Exchange 2007 and windows mobile / active sync issue

[guest]

I have a client that has an exchange 2007 server. They just replaced the certificate that was expiring with a new one.

Their users have many phones such as droid, blackberry, and windows mobile

the windows mobile phones are now having an issue. They will not sync any email at all. The certificate seems to be good as outlook, OWA, black berry's, and droids all work..

Any ideas?

[guest]

The issue is that after your exchange replaced a new certificate, your windows mobile cannot access your exchange mail or calendar.. The cause is that when the first time your windows mobile connects to exchange either through Windows Mobile Device Center (desktop connection) or exchange direct access, it will download and install the certificate of exchange on the mobile device, but since your exchange server replaced to a new one, i think that your mobile device didn't have a chance to sync with exchange to download a new certificate, that's why it cannot connect to exchange.

Now what we need to do is to download the certificate from exchange and then install on mobile device. There are methods: Throughing Windows Mobile Device Center or through OWA download directly. I recommand your users to use WIndows Mobile Device Center to enroll the new certificate.

Here is the detail steps:

1. Download Windows Mobile Device Center setup software and install the Windows Mobile Device Center on your desktop: http://www.microsoft.com/downloads/en/d ... laylang=en (Note that this software has different version for different OS platform, please be attention to the version selection)

2. Restart your computer. Attach one end of the data cable to your Windows Mobile device. Attach the other end to your computer's USB port.

3. Wait for the Windows Mobile Device Center to launch and detect a connection. Click "Next" at the setup window.

4. Select Microsoft Exchange from your computer's list of programs and files. Click "Next." Select the Microsoft Exchange Certificate from the drop-down menu.

5. Click "Next" once more. The synchronization will begin. Click "Finish" when it is complete.

The windows mobile device center will download and install the certificate for you automatically. We think it's the easiest way to enroll the certificate for your users. If you still has touble on that, please feel free to let me know.


--------------------------------------------------------------------------------

[guest]

The phones that are having the issue still are all windows mobile version 6.1

The certificate was 1024 now it is 2048

Does windows mobile 6.1 have a problem with the stonger encryption of the certificate?

[guest]

Thank you for your latest upate. Actually Windows mobile supports 2048 encryption certificate. So now what's the error message do you recieve when you try to sync with Exchange? Do you have the exact error code? If you can give us the error code, then we can decide how to fix it.

Meanwhile, what does your certification come from? Is it a 3rd party trusted CA signed cert or a self-signed cert? If your exchange SSL cert is expired or is a 'wildcard' cert or is a self-signed cert. The formal cert should be signed by a trused 3rd party CA like verisign. But if you are using the self-signed cert, you may face this situation on some devices with strong securty protect. To confirm this: You can use this device to access OMA by https://Exchange_FQDN/OMA. If the certificate is not trusted in your device, you will encounter a Security Alert including sentence as below: "This security certificate was issued by a company that you have not chosen to trust". When you click Yes, you can continue accessing mailbox by OMA. If so, this means that the cert is not trusted on the device.

To avoid this, you may try such steps to disabling the cert checking on windows mobile device, this could make you vulnerable to the security attack. So this method is not recommanded from Microsoft, but I just write to for your information. please note that this has the security risk.

You can find such registry on your windows mobile using some registry edit tool for windows mobile:

Hkey_Current_User\Software\Microsoft\ActiveSync\Partners

Here you should notice 2 sub-keys, both with a unique UID. One is set up for the ActiveSync Partnership with your PC, the other is set up for the partnership with your Exchange server. Fortunately, it is fairly easy to distinguish between the two. Simply highlight one of them, and look at the different values. You'll see pretty quickly which one is for your Exchange server. While the partner key for your Exchange server is highlighted, create a new value with the following parameters

Type: DWORD
Name: secure
Value: 0

Then you can disable the security checking. We will not support such behavior, so please don't easily try that.

Please understand that if you can provide the error code, then we can get some hint from that. The steps above is just based my experience and for your reference. Here is the detail steps for certificates on Windows Mobile Devices: http://technet.microsoft.com/en-us/libr ... 82295.aspx


--------------------------------------------------------------------------------