exchange ssl problem with 700p - Page 3

jim_johnston · 08/11/2006, 02:59 PM

The easiest way to resolve this problem is just to disable (uncheck) "Use Secure COnnection (SSL)" in the advanced setting. Some IT departments may only allow external access over SSL to the exchange server. If they are, then they need a cert signed by one of the authorities listed by palm, link above in thread. I am not sure why palm does not allow you to add a self signed cert to the device. Many people (myself included) just want the encrypted connection and don't really care that it is a self signed cert. This used to be a problem in Windows Mobile 2003 and you had to actually downlaod an applet from MS to turn of SSL on the device. It was one of the most common questions posted to boards. It has become easier with WM5.

So bottom line, there are only two options, add authority signed cert to server or disable SSL. The later is not that big of a deal as everyone makes because it would take a pretty sophisticated exploit/hacker to get to your data once it hits the cell data network. IMHO...

Glitch010101 · 08/11/2006, 03:53 PM

We enforce SSL connections to our webmail server because users connect from all sorts of networks and devices, including unsecure wifi access points on the road.

Because SSL is forced, the Treo must support it!

Luckily, the $20 godaddy turbo cert described above worked perfectly! Installing the cert on IIS is a little tricky. Be certain to follow the instructions for installing the intermediate cert to the letter! Once you do, install your $20 cert, and voila, your server is trusted by browsers and treo's everywhere!

vikas3576 · 10/22/2006, 05:54 AM

Expert throw advice.

I have Exchange 2003 on windows 2003 small business running Outlook via web on dynamic DNS setup. I was all ok before upgrading to versamail 3.5. Now that I realized that I cannot use self sign certificate and want to go ahead with godaddy turbo ssl cert, will the SSL cert from godaddy can be used for Dynamic name. My Dynamic name is like this (apple303.dyndns.org) and domain name (www.apple-world.com).

Help me out guys. Thanks in advance

boe · 02/19/2007, 09:02 AM

Any update - is go daddy the only cheap way or is there a way to enable a certifcate?

vikas3576 · 02/19/2007, 11:53 AM

YEs until now only godaddy ssl is solution

Izzy1700p · 02/20/2007, 03:14 PM

I bought the GoDaddy Cert for $20, installed to the tee, and when i try to sync i still get an ssl error. Air Sam statemachine c 1913 14721. When i checked the error Palm says the fix is making sure ssl is checked and port is correct. But by default its already using port 443 which is to my knowledge secured by the ssl i installed.

Any help would be appreciated thanks.

boboche · 02/28/2007, 05:18 PM

I get the exact same problem, I've doublechecked the certificates installation procedures on IIS6, and my palm 700p ends up with the same error message. I also have a TurboSSL certificate from Godaddy.

I've also installed the Versamail EAS patch (dated 2007) on palm's website, still no luck.

I find the new palms still to be extremely unpleasant to deal with from an administrator point of view. Also, There's NO reason not to force self-signed certificates on the device, I wouldn't care if it would be a 200 steps procedure; it should be an option.

And as for versamail, It's still buggy at revision 3.52 , impressive, such a little app, not a huge code tree, and you still end up with issue where you have to create additionnal dummy accounts to get the Exchange ActiveSync option to appear again when creating a new account (even if there's currently NO activesync accounts added in versamail), etc.

Good thing there was a workaround. People blame microsoft for sloppy software, well, I find no excuses for such issues on embedded-type of software. We're in 2007, there's still duplicate contacts issues happening, etc... god.

Ok ranting off, if anyone has a fix or a workaround for this error code, this forum pops up high in the google search, so post this solution below and you'll probably help 100s of people!

B.

salliecookies · 03/11/2007, 03:02 PM

First, we have successfully connected treo 650 from cingular on medianet with exchange server activesync and synced email, calendar, and contacts.

Second, we did have problems.

Running sbs 2003 server, godaddy turbo cert, treo 650 cingular medianet with versamail 3.5.

1 upgraded versamail to 3.5 didn't install eas patch for direct push since phone is with cingular.

2 had error message stating ssl cert wasn't trusted. (we need ssl so unchecking as suggested was not an option and not recommended)

3 purchased $20 a year turbo cert from go daddy root authority valicert which is trusted by palmos. make sure name on cert is same as what you are authenticating with on treo settings. i.e. if it is mail.server.com you want your cert to be mail.server.com listed with godaddy and you want mail.server.com to be the settings in your treo. that way they all match up and are trusted. when you browse to the mail webpage you should not see a dialog popping up about certificate with ie or firefox.

4 encourted problem. still had error message. i noticed by browsing to mail.server.com/exchange that the certificate was saying issued by go daddy which it still does in current working setup but i thought i may see something about valicert which i didn't. i used the palm blazer web browser went to my owa mail.server.com/exchange and got an error message saying invalid certificate do you want to proceed. i called go daddy troubleshooted with sysadmin double checking discovered problem on their end with cert being authenticated by valicert. go daddy called back and problem resolved.

5 tested site again with web browser and didn't give error message about invalid cert. tried to sync with treo 650 to excange server and still no luck. the error message this time was later on in the process and not about ssl. different error message was a good sign.

6 changed login settings for versamail user authenticating to exchange server. test settings and got a success. i needed to add the domain to the username like you do for rpc like DOMAIN\user. everything else is the same. we're ussing ssl so 443 is checked. test the settings and make sure you get a success message.

7 tested an all sync with contacts, email, and calendar from both endpoints treo and outlook and changes showed up. i am getting an error message intermittently, perhaps from bad service where i'm at so i will know later today. most likely, i'm thinking it is an authentication issue with the directory on the server since we are running sbs. it's a different error then i have seen before it's like 1.1 500 http or something. seems more generic to all mobils using activesync. i found a good read about it perhaps here. http://support.microsoft.com/?kbid=817379 won't know until later for sure with this issue though.

8 everything works!

Final thoughts! it's been fun. I'm glad it is possible to sync the treo 650 from cingular with an exchange server. I hope that in the future it is more simple and easy for others. I registered here hoping to help others. Maybe if we complain palm will notice and do something about homegrown certs. maybe allow us to import the certificate to the treo or add a lookup feature. maybe disable the need for the cert with server. i don't know but i hope it gets more easy!

Good luck

I hope this helps if you have questions feel free to ask.

grim02 · 03/21/2007, 12:13 PM

Hi all,

I've had this issue ever since upgrading to the 700p when it was released. I had to switch to Chatter and the EX plugin. But after looking at this updated thread, did anyone try this link:

http://www.palm.com/us/support/downl...rtmodtool.html

It seems to be a tool that allows you to add a certificate to the device. It was at the bottom of Palm's site that describes the issue. I'm going to give it a try - maybe someone else can try to and see if it helps.

grim02 · 03/21/2007, 02:40 PM

Good news on my end - the solution posted in the link above is working perfectly. Using the tool, I was able to add 2 certificates from my computer to my 700p. I can now sync without the certificate error, and push is working perfectly.

To get the certificate, I went to my OWA site for work. This downloads the certificate into the browser. You can then go to Tools -> Internet Options... -> Content tab -> Certificates... -> Trusted Root Certification Authorities tab. In the list of certificates, look for any that relate to where you work in the "Issued To" column. There were 2 that related to my company. Select them and click Export... Choose where you would like to save them and give them a name - it can be any name, it doesn't matter.

When finished, you can then use the tool described in my previous post to create a .pdb and hotsync to your device. That worked for me.

Good luck!

canosatien · 06/21/2007, 03:10 AM

Does this work if my server also has an ISA firewall in front? I have exch2007, any difference from 2003? In the server setting, do I need to put HTTPS:// in front of my domain - mail.domain.com/owa? Anyone have a simple step by step howto for filling out the information? Thanks.

computanium · 08/10/2007, 11:55 AM

GoDaddy certs. What was said about certs by both parties is true. GoDaddy cert will work, but only if Exchange 2003. If you ever upgrade to Exchange 2007, the GoDaddy cert will create NIGHTMARES. Exchange 2007 secures e-mail both internally and externally, and you can't use both names on a GoDaddy cert. So with GoDaddy, if you cert your OWA / Direct Push, users internal to the network will get a certificate error every time they open Outlook regardless of the Outlook version.

Only the big name companies that sell trusted root authorities support using both names (I believe, if I recall correctly, that this is the subject portion of the certificate) will work with Exchange 2007, so beware! That $20 cert may work for now if you're using Exchange 2003, but you will have to change that certificate out if you upgrade, and GoDaddy is not currently an option. . . and don't be fooled by thier multi-domain name cert (the 6-in-1 cert).

jedwards · 02/17/2008, 11:21 AM

Give this a try. Exchange worked with VMail 3.1 on my Treo 650 and when I upgraded to v3.5 it still worked. I recently had to zero out on my phone and when I installed v3.5 and set up my account, it gave me the certificate error. Did the certificate Mod and that didn't work. So I went back to the older version, set up my account and synced mail, contacts etc. Then I installed the newer version basically 'upgrading' keeping all my previous settings and it worked fine. Installed the EAS update and I now have direct push. Sometimes you have to come in the back door with these apps.