ActiveSync/OMA certificate issues with ISA 2006 (Full Version)



jmlab -> ActiveSync/OMA certificate issues with ISA 2006 (29.May2007 7:06:13 AM)

Hi all,
I'm stuck and hope someone can help:
- I had an exchange 2003 (SP2) FE server running OWA and OMA with a public (verisign) certificate ( on it. All ran no problem, including activesync (even using FBA, never had to install certificates on the smartphone as it is a public cert).
- Now I've installed an ISA 2006 in front of the mail FE server, moved the certificate to the new ISA server and published OWA and other resources through it. I've made internal and external DNS changes to reflect the changes. All (OWA and other published sites) work fine except OMA/ActiveSync.
My smartphones keep throwing an 0x80072F0D (invalid certificate) error.
I've tried the following:
- set internal authentication from ISA to mail server to basic with and without SSL (created an internal certificate:
- turned off FBA on internal mail server
- exported the internal certificate ( and installed it on my smartphone.

But no matter what variation I try keep getting the same error message though OWA and RPC/HTTP still work fine.
If all else fails I'll have to get a second public cert for the mail server and punch a hole through the ISA to allow direct communication from my smartphone to the mail server instead of using its published OMA feature (which almost defeats the purpose of putting ISA there in the first place).
My understanding is that as long as I have a valid public cert on the ISA server that will be proxying OMA requests then that should be fine, shouldn't it? It certainly works fine for OWA, RPC/HTTP and other services.
Any ideas?
Thanks in advance for your help
JM :)

tshinder -> RE: ActiveSync/OMA certificate issues with ISA 2006 (5.Jun.2007 10:47:21 AM)

Hi JM,

The CA certificate needs to be installed on the phones, not the Web site certificate.


jmlab -> RE: ActiveSync/OMA certificate issues with ISA 2006 (4.Jul.2007 12:24:10 PM)

Hi Tom,

Many thanks for your reply; I really enjoyed your ISA2004 book!

I've installed the CA certificate of our domain on the phone as suggested but the problem persists.

I don't think I should need to install anything on the smartphone anyway as the smartphone communicates with the ISA server that has a valid Verisign certificate (matching FQDN) installed and the phone accepts it as valid (or at least it did when this same certificate was directly on the exchange FE server before putting ISA in front of it).

The only reason I installed an 'internal' certificate on the exchange server is to secure communications between ISA and the exchange server with SSL, but whether I use SSL or not between ISA and Exchange the error message is the same.

As I understand, the smartphone should communicate only with ISA (with the valid verisign certificate) and ISA 'proxies' on to the exchange server (either SSL with private cert or http) so the smartphone shouldn't need a certificate for the internal exchange server. Or have I misunderstood?

All other services published behind ISA and using this certificate (including OWA) work fine so not sure where the problem may be.

Thanks for any help or suggestions


tshinder -> RE: ActiveSync/OMA certificate issues with ISA 2006 (6.Jul.2007 2:41:41 PM)

Hi JM,

That's true -- if the Web Listener has a Verisign cert bound to it you don't need to install the private CA certificate on the client.

Is this a Symbian based phone by any chance? There was a typo in the ISA config that prevented fallback to basic for Symbian phones.


jmlab -> RE: ActiveSync/OMA certificate issues with ISA 2006 (10.Jul.2007 9:18:51 AM)

Hi Tom,

Thanks for your reply. They run Windows Mobile 5 (OS 5.1.195 build 1487.2.0.0).

I've managed to make it work by using an access rule allowing https to the exchange FE server (not using web publishing) and using the internal private certificate (installing CA cert on the phones). In other words, punching a 'hole' through ISA and getting the phone to communicate directly with the exchange server, which works, but I wanted to use the OMA publishing feature in ISA and the public Verisign cert instead. But running out of ideas now.

Thanks again for any help and advice.


JM :)

ferrix -> RE: ActiveSync/OMA certificate issues with ISA 2006 (10.Jul.2007 1:10:43 PM)

Wow is that weird.. So the same cert installed on ISA fails but on the FE it succeeds.. 

First I would try to connect with another https client (not the failing phone) and see if that shows anything suspicious.  Confirm that the cert being used is the right one, that it shows as valid, etc.

The only other thing I can think of is that maybe IIS is responding using a different revision of SSL/TLS protocol than ISA is..  But that's kind of a long shot idea and I don't have a very high accuracy with those :)

akwoolf -> RE: ActiveSync/OMA certificate issues with ISA 2006 (13.Jul.2007 4:56:18 PM)

This sounds familiar to an issue that I once faced. In my scenario, I performed the following steps to fix the issue:
1. Created a cert from my internal Enterprise CA
   a. Cert must include the INTERNAL name of the FE server, not public name (
      - If your FE server name is OWA01, the friendly name of the cert must match OWA01 (machine name)
2. Connection between ISA server and FE server must be SSL protected with the cert you created in step 1. (Edit listener)
3. These simple steps should fix your issues.

Please let us know if you were able to get things working...
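Two points in this thread lend themselves to a quick check: ferrix's advice to test the listener with another HTTPS client and confirm the cert is the right one, and akwoolf's point that the certificate on each leg (phone to ISA, ISA to FE) must carry the name that leg actually dials. The script below is an added example, not from the thread or from ISA; `mail.example.com` and `owa01` are hypothetical names, and `SAMPLE_CERT` is a constructed certificate in the layout Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a parsed certificate (ssl.getpeercert() layout) is valid for:
    the SAN entries, or the subject CN only when there is no SAN."""
    names = [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 rules)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False

def cert_covers_host(cert, host):
    """True if the name the client dials is one the certificate was issued for."""
    return any(name_matches(name, host) for name in cert_names(cert))

def probe_listener(host, port=443, cafile=None):
    """Dial the listener the way a phone does: build the chain from the trusted CAs
    (optionally a private CA file, as for the ISA-to-FE leg) and check the name.
    Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()} OK, names={cert_names(cert)}"
    except ssl.SSLCertVerificationError as err:
        # Verification failed (untrusted CA, expired, or name mismatch): fetch the
        # raw certificate anyway so it can be inspected with any PEM-reading tool.
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
        return False, f"{err.verify_message}\n{pem}"

# Constructed sample in the getpeercert() layout, standing in for a public listener cert
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "issuer": ((("organizationName", "Example Public CA"),),),
}

if __name__ == "__main__":
    print(probe_listener("mail.example.com"))  # hypothetical published name
```

A name-only failure from `probe_listener` against the FE's internal name is the symptom akwoolf describes: the cert on that leg was issued for the public name, not for the machine name ISA dials.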
