- I had an Exchange 2003 (SP2) FE server running OWA and OMA with a public (Verisign) certificate (secure.mydomain.net) on it. All ran no problem, including ActiveSync (even using FBA, never had to install certificates on the smartphone as it is a public cert).
- Now I've installed an ISA 2006 in front of the mail FE server, moved the certificate to the new ISA server and published OWA and other resources through it. I've made internal and external DNS changes to reflect the changes. All (OWA and other published sites) work fine except OMA/ActiveSync.
My smartphones keep throwing a 0x80072F0D (invalid certificate) error.
I've tried the following:
- set internal authentication from ISA to mail server to basic with and without SSL (created an internal certificate: mail.mydomain.net)
- turned off FBA on internal mail server
- exported the internal certificate (mail.mydomain.net) and installed it on my smartphone.
But no matter what variation I try, I keep getting the same error message, though OWA and RPC/HTTP still work fine.
If all else fails I'll have to get a second public cert for the mail server and punch a hole through the ISA to allow direct communication from my smartphone to the mail server instead of using its OMA publishing feature (which almost defeats the purpose of putting ISA there in the first place).
My understanding is that as long as I have a valid public cert on the ISA server that will be proxying OMA requests then that should be fine, shouldn't it? It certainly works fine for OWA, RPC/HTTP and other services.
Many thanks for your reply, I really enjoyed your ISA2004 book!
I've installed the CA certificate of our domain on the phone as suggested but the problem persists.
I don't think I should need to install anything on the smartphone anyway as the smartphone communicates with the ISA server that has a valid Verisign certificate (matching FQDN) installed and the phone accepts it as valid (or at least it did when this same certificate was directly on the exchange FE server before putting ISA in front of it).
The only reason I installed an 'internal' certificate on the exchange server is to SSL communications between ISA and the exchange server but whether I use SSL or not between ISA and Exchange the error message is the same.
As I understand, the smartphone should communicate only with ISA (with the valid Verisign certificate) and ISA 'proxies' on to the Exchange server (either SSL with private cert or HTTP), so the smartphone shouldn't need a certificate for the internal Exchange server. Or have I misunderstood?
All other services published behind ISA and using this certificate (including OWA) work fine so not sure where the problem may be.
I've managed to make it work by using an access rule allowing HTTPS to the Exchange FE server (not using web publishing) and using the internal private certificate (installing the CA cert on the phones). In other words, punching a 'hole' through ISA and getting the phone to communicate directly with the Exchange server. This works, but I wanted to use the OMA publishing feature in ISA and the public Verisign cert instead. But I'm running out of ideas now.
Wow, is that weird. So the same cert installed on ISA fails but on the FE it succeeds.
First I would try to connect with another HTTPS client (not the failing phone) and see if that shows anything suspicious. Confirm that the cert being used is the right one, that it shows as valid, etc.
The only other thing I can think of is that maybe IIS is responding using a different revision of the SSL/TLS protocol than ISA is. But that's kind of a long shot idea and I don't have a very high accuracy with those :)
This sounds familiar to an issue that I once faced. In my scenario, I performed the following steps to fix the issue:
1. Created a cert from my internal Enterprise CA.
   a. The cert must include the INTERNAL name of the FE server, not the public name (webmail.company.com).
   - If your FE server name is OWA01, the friendly name of the cert must match OWA01 (machine name).
2. The connection between the ISA server and the FE server must be SSL protected with the cert you created in step 1 (edit the listener).
3. These simple steps should fix your issues.
Please let us know if you were able to get things working...
< Message edited by akwoolf -- 13.Jul.2007 8:53:04 PM >
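The two suggestions above (check the certificate with another HTTPS client, and make sure the certificate on each hop carries the name that hop is dialled by) both come down to one test: does the name the client connects to appear in the certificate the server presents? The script below is an added example, not code from anyone in this thread, and it assumes a POSIX shell with OpenSSL 1.1.1 or later on the path. The function names (fetch_cert, cert_names, cert_name_matches) are made up for the example; the hostnames secure.mydomain.net and mail.mydomain.net and the machine name OWA01 are taken from the thread. In the ISA setup discussed here the check has to pass twice: the phone validates the public name against the listener's certificate, and ISA validates the name it bridges to (the internal FE name) against the FE server's certificate, so a mismatch on either hop surfaces as the same certificate error on the phone.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the name a client dials
# is covered by the certificate a server presents. A name mismatch on either
# hop (phone -> ISA listener, or ISA -> Exchange FE) is one cause of the
# 0x80072F0D "invalid certificate" error discussed above.

# Fetch the leaf certificate a TLS endpoint presents, as PEM (needs network).
# Assumed usage: fetch_cert secure.mydomain.net 443 > leaf.pem
fetch_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the DNS names a certificate is valid for: the subject CN followed by
# every DNS entry in the subjectAltName extension, one per line.
cert_names() {
    pem="$1"
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Return 0 if the hostname is covered by one of the certificate's names,
# either exactly or by a wildcard covering a single leading label
# (*.mydomain.net covers secure.mydomain.net but not a.b.mydomain.net).
# Matching is case-insensitive, as DNS names are.
cert_name_matches() {
    pem="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    ok=1
    names=$(cert_names "$pem" | tr 'A-Z' 'a-z')
    set -f   # keep "*.mydomain.net" from being expanded as a file glob
    for name in $names; do
        case "$name" in
            "$want") ok=0 ;;
            \*.*)
                suffix="${name#\*}"            # ".mydomain.net"
                rest="${want%"$suffix"}"       # "secure" when want ends with suffix
                # rest must be non-empty, differ from want (suffix matched) and
                # contain no dot (exactly one label replaced by the wildcard)
                if [ -n "$rest" ] && [ "$rest" != "$want" ] && [ "${rest#*.}" = "$rest" ]; then
                    ok=0
                fi ;;
        esac
    done
    set +f
    return $ok
}

# Example diagnostic, as the reply above suggests, checking the published name
# against what the ISA listener actually serves (commented out: needs network):
#   fetch_cert secure.mydomain.net > leaf.pem
#   cert_name_matches leaf.pem secure.mydomain.net && echo "name OK" || echo "name MISMATCH"
```

Run the same check against the FE server's own certificate using the name ISA forwards to (OWA01 or mail.mydomain.net, whichever the publishing rule uses); if that name is missing, ISA's bridging will fail the FE's certificate even though the phone was happy with the public one.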