WM5 - Direct Push - SSL & certificate - General Topics

I would like to hear about your experiences with Direct Push and SSL under WM5.
I have my own certification authority (Windows 2003 Server); I generated the root certificate and installed it on the device.
But ActiveSync does not work (error 8001014). Lots of articles cover the subject (how to add root certificates, the ActiveSync errors), but nothing works. I have already spent a lot of time on this.
Then I decided to contact Microsoft. The answer is surprising: Microsoft uses Direct Push over HTTP and not over HTTPS (strange, isn't it?).
Here is their answer: "Indeed, we have in-house HTC but we go over HTTP and not over HTTPS… Otherwise, WM5 over SSL works, and all the incidents which I saw relate to WM5 and not WM6, and the resolution was to switch to HTTP."
I created this post to find out whether somebody has succeeded at this or whether it is really impossible...
Thanks in advance
PS: Does WM6 work with SSL/Direct Push/own certificate?

Anyone Please ?

I am using SSL over WM6 right now. What I did was I renamed my *.crt file to *.cer and then put it into the mobile phone and clicked on it to install the certificate. After that I can use SSL over Exchange.

Do you have Forms-Based Authentication enabled? If so, read this: http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm
And perform option 3. I'm running Exchange 2003 with SSL and Forms-Based Authentication enabled, and I have push mail working.

I am not exactly using Exchange Server but something similar. It is a software by Kerio called Kerio Mail Server. It has push mail features and many other features that Exchange lacks. Setup is much simpler for me on Kerio than on Exchange, and the procedure for setting up push mail is very simple: go into your Pocket PC, set up the server information and SSL if you are using it. Then download the certificate from the Kerio Mail Server and rename the file from *.crt to *.cer so that Windows Mobile is able to install it. Once it is installed, you can sync and receive mail on the Pocket PC using push mail. I am not familiar with Forms-Based Authentication and I think it has no relationship with push mail unless you are using it without SSL. I don't think you can use Forms-Based Authentication since there is only an SSL option in the Pocket PC. Hope this helps!

I don't know what Georgeot uses for mail. I assumed he used Exchange. And with Exchange there is a problem with ActiveSync, Forms-Based Authentication and SSL on one computer.


Synchronizing error when retrieving from Exchange 2003 SP2 - error: 0x85010004

Currently using Exchange 2003 SP2. My s710 will not retrieve mail for my account or any new account created. Funny thing is, it retrieves for another user; he currently uses a WM5 device.
I have checked the global settings on the Exchange server and all necessary synchronizing options are on.
Does anyone know how to fix this error: 0x85010004
Your Account does not have permissions to sync with your current settings. Contact your Microsoft Exchange administrator.
Hi!
Does your Exchange server use HTTPS?
I had this problem and the solution was to install the security certificate on the PDA...
Sorry for my English, I live in Mexico...
Or try, when connected to your PC to open Internet Explorer (on your mobile). You'll have to give a username, password and domain (don't forget to check the remember password checkbox).
Then, it should work without problems.

Is there a PC version of Direct Push client?

Hey guys, I searched this forum and pretty much everything on the net but couldn't find anything.
I have a WM6 smartphone with Direct Push access to our company Exchange server. Works flawlessly, I get all my work emails right away on the handset.
But I was wondering, is there an XP or Mac client out there that could "pretend" it's a mobile device and give me my email on my private computer?
On top of that, I'm a Mac user. (Apple Mail has OWA Exchange support but it wouldn't let me in. I think it needs to tell the server it's a mobile device.)
Naturally, a Windows client would also do just fine.
The only settings known to me are: ActiveSync server address, user, password, domain. The server is accessible from the internet (I know this because my smartphone can sync via any wifi hotspot too), so that's no problem.
Any ideas?
Hey Greg,
do you have a certificate file from the Exchange server?
It could be that it's not really working because of the missing cert file.
Maybe you need Entourage on your Mac, but I have read that it is not fully functional (but... I have no idea about it...).
Or ask the IT staff in your company if they are serving RPC over HTTPS.
RPC over HTTPS with Outlook is IMHO the best solution for using your company mail at home.
Or maybe you can access Exchange via POP3 or IMAP if it is allowed in your company. But using RPC over HTTP is much better...
No, there is no certificate. I can just enter my credentials into any phone fresh out of the box and it will work.
I'd rather not ask my IT staff because their standard answer to such questions is "not supported, don't do it".... I don't wanna hear that.

Issues with OTA sync; AT&T Kaiser just recently purchased and ROM upgraded

Ok, I have wrestled with this for 2 days straight.
I had issues with this on my CFO's Windows Mobile device, but at least his was giving me a specific error message.
My Tilt has the latest Dutty ROM upgrade (Dual Touch), and I haven't been able to get my Exchange server synced OTA.
I run an Exchange 2007 Enterprise environment. Everything on the server side is fine. My OWA URL is https://webmail.firethornmobile.net. All I get is "waiting on network" after 2-15 minutes.
I have soft reset, deleted the PC partnership, taken my connection off of auto and tried both my work connection and ISP.
I'm starting to suspect it may be the ROM upgrade, but it was doing the same thing when I first started the phone.
Please help.
OMA enabled?
Do you have OMA enabled? Do you have the server root CA installed in the Tilt (I am assuming you are using the secure method for OMA)?
I have flashed Dutty's Dual Touch v2 and I don't have any problem getting emails through OMA services.
Did you ever get the other PDA to sync email before? From the error message, it seems the ActiveSync in the Tilt can't talk to the Exchange (front end) server at all.
Yes, on Exchange 2007 OMA is enabled natively. We are in the middle of separating data centres from our sister company.
We just got bought by Qualcomm so we never bought a cert from Verisign. I am using a self-signed cert from our Exchange server (I have to turn SSL off on the PDA side).
This has never worked. I already called Cingular and they said if I can get webmail from Gmail and Hotmail then it isn't their problem.
I have installed the self-signed cert on the handset.
OK, you don't need to install the self-signed cert in the PDA, but you need to install the root cert of the self-signed cert in the PDA.
Usually, a server cert or user cert has a root authority (CA); you need to install the CA cert in the PDA, not the server cert.
If you can install a Windows server (2000 or 2003), you can enable the certificate authority server and issue your Exchange server a server certificate. In this case, you will have your own root certificate. I don't suggest you use Verisign's certificate because everyone who has Verisign's root certificate can try to "play" with your OMA server.
However, the error message is still showing that the ActiveSync in the PDA can't reach the OMA at all.
BTW, the push email doesn't work if it's not on an SSL connection.
I apologize that I wasn't clear. It is the root cert from the CA (which is our DNS server).
I realize the message means that it isn't getting to OMA. I have been on the phone with AT&T and HTC about this and no one can tell me why it can't connect. I have been given tons of different network settings by AT&T and HTC and nothing changes. I get different error messages, but when I put everything back to the way it should be it still gives me this generic message.
I have configured my CFO's handset to get email (it's a Palm Treo with WM 6.0) and even though that was a pain in the ass it still works (just as good as his Blackberry), and he has SSL unchecked as well.
In that case, you can try to see if you can reach the OWA from your PDA; if you can, you should not have a network issue.
BTW: the common name of the server cert must be the same as your public domain name, otherwise ActiveSync will still reject the connection.
Apex i ITR said:
I apologize that I wasn't clear. It is the root cert from the CA (which is our DNS server).
I realize the message means that it isn't getting to OMA. I have been on the phone with AT&T and HTC about this and no one can tell me why it can't connect. I have been given tons of different network settings by AT&T and HTC and nothing changes. I get different error messages, but when I put everything back to the way it should be it still gives me this generic message.
I have configured my CFO's handset to get email (it's a Palm Treo with WM 6.0) and even though that was a pain in the ass it still works (just as good as his Blackberry), and he has SSL unchecked as well.
I agree with the poster above. I have this exact same setup at my company and it does work. The certificate has to be the external name of the Exchange server. If this does not match, the PDA will never sync. Check your certificate and make sure the FQDN is correct.
I just checked your Exchange server from the URL you posted above. Your OMA and OWA are working, but the certificate's common name is not the same as the public domain name.
Try to re-issue the certificate; it may just work.
Thanks guys. I'll try that.
Webmail does work from the handset. I don't know how I got my CFO's working, to be honest, if it's flaking on the name of the cert, but I'll try that and let you know. I was about to hard reset this thing and leave the cooked ROMs alone for a while. Hopefully this resolves it.
From my experience dealing with ActiveSync in the PDA, it's very picky about the name of the certificate. I think that's for security reasons. ActiveSync doesn't accept a certificate whose common name doesn't match the public domain name.
When I use the IP address for testing, I have to get a certificate with the IP address as its common name. So I believe that's the certificate's problem, not the cooked ROM.
I still suggest you get your own CA and certificate; that way you have more control, even for debugging this problem.
I feel like a moron asking but how the hell do I change the common name.
You can't change an existing certificate; you have to re-issue a new certificate.
I guess you can't do it with a self-signed certificate, but I am not familiar with self-signed certificates. Get a Windows server machine and install the CA server; after that, you can issue a certificate.
Assuming you have a CA server ready:
1. Request the certificate from the Exchange server: you will have a chance to enter the common name of this certificate.
2. Generate a certificate from this certificate request on the CA server.
3. Import the certificate back to the Exchange server.
If you can't get a Windows server as CA server, I will need to ask my colleague about the free CA server he used from the Internet.
My DNS box is a CA server (started the service on that).
I'll try that then (I hard reset and now I have an error stating I'm not authorized).
I'll let you know if it works. Thanks.
Ok, I believe I did it right but I still get the error (when connected via USB cable) and I still get the "waiting for network" message.
When you connect via the USB cable, you have to "allow" Internet access pass-through from the ActiveSync on the PC, otherwise it won't reach out to the Internet at all.
Try to connect to other web sites to see whether you have a good internet connection or not.
Some updates. I made sure the cert has the right common name. I noticed that after I install it on the handset it doesn't put the cert in the root tab... only intermediate. I installed the CA server's cert as well (that went into the root tab).
I'm leaving SSL checked and now I get 0x80072F17.
incorrect common name
Your common name is still not correct. It should be "webmail.firethornmobile.net" only, but you put "http://" at the beginning and "/owa" at the end; that's not correct.
You have to issue the server certificate one more time with "webmail.firethornmobile.net" (without quotes) as the common name.
Also, when I check the certification path of your certificate, I don't see this certificate under any root certificate. Probably you need to check your CA (DNS) to see if it's set up properly.
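The two failures discussed in this thread (a server certificate whose common name is "http://host/owa" instead of the bare host name, and a server certificate installed in the root tab with no path to the issuing CA) are exactly the two checks a sync client performs before it accepts a server. The following is an added example, not code from the thread or from any Windows Mobile component: a small standard-library Python model of those checks. Certificates are plain records rather than real X.509 objects, every host and CA name is constructed, and it goes a little beyond the thread by honouring subjectAltName entries and a single left-most wildcard label the way modern clients do.

```python
"""Toy model of the server-name and trust-chain checks behind the
ActiveSync certificate errors discussed above.  Added example; all
names (webmail.example.test, "Example Root CA", ...) are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cert:
    subject: str                                   # subject common name (CN)
    issuer: str                                    # issuer common name
    is_ca: bool = False                            # basicConstraints CA flag
    sans: list = field(default_factory=list)       # DNS subjectAltName entries


def server_host(entered: str) -> str:
    """Reduce whatever was typed into the device's 'server' field to a bare,
    lower-case host name: 'https://webmail.example.test/owa' -> 'webmail.example.test'."""
    s = entered.strip()
    if "://" not in s:            # urlsplit needs a scheme or a leading '//' to see a host
        s = "//" + s
    host = urlsplit(s).hostname or ""
    return host.rstrip(".").lower()


def _name_match(pattern: str, host: str) -> bool:
    """Exact match, or a single '*.' left-most label covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def name_matches(cert: Cert, host: str) -> bool:
    """SAN entries take precedence; the CN is consulted only when there are none."""
    names = cert.sans if cert.sans else [cert.subject]
    return any(_name_match(n, host) for n in names)


def chain_to_root(leaf: Cert, intermediates: list, roots: list, max_depth: int = 5):
    """Follow issuer links from the leaf until an installed root CA signs the chain.
    Returns the ordered chain, or None if no path to a trusted root exists."""
    by_subject = {c.subject: c for c in intermediates if c.is_ca}
    root_by_subject = {c.subject: c for c in roots if c.is_ca}   # a leaf in the root store is ignored
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur.issuer in root_by_subject:
            return chain + [root_by_subject[cur.issuer]]
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt is cur:
            return None
        chain.append(nxt)
        cur = nxt
    return None


def check(entered_server: str, leaf: Cert, intermediates: list, roots: list) -> list:
    """Return a list of human-readable problems; an empty list means the server would be accepted."""
    host = server_host(entered_server)
    problems = []
    if not name_matches(leaf, host):
        problems.append(f"name mismatch: cert names {leaf.sans or [leaf.subject]} vs host {host!r}")
    if chain_to_root(leaf, intermediates, roots) is None:
        problems.append("no path to an installed root certificate")
    return problems


if __name__ == "__main__":
    root = Cert("Example Root CA", "Example Root CA", is_ca=True)
    good = Cert("webmail.example.test", "Example Root CA")
    bad_cn = Cert("http://webmail.example.test/owa", "Example Root CA")   # the mistake from the thread
    print(check("https://webmail.example.test/owa", good, [], [root]))    # []
    print(check("webmail.example.test", bad_cn, [], [root]))              # name mismatch
    print(check("webmail.example.test", good, [], [good]))                # server cert in root tab, no CA
```

Running it reproduces the thread's two outcomes: the certificate with the URL baked into its common name is rejected on name grounds even though it chains correctly, and a correctly named server certificate still fails when only it, and not the CA certificate, sits in the root store.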
Use this site to figure out the errors you are getting on your phone: http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php
Also, are you the Exchange admin? If so, enable verbose logging so that you can see what is going on with Exchange as the connection comes in.
Also, if you want to make sure it is not the cert, you can "enable" SSL on the phone and then reg hack it so that it doesn't check for the cert. This will allow you to see if it is a cert problem.
Let me know if you need any help with that. I'm an Exchange admin and I work with ActiveSync day in and day out.
Tried Fix Suggested on Pocket PC FAQ Site
I think this is ON TOPIC. If not, please advise and I will repost elsewhere.
I flashed my phone with the Dutty Beta 2 Touchflow ROM for Tilt. I am getting the following error and have tried the matched solution from Pocket PC FAQ:
0x80830003 N/A Synchronization failed. If the problem continues, contact your network administrator.
1. The Exchange server is configured to require client certificates.
1. On the Exchange server, launch Internet Services Manager. Right click on the Microsoft-Server-ActiveSync virtual directory and choose Properties. Select the Directory Security tab. Click the Edit button in the Secure Communications section and select the option to “Ignore client certificates.”
I continue to get the same error even after dumping the device through the Exchange server.
My system admin thinks that there is something wrong with the version of ActiveSync provided in the ROM used to flash the device.
Any thoughts/direction you could point me in or is there any other info you need?? Is th

DirectPush certificate problem

I'm having certificate problems with DirectPush. The Exchange Server 2003 is configured and set up, and webmail works.
I have configured my Xda Orbit 2 to use Direct Push but get the following error:
"The security certificate on the server is not valid. Contact your Exchange Server administrator or ISP to install valid certificate on the server"
Support code: 0x80072F06
I have ported the certificate from the server to the device and registered it. Is there a hosts file equivalent on WM6 so it can resolve the IP address of my server to the certificate I have installed?
Follow this http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx
It was the only way I could get around it. Installing it from the CAB file worked brilliantly too, and makes it easier to do. And it makes Vista sync with the Exchange server, as long as you've installed the root certificate. Yeah, make sure it's the Certificate Authority's root certificate to make it work best.
Thanks for the reply Nick, I will look into it now.

[Q] Help with Exchange PLZ

Greetings all, first time post.
I have a customer that has the new AT&T Captivate. I have tried to get his Exchange account working to no avail.
For those who have set this up, what settings have you used? It seems like every smartphone is just a little different.
I have used
For the Exchange server I have used the DNS names and the IP address, with and without /exchange
With and without SSL
I keep getting authentication errors.
I have tried 2 different servers and 3 different accounts to no avail.
The user was using a Blackberry before, so I know it can connect.
What am I missing? The password is 4 digits.
I use the following
user: domain\username
server: owa address
flextechs said:
Greetings all, first time post.
I have a customer that has the new AT&T Captivate. I have tried to get his Exchange account working to no avail.
For those who have set this up, what settings have you used? It seems like every smartphone is just a little different.
I have used
For the Exchange server I have used the DNS names and the IP address, with and without /exchange
With and without SSL
I keep getting authentication errors.
I have tried 2 different servers and 3 different accounts to no avail.
The user was using a Blackberry before, so I know it can connect.
What am I missing? The password is 4 digits.
Just because it was working with a Blackberry doesn't mean he can Exchange Sync.
The BB has 2 ways to connect: 1. BES (BB Enterprise Server) - only a BB can connect, and it does all the encryption. The BES talks to Exchange. The BB phone talks to BES.
2. BIS (BB Internet Server) - this is a hack - it screen-scrapes the Outlook Webmail.
Neither of these methods guarantees that the Exchange admin allows EAS (Exchange ActiveSync). Can the user log in to the Webmail component? If so, have you tried the server webmail address?
Has the person even asked their Exchange admin if they support EAS?
99% of the time, an authentication denial is because they are blocking EAS, as many phones that support it are not very secure. If they are a BB shop, this is not unusual.
alphadog00 said:
Just because it was working with a Blackberry doesn't mean he can Exchange Sync.
The BB has 2 ways to connect: 1. BES (BB Enterprise Server) - only a BB can connect, and it does all the encryption. The BES talks to Exchange. The BB phone talks to BES.
2. BIS (BB Internet Server) - this is a hack - it screen-scrapes the Outlook Webmail.
Neither of these methods guarantees that the Exchange admin allows EAS (Exchange ActiveSync). Can the user log in to the Webmail component? If so, have you tried the server webmail address?
Has the person even asked their Exchange admin if they support EAS?
99% of the time, an authentication denial is because they are blocking EAS, as many phones that support it are not very secure. If they are a BB shop, this is not unusual.
I am the admin. He was using the AT&T BB setup through the webpage where you put in the OWA information. This server is set up like all of my customers'. I have other customers using Windows Mobile just fine. Default SBS 2003 install. He is part of the Mobile User Group and all Exchange features for this user are enabled. Reading MS Article ID: 817379
You can use Exchange only if you have OWA available to the internet. It sounds like you do.
Do you have a direct URL to your OWA site? Do you have an SSL certificate? You should be able to use \[email protected] and just put your direct URL as the server. If using SSL then select "accept all certificates."
Sent from my SAMSUNG-SGH-I897 using XDA App
Use mailserver.domain.com/exchange
NOT https://mailserver.domain.com/exchange
Use SSL
Accept all certs
Hope this helps (sorry, I'm not allowed to post links)
JimmyStale said:
Use mailserver.domain.com/exchange
NOT https://mailserver.domain.com/exchange
Use SSL
Accept all certs
Just another confirmation that what JimmyStale (and others) wrote works fine:
Server: OWAserver.domain.com (whatever your Outlook Web Access URL is)
- rp
For Exchange ActiveSync you do not have to put the /exchange or /owa after the server name. It actually uses the OMA part of the default website on the server. I have a DNS registration pointing to my external IP for Exchange, and it works just by putting in domain\username and the DNS name that points to your server.
I also have a hosted Exchange account for my personal email on my personal phone (Captivate). It works without the /exchange as well.
It may just be an issue with the password being too short or something along those lines.
Also, if you plan to support Android 2.2 you will need a signed SSL certificate. I verified this with my work phone (Moto Droid): it would not authenticate until I installed a signed certificate. Outlook 2007 also has this requirement.
naplesbill said:
For Exchange ActiveSync you do not have to put the /exchange or /owa after the server name. It actually uses the OMA part of the default website on the server. I have a DNS registration pointing to my external IP for Exchange, and it works just by putting in domain\username and the DNS name that points to your server.
I also have a hosted Exchange account for my personal email on my personal phone (Captivate). It works without the /exchange as well.
It may just be an issue with the password being too short or something along those lines.
Also, if you plan to support Android 2.2 you will need a signed SSL certificate. I verified this with my work phone (Moto Droid): it would not authenticate until I installed a signed certificate. Outlook 2007 also has this requirement.
The phone is a brand new AT&T Captivate. From what I understand from the AT&T rep, this phone is brand new. It is running Android 2.1 according to the AT&T website. The user PW is 4 characters, so I guess I can try that.
flextechs said:
The phone is a brand new AT&T Captivate. From what I understand from the AT&T rep, this phone is brand new. It is running Android 2.1 according to the AT&T website. The user PW is 4 characters, so I guess I can try that.
I just pointed out the info about 2.2 because the Captivate will be upgraded to 2.2 soon enough.
I would try a longer password and see if that works.
flextechs said:
I am the admin. He was using the AT&T BB setup through the webpage where you put in the OWA information. This server is set up like all of my customers'. I have other customers using Windows Mobile just fine. Default SBS 2003 install. He is part of the Mobile User Group and all Exchange features for this user are enabled. Reading MS Article ID: 817379
Are there other mobile users at this site using WinMo? Check the server logs for clues. It could be a virtual directory permissions issue.
Sent from my SAMSUNG-SGH-I897 using XDA App
A fool I am
Ok. For those of you who know SBS 2003, I had to run the Internet Connection Wizard and turn on the Windows Mobile function. Friggin' duh. I thought it was on.
he used
with SSL and auto accept certificates.
Thanks to all who contributed to me finding myself at fault.
I can't believe all the time wasted. Between the customer, the rep at AT&T, and myself, about 6 hours. Not including your reading and replies. DOH!

