Adding Root Certificates for Exchange Activesync
How can I add root certs to my Windows Mobile 5.0 device?
In WM 5.0, the certchk tool no longer works for disabling SSL certificate verification on the Exchange ActiveSync connection. What are the options for secure connections to the server?
- Buy a SSL certificate from a major vendor. You should be able to get one for < $100. If you do this, the connections will just work. Launchpad page to find a SSL cert vendor here.
- If you have management access to the device, you can add your self-signed cert to the ROOT store directly via rapiconfig, a CAB file, or the certinst.exe tool. This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot. In some cases you will need to add the intermediate certs as well. (details)
- Some OEMs or mobile operators provide certificate installers for their platform.
If you can't buy a cert that chains to a major root, you can't manage the device, and there is no signed installer for your platform, there is not a good way to do this in WM 5. We have definitely gotten the message that a lot of customers find themselves in this situation and we feel your pain.
There is some more documentation and instructions around this process in the MSFP Deployment Guide.
edit: MSDN page about adding root certs here. The page also has a signed cert installer for Sprint and Verizon devices.
update 1/10: iMate provides a certificate installer application for the SP5 series of phones. Link here
update 3/8/06: Added link to MSDN page showing choices for where to buy root certs and which ones are supported on which OS versions.
update 4/4/06: Added link to creating a root cert CAB file inline. Linked forward to page about intermediate certs.
update 4/6/06: link to deployment guide
Comments
Anonymous
November 03, 2005
Ok, you feel our pain.
For the smartphones it is as simple as releasing a trusted signed version of certinst.exe. In the past you helped manufacturers like HTC to create a trusted signed version of regedit.exe. Why not create the same for certinst.exe to relieve our pain?Anonymous
November 03, 2005
You forgot to mention that an extra root certificate is also required when enabling your device for 802.1x acces to wireless networks.
Nobody I know of runs their (internal) RADIUS server with a public certificate.Anonymous
November 04, 2005
How come you can't specify a different certificate name like you can in Outlook (the msstd principle proxy setting)? The problem we are having is that our ISA server has one IP and we route several secure sites through it so we have a wildcard certificate on the frontend. Are there any work arounds for this implementation.Anonymous
November 04, 2005
Raymond,
The OEMs or Operators are free to deploy root cert install tools if they want to. The linked MSDN page contains sample code to write such a tool and also signed versions for Sprint and Verizon devices.Anonymous
November 04, 2005
It doesn't matter that the operators are free to do something. They won't.
The problem here is that there is no way for the owner of the device (the end user) to tell their phone to trust their server's 3rd party certificate.
How would you feel buying a new car that you could only put one brand of gas into. There might be cheaper gas, and your car company would be free to make an adapter for you, but you can bet that it would never happen, and you would not get the choice of what gas to use here.
The USER needs to have the choice here.
The security concept is certainly a good idea, but when it makes it IMPOSSIBLE to use your device, it is just unacceptable.
Yes, I'm ranting. I have a godaddy cert on my exchanage server, and I cannot use my MPx220 device with it. I cannot update my phone as the software is locked, and the MS tool does not allow me to install software.
This MUST be fixed.Anonymous
November 05, 2005
Amen Nick!
What I find most concerning, is that I buy a simlock free phone to find out that it is software locked.
In my case I managed to break down this so called 'security feature' and install my own certificate. But there was no sign on the phone as being software locked for me when I bought it.
I'm not sure if it is up to Microsoft to force the OEM's to deliver a trusted version of certinst.exe with their device when it's supposed to be software unlocked.
I expected an 'open' device when I bought it. It should be an end user option to thighten it's security.Anonymous
November 05, 2005
You're right, wi-fi is the other major reason to need to add a root cert. We are very very aware of this problem. In the meantime, you need to make sure you buy devices that you can fully manage if you need this capability. Any device that has the grant_manager policy set to user_auth will work - that's most PocketPCs and some Smartphones. I wish there were a master list so that you could make an informed decision - I will look into seeing if we can get that.Anonymous
November 07, 2005
Hello, I purchased an i-mate sp5m, and I have this problem about the certicate, we don't have a trusted certificate, can you explain how to use (in detail) the RAPICONFIG or the certinstall.exe tool? I tried but without success, the device is locked for adding 3rd party certificates.Anonymous
November 08, 2005
Thanks for the support Scott.
There is definitely no list to make an informed decision when purchasing a WM5 device. Usually there is no way to return the device when you find out that is does not enable you to install your own certificates. In many cases this criples the usability of the device when the only way to connect to your WLAN is 802.1x based.
Again. Why doesn't Microsoft urge the OEM's to create a trusted version of certinst.exe? Or am I wrong about the simplicity to create such an application?
rafaelc
Have a look at http://groups.google.nl/groups?hl=nl&q=%22Unlocking+Windows+Mobile+5+Smartphones%22 for the solution on your imate smartphone.Anonymous
November 08, 2005
Adding those root certs is an administrative activity currently so it's up to the manager of the device to delegate that to you. The manager of those phones is the operator (if it's not the user). Verizon and Sprint already have signed the SPAddCert tool, but I can't speak for the other operators. Signing a tool with a retail cert is a pretty big deal because it means it will run on all those devices, past and future, regardless of security policy, so it's not something to be undertaken lightly.Anonymous
November 08, 2005
I understand that adding root certs is an administrative activity that should be restricted in a controlled environment.
But my phone for example is an i-Mate SP5. iMate is not an operator, but a (small) company that sells HTC devices under its own name. iMate will NEVER ever administer my smartphone. I expect hardware support and software updates, but no administration. Why should iMate care if I want to add a certificate to MY phone? If Verizon and Sprint are able to release signed versions of the SPAddCert tool, what takes HTC/iMate so long to release their version? Did Microsoft help Verizon/Sprint and forgot about HTC? I am looking for the reasoning behind HTC's not releasing their signed tool as of yet.Anonymous
November 09, 2005
Okay, I understand the iMate situation better now, but I can't speak for why they don't have a tool. It's not really appropriate for HTC to sign the tool because HTC's certs are on all HTC devices so that code would run on all the HTC devices regardless of operator. I'll see if we have an existing relationship with iMate and if we can get something to happen.Anonymous
November 11, 2005
The comment has been removedAnonymous
November 13, 2005
Matt,
Did you get Active Sync working before?
What I get from your message, is that the certificate from your webserver does not contain the url you use for accessing in the subject field.
You better open the certificate of the webserver and check if the contents of the subject field resembles the url you configured on your Windows mobile device.Anonymous
November 13, 2005
My Windows Mobile 2003 device had the same problem, but I could get around it by disabling certificate checking the certchk.exe. Since that tool does not work with WM 2005 I am unable to get Active Sync working with my current device.
The certificate from my web server is a wildcard certificate with a common-name that looks like "*.domain.com" while the actual name of the server is "servername.domain.com"Anonymous
November 14, 2005
Matt,
Thanks for the info. Disable certificate checking is not an option on WM5 for the moment. Maybe Scott can shed some light on its future availability.
To make it work now you need a certificate for the specific url you are using for mobile active sync. A wildcard certificate will definitely not work.
HTHAnonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
w.r.t. wildcard certs and adding root certificates to locked devices, all I can say is that there's no wildcard cert support in the platform currently, and there's not a good way to add a root cert to a locked-down device without a priv-signed app. I can't discuss future product features right now except to say that we are aware of both of these issues and the problems that they cause for some customers.Anonymous
November 14, 2005
I know that certchk just set a registry key value to disable certificate checking. I also know that the setting that same key on WM2005 has no effect. Is it entirely impossible to do the equivalent with WM2005 or is Microsoft just unwilling to share the method for doing so?Anonymous
November 15, 2005
Disabling SSL verification for exchange isn't possible on WM2005 that I know of. If there were a easy way like certchk to share with you I would have definitely already done that.Anonymous
November 18, 2005
The comment has been removedAnonymous
November 18, 2005
Hi Jacob,
I'm not sure why your connection isn't working. We do have the Verisign Class 3 CA that signed your cert in the root store - you can see it yourself in the Certificates control panel. I actually couldn't get your cert to validate in Firefox either, and Firefox also has the same root cert installed. Sorry I can't be of more help - that area isn't one I work directly on.Anonymous
November 18, 2005
The comment has been removedAnonymous
November 18, 2005
The comment has been removedAnonymous
November 19, 2005
Wait, the HW6515 is a WM2003 PPC device. Why can't you add certs to it? Does certinst not work?Anonymous
November 19, 2005
We have done some investigation into how many of our customers need wildcard cert support. It's in the bucket of features under consideration for the future but it's not yet slated for a particular release that I know of.Anonymous
November 30, 2005
And what's about client certificate it's a pitty even on PPC. We still need a tools like this one :
http://www.jacco2.dds.nl/networking/crtimprt.htmlAnonymous
December 12, 2005
I've just added a root cert no problem. I copied the cert to the device using Active Sync Explorer, then on the device located it, clicked on it and it installed it no problem.
Hope that helps someone.
TimAnonymous
December 15, 2005
I was able to add my own certificate to my WM5 Smartphone (Audiovox SMT5600) by doing the following:
Change the value of following registry entry on the device:
HKLMSecurityPoliciesPolicies�0001017
from 128 to 144.
Restart the device.
Export the desired certificate as a binary encoded (DER) certificate (.cer).
Copy the .cer file to the device.
Open the .cer file on the device via file explorer.Anonymous
December 16, 2005
i have bought the QTEK 8310.
I spend 2 hours for sync to exchange, contacting our admin and take also time form him.
Its realy a shame.
Microsoft can tell what they want, its your product, its your marketing and it doenst work.
It's in generaly user unfriendly in worst case and in detail completley unnecassary.
It still doenst work.
:-((((Anonymous
December 20, 2005
I did the same thing; exported the root and intermediate certs (for instantssl, in this case) and just copied and clicked.
I'm a little puzzled at some of the responses from the MSFT poster, though. Did you guys just forget that it's this easy? Or does it work by mistake?Anonymous
December 20, 2005
Oh Great!
So I buy a wm2003 which was a nightmare to get working... you read of Ex SP2 an WM2005 an you think ok great ill just do that and now we just get more excuses yet again...
Im on the dev network guys and I think MS is great as a whole, the mobile department make a lot of false promises though! I really think you should speak to your marketing guys becuase you have a lot of customers extremely unhappy over the exchange issues.
There is hardly anything of any substance on the matter on the web also which makes me wonder.
Get it sorted guys, we dont want excuses we want some hard answers and "HOW TO's"
Proper ones though where you dont have to be a MVP in winCE etc to understand!
come on guys MS are the best at listening and helping customers so why are you letting it slip now?Anonymous
December 21, 2005
Brian: Like I said, "This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot." It's not as easy on a device that is deployed in a more restrictive configuration.Anonymous
December 21, 2005
Pace:
It would help if you could be more clear about what exchange problems and false promises and lack of information exactly is a problem for you. If it's specifically that you can't add root certificates to a restricted device, then I'm sorry that I don't have any more information than what's on this page. If there's something else, maybe I can point you to a resource.Anonymous
January 04, 2006
Hi All,
Can I get some opinion re. this post: http://www.modaco.com/index.php?showtopic=231066&st=0&p=702622&#entry702622
As you'll see I've followed the steps in it but I'm not able to get my third party certificate to install on my MDA Vario.
Thanks,
WillAnonymous
January 10, 2006
There is a patch for the HP6515 which is a 2003SE device out on HPs support newsgroups. I tested it on a 6515 here and it worked. Note- this is unrelated to the WM5 questions around security changes on that platform.
http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=983508&prodTypeId=215348&prodSeriesId=501209Anonymous
January 19, 2006
The comment has been removedAnonymous
January 19, 2006
Hi Stu,
I would need to see the site / certificate to really investigate your problem. If youd' like tto e-mail it to me I can try to take a look.Anonymous
January 22, 2006
Just want to thank Scott he resolved the issue for me. The problem was occuring for me because I was taking the certificate which came from OWA and installing that one my WM5 device. This certificate is a child (mail.my-domain.com) of a a root certificate (Equifax Secure Global eBusiness). This can be ascertained by going into properties of the issued certificate and going to Certification Path. From highlight the root and View Certificate, now export this one and install it on the device aswell. This resolved my issues.
Thanks again ScottAnonymous
January 27, 2006
hmmm...
I have a self certified Exchange server. I exported the server's cert (from MMC Certificates) and copied it to my i-mate K-JAM. The imate accepted it, added to the root certificates list, yet STILL doesn't recognize the cert as valid. From IE on i-mate, the cert still throws a "The certificate was issued by a company you have not chosen to trust" WHY? I mean the cert DOES show up in the trusted ROOT certificate section...Anonymous
January 27, 2006
hmmm...
I have a self certified Exchange server. I exported the server's cert (from MMC Certificates) and copied it to my i-mate K-JAM. The imate accepted it, added to the root certificates list, yet STILL doesn't recognize the cert as valid. From IE on i-mate, the cert still throws a "The certificate was issued by a company you have not chosen to trust" WHY? I mean the cert DOES show up in the trusted ROOT certificate section...
If the problem can't be fixed quickly, how about list of accepted SSL providers?Anonymous
January 27, 2006
I finally resolved my activesync/exchange problems the other day by using a free ssl certificate from here:
http://cert.startcom.org/
Use this guide
Before that i even bought an expensive Verisign cert but i still could not get it working.
Hope this can help others out there.
JacobAnonymous
January 27, 2006
Oops
forgot the URL for the guide
http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html
JacobAnonymous
February 02, 2006
Scott,
You mention the MSDN article about installing a root certificate onto your Windows Mobile device. You also mention the Verizon signed certificate install tool. Unfortunately, the MSDN doc only describes the process for Windows Mobile 2002 and 2003 devices, there is no mention of WM5. In WM5 where do I put the install tool and where does my CAs certificate need to be? I put both of them on the phone(treo 700w) and ran the cert intall tool, but it says that it cannot find the cert...the cert is in the same folder. I've also tried putting the cert on the root of the phones file system...with no luck.
Hope you can provide some insight here.
TIAAnonymous
February 06, 2006
How about getting p12 (Personal Information Exchange) certificates to work on WM5? Is there a tool that can convert these into a format that WM5 understands?Anonymous
February 07, 2006
Hi Rohan,
Do you mean PFX files? You can use the above method - open them up in explorer and then export to a .CER file and proceed. If you're writing code for the device you can also use the PFXImportCertStore API in CAPI to do it.Anonymous
February 09, 2006
The comment has been removedAnonymous
February 09, 2006
I already have a purchased SSL certificate on my Exchange server to support all my other activities (OWA, RPC/HTTP etc...) I need another certificate and I have to load a copy on each WM phone?
K-Anonymous
February 13, 2006
OK. Got my Dopod 818pro to import the Startcom CA & sub-CA certs which I use on my Exchange server and now EAS with SSL is working quite nicely. (Using the reg key method)
However, when I tried to import my personal cert (also by Startcom) via changing the reg key to 144, my email/ID certs gets imported into the root cert store. Any way around this?
I know the outlook client on the WM5 does not support email signing but I was hoping to authenticate myself to certain websites via my personal cert......Anonymous
February 13, 2006
I'm not sure what method you are using to import the cert - are you just clicking them? The certificate installer in the platform will install to the ROOT store. If you want to install to the MY store, you can do that via XML. See instructions at http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx. Just change ROOT in the XML to MY. You also don't need to change any security policies to add certificates to the MY store. It is allowed by default.Anonymous
February 14, 2006
Er, will that really work, Scott? What use is a personal certificate without the corresponding private key? Or can you also add a private key to the MY store with XML provisioning?
Marshall and Rohan wanted to import a personal certificate from a PKCS#12 file. Sure, you can use the PFXImportCertStore API in CAPI to do it. But then they would have to write their own program and that program would only run on Windows Mobile 5.0.
My program P12imprt can import a PKCS#12 file and runs on both Pocket PC 2003 and Window Mobile 5.0. Check out the link above.Anonymous
February 14, 2006
Jacco is right - I was focusing on just the certificate store aspect. You cannot add the associated private keys through the Certificate CSP. You'll need to write code or use some other tool to import a certificate for client auth.Anonymous
February 17, 2006
The comment has been removedAnonymous
February 25, 2006
The comment has been removedAnonymous
February 26, 2006
I have been trying to sync with our corporate Exchange 2003 SP2 server via wireless Activesync for a couple of months, and after a visit to my company IT Dept, we have narrowed it town to a certificate issue. I could really use an experts help, PLEASE! Here are some facts:
1) Phone = PPC-6700, WM5.0 on Sprint
2) My profile on the exchange server has me enabled to sync via OMA
3) We tried temporarially disabling certificate checking on the server. With cert checking disabled I was able to sync sucessfully! But of course, the admin can't leave this feature disabled due to potentially security issues. This leads me to belive I have a certificate issue
4) With cert checking enabled as default on the server, when I attempt to sync, I get an error "Your account in Microsoft Exchange Server does not have permission to sync with your settings..."
5) I have a Root Cert (generated by my company) and personal cert (also generated by my company) listed under certs on my phone
6) I can access our OWA page with no problems on my phone via pocket internet explorer and I can access my account with no problems. It prompts me to select a cert below to log on with (standard stuff, just like on the laptop) and I can sign in no prob. This leads me to believe that my cert is valid since I can log on with OWA
7) When I try to access https://companyname.com/oma, I get right in - it does not prompt me to select a cert, user name, or password. Just takes me right to my inbox.
So what do you think is causing this problem? My IT guys are stumped. I read somewhere that this may be because my root cert is "home brewed" and not a verisign, etc.. One other thing to keep in mind - In order to get a personal cert installed, I had to export my cert as a .pfx and I used a program to convert it to a .cer. My IT guys said I absolutely had to use the pfx because it contained an encrypted key that was required to log into the server.
Please help me on this one. I can't wait to get my sync going! Thank you very much for your help.Anonymous
February 27, 2006
I have had similiar issues as mentioned by Mario and the others on this blog. The fix I found that covers issues for Windows Mobile 2003 to 2005 is to have your certificate provider generate a new certificate. We use a third party provider that is not one of the big boys like Verisign. It appears that the answer is to ensure that they issue the new ssl certificate from the GTE Root. If you dont have an ssl certificate generated this way then you will see issues like Mario mentions and the others with Windows Mobile 2005 and older versions. Anyhow this worked for us so I hope it helps ease the pain.Anonymous
February 27, 2006
Thank you very much for your reply, Philip. I will go ahead and try this. Any other ideas, guys? Thanks!Anonymous
February 27, 2006
I was able to get this working by downloading the root cert from GeoTrust that corresponded to our SSL cert and importing that into the root store on the phone. Importing/adding the issued SSL cert does not work (nor has it ever worked in my experience).
FWIW, here is the GeoTrust page I used to get the root cert:
http://geotrust.com/resources/root_certificates/index.asp
I just looked for the one that matched the data on the cert we had installed on the Exchange server.
Note that T-Mobile also told me to import/add the issued cert, instructions they claim came from MS, so clearly there is a lot of bad information flying around.
Good luck-
LorenAnonymous
February 27, 2006
Right - you must add the ROOT certificate to the device. Any other intermediate certs, if needed, must be added to the CA store. See the other root certificate posts from me on the blog for more detail on those issues.Anonymous
February 28, 2006
The comment has been removedAnonymous
February 28, 2006
Thanks to MisterWembley, It worked.
# re: Adding Root Certificates for Exchange Activesync
Thursday, December 15, 2005 11:19 AM by MisterWembley
I was able to add my own certificate to my WM5 Smartphone (Audiovox SMT5600) by doing the following:
Change the value of following registry entry on the device:
HKLMSecurityPoliciesPolicies�0001017
from 128 to 144.
Restart the device.
Export the desired certificate as a binary encoded (DER) certificate (.cer).
Copy the .cer file to the device.
Open the .cer file on the device via file explorer.Anonymous
March 06, 2006
The comment has been removedAnonymous
March 08, 2006
"update 3/8/06: Added link to MSDN page showing choices for where to buy root certs and which ones are supported on which OS versions."
That's fine and dandy, but I can tell you that the QuickSSL certs I've gotten from GeoTrust are not issued from one of the few roots preinstalled on Windows Mobile 2003 or 5.0- in both cases the root cert must be added, or in the case of WM2k3, the certchk tool must be used to turn of cert checking.
This page edit and the linked page (https://partner.microsoft.com/global/partner/40027352) will only cause more confusion, not less.Anonymous
March 10, 2006
Hi Loren,
I'll update the page to be more clear about which roots are on the device for those CAs that use more than one root. If you have any other specific examples, please send them.Anonymous
March 12, 2006
PingBack from http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspxAnonymous
March 12, 2006
I have a pocket PC and can not access my OWA or some SSL sites..it is running windows mobile 5...my previous mobile 2002 SE worked just fine...what do I need to do to make mobile 5 work on a pocket pc to access
OWA?Anonymous
March 13, 2006
The comment has been removedAnonymous
March 13, 2006
You need to get and import the root cert from Equfax, not the cert they issued to you: First lookup the root cert from which the cert you installed was issued, then download that root from Equifax and add it to the root store on the device.Anonymous
March 14, 2006
Thank you for this blog/forum. It has helped to understand the problems with EAS. I am very happy to say I have gotten my Qtek 8310 working perfectly with a 3rd Party cert that was not initially recognized by the phone. I guess this phone is supposed to be the same as a the Cingular 2125? and the i-mate SP5? These are the two links that I followed to the "T" and everything worked perfectly.
http://cert.startcom.org/?app=127
http://www.eksternkompetanse.no/blog/PermaLink,guid,a87f5aa1-a61c-433a-b8e3-121bd867dbb3.aspxAnonymous
March 16, 2006
The comment has been removedAnonymous
March 19, 2006
Panic over. I found a regedit tool for WM5, flipped the bit that and earlier poster provided, and that fixed the root certificate problem with IE, but not Opera (I suspect this is a bug in the Opera beta).
But the server I need to talk to via SSL uses Javascript for the menus, so now I have IE talking SSL, but no menus because it does not support Javascript, and Opera with great Javascript support, but no self-signed certs, so no SSL!!
Grrr...
RonAnonymous
March 20, 2006
The comment has been removedAnonymous
March 21, 2006
MS has done a poor job of communicating that the push functionality comes with a "Feature Pack" that will only be available from phone vendors. They could easily have made that obvious amidst all the trumpeting about push technology in WM5.
Contact you phone service provider, but I'm not aware of any offering it yet: It's vaporware.Anonymous
March 21, 2006
I believe iMate is already shipping the MSFP upgrade.Anonymous
March 26, 2006
Hello - I am a first time poster begging for assistance.
I have a Cingular 8125 running WM5.0. I am using Activesync 4.1 (which came with the phone).
My business uses Exchange - from which I can access via the web using OWA.
My Activesync on my 8125 was working on and off about 4 days ago - and now does not work at all in synching with my server.
Everytime my mail on my 8125 tries to synch with my server, I receive an error on Activesync that says, "Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings. Contact your Exchange Server administrator. Support code:0x85010001"
I have called Cingular, Microsoft, and my company internal IT department. Cingular and MS basically said, "not our problem". My company exchange server IT group is looking at it - but nothing has changed in 5 days.
It appears to me that my issue is related to the one on this board.
I am asking that someone who has seen this issue and knows how to resolve it - please let me know. I can email you - or even call you for assistance. Like many of you on this board - the reason I bought this phone was for the email Activesync - which is not working at all! PLEASE PLEASE HELP!
Thanks,
DanAnonymous
March 26, 2006
That's actually not a root cert issue at all. Check the activesync and exchange mobility newsgroups: http://groups.google.com/groups?q=0x85010001 - there is a lot of traffic about that error.Anonymous
March 28, 2006
Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing...Anonymous
March 29, 2006
The comment has been removedAnonymous
March 29, 2006
For all users trying to sync t-mobile new MDA WM5s: I just got someone from the PDA support group and they finally admitted that teh device is not working with Exchange 2003 SP2. Period. No more questions. Not that I did not try before to get any information from this department, but most fo the time they wouldn't know what "exchange server" is. So advise I got was to wait until they release new software update for MDAs. Did anyone out there get any different info than this?
Sad MDA user :(Anonymous
April 02, 2006
For anyone digging with as much frustration as I had been looking for this solution, I can report the following:
For one of my users with an O2 XDA Atom WM5 handheld, I was able to add a root CA certificate for my LAN's MS Cert Server (as well as the certificate for my public Exchange 2003 Server) by:
1. using Active Sync Explorer to copy the DER encoded certs to the device
2. using Resco Explorer 2005's registry editor to edit the specified keys (regeditstg did not appear to be trusted by the device)
3. soft-booting the device and then clicking on the certificate files to install them
4. restoring the registry values to their former values and soft-booting.
I'm happy to say it's working perfectly.
I hope the marketeers at MS realise that by denying users their right to decide whom to trust, they are behaving quite unethically. Perhaps if enough people remind them of this - and I include the MS developers who are seemingly at their mercy - they will concede a simple checkbox in any SSL-capable WM5 application to allow users to make this choice for themselves and avoid the anger and frustration that these tactics inspire.Anonymous
April 02, 2006
You actually shouldn't even need to reboot between those steps.Anonymous
April 03, 2006
Can someone clarify this for me ? Is it currently impossible to do Exchange ActiveSync on WM5 using a self-certification certificate ? We have the same problem, i.e., our certificate works for OWA, but not for Exchange ActiveSync.Anonymous
April 03, 2006
The comment has been removedAnonymous
April 03, 2006
Sam
Is the only registry entry you edited this one:-
"HKLMSecurityPoliciesPolicies�0001017
from 128 to 144"
Also have an xda Atom and have installed self certified certificate, but cannot get it to work. Also, I heard that the current ROM versions in the xda Atom's don't have the WM5 MSFP yet for "push" email. Is this correct?Anonymous
April 03, 2006
The comment has been removedAnonymous
April 03, 2006
Be aware there is in fact a workaround to disable SSL certificate checking for Windows Mobile 5.0 devices. However, it requires a registry tweak, so you have to have management access to your device. Exchange MVP Ben Winzenz tells you how here: http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.htmlAnonymous
April 03, 2006
Thanks Devin, I had already found this but for whatever reason was using 1 and not 0. I have now got past the certificate checking and am now stuck on a continous password prompt.Anonymous
April 04, 2006
Exchange mobility resources (Kudos to Eileen Brown)
Here's a comprehensive list of Exchange/Mobility...Anonymous
April 04, 2006
THANKS, LOREN!! Your solution worked for my setup here. Exch 2003 w/ sp2, Treo 700W, Equifax SSL.Anonymous
April 04, 2006
I have the same problem as Dave Jones: got past the certificate checking and am now stuck on a continous password prompt.
Any ideas?Anonymous
April 04, 2006
The comment has been removedAnonymous
April 04, 2006
Dave Jones: If you have installed your certificate and it shows up in the ROOT control panel, then you've passed every problem that this blog post covers. Try hitting your exchange server via the web browser on the device. If it can connect and doesn't prompt that the SSL cert doesn't match, there are no certificate problems.Anonymous
April 04, 2006
Devin, Matt M, et. al:
Let's clarify. The reg key that Ben Winzenz describes does not require manager level access. If you have management access to the phone you can change any reg key or security policy and there is nothing stopping you from adding certificates or doing anything else you want.
As for the repeating password thing - when I say that "certchk doesn't work", this is what I mean. If it were as simple as changing that reg key, that would be in bold print at the top of this page and we wouldn't have 90 comments. You're welcome to play with that key and if you have a reproducible way to make it work please post it, but that's not a solution that is expected to work on these devices.Anonymous
April 04, 2006
After major cert issues we are trashing all Windows mobile devices & going Blackberry. Good work Microsoft.Anonymous
April 04, 2006
Scyost wrote "As for the repeating password thing - when I say that "certchk doesn't work", this is what I mean."
Thanks I had not made the connection between the Secure 0 setting and the next error in the food chain.
<3 self certs and 2 root certs later>
I guess after all said and done the problem comes down to a recognised certificate it just took a long time to realise this. It would appear that their is money in old rope or in this case SSL certification after all.Anonymous
April 04, 2006
Kinda corresponds to Loren's posts, this, but I got it sorted for ourselves and thought I should post anyway. As mentioned, ActiveSync was telling me the Exchange server was not trusted, even though I'd installed the certificate.
So here's what I did. On my desktop PC (from which I can access OWA), I removed all the certificates issued by our organisation using the Certificates console snap-in. I then went onto http://<server path/certsrv> and downloaded and installed the CA certificate chain. This worked, giving me access to OWA from my desktop without warning. I then went back into the Certificates snap-in and located the two certificates which formed the chain. I extracted both the certificate from the Trusted Root CAs store and the certificate from the Intermediate CAs store and transferred them to my device. I then installed them on the device in the same order by double-clicking them in Explorer (i.e. using certinst.exe) This created the requisite certificate chain on the device and I was able to enable SSL for Exchange ActiveSync and it worked.Anonymous
April 05, 2006
Ross, I'd like to learn more about this issue with certs. Would you mind sharing with me offline?Anonymous
April 05, 2006
Hi Huddie,
I added a forward link to a page where I discuss the intermediate certs. If that's not clear enough, please let me know how what information would have been more useful and I can try to add it.Anonymous
April 05, 2006
Until Microsoft remove the "feature" that lets operators lock the certificates like this I suggest people use the RoadSync software on a compatible Palm, Nokia, Sony Ericsson or Samsung device.
These are much cheaper than a WM5 device and even with the cost of RoadSync added it is less! Maybe if MS sell less WM5 devices they will act.Anonymous
April 06, 2006
Huddie,
Can you explain how you accomplished Adding Root Certificates for Exchange Activesync in terms I can relay to my IT staff back at corporate. I must get ActivedSync enabled and I do not understand your post.
Thanks...
- jmsAnonymous
April 06, 2006
jms:
There's an appendix in the new MSFP deployment guide that describes this process. Check out the link I added in the main post today and see if it meets your needs.Anonymous
April 09, 2006
Ok, so here's my strange story. We have a Tmobile MDA with WM5 and E2k3 SP2 server.
We replaced our first phone (suggestion: try that, it helped!). We replaced our self-signed cert with a $17 SSL cert from our registrar (Equifax Secure Global eBusiness CA-1)
ActiveSync AND Push are both working with the "connect using SSL" option turned off in ActiveSync. But it only works intermittently and I'm about to be told to get rid of the MDA and get a Blackberry.
Opening the OMA webmail site in PocketIE does not work and never has. I get the message about the cert not being trusted - and thanks to the posts here I believe I just need to install the CORRECT Equifax root cert to fix that.
The strange part? Everything - and I mean everything from Push to ActiveSync to the OMA site - works perfectly 24/7/365 IF the phone is connected to the computer and a wired Internet site.
It is ONLY when the MDA is wireless that ActiveSync fails with error code 0x80072eff. Once that happens it will never ever sync again until the phone is plugged back in and sync'd using the wires. It then works again for another totally random amount of time. For a busy travelling executive this is not an option.
I can't tell if this is a cert issue, a Tmobile connectivity issue, or a failure in ActiveSync to deal with connectivity issues. I seem to be so close!
Any thoughts?Anonymous
April 10, 2006
The comment has been removedAnonymous
April 12, 2006
Windows Mobile 5.0 Security Model FAQAnonymous
April 14, 2006
Another user here who is stuck because WM5 does not seem to support wildcard certs, although IE6 and Windows XP seem to have no problems with it?
Why the disparity between the two?
Another LOUD vote for wildcard cert support.Anonymous
April 14, 2006
The comment has been removedAnonymous
April 18, 2006
Saying you "Feel our pain" is not the same (by a longshot) as solving it. All the solutions presented so far are difficult, only work on some versions of WM, or require 'help' from the phone operator.
What a disaster.Anonymous
April 19, 2006
I have just been reviewing this on behalf of a mate at work who is trying to get his Xda Mini up and running with a cert. I notice Chris and Kotee above are getting issues similar to a timeout issue AFTER getting the Cert to work?
Please check my link above for reference as to how to sort this with the Firewall - the EAS (ExchangeActiveSync) will try and use a slidding window technique to push the heartbeat out to as much as 30 minutes if it can. If your SSL/HTTPS timeout value is under 30 mins you will be timed out before the next Heartbeat and it will fail - does this make sense? more at http://geekswithblogs.net/wallabyfan/archive/2006/04/06/74522.aspx
Hope this helps?Anonymous
April 20, 2006
Hi,
On Qtek 9100 WM5 + MFSP we success installing our self-signed certificate. (E2K3+SP2)
But we now have the following error code : 0x80072F17 (ERROR_INTERNET_SEC_CERT_ERRORS) Unable to end synchronisation. Try again later.
On the same configuration with the same cert, WM2003 device synchronisation are successfull.
Did you ever meet this problem ?Anonymous
April 24, 2006
Here was my situation -
OMA on Exchange 2003 was working perfectly without SSL. At the request of management, I had to add "RCP over HTTP" funtionality for connecting Outlook to Exchange over http, and that requires you to use SSL.
I tried using the MS CA tool to make my own cert, but RPC didn't work, and it caused the OMA to stop working. I tried removong the cert and CA tool, but the damage was done...After 2 days of searching for answers, I noticed that several articles indicated that a 3rd party CA might work better than Microsoft. I signed up for a godaddy turbo SSL cert and installed that on my server and the OMA device.
Now I was getting a "server could not be reached" error...(at least that was a new one!)
I realized that my watchguard firewall was using NAT to translate http requests from an external IP to an internal IP, so I set up a NAT forwarding rule the same way for https.
I tried it again, and then it reached the server.
Sadly, it now said that the cert on the server had a problem and to contact my administrator.
Since that's me, I read the godaddy cert installation directions (for the first time) and realized that I had failed to install the intermediate cert. So I removed the cert from the server and followed the directions this time.
Now the OMA device is synching up fine, though I still have to work on the RPC over HTTP thing. At least I got past the OMA issue and there is something to be said for following directions.Anonymous
April 27, 2006
"On Qtek 9100 WM5 + MFSP we success installing our self-signed certificate. (E2K3+SP2)
But we now have the following error code : 0x80072F17 (ERROR_INTERNET_SEC_CERT_ERRORS) Unable to end synchronisation. Try again later.
On the same configuration with the same cert, WM2003 device synchronisation are successfull.
Did you ever meet this problem ?"
same issue, and man did i try every thing on this page,,, no luck ,,, it would be nice to demo it to my managment before getting a $$ certAnonymous
May 02, 2006
The comment has been removedAnonymous
May 02, 2006
I stand corrected! I just imported a few intermediate VeriSign CAs (into the root store on the device) and now it all works fine.
There really does need to be a way of managing this centrally or something though if it's ever going to replace Blackberry with corporates.Anonymous
May 08, 2006
The comment has been removedAnonymous
May 18, 2006
Thank you all for usefull info in thís thread!!
I am now up syncronising my Qtek 8310 over internet to SBS2003/Exchange. WORKING AS A SWISS CLOCKWORK!
The things I had to do was changing in registry policy 00001017 as described above (Required registry editor).
+ Changing security settings in IIS:
Find "Microsoft-Server-ActiveSync" in IIS.
Right click on settings. Go to the tab Security and click on edit "IP Adress and domain name restrictions". There you can configure whom shall be able so sync from outside.
I am so happy!Anonymous
May 26, 2006
After attempting to get a few 700w's to work with our Exchange 2003 SP2 server, I was in the same boat as a lot of people here. I kept getting the "unknown publisher...blah..blah" message even after I attempted to install our companies root CA on the device (we issue our own certs). About 2 weeks ago I installed the MSFP for the treo's, then re-installed our company root CA cert and viola....Exchange push began working. It's been about 2 weeks since I installed the MSFP and there have been now issues from these devices at all. I sure wish Verizon would have shipped this with the phone or at least mentioned that the "push" ascpect would not work without it.
For those of you with 700w's crashing...sounds like you've either done something to your phone or simply got a lemon as we have a number of them and do not have that issue.Anonymous
May 30, 2006
Can anyone please help me....I have been getting the error code 80072F17 when attempting to activesync via SSL and digital certificate. I have an Imate SP5(WM 5.0) trying to activesync via Bigpond GPRS using a self signed certificate.
The Server it is connecting to is Windows SBS 2003+SP1 with Exchange+SP2. for example - The public name is mail.domain.com.au. The Sites common name that has been created on the certificate is mail.domain.com.au. My local server name is actually server.domain.local This certificate has been installed locally on the phone and I can see it listed on the phone, in Trusted Root certificate store. The certificate is also installed under the Intermediate Certification Authority, Trusted root Certification Authority, and personal certificate store on the SBS server. I have added the certificate by internet explorer and mmccertificateslocal computer. OMA works ok on the phone via internet explorer without getting prompted to install a certificate, I only get prompted for a username and password. I don't understand why I am still getting the error "unsupported digital certificate is installed" How do I create a Self signed certificate that is not a wildcard certificate?Anonymous
June 01, 2006
This whole issue is completely ridiculous. I had spent most of 2005 trying to convince my collegues and more importantly my bosses that we should adopt the Microsoft offering and move away from Blackberry, the way it is going I am picturing me eating a gigantic slice of humble pie!!
I have a smartphone (v1240) on trial from Vodafone at the moment and I have managed to install our company root certificate on there with no problems. However I am getting problems syncing over-the-air like most people. I am waiting for a Vodafone QTEK9100 to arrive soon which has WM5.0 for Pocket PC installed am I right in thinking that I should be able to get that working as it isn't bound by the security features open to mobile operators that the smartphone version of WM5.0 is???Anonymous
June 01, 2006
The comment has been removedAnonymous
June 06, 2006
Hi Everyone -
I'm seeing issues on here dating back to quite a while ago, so I wanted to put up a fresh post and see is any reccomended solution to this issue for WM 5.0 (it's clear there is one for previous versions).
I just bought a T-Mobile SDA and am trying to get it to sync with my company's exchange server. The challenge is that our certificate is not from a trusted source.
Q: Has anyone found a good way to turn off the check for WM 5.0? I realize the crtcheck tool will no longer work - will the registry change do the trick?
Thanks!Anonymous
June 06, 2006
The comment has been removedAnonymous
June 14, 2006
The comment has been removedAnonymous
June 19, 2006
The comment has been removedAnonymous
June 19, 2006
Hi Toby,
The answer is really "It depends on the device."
Have you tried the cab file method linked above? It works for all Pocket PC devices and some smartphones. We put the GoDaddy cert in rom for AKU2, so you may or may not have that one. You can check the ROOT store in the control panel on the device to be sure.
ScottAnonymous
June 20, 2006
I am havine a problem with my canada telus phone. my provider is telus. i have a moto q and i am trying to install a cert for exchange.
i have tryed the tools for verison,sprint and i get a lock message. "phone is locked"
i do not have write prmisssion to the reg i can view. i cannot rename system files delect system files.
the service provide is not aware of this problem or lieing.
is there a way to break down secutity on windows mobile 5
please respond.Anonymous
June 23, 2006
Some people said, that client certificates do not work with EAS on WM 2003. Here is the answer:
http://support.microsoft.com/kb/893707/en-us
I confirmed this today by Microsoft Support. You have to use a WM5 device AND to install the feature pack! Then it works...Anonymous
June 24, 2006
Right. Client auth isn't implemented for sync until MSFP.Anonymous
June 28, 2006
Has anyone found a definitive resolution for the root cert issues yet, I have root cert on device and am stool unable to connect. How can I suggest WM5 as an alternative to blackberries if they are unable to sync to exchange over SSL?Anonymous
June 29, 2006
The comment has been removedAnonymous
July 02, 2006
I hopes this helps others. I have sbs 2003 sp1 with exchange sp2 and tmobile SDA phone (build 14406.1.1.1).
Following the CAB method at the top, I was able to get it to work.Anonymous
July 06, 2006
I added the self-signed certificate to Motorola Q with pfximport tool. Now I receive "ActiveSync encountered a problem on the server" Support Code: 85010014". I think I am going to try importing via the CAB way. Hopefully that will work.Anonymous
July 24, 2006
PingBack from http://blog.kluka.net/2006/07/24/adding-certificate-into-windows-mobile-5/Anonymous
July 27, 2006
Did I miss something? Has anyone figured out how to fix the continuous password prompt issue? Setup is Verizon / Motorola Q...Anonymous
August 02, 2006
This is getting pretty old. I've tried every possible solution I can find on the 'net for SSL certs. I purchased a cert from Thawte. No issues with OWA. On the PPC, however, it's always any number of errors, most of which have been identified above. Turning OFF security works fine but I hardly want to leave THAT running.
Are we ever going to see a definitive answer/fix for this? If it doesn't work, SAY SO. It is causing great numbers of us to seriously look at tossing these things and moving to Blackberries. At least they WORK.Anonymous
August 02, 2006
If you're on a Pocket PC and the cert is not a wildcard cert, then you can definitely add the certificate using the CAB method linked, and that is the end of the troubles for this particular problem.
As for "ever", I can't comment on things in future releases until the release is announced. As soon as that's possible I'll be on here with the news.Anonymous
August 10, 2006
I have a motorola Q and have installed the cert on both the server and the Q. I get support code 0x80072F0D. OMA and /exhange work perfect but activesync gives me this error no matter what. Any thoughts?Anonymous
August 11, 2006
Try installing the certs with this tool: http://blogs.msdn.com/windowsmobile/archive/2006/08/11/sslchainsaver.aspx
That should eliminate any possible problems with installing the cert correctly.Anonymous
August 22, 2006
I heard from some colleauges that set this up succcessfully (after much hardship) that they used a verisign cert and my prob was a unsigned cert. I have previously installed wk2k3 server certs on the device by simply copying them across to the device and then clicking on them in file explorer and it automatically installs the cert. Now that I've finally for the ssl cert from verisign it works fine when connecting to owa but when I try to install it on the device it says "Error - Cannot access certificate" Aarrgggghhhh!!!!1Anonymous
August 23, 2006
I have been working on our WM5 and SSL for a number of weeks on and off, reading many comments from users with the same issues. I have now resolved the issue and it is working.
For those with the same problem I am posting this information that it may save you some time and stress.
We are using internal CA on W2K3 server and have O2 XDA Exec and mini WM5 devices. I confirmed that the devices are not locked by the supplier and I can install a root Cert without any supplier software.
This was my procedure:
Get a copy of p12imprt free on www. Install it on the WM5
Get a copy of the cert from the exchange.
In IIS, go to the default web site
Click on “Directory Security” TAB
In the Secure Communication section click “View Certificate”
Click the Details TAB
Click Copy to File. Next
Select “Yes, export the private key”. Next
Check “Include all certificates in the certification path if possible”. Next
Enter the password (You will need this password to install the certificate). Next
Choose where to store the cert and name. Next
Finish
Click “Copy to File” again
Next
This time select “No, do not export the private key”. Next
Check “DER encoded binary X.509 (.CER)”. Next
Choose filename and location (call it a different name than the previous process so that it is easier to identify. Next
Finish
Copy the certificates to a machine that will sync with the WM5 device.
Use the ActiveSync “Explorer” to move the certificates to the device.
On the device, browse to the DER format file first and click it, this will prompt to confirm you want to install the certificate. Click Yes.
Run the p12imprt utility on the device,
Browse to the location of the PFX Certificate and select it.
Enter the Password and click "import certificate".
With the WM5 device connected to the machine with a sync cable. Synchronise the device. It should look for changes and update the device.
Now disconnect the WM5 device and it should be ok.
Issues to what out for.
The certificate needs to be trusted. Just because it is in the trusted root on the WM5 it does not mean that it is working. If there is a problem with the certificate it will not sync and if you will get an error code like 80072F17 in this case it points to a problem with the certificate but does not tell you what the problem is exactly. If you connect it to the machine with the Sync Cable the error messages are a little clearer.Anonymous
August 24, 2006
VZW_SpAddCert.exe is what solves the problem for all VZW phones, including the Q, get it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=5D7E27EE-4654-480C-876D-442AED8F47AE&displaylang=enAnonymous
August 24, 2006
oops, forgot instructions!
put the VZW_SpAddCert.exe file in the root of the device's file system. then create a directory called "storage" and put your .cer file in there. However, make sure that the .cer is a root authority certificate and that it is in the DER encoded binary format. have fun!Anonymous
August 29, 2006
Even after successfully installing an SSL certificate, I continued to get the username/password prompt when syncing my T-Mobile MDA. What finally fixed the issue was adding basic authentication to the /microsoft-server-activesync/ directory on the Exchange server.Anonymous
August 31, 2006
I have been having this issue with the T-Mobile SDA as well and do not want to give in. Could the person in the previous post, provide all the details. ThanksAnonymous
September 05, 2006
The comment has been removedAnonymous
September 13, 2006
I have a Sprint 6700 Running WM 5.0. Exchange is at SP2. I used the pfximort tool, copied my root certificate from my CA and have everything working fine. I'm able to both send and read encrypted email. The problem I seem to be having is that if I lose sync. Power device off or break the connection in someother way my personal certificate gets removed from the certificate store. Any Ideas?Anonymous
September 14, 2006
Having major issues getting my WM5 iPAQ rw6828 to do an over the air ActiveSync with my Exchange Server 2003 SP2. I have a Godaddy cert specifically for the front-end exchange www.domainname.com. The iPAQ can connect to the https://www.domainname.com/exchange without any worries using IE, but I still get the 0x85010014 error support code when I try to do an activesync. This error code is extemely non-specific!!! Can someone lead me in the right direction? - Please!Anonymous
September 23, 2006
George, I'm having the same problem on an iPAQ 6945. Were you able to fix your problem?Anonymous
September 26, 2006
all the instructions I've seen about installing a root cert on the Q deal with .cer files...but exchange only gives the option to export to .pfx format. ARRGH!!! How the heck do you convert the cert into the .cer format???Anonymous
September 30, 2006
Hello,
I've tried many things but i still get the "please correct your exchange server password" prompt.
i've reset my pass. got a legit SSL from verisign, removed compression or something - not really sure.
any other suggestions. i'm 99Anonymous
September 30, 2006
It's common to get that prompt if you've used the certchk tool or a registry editor to set the old "DisableCertChk" key. That key won't work on a WM5 device and it's likely you'll get the neverending password prompt if you to set it. Does that match your case?Anonymous
October 05, 2006
Well there is a ton of info on this site about the problem im having but no clean answer. sbs 2003 latest sp, exchange server with laters service pack. cingular 8125. Personal signed root cert. not purchased. Cert is on the 8125 in the root certs. Can access oma, and even exchange remote and do not get any cert errors. when i try to sync all i get is a reenter password prompt. Is this a problem with a personal signed cert? im lost. I do not want to disable ssl though disabling it allows syncing.Anonymous
October 10, 2006
The comment has been removedAnonymous
October 11, 2006
The comment has been removedAnonymous
October 31, 2006
We only use self signed certificates and do not have any issues at all with installing them on our HP hw6965 phones so I can not see how it is MS issue, I would be talking to your phone manufacturer.Anonymous
November 01, 2006
Ok - I've got a cingular 8125. I've done the regedit and changed 1001 & 1005 to the proper values. I copy my cert over - when I attempt to install it I still get 'Cannot access certificate'. I thought my device was unlocked and I could now install. What's gone wrong. Any pointers for the 8125 would be appreciated.Anonymous
November 20, 2006
If you are getting the "cannot access certificate" error, then the .cer file is either in the wrong format or has been corrupted. Make sure your certificate is is "DER" format or else you'll get this error. Hope this helps! -WestonAnonymous
November 20, 2006
I have the Cingular 8525 phone. I tried using the SslChainSaver to create two new certificates, the root.cer and the leaf.cer which I then copied to the Windows Mobile 5. Now when I run the Exchange Active Sync, I no longer get the certificate error. However, the login to the Exchanger Server 2003 SP 2 never gets past the password prompt. To the best of my knowledge I have entered correctly the password correctly. Does anyone have any suggestions at this point? Thanks.Anonymous
November 22, 2006
I have an HP hx2495b PDA, and we have a self-signed cert on our ISA server. Ok - so how do I get OMA to work? I understand I have to have a trusted cert, but after reading these messages, from whom do I purchase one? It seems that even a trusted cert may not necessarily allow this work correctly. Please help!Anonymous
December 08, 2006
Thanks Lee for your instructions below, they stopped me from really loosing it! I have been working on our WM5 and SSL for a number of weeks on and off, reading many comments from users with the same issues. I have now resolved the issue and it is working. For those with the same problem I am posting this information that it may save you some time and stress. We are using internal CA on W2K3 server and have O2 XDA Exec and mini WM5 devices. I confirmed that the devices are not locked by the supplier and I can install a root Cert without any supplier software. This was my procedure: Get a copy of p12imprt free on www. Install it on the WM5 Get a copy of the cert from the exchange. In IIS, go to the default web site Click on “Directory Security” TAB In the Secure Communication section click “View Certificate” Click the Details TAB Click Copy to File. Next Select “Yes, export the private key”. Next Check “Include all certificates in the certification path if possible”. Next Enter the password (You will need this password to install the certificate). Next Choose where to store the cert and name. Next Finish Click “Copy to File” again Next This time select “No, do not export the private key”. Next Check “DER encoded binary X.509 (.CER)”. Next Choose filename and location (call it a different name than the previous process so that it is easier to identify. Next Finish Copy the certificates to a machine that will sync with the WM5 device. Use the ActiveSync “Explorer” to move the certificates to the device. On the device, browse to the DER format file first and click it, this will prompt to confirm you want to install the certificate. Click Yes. Run the p12imprt utility on the device, Browse to the location of the PFX Certificate and select it. Enter the Password and click "import certificate". With the WM5 device connected to the machine with a sync cable. Synchronise the device. It should look for changes and update the device. Now disconnect the WM5 device and it should be ok. Issues to what out for. The certificate needs to be trusted. Just because it is in the trusted root on the WM5 it does not mean that it is working. If there is a problem with the certificate it will not sync and if you will get an error code like 80072F17 in this case it points to a problem with the certificate but does not tell you what the problem is exactly. If you connect it to the machine with the Sync Cable the error messages are a little clearer.Anonymous
December 15, 2006
did someone fix the problem with disappearing personal certificate? my cycle- creating connection through AS to Exchange. getting the message on PDA - install certificate - press ok - working fine until i reboot the PDA. in Certification, there is nothing on Personal tab ... any ideas?Anonymous
December 27, 2006
On the Treo700w, all I needed was the certificate file. I was required to export the certificate file from the mail server to get a compatible format, .cer. Once the file was transfered to the phone, I opened with with the file explorer. The new certificate was imported, and mail flow resumed. I hope this helps, the one piece that I was missing was how to get the .cer file as my provider, Network Solutions, did not provide that format.Anonymous
December 29, 2006
Damo, thank you!! I was just about ready to pull the rest of my hair out on a new Verizon Treo 700W here. Anyone have ideas on why Verizon's utility doesn't seem to actually add the certificates in a working manner?Anonymous
December 30, 2006
Damo, I followed the proecedure to the letter, got the certificates instaled to the Personal Store on my WM5, but when I try to send email I get msg cannot encryptAnonymous
January 03, 2007
The comment has been removedAnonymous
January 08, 2007
Ladies and Gentlemen, Microsoft may have actually helped everyone who has been dealing with this problem: Microsoft Exchange Server ActiveSync Certificate-Based Authentication Tool http://www.microsoft.com/downloads/details.aspx?familyid=82510e18-7965-4883-a8c3-f73f1f4733ac&mg_id=10095&displaylang=en Overview The Microsoft Exchange Server ActiveSync Certificate-Based authentication tool provides several utilities to assist an Exchange administrator in configuring and validating client certificate authentication for Exchange Server ActiveSync. These utilities include: · A tool to assist the administrator in configuring certificate enrollment for mobile devices connecting to Exchange Server 2003 Service Pack 2. Specifically, the tool will help the administrator populate the Active Directory with the following information to be used by the mobile device when enrolling for a certificate: o Certification authority (CA) server name o Certificate template that will be used o Other settings, such as custom Web enrollment URLs Because the tool writes information to the Active Directory, it must be run by someone with domain administrator privileges. · Additional tools to validate that a mobile device can successfully retrieve the above configuration information from the Active Directory. · Documentation outlining the server configuration steps necessary to enable & require certificate-based authentication for Exchange Server ActiveSync.Anonymous
February 09, 2007
For those who are having a problem installing an SSL certificate on a T-Mobile Dash with WM5, make sure you export the certificate as a DER format file with a .cer extension as explained above, then copy to your phone and "run" it from "File Explorer". You don't need to create a .CAB file as explained on some other WM5 postings. This worked great with the new GoDaddy root certificate that they started using in early 2007 or late 2006 instead of the Valicert root they used to use.Anonymous
February 13, 2007
The comment has been removedAnonymous
February 15, 2007
I purchased a GoDaddy Turbo SSL Cert as recommended by Brian C. and it works! No need to install .cer into my T-Mobile Dash, just installed server cert and intermediary cert on Exchange front end server and voila. Thanks to this blog for the help!Anonymous
February 28, 2007
I have an interesting problem. I have a server that has a GoDaddy cert on it...everything is fine. I installed a new cert from GoDaddy (old one was expiring) and now I get this error. Flipping back to the older (not yet expired) cert and everything is fine...but the 10 year renewal cert tanks.Anonymous
February 28, 2007
Managed to get the Microsoft Exchange server connection to work on a Verizon Motorola Q using the following steps
- Connect the motorola Q to your PC
- Download the VZW_SpAddCert.exe from the Microsoft site
- http://www.microsoft.com/downloads/details.aspx?FamilyId=5D7E27EE-4654-480C-876D 442AED8F47AE&displaylang=en
- Connect the Motorola Q to your PC
- Wait for the ActiveSync connection to be established
- Start explorer and select “Mobile Device”
- Copy VZW_SpAddCert.exe to the folder WindowsStart MenuAccessories
- Create Storage folder on the Q
- Copy the *.CER file to the folder Storage
- Click on Start on the Q
- Scroll down to the bottom and click on accessories
- Click on the VZW_SpAssCert Icon
- The Certificate details should now be visible on the screen
- Follow the instructions on the screen to confirm the installation
- Restart the Q
- Anonymous
February 28, 2007
The comment has been removed - Anonymous
March 05, 2007
My problem, by the way, turned out to be a cert issue with the intermediate cert (which GoDaddy changed around Jan 2007). If you are in my situation (installing a renewal godaddy cert and everything stops), do the following:
- Follow GoDaddy's complete instructions for installing the intermediate cert. While browsers are okay with the old one, mobile devices aren't.
- go into your trusted root authorities on your server and remove the "Godaddy" cert (not the valicert). The second step is effectively undocumented and I only learned it when I gave up and called their support. Steve
Anonymous
March 06, 2007
I've always wondered why most people end up implementing blackberries i think i now know why, as usual microsoft making a complete mess of implementing activesync!Anonymous
March 12, 2007
I do not recommend my customers to by WM5 on SmartPhones and other devices that has certificate problems. It has become to expensive to install certificates. More people do the same. That will teach MS to listen over time.Anonymous
March 21, 2007
Actually, the WM5 devices broadly recognize the most certs, and most of the devices released in 2006 do have valicert support. That's much, much better than "hard" cell phones such as Nokia and Sony Ericsson, which typically recognize only a handful of root certs and have no way of adding more. MS-based smartphones are by far the best in this area! For our commercial servers (we are a mobile services provider) we've been forced to go with Verisign as it is the only root cert recognized by everything.Anonymous
March 22, 2007
Wild card certificates can be installed. It's a pain, but doable:
- Find the Mobile Registry editor. Google it, it comes up easily.
- 5. Navigate to this key: Hkey_Current_UserSoftwareMicrosoftActiveSyncPartnersUID_Server_partnership where UID_Server_partnership is a long string easily identifiable by the domain of the server that you are trying to reach in the right hand pane.
- Right click on the UID_Server Key and create a new DWORD key called secure, value 0 This does the same thing as the utility crtcheck took in WM03 You will also have to have imported your wildcard cert into your store, methods listed on this page worked for me on an 8525 HTC using a Network Solutions wildcard cert. My HTC did not need a reboot, but other devices might. Good luck...
Anonymous
March 25, 2007
We bought a VM5 for development use. We are rather big smart phone development, house, but so far we have only done Symbian development. But I can not event take the VM5 phone into use, since I can not install our root certificate to the device. I can not recommend Windows Mobile 5 phone to anyone. Windows mobile 5 is a disappointment.Anonymous
March 29, 2007
Lack of support for wildcard SSL certificates (*.domain.com) on Windows Mobile is very disappointing. Microsoft claims to have made security a top priority, but disabling certificate security enforcement with a registry change makes mobile computing less secure. This change would allow an attacker to spoof the server's identity. This undermines the purpose of the certificate, which is to authenticate the identity of the server. This is standard certificate functionality to most client software (browsers, OSes, etc.). This shouldn't need a feature request. A patch should be issued.Anonymous
March 29, 2007
Microsoft put their name on the SPKI RFC at http://www.ietf.org/rfc/rfc2693.txt which allows for wild cards. While this RFC is experimental in RFC terms, wild card support has been widely adopted by 3rd party CA's, CA software (including Windows Certificate Services) and client software (including IE). I don't understand why this isn't a standard supported feature for Windows Mobile.Anonymous
March 29, 2007
We've already added wildcert cert support in WM6. The security risk of disabling the checks is one of the major reasons that the flag is no longer supported.Anonymous
March 30, 2007
The comment has been removedAnonymous
April 12, 2007
The comment has been removedAnonymous
April 25, 2007
We've recently built an application that makes all this so much easier. It extracts and builds the _setup.xml correctly. Then it puts it in a cab file. Finally, a desktop deployment tool is built for the end users to run. http://www.digitallabs.net/mcb/default.htmAnonymous
April 26, 2007
I am not a hi tech sys op, just a business owner setting up my own system with push pull email with WM5 and a 2003SBS with MSExchange with SP2. I have a fixed IP address that does not have a internet domain name, in the past we have entered our corp IIS via a number like 2XX.8X.2X.4X and it worked fine. I understand that I have to get a SSL cert, which I have purchased via Godaddy, however, I have hit a road block as they ask for a Common Name for the cert. and as I do not have a domain name I am guessing a SSL will not work with a ip address number. Can any one advise?Anonymous
May 13, 2007
I'm guessing GoDaddy won't sell you a SSL cert for a IP address. You are probably going to have to get a domain name for that IP in order to purchase a cert for it from a major vendor. Alternately you could create your own self-signed cert for that IP using an internal CA and then deploy that cert to the devices. Getting a domain name is far easier though.Anonymous
May 21, 2007
The comment has been removedAnonymous
May 29, 2007
For error you had to see http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.phpAnonymous
July 05, 2007
The comment has been removedAnonymous
July 06, 2007
I just upgraded to WM6 and now I am unable to reestablish syncing with the Exchange server. I have readded the cert provided by IT with no luck. The error I get is that the cert on the server is not valid. Is there a new cert for WM6 that is required? Thanks!Anonymous
July 09, 2007
Allow me to elaborate from my post of July 6. U am using a T-Mobiel Dash and I upgraded from WM5 to WM6. Prior to the upgrade all of the functions sync functions were working normally with no problems or exeptions. After the upgrade the cert was readded to the phone and the email account was readded with the exact same settings and info as before. Since then I get the old Support Code:80072f0d error. All other variables are equal. Same phone, same provider, same cert, same settings. The only difference is WM6 vs. WM5. Please help.Anonymous
July 19, 2007
The comment has been removedAnonymous
July 30, 2007
I didn't read this entire page so I don't know if this has been answered or not, but... I have a Mogul with WM6, and I have been setting up ActiveSync to Exchange 2007. After futzing around with a few of the cert issues mentioned here, I (a) replaced the default cert in my IIS root for Exchange with one generated by my AD CA. Then, on my device, I browsed to the URL that is hosting the /CertSrv/ directory (use https, click past the warning that the cert isn't trusted, you'll only have to do this the first time), then click to install the root certificate. Evidently, by installing it from IE on the device the cert is placed in the correct store (just clicking it in explorer places it in the wrong store). After doing this voila, Exchange started syncing.Anonymous
July 30, 2007
Hey Brett, could you send me a mail with the details or a copy of the cert? I definitely want to know why it got installed into the wrong store for you. You can mail me through the form here: http://blogs.msdn.com/user/Profile.aspx?UserID=13079 Thanks!Anonymous
August 09, 2007
The comment has been removedAnonymous
September 21, 2007
Mark, Did you figure it out? I have a dash and upgraded to WM6 and it won't connect to the exchange server. I receive error 0x80072f17 Anxiously awaiting your findings, BobbiAnonymous
October 15, 2007
Found an easier way to do this... don't know if it has been mentioned in the above comments; although I thought I would help. I exported the key from Internet Explorer on a current PC that has the self-signed certificate installed on it. I then moved the .cer file to the Windows Mobile Device, and had the end user go to My Documents and click the .cer file. It installs the certificate and then from there they were able to synchronize with the server. It worked for me; so I hope this helps someone out there. Dustin quicktechAnonymous
November 07, 2007
Re Dustin's solution didn't work for me. Certificate installs OK but still get same error.Anonymous
January 24, 2008
- Installing root certicate from EAS administrator
- Installing certificate that I am redirected from when going to https://webmail.alegent.org SPaddcert would not work but when I clicked on them individually it installed and shows as installed equifax global and local...
- Changing registry setting to secure = 0 from 1 to disable certificate checking all together on the phone under airsync, connections, secure tab.
- Installing RoadSync from DataViz that shows EAS 2007 support on SP 2003. Any insight to how I might be able to use the only windows phone my carrier has to offer would be appreciate. Thanks, Drue@alegent.org
Anonymous
January 25, 2008
#1 isn't going to help you - wild card cert support comes in WM6. I would expect #3 to work though. (on SP2003, back when that reg key was supported)Anonymous
May 02, 2008
The comment has been removedAnonymous
December 15, 2008
to the guy with the 'gasoline analogy' you're missing the point. this is like trying to run a gasoline engine on bio diesel. Or better yet trying to run a coal powered locomotive with nuclear fission. Apples and oranges, just be lucky there is a way with software that eventually they can make it work (given time and money).