My IT guys have been trying to get this push email thing working and it seems to be one difficulty after another and is not as simple as pressing "push email" in the connection icon....
Our latest error appears on my device with the above error code stating
"the security certificate on the server is invalid. contact your exchange server administrator or ISP to install a valid certificate to the server".
I have read that I need to buy a public certificate from a public authority (CA) or similar such as Verizon or Thawte. Is this the case, or is there a simpler way to get this push email working using the existing configuration and setup of the server?
We use exchange SP2, with outlook 2003 all around. Internet based webmail works correctly with full access, and activesync via PC works perfectly, but push email encounters the above error.
Any suggestions?
are you sure it's 80072fd or 80072efd ?
I don't have a solution, but the problem is described in M$ knowledgebase article: 915438 - see attached Acrobat .PDF.
I had already tried the suggestion in KB915840 to import the certificate from my sbs2k3-domain, but this had failed with "cannot access the certificate" - even with them on the device. However, certificates from my clients' servers, both sbs2k and sbs2k3, import without problems. This happened both before and after o2's AKU2 ROM update - so AKU2 is not the problem. In addition, I spent Easter *totally* reinstalling sbs2k3 and tested it immediately afterwards. All the sbs2k3/Exch2k3-Sp2 boxes are fully patched. The certificate itself is correct/working, since it works for Outlook Web Access via the web with laptops and even the Exec (Universal).
Whilst sync'ing from the workstation via ActiveStink/USB, if you turn off the SSL requirement the sync succeeds, but that's obviously not a working solution via the 'Net.
Update:
Just had a thought, and checked the various certificates in a hex-editor. The one from my sbs2k3 box is a completely different format. :? I'll see what I can find out.....
maybe not related, but here's a list of all ActiveSync Server Error Codes: http://blogs.flaphead.dns2go.com/archive/2005/11/21/3202.aspx
80072f0d
Sorry, the correct code is 80072f0d.
I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I can't take it down just to fix my one desire to have push email.
But I do find it painful and frustrating that Microsoft do not adequately support their own platforms and systems don't integrate as they should and as they are promoted.
M$ sks.
Re: 80072f0d
simon_darley said:
....I know your pains astage, but there is no way we are pulling the box down and putting it back up again, our server hosts 30 + staff simultaneously and I can't take it down just to fix my one desire to have push email.....
I'm not sure if it was clear from my reply - too tired - but rebuilding the server did not help at all.
Yeh, the pains of rebuilding SBS and having it all configured and running correctly when the staff arrive in the morning is not something I do willingly - hence the use of the holiday. It was done only as a last ditch attempt to solve this and another problem that had Micro$oft totally stumped - not related.
There is a difference in the certificate formats, so that's where I'm concentrating my efforts now. Will let you know what I find.
80072f0d error - the fix!
Just spent the past hour kicking and calling myself an £$%&* idiot.:x
Anyway, to cut the story short, the problem *is* indeed the damn format of the SSL certificate exported by sbs2k3. For the WM5 device to import it, it needs to be in DER X509 format.
If you have imported it into your PC/laptop for OWA/OMA/RWW, then you can easily export it from IE's Internet Options into DER format.
From Internet Options:
- go to Content-tab
- click Certificates-button
- find and highlight your certificate - I had imported mine into Trusted Root Authorities
- click Export-button
- click Next on wizard page
- enable the "DER encoded binary X.509 (.CER)" radio-button, and click Next
- enter a suitable path & filename, e.g.: "myserver.cer"
- click Next, click Finish, click Ok.
- Now copy the certificate to your PDA via ActiveSync.
- Open File Explorer on the PDA,
- Find the certificate file and launch it.
- click Yes to import it and you're done!
I think the reason why my sbs2000 certificates worked was that I had installed Certificate Services on those boxes and exported those certificates from there. I don't understand why some of my client's sbs2003 certificates were in DER-format, and others weren't, but we are talking about Microsoft software, so what else should I expect......
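The format check described in the post above, as an added example that is not part of the original thread: it tells apart the three encodings the Windows export wizard offers (DER binary, Base-64, PKCS #7 bundle) and returns the bare DER bytes the device import needs. The function names and the two sample byte strings are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData, used by .p7b)
PKCS7_OID = bytes.fromhex("06092a864886f70d010702")

# Constructed sample inputs: ASN.1 skeletons with the right outer shape,
# not real certificates.
SAMPLE_DER = bytes.fromhex("300e3003020101300306010003020000")
SAMPLE_P7B = bytes.fromhex("300d06092a864886f70d010702a000")


def read_tlv(buf):
    """Parse the outer DER header; return (tag, value_start, value_end)."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    tag, first, pos = buf[0], buf[1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, pos, pos + length


def classify(data):
    """Return (kind, der); der is set only for a single X.509 certificate."""
    m = PEM_RE.search(data)
    if m:
        if m.group(1) != b"CERTIFICATE":
            return "pem-" + m.group(1).decode().lower(), None
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except binascii.Error:
            return "corrupt-pem", None
        kind, der = classify(body)
        return ("pem-x509", der) if kind == "der-x509" else ("corrupt-pem", None)
    try:
        tag, start, end = read_tlv(data)
    except ValueError:
        return "unknown", None
    if tag != 0x30:                      # every format here is a SEQUENCE
        return "unknown", None
    if data[start:start + len(PKCS7_OID)] == PKCS7_OID:
        return "der-pkcs7", None         # certificate bundle, not a bare cert
    if start < end and data[start] == 0x30:
        return "der-x509", data[:end]    # Certificate starts with a SEQUENCE
    return "unknown", None


def normalize_to_der(data):
    """Return bare DER bytes for a DER or Base-64 cert; refuse anything else."""
    kind, der = classify(data)
    if der is None:
        raise ValueError("not a single X.509 certificate (detected: %s)" % kind)
    return der


def sha1_thumbprint(der):
    """Hex SHA-1 of the DER bytes, to compare with the source's thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def to_pem(der):
    """Wrap DER in Base-64 armor (used here to build the second sample)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("base64", to_pem(SAMPLE_DER)),
                       ("p7b", SAMPLE_P7B)]:
        print(name, classify(blob)[0])
```

Comparing `sha1_thumbprint()` of the converted file with the thumbprint shown on the server is a useful check before the import, because the device will afterwards trust that certificate as a root.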
msfp and 80072f0d
After testing a few different certificate variations, the engineers that maintain our servers were able to send me two alternative certificates, one or both of them appear to have worked effectively.
So it imported, and now my active sync works for receiving these emails, now I need to look at these heartbeat pings and find out how I set the periodic checking.
Just wondering, normally if you dial a gprs/3g connection, you pay once, and stay connected all day. Does this now mean that it connects, downloads, disconnects, then 5 minutes later reconnects, downloads, and disconnects, thus paying a much larger reconnect fee every time?
I am playing with this as a new toy, but I can see the costs are going to go ballistic....
and... perhaps for all those that are already experienced here, how does one send an email that remote wipes the device?
is there a command, or a key word or something that makes the system realise the remote wipe command....
sorry, I know this is off the topic of my original post, but thought you might know.
if not, I can start a new topic....!!!
The certificates that I was given were a server.cer and a root.cer.
If anybody needs to know, I can ask the engineers how they did what they gave me to get it to work.
The remote wipe is done from the sbs2k3 box - or rather the box running Exchange2k3Sp2. Your admin needs to install a small tool that he (Domain Administrator credentials needed) then accesses via IE.
Microsoft has published a new white paper (Feb 2006) that describes the whole procedure - just a shame they missed the need for the certificate to be in DER format. The white paper is: "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003".
I am using mail2web free service to have my mail pushed to my WM5 device, but I don't like the idea of forwarding my private email to a company I don't know and I don't trust.
Normally I have my email at a home mail server running linux, and I was wondering if there's any open/free solution compatible with directpush technology to replace the need for an exchange 2003 server.
If it does not exist (I have been searching and couldn't find it), what is preventing someone from writing a free replacement? patent issues? authentication issues? I haven't sniffed the protocol yet, but I think it's impossible that no one has thought about it before... wouldn't you like to have your home imap server pushing your inbox to your PocketPC phone? If the protocol is not very obscure it should be easy to write a daemon that does it...
any thoughts or experiences?
Kerio Mail Server has the push compatibility.
Not free though, but it is an alternative to Exchange.
Their latest beta supports it. I reported a bug to them re: contacts getting corrupted but they say they fixed that in the latest build.
Can't retest now since that server is at another site I won't be visiting for a while.
Hmm the directpush "protocol" is pretty trivial it shouldn't be impossible to implement an open alternative.
I installed the latest Kerio MailServer yesterday. It works great!
Especially nice is that it runs on XP as well as Linux. Too bad about the price!
pof, have you had the chance to sniff the protocol?
not yet ivorh, been too busy with many other things, but this is still on the queue
sniffed
Heh, got bored so I setup an exchange account and sniffed the packets.
I'll go through them and post some details when I get a chance.
great ivorh!
Can you attach a capture in pcap format?
update and thoughts
Pof,
Hmm, ok a bit more thinking and digging and I'm not sure implementing an open alternative directly is that useful. Let me explain why:
The direct push only works with the outlook exchange active sync. When the device gets a "direct push" byte, it triggers a sync with exchange - the functionality is tightly bound together, and as far as I can tell you can't dip in and get it to do something else. So to get it working you would need a server providing the exchange http interface. This wouldn't be impossible but would need a lot of effort for little benefit.
I took a look at the open-exchange but that doesn't seem like an ideal solution since it would require a completely different server installed rather than IMAP or POP and as far as I can tell the Outlook connector isn't one of the open-source components anyway.
Now what I'm currently thinking would be a neat workaround would be to implement a custom "direct-push" to basically do exactly the same, have a client app on the device open an http connection to a server running, er, "OpenPush" if you like... use exactly the same technique of a keep-alive connection and occasional heartbeats, but on a message notification on the client get the client to trigger an IMAP pull.
Now this is where I need some advice.... I haven't done any Windows Mobile development yet, so can anyone tell me what sort of API is available to the messaging app? Can you/how do you trigger a mail pull? (oh someone please tell me it's not the same horrible old MAPI interface??).
PS I've just been capturing the data using a simple http proxy actually, I'll make some samples and upload them with descriptions.
Cheers,
Ivor.
http://www.ivor.it
Hi pof,
try funambol. It was formerly known as Sync4j. I once found it when I searched a complete sync solution that I could implement in the mailserver of my company. We are using kolab so I only tried the old Sync4j cause there is a kolab connector available for v2.3.
v3.0 implements (real) Push-Mail. Microsoft Active Push works with a http connection that is opened by the client. Funambol Push-Mail connects to a port the client opens. I didn't want to test any further cause I'm using a Wapflat and thus only get an internal IP and have to use a proxy.
http://www.funambol.com/opensource/
Perhaps this is what you are searching for
What I forgot to say: For funambol you install a java program on your phone which will insert the received mails in your Pocket Outlook
Yay!
Pof,
Ha! Ok I've whipped up a version 0.0.0 of OpenPush. and it works rather nicely!
Basically it consists of two parts: one is an app that runs on the mobile and operates in the same manner as DirectPush. It opens up a socket connection to the server and waits for a notification byte. If it receives a byte it kicks off a mail retrieval.
The other is a daemon that runs on the server and watches for a change in the user's mailbox; if it changes (i.e. a mail has arrived) then it pops a byte down the socket.
It just needs finishing now...
Currently the daemon is just an app that listens on a dedicated socket. I plan on turning it into a mod_perl module and using http keep-alive in the same fashion as directpush.
Regards,
Ivor
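The two halves described in the post above, as an added sketch that is not Ivor's OpenPush code (the original was written in Perl): a server-side poll step that watches a mailbox path and writes a single byte to the held-open socket, and a device-side wait that turns that byte into a fetch decision. The byte values, function names and the heartbeat counter are assumptions made for this example.

```python
import os
import select
import socket
import tempfile

NOTIFY = b"\x01"     # assumed value: "mailbox changed, go and fetch"
HEARTBEAT = b"\x00"  # assumed value: keeps the idle connection alive


class MailboxWatcher:
    """Detects changes to a file or directory by comparing (mtime, size)."""

    def __init__(self, path):
        self.path = path
        self.last = self.signature()

    def signature(self):
        st = os.stat(self.path)
        return (st.st_mtime_ns, st.st_size)

    def changed(self):
        current = self.signature()
        if current != self.last:
            self.last = current
            return True
        return False


def server_tick(conn, watcher, idle_ticks, heartbeat_every):
    """One poll cycle: NOTIFY on change, HEARTBEAT after too many idle ticks.

    Returns the updated idle tick counter.
    """
    if watcher.changed():
        conn.sendall(NOTIFY)
        return 0
    idle_ticks += 1
    if idle_ticks >= heartbeat_every:
        conn.sendall(HEARTBEAT)
        return 0
    return idle_ticks


def client_wait(conn, timeout):
    """Device side: block on the socket; say what the client should do next."""
    ready, _, _ = select.select([conn], [], [], timeout)
    if not ready:
        return "timeout"   # no heartbeat seen: treat the link as stale
    byte = conn.recv(1)
    if not byte:
        return "closed"    # server went away: reconnect
    return "fetch" if byte == NOTIFY else "alive"


if __name__ == "__main__":
    # Constructed demo: a temp file stands in for the mailbox, a socketpair
    # for the device <-> server connection.
    server, device = socket.socketpair()
    with tempfile.NamedTemporaryFile(delete=False) as box:
        box.write(b"old mail\n")
    watcher = MailboxWatcher(box.name)
    with open(box.name, "ab") as f:
        f.write(b"new mail\n")
    server_tick(server, watcher, 0, heartbeat_every=3)
    print(client_wait(device, 1.0))
    os.unlink(box.name)
```

The channel carries only the wake-up byte; the mail itself still travels over the client's ordinary IMAP pull.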
ivorh, that sounds cool!!
I had a look at funambol but seems too 'bloated' for my needs, I think your OpenPush will be more tight to what I was looking for, so if you want a beta tester just send a link to it
Is there any specific server configuration? I am running a Gentoo server with courier-imap, sendmail and apache2.
Any chance you could extend the daemon so other programs can tie into your new-item notification? It would be cool to write a program that can keep files synchronized over-the-air with a desktop machine using push synchronization.
Pof,
Yeah it's just a prototype at the moment. So I need to write it properly next. At the moment the requirements are simply "perl". It's independent of mail system, it simply monitors a directory/file you give it for changes.
I'm going to write it to be a mod_perl module for various reasons, so the requirements will be just apache and mod_perl.
I'll hack some more tonight and try and get a 0.0.1 ready.
aatreya,
Well I'll keep it simple for now and just doing one job well.
Sounds interesting to me.
I am new to this. Pardon me for some questions.
Do I need to buy a server at home?
This server can be any OS?
I am really happy to see some people trying to do just about the same I intended to. Today I started experimenting with Open-Xchange. I also have a Gentoo server that provides an ebuild for Open-Xchange, but after a bit of browsing it just seems like the thing MS Exchange and OX have in common is the similarity of their names. So installing OX and doing all the Exchange stuff with it does not seem to be an option.
So I looked into Funambol - sort of again. About a year ago I already tried to get Sync4J running to sync my SyncML phone. I did not succeed, but that just makes me eager to try it harder this time.
I also have to use a Proxy-Server for my GPRS connection but I want to have it working via WLAN, too, hence without proxy and the whole tunneling disco.
PS: Ivor, I am glad to meet You once again. When our roads crossed the last time, You just figured out how to get the CLE266 MPEG2 stuff working, respect!
A very rough pre-alpha version should be ready this weekend. I can only apologise in advance for the quality of my WM5 app!
But it's "working for me".
CWKJ,
At the moment the "server" is simply a perl app that watches for changes to a directory or file so it's pretty portable. I run it on linux since that's what my mailserver is on.
As for needing a server at home... well it's entirely up to you, really you want the server running wherever your mail is retrieved from.
If the app/system gets a bit more polished and advanced you might even find independent ISPs willing to add it as a service.
rabinath,
Heh! Small world.
I'd also like to be considered for Beta testing when available,
I run Ubuntu 5.10 Server at home, hosting 5 domains for myself, and would Love to not have to forward them through mail2web anymore as I don't like to reply because it will go through Mail2Web. I know I can create a separate "account" in Pocket Outlook but you can only have 5. I need more than that...
With direct push over the o2 wap proxy all https connections are closed after 2 min. This is because every 2 minutes a new sync is needed. This eats much battery. So why is it not possible to make a ppc client that just sends the current ip address to the client on the server, and the server just pushes the email to the known ip address? The client on ppc just has to send a new ip in case it changes. This would be much better for battery life.
That's the reason Exchange-Activesync works the way that it does. The server sends out a text message that is handled at the system level on the PPC, and this is basically an instruction to sync with the server. No unneeded traffic just to check if there is anything new.
Most Cellular service providers are using NAT technology so reporting your IP address to a server and telling it to make a connection to that IP, would just be telling the server to connect to the "gateway" back into the Cellular network. A text message sent to what is called the "SMTP Gateway" for each service provider will get to the phone no matter if the phone's IP changes.
Hi,
Found lots of interesting little programs for my Windows Mobile phone recently, but one thing I can't find.
I want to be able to access the files on my phone from the network, via wifi (as a normal file share). I know it can be done the other way around, ie I can see files on the network from the phone, but haven't found anything to make the phone share its own files.
Is this possible? Can't see any particular reason why not - networking obviously works the other way, I know you can get http and ftp servers for the phone. Am I just missing something?
If there isn't a program out there that can do it, is it because no one's found a use for it and so not developed it, or is there a technical reason why it can't be done?
Any help much appreciated!
David
google this:
Mocha FTP server
I'm trying hard to like my x1, can anyone help?
Whenever I try to access OWA using either PIE or Opera I get a page cannot be displayed error. Anyone else seen this and got a solution? OWA works fine using my E90 S60 browser.
Thanks, Martyn.
Just tried it on Opera 9.5 build 15202 and it renders really nicely - pleasantly surprised!
Doesn't work in my Opera Mobile. Can't remember the build. It's the one with Manila favs from Itje's thread.
It works nice and is really fast (as always) in latest Opera Mini.
martynb said:
I'm trying hard to like my x1, can anyone help?
Whenever I try to access OWA using either PIE or Opera I get a page cannot be displayed error. Anyone else seen this and got a solution? OWA works fine using my E90 S60 browser.
Thanks, Martyn.
Try Opera Mini.
I'd not like to use Opera Mini for sensible sites like OWA. It transmits logins over a proxy, I don't think it's a good idea...
Why don't you use Active Sync? You can sync it manually and e.g. only for the last days. But for the most it uses less traffic than visiting the OWA site every day...
Better yet, set up your push email. It keeps a HTTPS session alive. You just need to install the certificate on your PC to set up the sync, which you can get from OWA.
bedlam_au said:
Better yet, set up your push email. It keeps a HTTPS session alive. You just need to install the certificate on your PC to set up the sync, which you can get from OWA.
How?
Will it work without OMA (mobile access)? I don't think so. We don't have a frontend server to support ssl connection from mobile devices, and I'm pretty sure I've tried everything.
If you have a magic way to make it work I would really like to know.
I've been having the same problem...
...and I tried Activesync, but I get a 'certificate' error. I can't figure out how to get the certificate on my device.
I spent days searching the web for an answer... and I gave up after a while.
Oms said:
I've been having the same problem...
...and I tried Activesync, but I get a 'certificate' error. I can't figure out how to get the certificate on my device.
I spent days searching the web for an answer... and I gave up after a while.
If you have the .cer file, you just copy it to your device like any other file and run it from there. It should install. I had a few weird cert errors when trying to get mine to work but random poking and prodding seemed to get it up and running eventually.
maedox said:
How?
Will it work without OMA (mobile access)? I don't think so. We don't have a frontend server to support ssl connection from mobile devices, and I'm pretty sure I've tried everything.
If you have a magic way to make it work I would really like to know.
To be honest, I don't know, I'm not the exchange admin.
My company's fairly tightfisted when it comes to IT expenditure, so I'd be surprised if they forked out anything extra.
A cursory glance at MS's documentation implies that it shouldn't be necessary because as far as the exchange server is concerned, it can't tell the difference between WinMo's client and a regular web browser. I stand to be corrected by someone who actually knows what they're talking about.
Try installing the cert and setting up your server in Active Sync. It should just work.
I had a problem in my work getting this working but after a clean install of OWA on our front end server everything worked properly. The only thing needed on the X1 was to import the cer file if you're going to use Exchange/Active Sync connection as someone has already suggested.
IE and Opera always worked it was just Active Sync which had problems.
I've just recently got an X1 and been trying furiously to get active sync to work. But as I don't have access to the exchange server at work, I've been trying to find out how to obtain a copy of the cert from my outlook.
Haven't been able to find anything, any suggestions would be much appreciated!
Grab the cert from the OWA website, cause it should be SSL encrypted. The browser shows the encryption with a small lock symbol. Click on it and get more information about the cert. When you opened it, open the cert for the CA shown on the last register. In there choose "save to file" and copy it to your phone.
On the phone open the cert with any file explorer, that will import it into the phone's cert store. From now your phone will trust your company internal CA.
This way is only useful if your company uses self generated certs with an internal CA. You can see this if your browser at home (the pc there has nothing to do with your company) shows a cert warning when you open the OWA website. If you really can't get access to this site from the internet, forget all of the above
Brilliant! I'll give that a go when I get home! I'll let you know how I get on.
Thanks again mcfisch!
I just realised what I did wrong the first time. Under server, I put the wrong address didn't I. However, I've come across another problem. Where it asks for the login credentials, there's username, password and domain, what do I put under domain?
It's all sorted now! I can't believe I was being such a dumbass! I was over complicating things way too much!
Happy days!!!!!!!!
I have just installed the Citrix Receiver in hopes that I could connect to my Office's network remotely.
I have been able to connect to my published desktop but when I try and connect to a published app I get "Error SSL/TLS error: The certificate Validation failed."
The iPhone I have is able to connect without problems. Now I'm trying to work out if it is a 1.6 limitation or if there is a way for me to connect by updating the certs on this X10.
Anyone had any similar issues?
Turns out it's a limitation of the current android OS which isn't fixed until 2.2!
The Verisign CA class 3 Cert is not included on android versions 1-2.1.
It just seems that everyday there's something else I can't do on this phone.
I'm finding it harder to find reasons to keep this phone and not go for the desire!
Maybe you should take a look at this article from the Citrix Knowledge Center:
https://hqextsrvsft01.citrix.com/article/CTX125431
It helped me to import "TC TrustCenter Class 2 L1 CA XI" into Android's root certificate store. Now I can use Citrix Receiver from market with my work environment (which NEVER worked before), yeah!!
nachtschicht said:
Maybe you should take a look at this article from the Citrix Knowledge Center:
https://hqextsrvsft01.citrix.com/article/CTX125431
It helped me to import "TC TrustCenter Class 2 L1 CA XI" into Android's root certificate store. Now I can use Citrix Receiver from market with my work environment (which NEVER worked before), yeah!!
Hi, may I ask how did you get your TC TrustCenter cert? I have the same problem with connecting to my work environment via citrix receiver.
I have tried the same steps but it didn't help. My cert is a "Class 3 Public Primary Certification Authority" from Verisign, and I exported the cert from my PC's browser of the site.
I downloaded my certificate from here:
http://www.trustcenter.de/infocenter/root_certificates.htm
I assume Verisign is offering a similar service.
Thanks for replying.
Just to share my experience.
Turns out my cert is the correct one all this while, for some reason, on top of adding the cert to cacerts.bks, I have to use the default android browser to navigate to the site with the cert and "accept" the cert from browser, after which everything works like a charm.
The bad news is that this particular cert seems to conflict with android market, because I can't download any apps after this, saying "network error".
So my current workaround is to keep 2 versions of cacerts.bks, and swap them whenever I need to use citrix receiver.
I am suspecting that android market could be keeping this cert for its own use hence did not include it in their list. If that's the case it would be quite a stupid design decision. I hope I am wrong.
nachtschicht said:
Maybe you should take a look at this article from the Citrix Knowledge Center:
It helped me to import "TC TrustCenter Class 2 L1 CA XI" into Android's root certificate store. Now I can use Citrix Receiver from market with my work environment (which NEVER worked before), yeah!!
Hi!
Would you, please give steps here?
The article has been removed from citrix site...
Thank you.
Workaround...
I found a workaround for this Citrix Receiver issue when using Gingerbread ROMs. When my phone was running on Froyo I had no issues using the receiver. So I went back to Froyo on my phone where the receiver worked fine, and copied the cacerts.bks located in /system/etc/security to my machine (using adb pull command). Then I installed my Gingerbread ROM again and copied this certificate from my computer over the one in Gingerbread ROM in the same location (using adb push command), and Citrix Receiver works! I'm not sure what newer things the Gingerbread cacerts.bks have, as there is a substantial difference between both files (61391 Froyo vs 143095 Gingerbread), but everything seems to be working normal, including Market.
Hope this works for others the same it worked for me.
I have the same problem on SGS running 2.3.5
Problem is I am using internal certificates; I have imported the root ca certificate (it said it installed it from sdcard) but I still receive that the server certificate is invalid.....
I choose then to accept the certificate but it does not open published applications or desktops (connection error)
Needless to say that it is working flawlessly from windows mobile or iphone