the majority of Windows Mobile device emulator synchronization failures. Get tips on how to troubleshoot SSL-related issues here.
Note: If you don't have basic network connectivity between the Windows Mobile device emulator and the Exchange Client Access server (CAS), these troubleshooting techniques won't work.
Trust between Exchange CAS and the emulated Windows Mobile device
If you're using a commercial certificate authority (CA), such as VeriSign, Thawte, Go Daddy, etc., your emulated Windows Mobile device should be able to trust your Exchange Client Access server. However, an administrator may try to save a few bucks by creating an enterprise CA and using it to supply the SSL certificate for the CAS. Although this technique works, the emulated mobile device will not automatically trust the certificate. This will cause the synchronization process to fail.
First, you must configure the Windows Mobile device to trust your enterprise certificate authority, which is easier than it sounds. When you create an enterprise CA, Windows automatically creates a special website that is hosted by that server. You can use this website to request a copy of the server's certificate, which will cause the emulated mobile device to trust the certificate authority and all servers bearing a certificate from that certificate authority.
To access the certificate authority:
- Open Internet Explorer (IE) on the emulated mobile device, and navigate to https://yourserver/certsrv. For example, my enterprise certificate authority is named Mirage, so I entered https://mirage/certsrv. Using HTTPS is important, because a standard HTTP connection won't work.
- After connecting to the certificate authority's website, you will be prompted to enter a set of authentication credentials. Then, scroll to the bottom of the next page (see Figure A).
Figure A. Choose the option to download a CA certificate.
- Click the Download a CA certificate, certificate chain or CRL link.
- Next, choose the option to download the CA certificate in Base 64 format (see Figure B).
Figure B. Download the CA certificate in Base 64 format.
- When prompted, select Open file after download.
- Click Yes to download the certificate. When the download completes, the certificate will be installed automatically. Depending on how your network is configured, you may also need to download the Base 64 version of the CA certificate chain.
Performing the following steps ensures that the emulated mobile device trusts your enterprise CA:
- Navigate to Start -> Settings.
- From the System tab, open the Certificates applet.
- Next, go to the Root tab, and scroll to the bottom of the list of certificates. You should see your certificate authority at the bottom of the list (Figure C).
Figure C. Your certificate authority should appear at the bottom of the certificate list on the Root tab.
Exchange ActiveSync settings
Now that you've downloaded the necessary certificate, synchronization should work. If it doesn't, there are two additional settings you can check. To do so, open Exchange ActiveSync and go to Menu -> Configure Server (Figure D).
Figure D. The Exchange ActiveSync settings must be correct in order for synchronization to work.
The first thing you should notice in Figure D is the server name. If you aren't using SSL encryption, then Exchange ActiveSync is easy to configure. You can use a NetBIOS name, a fully qualified domain name (FQDN) or an IP address. When you use SSL, however, the name that you specify here must match the name that is specified in the Exchange server's SSL certificate.
Note: I've entered Mirage in the Server Address field. Mirage is a lab server that is hosting the client access server role; it's also acting as an enterprise certificate authority. You would never have a configuration like this in a real-world scenario. The name you specify here should be the name of your CAS, not the name of your enterprise certificate authority.
Try entering the Client Access server's fully qualified domain name first. If that doesn't work, then use its NetBIOS name as I have done in the Figure D.
You'll also want to make sure that the This Server Requires an Encrypted (SSL) Connection check box is selected. If you don't select this check box, synchronization will fail -- even if all of the settings are correct.
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Server (IIS) and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.
This was first published in September 2008