select the "save password" option.
Have you run into this problem and found any workaround?
Thanks in advance. Bo.
Boryu,
Remove and re-add the server source.
I've had this a few times and it's well annoying! This seems to do the trick though.
Ferg.
same issue
i have the same issue,
I used registry editor but it's not allowing me to add the reg key!!
Am I doing something wrong, and where do I add the Secure Dword?
Why don't you just renew the certificate? Just right click the website folder within IIS 6.0 and select Properties. There is a security tab (Directory Security?) within which you can renew an existing certificate.
I had the same problem getting push email to work, and renewing the certificate fixed the problem.
ronaldovic said:
got a good reg editor, but can not find the last [secure] part...what do u mean by that? For example below ..\partners i see two entries(default) and (ServerNameChanged). and two directories with strange numbers.
About the certificate thing...if i understand u correctly i will never connect if i do not have a valid certificate?
I appreciate the help!!
Hi, I see exactly the same, but which value do I have to change??
please help
thanks in advance

TyTN "forgets" personal certificate

I try to get my mails pushed to my TyTN. Thus I enabled the appropriate services on my Exchange 2003 SP2 server, set the user permissioning and so on. I generated a P12 cert with my CA and imported it using p12import.exe on my TyTN. I also installed .cer for the domain and for the CA on the mobile device. Thus I was able to sync and push. Now I am facing the following issue:
After successfully synchronizing and pushing for some hours, I regularly get an 0x85030027. Checking my certificate I can see that my p12 is gone. After reimporting it using p12import, I can change the server settings the following way to force a "reinitialisation" of the link between user settings and cert: I delete the "m" in "blabla.dynaccess.com", go forward to login information - the password is gone then - go back to the server, add the "m", go forward adding the password. Sometimes I am then able to sync again, sometimes I get an 0x85010004. In the latter case I must delete the whole server setting - losing all my mails - and have to set it once again.
Dealing with this issue now for several days and being unable to find any description or solution in this forum and the web, I kindly ask for any idea which could be considered being helpful...
PS.: Sorry for my English - it is not my native tongue ;-)
I use a CACert certificate for my email and have imported it using the smartphoneaddcert utility from Micro$oft.
Copy your certificate into \Storage\root.cer (has to be named like this) and run SPAddCert.exe, hopefully that should work
thanks for the immediate answer. i already installed my root-certificate with no probs. The issue I have is related to the individual cert for the device, generated and signed by my ca, which is trusted by the tytn. This individual one disappears after some syncs?!
I don't experience the same problem ...
I think your method is ok (Jacco in DDSL.NL) has a nice tool to import a personal certificate to the device...
You may also look : http://www.httpsync.net
Cheers
André
Now I can describe the problem more precisely: the personal certificate disappears after every soft reset?!
I have the exact same problem !!!!
When you do a soft reset the personal Certificate disappears.
I can reimport it directly, but I need to hook it up to a PC in order to validate the Certificate.
Is there no other way? This is really annoying when I'm on a trip, and I have to soft reset the device.
Does anyone know how this can be done differently?
Thanks
Micman

How to undo botched Exchange Servers Password Policy

I tried to set up ActiveSync/Direct Push on my 8525 to sync my corporate email without needing a laptop. I seemed to have gotten part way through the process:
The server pushed to me the new password policy complete with x-digit requirement and x-minute timeout.
When it came time to sync, it bombed (I tried another device - I just think my company doesn't allow ActiveSync).
I'm convinced IT isn't supporting that feature.
Problem - HOW DO I GET RID OF THE PASSWORD POLICY! I'd like to go back to my plain 4 digit PIN with the big keypad. I see some reg entries that must be associated, but I'm not sure.
I did a search on the forums, but didn't find anything. I apologize if this is a newbie post ...
AFAIK there is no easy way to do this other than hard resetting the device. I had the same problem I had to hard reset it.
I could be wrong.. but from what i have read the password policy is set on the server and not the phone.. you would probably have better luck talking to your IT people than editing the policy on the phone..
shogunmark said:
I could be wrong.. but from what i have read the password policy is set on the server and not the phone.. you would probably have better luck talking to your IT people than editing the policy on the phone..
It is definitely set on the phone. It has to be disabled on the Exchange server before you can remove it from your phone. Once it's disabled on the Exchange server it requires a soft-reset before you can remove the lock.
Hi,
I have the same problem on my trinity ;-)
I delete the exchange server in activesync but security et here :-(
I found the solution :
"
Originally Posted by SeanH
I have been using a registry hack every day to prevent my WM5 device from locking itself every 30 minutes. At around 7:00pm the company I work for forces a policy to my device using push email. At that time I open a registry editor and modify \hklm\security\policies\policies\00001023 from 0 to 1. That prevents the unit from asking for a password for 24 hours."
I had this problem on the HTC Kaiser as well; the SeanH solution works like a charm! The tick mark is NO longer grayed out!
Thanks!
006fazer said:
Hi,
I have the same problem on my trinity ;-)
I delete the exchange server in activesync but security et here :-(
I found the solution :
"
Originally Posted by SeanH
I have been using a registry hack every day to prevent my WM5 device from locking itself every 30 minutes. At around 7:00pm the company I work for forces a policy to my device using push email. At that time I open a registry editor and modify \hklm\security\policies\policies\00001023 from 0 to 1. That prevents the unit from asking for a password for 24 hours."

HTC HD2 the network requires a personal certificate

Hi all,
I bought an HD2 yesterday and today when I try to connect to the wifi of my office it says "the network requires a personal certificate to identify you". I have done some research and followed the threads below, but there seems to be no clear solution. Please can somebody help with a patch to disable the network certificate check.
Thanks
followed threads
http://forum.xda-developers.com/showthread.php?t=344087
http://forum.xda-developers.com/showthread.php?t=264781 :confused:
I have been struggling with this also for quite a while.
The suggestion you mention is probably not worthwhile investigating.
The certificate is required by the access point so you should change it there if you do not want to change the phone.
My solution was the following.
The HD2 comes with a base set of certificates and our corporate network requires one that is not in there.
I managed to find out which certificate I needed and was able to Google it.
Then just copy it to the phone, run the cert file and you're done!
watnuweer said:
I have been struggling with this also for quite a while.
The suggestion you mention is probably not worthwhile investigating.
The certificate is required by the access point so you should change it there if you do not want to change the phone.
My solution was the following.
The HD2 comes with a base set of certificates and our corporate network requires one that is not in there.
I managed to find out which certificate I needed and was able to Google it.
Then just copy it to the phone, run the cert file and you're done!
I could not get one for my corporate network is there any patch to disable it, i had tattoo and iphone which never required such certificate
neitin said:
I could not get one for my corporate network is there any patch to disable it, i had tattoo and iphone which never required such certificate
You cannot patch your device to disable this.
It is a requirement of YOUR network.
You need to find out which base certificate it is you need and then install to your phone.
Hi. Sorry to bring up an oldie, but I'm having this issue as well with the exception that my network doesn't require a certificate. I've confirmed this with my IT department. Any ideas as to how this can be disabled? It only seems to happen when I connect my phone to my PC (which is only done to install software, not sync with exchange; that's done wirelessly).
GrandAdmiral said:
Hi. Sorry to bring up an oldie, but I'm having this issue as well with the exception that my network doesn't require a certificate. I've confirmed this with my IT department. Any ideas as to how this can be disabled? It only seems to happen when I connect my phone to my PC (which is only done to install software, not sync with exchange; that's done wirelessly).
The only thing you have to do is to add a DWORD Registry Entry under HKEY_LOCAL_MACHINE-->Comm-->EAP-->Extension-->25
Name: "ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off
I have personally tried this and works like a charm, please let me know if doesn't
Greetings from India
PS: remember to reboot your device once you have added the registry
neitin said:
The only thing you have to do is to add a DWORD Registry Entry under HKEY_LOCAL_MACHINE-->Comm-->EAP-->Extension-->25
Name: "ValidateServerCert"
Value: 1 to activate Validation, 0 to turn it off
I have personally tried this and works like a charm, please let me know if doesn't
Greetings from India
PS: remember to reboot your device once you have added the registry
Nice!!!! Thanks for the information . I will give this a try as my work wireless network presents the same problem.
It may be tied into the following info I found out there on the web, problem as described by someone else with the same or similar issue:
"the wireless controller was sending out EAP-Identity-Request packet very quickly (1 per second), so the time I typed my pass on the PDA, it has already received 5+ EAP-Requests and when I pressed OK, it was sending my Identity with Request-ID=1 and was rejected because the controller was already expecting a greater Request-Id.
I adjusted the timeout and voilà !!! Here is the command line for Cisco Wireless Controller 4402 (the value was set to 1s !) :
"
This info relates to WM EAP and Cisco's implementation of EAP.
I will try the regedit and see if this fixes things for me.
i tried doing this by entering a dword via regedit but i am still facing the same issue...please help

Stupid Simple Interop Unlock?

While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
This request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think it's the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file."
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to the API) the DeviceStatus call doesn't have a fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, what does it look like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the Fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what to do with the packet because the certificate generated by Fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
See last post. Are you guys installing the trusted root certificate on your phone?
compu829 said:
See last post. Are you guys installing the trusted root certificate on your phone?
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your Windows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
If you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps than necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying.
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, all I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and Windows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
On the phone there is the file "PhoneReg.exe", which works with this data, and it checks the certificate Common Name (must be Microsoft...) and Thumbprint against hardcoded data.
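The difference discussed in this thread, between a client that accepts any certificate chaining to a root in the device store and one that compares the certificate's Common Name and thumbprint with hardcoded values, shown as an added example that is not part of the original posts or of any Microsoft code. The host name, the root name "Example Service Root", the byte strings standing in for DER certificates, the simplified issuer-only store check and the choice of SHA-256 for the thumbprint are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def thumbprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def name_attr(peer_cert: dict, field: str, key: str) -> Optional[str]:
    """Read one attribute from the dict shape ssl.SSLSocket.getpeercert() returns."""
    for rdn in peer_cert.get(field, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def store_accepts(peer_cert: dict, trusted_roots: set) -> bool:
    """Simplified stand-in for chain validation: the issuer must be a trusted root."""
    return name_attr(peer_cert, "issuer", "commonName") in trusted_roots


def pin_accepts(der_cert: bytes, peer_cert: dict,
                pinned_cn: str, pinned_thumbprint: str) -> bool:
    """Pinned check: Common Name and thumbprint must both match hardcoded values."""
    cn_ok = name_attr(peer_cert, "subject", "commonName") == pinned_cn
    tp_ok = hmac.compare_digest(thumbprint(der_cert), pinned_thumbprint.lower())
    return cn_ok and tp_ok


def check_live(host: str, port: int, pinned_cn: str, pinned_thumbprint: str) -> bool:
    """The same pin check against a real server (needs network; not called below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return pin_accepts(tls.getpeercert(binary_form=True),
                               tls.getpeercert(), pinned_cn, pinned_thumbprint)


# Constructed sample data: byte strings standing in for DER certificates.
GENUINE_DER = b"constructed stand-in for the genuine leaf certificate"
PROXY_DER = b"constructed stand-in for the leaf an intercepting proxy issues"
GENUINE = {"subject": ((("commonName", "service.example.test"),),),
           "issuer": ((("commonName", "Example Service Root"),),)}
PROXY = {"subject": ((("commonName", "service.example.test"),),),
         "issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),),)}
PINNED_CN = "service.example.test"
PINNED_THUMBPRINT = thumbprint(GENUINE_DER)  # hardcoded at build time in a real client


def compare() -> dict:
    """Run both checks before and after the proxy root is added to the store."""
    stock = {"Example Service Root"}
    with_proxy_root = stock | {"DO_NOT_TRUST_FiddlerRoot"}
    return {
        "store_genuine": store_accepts(GENUINE, stock),
        "store_proxy_before_install": store_accepts(PROXY, stock),
        "store_proxy_after_install": store_accepts(PROXY, with_proxy_root),
        "pin_genuine": pin_accepts(GENUINE_DER, GENUINE, PINNED_CN, PINNED_THUMBPRINT),
        "pin_proxy_after_install": pin_accepts(PROXY_DER, PROXY, PINNED_CN,
                                               PINNED_THUMBPRINT),
    }


if __name__ == "__main__":
    for check, accepted in compare().items():
        print(f"{check:28} {'accept' if accepted else 'reject'}")
```

The store-based check starts accepting the proxy-issued certificate as soon as its root is installed, while the pinned check still rejects it because the leaf bytes, and so the thumbprint, differ even though the Common Name matches.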
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?
