Exchange 2003 ActiveSync, Sprint PPC-6700 and SSL: Giving me an ul

Discussion in 'Windows Small Business Server' started by Michael Smith, Dec 20, 2005.

  1. Ok, I know this retreads a few posts, but I couldn't find anything to solve
    my problem.

    As with many others, I am having problems with the Sprint PPC-6700 utilizing
    Exchange ActiveSync over the Sprint Dialup connection on SBS 2003. Based on
    my research so far, it seems that the most likely offender is the way WM5
    processes SSL certs. Whereas previous versions were a bit liberal in what
    they accepted, the current version apparently wants an exact SSL.

    Based on some postings on a few other boards, I tried to copy the SSL
    certificate onto the PDA. It was easy to do, however, the SSL certificate
    reflects the internal site name. Well this is a problem as the phone needs
    to connect to it anywhere. When I sync with this cert, it tells me it needs
    a cert with the correct name... in this case the outside name.

    So my question is, other than paying for an SSL cert, something I reject on
    principle in this situation, how can I use SSL when syncing with Active Sync
    in the manner described above? Is there another certificate I can use to
    copy onto the PPC-6700 that will do the trick? Can I create one using
    SelfSSL that will work?

    PLEASE HELP!!! If you know a workaround, or which cert to use please let me
    know. Please be specific on the certs, as in where it is located in the
    Certificates MMC. Any help is greatly appreciated.

    Thanks!
     
    Michael Smith, Dec 20, 2005
    #1

  2. Ginny Caughey [MVP], Dec 20, 2005
    #2

  3. Did you bring down the 'two' certs?

    One is the name, the other is 'publishing..blahblahsomething'?
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Dec 20, 2005
    #3
  4. How would one generate a root certificate?

     
    Michael Smith, Dec 20, 2005
    #4
  5. How does one generate a root certificate? I am not sure I have done that
    before.
     
    Michael Smith, Dec 20, 2005
    #5
  6. No I did not actually. I did see the publishing one as well. Do both need
    to be installed? Have you tried this and gotten them both to work?
     
    Michael Smith, Dec 20, 2005
    #6
  7. Michael,

    Thanks to Bart Martens, Mobile Devices MVP, for these directions which
    worked for me:

    On your SBS server you have to generate first a certificate. You have to go
    to IIS>Servername>WebSites>Default Websites>Directory Security>Secure
    communications and then View Certificate>Details>copy to file.

    The *.cer file is now generated in your root folder on your C-drive (I
    guess)

    Copy the .cer file to your device.

    Once the file is on your device, find it using the device's File Explorer
    and click on it to launch it (which installs it).
     
    Ginny Caughey [MVP], Dec 20, 2005
    #7
  8. I will give it a try and let you know. Thanks.

     
    Michael Smith, Dec 20, 2005
    #8
  9. Ok I found where you are talking about and the certificate listed was

    publishing.domainname.local

    This is obviously not the address that we connect to for mail. So my
    question becomes... even though this cert is not the exact name, will it work
    the same as if it was?

    Did you have the same problem Ginny with your phone? Did this particular
    cert work or did you have one that was the exact same?
     
    Michael Smith, Dec 20, 2005
    #9
  10. Michael,

    My certification path was the same www.mydomain.com that my website uses for
    some reason. For email I use www.mydomain.com/exchange and that's the
    address I used for Activesync and my phone works great with air sync. But
    try the certificate anyway - it won't hurt anything on the device if it
    doesn't help.

    And if it doesn't work, where is the website (in IIS) that you do use for
    Exchange mail? How do you connect to your remote mail from outside the
    office? When I look at IIS in Server Management, I see Exchange under the
    default website tree, but maybe yours is somewhere else?
     
    Ginny Caughey [MVP], Dec 21, 2005
    #10
  11. We are using SBS, and do not have a separate backend server. I did not set
    this up and have inherited it. Both Exchange and the Exchange OMA virtual
    directories are under Default websites (SBS created both folders by default,
    according to some MS KBs.) The certificate under these two folders is the
    publishing.domainname.com one. I am not sure why it doesn't match the
    outside address... I did go to the outside Webmail and get prompted that
    they don't match. After importing that cert, I didn't get the prompt... so
    IE was happy. But given how freakishly restrictive they made 5.0, who knows
    if it will work. Once I hear from the person and give it a try I will update
    you. I have another possibility linked from a technet blog, although the KB
    article says it works for 2002 and 2003 phones, the MS developer claims it
    will work for 5.0... Allowing one to import a root cert.
     
    Michael Smith, Dec 21, 2005
    #11
  12. Michael,

    Once you've got the right certificate, it should just work regardless of
    what it's called as far as I know. But if you find out differently, please
    do let us know. The only thing a bit strange is that WM 5.0 doesn't give you
    the same option that you have with IE to just install the unknown
    certificate, but once you've got it working it just continues to work. Do
    save the .cer file that works somewhere convenient though in case you need
    to reset your device and have to reinstall it.
     
    Ginny Caughey [MVP], Dec 21, 2005
    #12
  13. Unfortunately, it isn't my phone otherwise I would have had this up by now.
    I am going to save a copy on his PDA and on his PC, so that it will be an
    easy copy if a hard reset has to be done.
     
    Michael Smith, Dec 21, 2005
    #13
  14. Good plan, Michael. I don't think a hard reset would remove it, but using
    the option to restore the device to the factory condition would.

    And get yourself one of those phones - they're very cool. ;-) I really like
    mine - a K-Jam actually.
     
    Ginny Caughey [MVP], Dec 21, 2005
    #14
  15. Yeah, they sound cool, but that pesky price tag holds me back. Can't afford
    the $200-500 dollars right now. Although if I can get out of my contract
    with Cingular, since the QOS has gone in the toilet in the last month in
    Chicago, then I might look at that with a new phone.
     
    Michael Smith, Dec 21, 2005
    #15
  16. Good luck! Everybody's got a QOS story with somebody these days. Sorry it
    happened to you too. It does seem that those contracts should be void if the
    service gets worse than when you signed on, but obviously I am not a lawyer.

    There's more cool stuff coming with the next wave of WM 5 phones and
    Exchange 2003 sp2, so maybe you'll be ready by then.
     
    Ginny Caughey [MVP], Dec 21, 2005
    #16
  17. Ok still can't get it to work. I may bite the bullet and call MS.

    I created a new certificate matching the outside name, but I am not sure how
    to set it up right. I changed the association in IIS, and changed the
    listener cert in ISA2K4 to that cert. I added them to the trusted roots and
    I get an Error 500, it's pointing to the wrong name. Not sure what I need to
    do to get it pointing to the right name.
     
    Michael Smith, Dec 22, 2005
    #17
  18. Michael,

    It just worked for me, so maybe a call isn't a bad idea since your setup
    seems different.
     
    Ginny Caughey [MVP], Dec 22, 2005
    #18
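
The name mismatch reported in this thread, as an added example that is not from any poster and is not Windows Mobile's own code: a simplified model of the comparison a TLS client makes between the host it connects to and the DNS names in the server certificate. Installing a .cer on the device addresses trust in the issuer; this name comparison is a separate check. `mail.example.com` is a constructed placeholder for the outside name, and `publishing.domainname.local` is the name quoted in the thread.

```python
"""Added example: simplified certificate-name check (assumed model,
not the device's actual implementation)."""


def label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured, never "w*" or "*x".
    return pattern == "*" or pattern == label


def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate DNS name with the host the client dialled."""
    p = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False            # a wildcard never spans extra labels
    if "*" in p[1:]:
        return False            # wildcard allowed in the leftmost label only
    if p[0] == "*" and len(p) < 3:
        return False            # refuse "*.com"-style names
    return all(label_matches(a, b) for a, b in zip(p, h))


def check_certificate(cert_names, host):
    """Return (ok, reason) for the names taken from a certificate
    (subject CN and any subjectAltName DNS entries)."""
    for name in cert_names:
        if name_matches(name, host):
            return True, f"{host} matches certificate name {name}"
    return False, f"{host} not in certificate names {sorted(cert_names)}"


# Constructed scenario modelled on the thread.
INTERNAL_CERT = ["publishing.domainname.local"]   # name shown in IIS
EXTERNAL_HOST = "mail.example.com"                # placeholder outside name
REISSUED_CERT = ["mail.example.com"]              # cert issued for outside name

if __name__ == "__main__":
    for names in (INTERNAL_CERT, REISSUED_CERT):
        print(check_certificate(names, EXTERNAL_HOST))
```
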