Clarification on Syncing and SSL


Post by usenet » Thu Jan 05, 2006 3:07 pm

I have searched all over the web and am still looking for a definitive
answer to an issue I am having with SSL/Certificates and Activesync 4.0.

-I have an IPAQ 2495 running Windows Mobile 5.0.
-I cannot sync with Exchange 2003 SP1 when SSL is enabled on device and
Microsoft-Server-ActiveSync Directory in IIS. I get an Invalid Certificate
error.
-I can sync with Exchange 2003 SP1 when SSL is disabled on device and
Microsoft-Server-ActiveSync Directory in IIS
-I am using a Startcom free certificate on the IIS OMA
-OMA/OWA work fine.
-I would like to have SSL/Certificates running to ensure security when
remote clients are Active Syncing
-Do not want clients to have to use OMA as it does not support attachments.
Want them to be able to use the messaging client in the Windows Mobile
device.

What I have tried:
-Importing Startcom certificate onto PDA
-Running Disablecertcheck (cannot get it to run on my Windows XP Pro laptop
or Exchange server)

Questions:
-Is Disablecertcheck supposed to be installed on the exchange server or
client machine? Is it compatible with XP Pro?
-Would getting a certificate from a more reputable (expensive) organization
(Verisign, Thawte) fix the problem?
-Any other thoughts on how to make this work?

Thanks in advance!

Re: Clarification on Syncing and SSL

Post by usenet » Thu Jan 05, 2006 5:44 pm

"Michael D. McGill" (Thu, 05 Jan 2006 10:07:33) had
thoughts about "Clarification on Syncing and SSL":

So when you try oma on your ipaq are you prompted to accept the cert or
does oma just work? Disable crtchk needs to be run from whatever computer
your device is syncing from but that tool doesn't work with WM5 so in your
case it doesn't matter. If you can get the root cert onto the device then
that should fix your problems as well. Having a cert from Verisign or
Thawte would most likely work as the root certificates for those places are
already on the device. Another option is to run your own certificate
authority but that causes problems for people connecting with machines not
on your domain. For testing purposes it's worth a shot.

---
Eric Hicks [That_Kid](MS-MVP Mobile Devices)

The MS-MVP Program - http://mvp.support.microsoft.com This posting is
provided "AS IS" with no warranties, and confers no rights...

***Posted via my Apache(PPC6700) WM5 Device***


Re: Clarification on Syncing and SSL

Post by usenet » Fri Jan 06, 2006 11:04 am

I am facing the same problem. Also, will this SSL sync work with a wildcard
self-issued cert?

Re: Clarification on Syncing and SSL

Post by usenet » Fri Jan 06, 2006 7:36 pm

Thanks for the response.

I have already tried installing the root cert but no dice. I am by no means
an expert on certs but the startcom one requires an intermediate cert, maybe
this is causing the problem. I think I should just go with a more reputable
cert and see if that fixes the problem. Was hoping to save some $ with the
free startcom cert. Oh well.



Re: Clarification on Syncing and SSL

Post by usenet » Tue Feb 14, 2006 11:19 pm

To follow up on this - it is possible to use a startcom cert once you go to
their site, download the root cert, and install it on the device. The
certificate chain your server is sending down may not include the root and
the device must have the root for the SSL chaining to succeed.

--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Michael D. McGill" wrote in message
news:eixq0hvEGHA.376@TK2MSFTNGP12.phx.gbl...
> Thanks for the response.
>
> I have already tried installing the root cert but no dice. I am by no
> means an expert on certs but the startcom one requires an intermediate
> cert, maybe this is causing the problem. I think I should just go with a
> more reputable cert and see if that fixes the problem. Was hoping to save
> some $ with the free startcom cert. Oh well.
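
The chain behaviour discussed in this thread (a root that must already be on the device, and an intermediate the server has to send), as an added example that is not from any poster: it builds a constructed root -> intermediate -> server PKI and checks it with `openssl verify`, where `-CAfile` stands in for the roots installed on the device and `-untrusted` for what the server sends. All certificate names and the hostname `mail.example.test` are made up.

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> server PKI; every name is made up.

mkcsr() {  # $1 = file stem, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {  # $1 = scratch directory that receives the keys and certificates
  cd "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'subjectAltName=DNS:mail.example.test\n' > leaf.ext
  for ca in root other; do  # two unrelated self-signed roots
    mkcsr "$ca" "Constructed $ca root" &&
    openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -extfile ca.ext \
      -days 30 -out "$ca.pem" 2>/dev/null || return 1
  done
  # Intermediate CA signed by the root, then the server certificate signed by it.
  mkcsr inter "Constructed intermediate" &&
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out inter.pem 2>/dev/null || return 1
  mkcsr leaf "mail.example.test" &&
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out leaf.pem 2>/dev/null
}

# $1 = roots installed on the device; $2... = certs the server sends besides leaf.pem
chain_status() {
  trusted=$1; shift
  cat leaf.pem "$@" > sent.pem   # what arrives in the handshake; none of it is trusted
  if openssl verify -CAfile "$trusted" -untrusted sent.pem leaf.pem 2>/dev/null |
     grep -q ': OK$'
  then echo ok; else echo invalid; fi
}

work=$(mktemp -d) && build_pki "$work" || exit 1
echo "root on device, server sends intermediate:    $(chain_status root.pem inter.pem)"
echo "root on device, server sends leaf only:       $(chain_status root.pem)"
echo "root missing, server sends intermediate+root: $(chain_status other.pem inter.pem root.pem)"
```

A root delivered by the server never counts as trusted, which is why the third case fails even though the full chain is sent.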

