We are running off a 2003 server. We do have webmail access. However, apparently we are using a personal security certificate. I can set up the activesync connection, but it never syncs.
I need step by step instructions on what I need to do, how to get the certificate off the server, import to my device, etc. HELP!
Assume I know nothing about Exchange, certificates, etc. - because I don't!
Exchange 2003
Have you resolved this yet? I have done extensive research on this subject. My first question: do you have Exchange set up on a laptop or desktop?
You need to install your private certificate authority as a trusted root certificate authority on your device. The following link talks about how to do this.
http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx
You can also disable the certificate checking. The communication would still be encrypted, but if you ever accessed another site where the certificate was invalid you would not be warned, so this solution is much less secure and therefore not recommended.
http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html
All, I need some help. I'm trying to utilize the Push Mail technology. I have set it up to sync with an Exchange server correctly; however, within our company we use certificates to authenticate. So I exported my certificate and imported it into my 8125. When I look at my certs on my 8125 I see that it imported successfully. Now when I try to sync it asks for the password and comes back with an error code of 0x85030028 (cannot obtain a valid cert). Now if I use PIE and go to OWA, which utilizes the cert as well, it sees it and authenticates just fine. For some reason ActiveSync isn't seeing it. Any ideas how to fix?
Geno
From what I know, you can't use certificates with Push email. You have to set up a new virtual site on the server running OWA, call it Exchange-PPC or something, and have it set for Integrated Authentication; then you would configure your device to hit the new site like http://www.site.com/exchange/username or something like that.
There's a little more to it than just setting up the site, some registry changes; check Microsoft's site for the error number and you'll find a KB document explaining how to set up the virtual site for syncing with your device.
Ever since buying the Wizard, I seem to be having trouble getting to our corporate OWA pages. In general, logging in works perfectly, and reading the first mail also works without hassle, but replying, reading other mail or whatever results in constant login screens.
On Windows Mobile 2003, there was a solution from Microsoft to circumvent this, but for WM2005 I have yet to see a solution.
Anyone?
You might try here or here to import personal certificates.
Do you need OWA or can you live with OMA instead? It's not elegant but it's functional.
Steven
Hello,
Why don't you use the ActiveSync synchronisation with the Exchange server? (If it is a 2003 server, of course!)
if it's an https site and using a private CA cert then download the root certificate from a desktop PC and run the .cer file on the handheld to import it. Really simple to do.
twaddle said:
if it's an https site and using a private CA cert then download the root certificate from a desktop PC and run the .cer file on the handheld to import it. Really simple to do.
Like jcleek mentioned, I followed instructions to import the certificate from my PC onto my Wizard. Still, after logging on to OWA, I get the same loop again. One mail can be read; every next action asks for my password again. :?
I have an 8125 with Summiter's 2.3 ROM installed. I am trying to establish a connection to my Exchange server, which is hosted. When I enter the server, user ID, password and domain info correctly, ActiveSync keeps prompting me with "Please correct your Exchange Server password".
My provider insists that the settings were correct on their side and their crack tech support staff told me that WM5 has problems storing the password. They said that the only thing to do is to keep deleting the server connection on the device and recreating it.
Through this persistence, I was able to get it configured once. It was syncing (with push email) for most of the day... until I connected the device to the PC with the USB cable to charge it. Then ActiveSync on the PC kicked in and the password prompts began.
I have deleted and reconfigured the server on the device in excess of 20 times now with every combination of soft resets in between to try to get this resolved.
Any thoughts? Your help is greatly appreciated!
***EDIT***
The email host needed to create a pre-NT4 alias for the user ID due to the naming convention used by our company in their provisioning console. Therefore, once I found out the alias, the config was a snap. Working perfectly now! Thanks.
What tech support for your host meant to tell you is that they do not have a clue what they are talking about. I support numerous WM implementations using AUTD and Push email with WM devices of all flavors that support one of those options (2003, 2003se, 2005) and NONE of my customers have to continually put in ANY information to keep syncing.
It is true that using the special sms tickle method of pull on 2003 devices does sometimes hang up and have to be restarted manually but even then you should not be asked for information you already saved about the connection.
Find a new mail host.
Well, since you have no problems setting up "WM implementations using AUTD and Push email with WM devices", I would love to hear your thoughts on why I keep getting a password prompt over and over again with the message "Please correct your Exchange Server password".
Using Cingular 8125 with stock 2.25 ROM.
Mobile services are enabled under ESM
Pre-2k alias is set in the username
SSL is installed on the server with front end virtual directory
I have disabled certificate checking on the device itself by hacking the registry on the device, since I'm using a self-signed cert
Exchange SP2 is installed
ActiveSync on the PC with USB works like a charm
But trying to sync over GPRS/EDGE with the Exchange server, it keeps prompting me to correct the Exchange server password, which I know is correct since I administer the server myself.
I've seen NUMEROUS posts about this issue but no one seems to have the answer.
This is driving me completely bonkers
You say you can sync while connected via USB to a computer but you do not specify whether that computer is INSIDE or OUTSIDE your network. So I am going to assume it is INSIDE, and bet that were you to try the same test from OUTSIDE your network it would fail just as it does using GPRS. If so the indications point to incorrectly putting in your user name/domain information and not the password itself.
I assure you, the domain\username and password combinations are quite right. It's DOMAIN\username and then the password. I mean you can't really get away from that format when you enter the information in the pocket pc or activesync on your pc since it asks you for the domain and the username and the password. I can however login to webmail and oma through the web browser using the exact username and password.
Any more thoughts?
I have no more thoughts until you answer the question I asked. Can you sync while connected to a computer that is OUTSIDE your network?
When putting in your information on the mobile device, in the username field if you are putting domain\user you are wrong. That box is USER NAME ONLY.
Let me start over again. No, usb or gprs outside doesn't work. And yes, the username is put in as just the username with no domain\ in front of it. Activesync substitutes the domain from the domain field as domain\ is what I meant.
So it doesn't work from outside no matter what the connection. Again, the problem is the domain reference. We just have to figure out what is wrong with it.
From outside your network, can you access Outlook Web Access? If so, EXACTLY what is the URL you use?
I'm using https://servername/exchange
I can also use https://servername/oma from the phone and it works too.
I would really like to see https://servername/exchange work from outside your network. I am interested to know how you got a NETBIOS name to resolve from outside your DNS zone over the internet.
Please read the question asked before answering so I can stop asking you the same thing twice. I asked you:
From outside your network, can you access Outlook Web Access? If so, EXACTLY what is the URL you use?
Your answer might work inside your network but no way will it work outside. And if you are afraid that advertising your domain name will compromise your Exchange box you should just shut it down anyway.
Ok,
I'm REALLY trying to be tolerant here. Unfortunately, I'm starting to reach the end of my patience. You and I BOTH know that I'm not advertising my NETBIOS name on the Internet. We BOTH know EXACTLY what I mean when I say https://servername/exchange. It means a URL accessible from the outside which points to the server via NAT on our firewall and then /exchange. So, here's the URL:
https://mail.glaucomaexpert.com/exchange
When I say that webmail works, I REALLY REALLY mean that it works. I'm not making it up. If you don't know the answer or if you are not sure of the answer, just let me know. That's no problem. I'm really starting to think that this issue is due to the registry hack on the phone to remove certificate checking.
Unfortunately, I'm using a self-generated cert and I've tried using the .cab method to import the cert; that didn't work. I simply copied it into a file (DER encoded) and tried to import it: no workie either. I tried copying it as Base-64 encoded, copied it to the phone, and when I tried to import it, it said it was unable to access the certificate. Before I disabled certificate checking, it wouldn't accept the certificate. So now it accepts it but keeps asking for the password.
I have gone over the exchange settings over and over and over again and I'm simply not seeing anything wrong.
So....here's where I am.
Great. Thanks for answering the question. So in your server configuration fields you are filling in those blanks like this:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name which may or may not be the same as your FQDN
Does all of that sound like what you are using? If you feel more comfortable PMing the information then that's fine. But your settings should resemble what I wrote.
Are you forcing users to use SSL for Outlook Web Access? If so, you might try turning it off TEMPORARILY and test syncing without requiring SSL to eliminate the self-signed cert possibility. I won't be much use troubleshooting that as I get my customers to flip for a Thawte certificate to avoid untrusted root cert authorities.
That's exactly what I'm using:
Server Address: "mail.glaucomaexpert.com"
User Name: "jdoe" or whatever your user ID is
Password: "Password1!" Your CaSE sEnsiTIvE password
Domain: "myeyessuck" your internal NETBIOS domain name
Under secure communications I do not have require secure channel checked.
I just enabled http(port 80) access to the exchange server and it's working like a charm.
So I guess it's still a certificate issue. I guess disabling certificate checking is not doing the trick but instead causes more problems.
I really wish I could import the self-signed certificate. This really sucks. Your help is appreciated. Thanks. I should have tried this before. I just assumed this registry hack wouldn't have any bearing on it originally.
@deeztech - I'm also suspicious of the registry hack to disable the certificate checking. This worked for me in the 2003 days with my clients' Blue Angels but I've never been able to get it to work with WM5. I have numerous Exchange 2003 servers that I maintain here in So. Fla and they all have self-generated certs. I use MMC and add the Certificates snap-in. From the Trusted Root Authorities I right-click my certificate - All Tasks - and then export to a DER encoded X.509. Copy it to my storage card and execute it from there.
Of course it sounds like your certificate is installed correctly as your logon to OWA and OMA are working which is why I suspect that reg hack you mentioned.
I did read on exchange-experts to check the authentication on the webserver....
Curious if it's just your PDA or are there others with the same issue?
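Given the DER and Base-64 import attempts deeztech describes and the MMC DER export in the post above, here is an added example (not code from any poster) that sanity-checks an exported .cer before it goes to the device: it unwraps a Base-64 (PEM) export to DER, transcodes a UTF-16 text copy, and checks that the outer ASN.1 SEQUENCE length matches the file size, so a truncated or wrongly formatted copy is caught before the device reports that it cannot access the certificate. It assumes only the Python 3 standard library and a .cer file exported from the Certificates snap-in.

```python
import base64
import re
from typing import Tuple

# Body of a "Base-64 encoded X.509 (.CER)" export, i.e. PEM armour.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> Tuple[bytes, str]:
    """Return (der_bytes, detected_format). A PEM export is unwrapped, a UTF-16
    text copy (e.g. re-saved by Notepad) is transcoded first, DER passes through."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        data = data.decode("utf-16").encode("ascii", "ignore")
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split())), "pem"
    return data, "der"


def der_sequence_length(der: bytes) -> int:
    """Parse the outer ASN.1 SEQUENCE header (tag 0x30) and return the total
    encoded size including the header. Raises ValueError for anything else."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte is not 0x30")
    first = der[1]
    if first < 0x80:                # short form: one length byte
        return 2 + first
    n = first & 0x7F                # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_cer(data: bytes) -> dict:
    """Report whether the file is DER the device can import and whether it is complete."""
    der, fmt = to_der(data)
    try:
        declared = der_sequence_length(der)
    except ValueError as exc:
        return {"format": fmt, "ok": False, "reason": str(exc)}
    if declared != len(der):
        return {"format": fmt, "ok": False,
                "reason": f"declared {declared} bytes, file has {len(der)}"}
    return {"format": fmt, "ok": True, "der_bytes": len(der)}


if __name__ == "__main__":
    import sys
    # Usage: python check_cer.py exported_root.cer
    with open(sys.argv[1], "rb") as fh:
        print(check_cer(fh.read()))
```

If the result is "ok" with format "pem", write out the returned DER bytes as the .cer you copy to the storage card; the device importer does not accept the Base-64 text form.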
Glad you narrowed it down. Unfortunately I don't have a magic bullet for the self signed certificate piece but I do have some suggestions for you.
1) Enable forms based authentication: http://support.microsoft.com/kb/830827/
2) Require SSL for access
3) Unless you intend to offer services you might turn off the default website at https://mail.glaucomaexpert.com/
If you are interested in a cert from a trusted CA check out Thawte, where you can get an SSL123 certificate in just a few minutes for as little as $149: https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2
Hi all,
I am new to the HTC (just got one this week), and would love to get push email working from my Exchange 2003 server.
I have used the reg hack to stop WM5 from requiring a valid SSL cert, and installed my Exchange 2003 server's SSL certificate on my device.
However, when I try to connect, the device keeps prompting me for my password, and does not accept it when I enter it.
I have seen this on other forums, but never seen a solution to it. I would be very grateful for any advice.
Great site btw!
first of all.. you don't need a reg hack to get SSL working..
just look at this site.. for your server..
http://www.visualwin.com/SelfSSL/
follow these steps.. remember.. if your server is available under
https://blabla.com/exchange name your SSL certificate: blabla.com
After this go to https://blabla.com/exchange and install the certificate in your IE on your PC..
then in IE Tools -- Options --- Content -- Certificates -- Trusted..
find your certificate and export it to your desktop. now with ActiveSync transport your certificate to your mobile and install it, just by clicking on it.
Now the problem that you have is the auth part on your IIS on the Microsoft-Server-ActiveSync virtual directory..
On the default directory set plain, NTLM, and Windows Integrated
auth options on..
on Microsoft-Server-ActiveSync only plain text and NTLM.
If this won't work, play around with auth settings on the Microsoft-Server-ActiveSync virtual dir.. trial and error.. but somewhere there is your answer and your problem.
IMPORTANT turn off: require secure channel (SSL) on your server
Windows Mobile cannot work with that
Yeah, SSL needs to be enabled and set up on the Exchange server. Also check your user policies to make sure they are set up correctly. We set up Exchange systems daily at work and the most common problem we see is someone has messed up their policies in Exchange.
Thanks for the replies
I have had another crack, but am now getting an error on ActiveSync when syncing:
Support Code: 0x85010014
I am not sure what this points to....
I am still a little confused with my IIS6 authentication settings.
My "Exchange" vdir is set to Integrated and Basic authentication.
My "Microsoft-Server-Activesync" app is set to basic only.
My "OMA" app is set to basic only.
The "Exchange" vdir is the only one set to require ssl connections.
Thanks again for your time.
Fixed it! Followed this guide from Microsoft that helps create an OMA directory especially for use by ActiveSync without using SSL:
http://support.microsoft.com/default.aspx?kbid=817379
I have searched and searched for an answer to this problem and have not been able to find anything. Hopefully someone here has run into this before and might have an idea or solution. Here is my problem.
I have two Exchange servers (2003 SP2), one of which is a front-end server handling OWA and OMA. We sync about 18 Windows Mobile 6.1 devices over the air using OMA. We are using SSL. All of our devices have random problems connecting to the server. They will sync fine most of the time but will randomly, for no particular reason, ask the user for their Exchange password. We are not enforcing any password policies on the server and we are always checking the box to save the password. In order to get the device syncing again the user has to re-enter their password multiple times and often has to kill and restart ActiveSync on their device.
Any ideas as to what might be causing this?
Any help would be much appreciated.
You could try unchecking the box in ActiveSync on the phone that requires SSL. We use SSL as well, but we have to uncheck that box on the phone. Although our problem is that the phone never syncs when it's checked, as opposed to your problem of randomly not syncing and asking for a password.
Unfortunately that is not an option. Our SSL is required for authentication. It will not connect without it. It seems like what is happening is that the device is not always passing the credentials to the server. Usually when it asks me for the password I enter the password once making sure I check the Save Password box then when it asks me the second time I hit cancel. ActiveSync then gives me a could not authenticate error. Now if I just hit Sync again it goes through and works just fine without asking for the password. So my guess is that it is not passing the credentials until after the connection is reinitialized.
From what I understand, Push Email relies on the OMA functionality, which uses IIS. The problem may lie there. Although I've never tried, you may have to uninstall/reinstall (or confirm) that the OMA part of Exchange is functioning correctly. Sorry I can't be of more help.
Do the log files on the server show anything when a phone can't log in?
No, the Exchange logs don't show much. I almost think it might be something with the device configuration. At this point I just don't know. We will be migrating to Exchange 2007 sometime in the next few months. Hopefully that will resolve the problem permanently. I was just hoping maybe by some chance someone here had seen this problem before. Thanks a bunch for your help.
Is the FE server doing the authentication (NTLM) or is there an ISA server in the way configured with Forms Based Authentication? You should make sure the IIS virtual directory for OMA is set only for Basic Auth - and the following article might be worth a read.... http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1188440,00.html
Hope that helps - good luck!!
Mark.
^^^What he said. Took the words right out of my mouth. You'll still be secured through the SSL certificate, even though you're doing "basic auth" you aren't exactly sending your password as clear text. Requiring SSL on the OMA site will automatically encrypt the connection so you have no need to worry.
Try it out and get back in here. I manage a site with about 50 WM 6.1 Black Jack II's that sync with Exchange 2007 with no issues whatsoever. Also verify that you have all your hotfixes related to OMA installed on your Exchange 2003 server.