Database Info

Exchange Server Help - Activesync Error 0x85010004

My company standard for pda's is the crackberry. However, I was able to connect to our exchange server with my ATT Tilt. I believe that our IT dept has now enabled some security feature that will not allow my phone to connect to the server anymore.
Using WM 6.1
Any ideas?

it sounds like the server cert is invalid. you can get more information on the error using activesync to set up the server source.
anyway, your it geeks must give you a copy of the server cert (.cer file). They can export it, and you can use activesync to put it onto your device

Thanks for the help. They've now established a "pilot" program for WM6, so I don't know if they'll actually give me a copy of the server cert. I was able to copy the cert that was assigned to my PC and install it on my device, but still no dice. It was installed as an Intermediate and not a root. I don't know if that makes a difference or how/if it can be changed if it does.

Im not sure either. It would take the it geeks about 30 seconds to generate the .cer file. I had the same problem as you, so I exported the certificate from my server, stuck it onto my htc cruise using activesync, then using file explorer, navigated to the .cer file, clicked on it, and it worked.
The certificate I exported was the exact on that was imported to iis.

thanks again.
For some reason the cert from the server is not working. Could you check to see if yours was installed as a root or an intermediate when you get a chance?

This is going to be a HUGE bummer if I have to get a crackberry.

to get the cert:
1) on the server where iis is running, run mmc
2) add the certificate snap-in referencing the local computer.
3) navigate to Personal or Trusted Root certificates (depending if your cert is self-signed or from a CA), find the cert that was used for the iis web service that is running OTA, right click on it, then select export (.der format will be ok).
4) have the it geeks give this file to you.
5) using activesync, move it to you device.
6) using file explorer on the device, navigate to where the .cer file is, then click on it.
7) thats it.

Step 4 is the problem. I don't think I'll get the cert from IT because I'm not part of the pilot program. This was a recent change that required certificates to crack down on renegades like me.
I guess I'll have to wait until they roll out the corporate wide program.
Oh well, Crackberry here I come.
Thanks again for the info.

Does anyone know how an exchange serve tells the difference between remote access from a desktop and remote access from a handheld?

The address is really different. webmail is at www.yourdomain.com/exchange, which over the air activesync is www.yourdomain.com/?something? (im not sure exactly). The ppc activesync program knows what to append to the end of your url to activate the correct application pool on the server.

security certificate

I am very frustrated. What was a working direct push sync with the company email has stopped working because a security certificate needs updating. I have searched and searched and tried a number of suggested solutions but nothing has worked. I've run out of ideas and suggestions.

Was the certificate on the Exchange Server already updated? Is it a "self-signed certificate"? If both is true you probably need to "install" the new certificate on your TP.

If you've donwloaded a certificate and it installed as it should and it still doesn't work, then try unchecking "'This server requires an encrypted (SSL) certificate" in your server settings.

Btw, you did download a new certificate, did you?

WDawn said:
Btw, you did download a new certificate, did you?
Click to expand...
Click to collapse
Sorry -- was away and couldn't answer. No I've not downloaded any certificates -- I'm not sure where to find them -- I get no support from my company's IT since they consider my Touch Pro "unsupported" (they're still using ATT 8525). What is troubling is I can get the exchange email working by deleting the server then re-establishing it. It will download and sync for awhile. But after a few hours it gives me the error msg telling me I have an out of date security certificate.

custom X.509 SSL cert?

Hi,
Does anyone know where SSL certs live in the Android file system? I searched these forums and there doesn't seem to be anything about it yet.
I would like to add a signing cert so I can access my web server with SSL. I don't have a publicly signed cert, just a privately signed one, to save $.
Any help would be appreciated!
Thanks!
Sheepdawg

Further Details
Hi,
Did some more research. There are two ways around this. One is to add a custom SSL cert to your G1. I didn't get this to work, as it requires fiddling around with JRE apps. A link is here, however:
http://code.google.com/p/android/issues/detail?id=1016
The other way is to use another mail client. This one:
http://code.google.com/p/k9mail/
is a fork from the regular android mail client, and seems to work well. It fixes the SSL issue by allowing you to use improperly signed and self-signed certs.
Sheepdawg

How to setup Outlook for Exchange Server on WP7?

I am trying to setup a WP7 Outlook, but it won`t connect to a company Exchange Server.
Always getting error- Error code: 80072EE7.
I have read on web that certificates needs to be installed on wp7. I did it, but no luck.
I used to synch this exchange account on my HTC Evo 4G.
Any ideas how to fix issue?

I wish WP7 had a better way to load self-signed certificates.
Best way to install a cert is to e-mail it to yourself using a Gmail account, set up the Gmail account on WP7, open the e-mail and the resulting certificate attachment, and then install the certificate.

Thanks for response,
But,
Everywhere on web people talking about certificates and no one says which particular cert needs to be installed.
I tried with verisign, Microsoft root authorication and other kind public certificates. But issue still persist.
Who knows where can I get the exact certificate from?

Also make sure you are putting in the local domain
(whateveryourdomain.local)
It is required for WP7 unless your username has the domain in it.
For cert... here is what one user said...
1. went to google chrome on my desktop, spanner, options, under the hood, manage certificates.
2. go trusted root certificate authorities.
3. found the certificate from our server.
4. exported it as a DER encoded binary X.509 (.cer) file to the desktop
5. emailed it to my godaddy account on my WP7 phone.
6. clicked on the link installed it AND THEN created the outlook account on my WP7 phone.
IT IS IMPORTANT TO NOT HAVE ANY OUTLOOK ACCOUNTS ACTIVE WHEN INSTALLING THE CERTIFICATE.
thanks for all your help guys!

yes, sure I have local domain:
\whatever - this is what i used on android outlook settings.
how to know which one is our server certificate?

in WP 7 though you don't need a slash. just the domain name when it asks for it.
For the cert... can you get to your mail server via web mail?
For ours in IE9, i just click the lock by the address bar and hit view certificate. Also if you know your Exchange admin, ask him to send it to you via the hotmail account. they you can just click on it and install it.

I believe we do not use any certificate. probably we use public certificates. i do not see lock next to address bar.

Does you host require on device encryption?
Does your company provide instructions for other phones? I may be able to tell you or translate them to how it works in windows phone.
No lock? go to advanced in account and uncheck ssl. I think its on by default.
If that doesn't work pm me the the web outlook address an i can tell u if there is one on there at least.

still cannot synch my outlook account. is there any new ideas?

The only thing left i can say is talk to your exchange admin / tech support. All the settings seem correct for a normal setup. Maybe they are using on device encryption... the only thing that windows phone really doesn't support for exchange, or maybe there is a setting we don't know that they will tell you.
The questions to ask are -
Does it require on device encryption?
Is the certificate required the same one outlook webmail uses as that is the one i walked you through installing?
Is the mail server address the same as outlook webmail minus the owa?
What is the local domain of the mail server? (that is different then the mail server address in most cases)
Does the username have to be whole email address? domain\username? or just username
Does the exchange admin have to add my phone?
Hope that helps get your questions answered.

I need some help also. I had my exchange account on my phone until my comp did server upgrades. This knocked me off as they say this will only support Blackberry and iPhone, don't ask me why. So I was able to setup my exchange account on my Android Epic 4g after trying for a week, as I figured if an iPhone can access it my Android should also. But I have tried the same settings from my Android phone on my WP7 and no luck.
After reading this it looks like I need to follow the above mentioned steps to manually add a sec cert to get it working just right?
I really want my exchange account on my WP7, sucks trying to be on the phone and not be able to download attachments cause you are talking on the phone that gets the email.
Any help would be great!

Did you mean to include a URL or two in there? Anyhow, setting up WP7 to work with Exchange should be pretty easy, although I'm not sure it will do EAP with anything older than 2007 (though IMAP on older servers will work fine). Both of my phone's synced Exchange accounts were set up easily and automatically by just telling it to add the email address; it found the servers and automatically configured the accounts.

black06c230 said:
I need some help also. I had my exchange account on my phone until my comp did server upgrades. This knocked me off as they say this will only support Blackberry and iPhone, don't ask me why. So I was able to setup my exchange account on my Android Epic 4g after trying for a week, as I figured if an iPhone can access it my Android should also. But I have tried the same settings from my Android phone on my WP7 and no luck.
After reading this it looks like I need to follow the above mentioned steps to manually add a sec cert to get it working just right?
I really want my exchange account on my WP7, sucks trying to be on the phone and not be able to download attachments cause you are talking on the phone that gets the email.
Any help would be great!
Click to expand...
Click to collapse
Did they post instructions on what was needed to get an iphone on it? Should be similar with windows phone. For the cert, once you get it, email it to your hotmail and open it. THat will install it.

ROCOAFZ said:
in WP 7 though you don't need a slash. just the domain name when it asks for it.
For the cert... can you get to your mail server via web mail?
For ours in IE9, i just click the lock by the address bar and hit view certificate. Also if you know your Exchange admin, ask him to send it to you via the hotmail account. they you can just click on it and install it.
Click to expand...
Click to collapse
once i click the lock and see the cert. how do i get it to send it in an email?
---------- Post added at 11:22 PM ---------- Previous post was at 11:16 PM ----------
ROCOAFZ said:
Did they post instructions on what was needed to get an iphone on it? Should be similar with windows phone. For the cert, once you get it, email it to your hotmail and open it. THat will install it.
Click to expand...
Click to collapse
other co-workers have their iphone's working just fine. I will get a hold of one and see if any settings in there make it work.
but again i got it setup on my android phone without much issue and those same settings won't work on my WP7. it errors about the cert.
as stated I can click the lock and view the cert from web access but how do I email it to myself? i don't see a export option.
lastly, they block any IP but intranet IPs to access the mail.companydomain.com so the cert from there may not even help?!?!?
to access mail from home/laptop i have outlook setup so no need to access via the web.
any help you can give to get this working would be great!! and yes IT won't give my squat.

Have you tried manual setup. That's what mine requires. I put in my email address and password but it never gets it. I then click on manual and add
Login name: whatdoyaknow
Domain: ad.xxx.com (actually mine is more complex than that, but start with ad.)
Server: exchange.xxx.com (again more complex)
I need certificates for most things, but this seems to work ok.
Actually I still have problems getting WM6.5 to connect, but WP7 goes ok with the above.

Samsung Stock Email App, S/MIME Certificates

I have a Comodo Personal email certificate, which I use for signing and encrypting emails using the S/MIME protocol, over MS Exchange.
The Samsung stock Email application supposedly allows the use of such certificates natively. However I am running into problems when I attempt to install my key.
I'm using a PFX file exported from Windows Certificate Manager. When I generate the file using the standard wizard, I have the option of exporting my key and user certificate either with or without the other certificates in the chain of trust.
The complete certificate chain, by the way, is as follows: Private key/Personal Cert --> Intermediate CA (Comodo RSA Client Authentication and Secure Email CA) --> Root CA (COMODO RSA Certification Authority, included in default store)
When I omit the other certificates in the signing chain when exporting, the PFX just installs my key and my user cert in credential storage. But then everytime I use it to sign or encrypt something in the Email app, I get a nag from the Email app warning me that it could not validate my credentials. That is, Samsung Email app is unable to verify my cert's trust unless the intermediate CA is provided to it.
But frustratingly, when I export the PFX file so that it includes the intermediate CA's in the chain and install, Android places the Intermediate CA in User folder in the keystore, and treats it as a root CA. That is to say, instead of inheriting trust from the COMODO RSA Certification Authority (which is in the default keystore) Android assigns trust to the intermediate CA *explicitly*. And so, despite the fact it's a valid certificate signed by a trusted root authority in the default keystore, Android gives me nearly constant nags about my phone being "monitored by a 3rd party" until I delete the intermediate CA from User Trust. Which of course, breaks the Samsung Email app's ability to verify the certificate chain and yields a nag everytime I send an email.
Anyone else encounter this issue/know of a solution?

Bump.
I've scoured the internet for months and I cannot find a single thread anywhere on exactly this issue. It's a pretty straightforward question, I think. So I'm surprised I can't find any insights anywhere.

[deleted]