Activesync fails because of invalid security certificate

  • Question

  • We have configured an ActiveSync trunk on our Intelligent Application Gateway SP2 server. On the server (ISA/IAG) we have a certificate signed by a trusted authority. This is a certificate which is valid for three different dns names. For one of the names we have defined a portal trunk using the same certificate and this works fine.

    With the ActiveSync trunk we cannot get the Windows Mobile phone to connect using ActiveSync. It works with Nokia and iPhones. The Windows Mobile phone fails and says that the server certificate is not valid, support code 0x80072F06.

    On the CAS we use a self-signed certificate. Can this cause this error? From the IAG we have an https connection to the CAS using the internal AD name of the CAS machine. Why does it seem like the client has to trust both the IAG certificate and the CAS certificate?
    Thursday, June 11, 2009 12:14 AM

Answers

  • Hi Amigo. First thing to check is that the mobile device is trusting the certificate. Second is that I guess you are using a SAN certificate. Is the Subject Name or the first entry in the Subject Alternative Name the same FQDN as the URL you are using for the trunk? As far as I know, ActiveSync only checks the first FQDN in the SAN list.

    Hope it helps

    // Raúl

    I love this game
    • Marked as answer by Erez Benari Wednesday, June 17, 2009 8:17 PM
    Thursday, June 11, 2009 11:24 AM
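The check suggested in this answer, written out as an added example (not code from the thread): it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports whether the trunk FQDN matches the Common Name, the first SAN entry, or any SAN entry, so you can see which a strict first-SAN-only client would reject. The sample certificate and host names are constructed; it also handles a single leftmost wildcard label (the wild-card certificates mentioned later in the thread).

```python
import socket
import ssl

# Constructed sample in getpeercert() shape: a SAN certificate whose first
# SAN entry (and CN) is the portal name, not the ActiveSync trunk name.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "subjectAltName": (
        ("DNS", "portal.example.com"),
        ("DNS", "mail.example.com"),
        ("DNS", "activesync.example.com"),
    ),
}


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost '*' label (same label count)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_trunk_name(cert, trunk_fqdn):
    """Report how the trunk FQDN fares against CN, first SAN and any SAN."""
    cn = next((v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"), None)
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    first_san = sans[0] if sans else None
    return {
        "cn_matches": bool(cn) and name_matches(cn, trunk_fqdn),
        "first_san_matches": bool(first_san) and name_matches(first_san, trunk_fqdn),
        "any_san_matches": any(name_matches(s, trunk_fqdn) for s in sans),
    }


def fetch_cert(host, port=443):
    """Fetch the live certificate (needs network; not called at import).
    The default context verifies the chain, so an untrusted certificate
    raises here instead of returning a dict, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_trunk_name(SAMPLE_CERT, "activesync.example.com"))
```

Running it against the constructed sample shows the ActiveSync name matching only under "any SAN", which is exactly the case a first-entry-only validator would reject.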

All replies

  • Hi,

    You should never use self-signed, except for lab. Use your internal PKI for your CAS server and install the RootCA on your mobile.

    Have a nice day,
    Alex
    GIRAUD Alexandre - MVP Forefront France - http://www.alexgiraud.net/blog
    Thursday, June 11, 2009 8:52 AM
  • You can also get a public SSL certificate, which saves some time by not forcing you to install the rootCA on all devices. You can get a pretty cheap certificate from companies like http://www.rapidssl.com and even a free one from http://www.startcom.org . When you do get certificates, consider getting a wild-card one, so it can be used for multiple trunks.

    Good luck,
    Ben Ari
    Microsoft CSS IAG Support
    Thursday, June 11, 2009 11:29 PM