ActiveSync, Intermediate Certificates and You

Recently, a customer called with ActiveSync issues. They had installed the certificate with the proper Subject and SAN entries on the Exchange server, but were unable to synchronize their Windows Phone 7 devices with Exchange 2010; iPhone and Android device encountered no issues.

A quick run of the Exchange Remote Connectivity Analyzer (ExRCA) showed the following:


As ExRCA discovered, not all certificates of the certificate chain were offered by the server. A quick inspection of the certificate showed the following certification path:

[Screenshot: certification path of the UC certificate]

In this example, the certificate authority (CA), GlobalSign, uses an intermediate CA, GlobalSign Domain Validation CA – G2, to delegate the process of issuing UC certificates. The consequence is that both the certificate of the root CA (in this example GlobalSign) and the certificate of the intermediate CA must either be present on the device or be offered by the server when the connection is set up, so that the client can validate the chain.

Inspection of the Exchange server showed that the intermediate certificate was properly installed on the Exchange server, after the customer imported the Personal Information Exchange File (.pfx) file, provided by the CA as part of the certificate package, which contained all certificates in the chain: root CA, intermediate CA and the UC certificate.

[Screenshot: intermediate certificate present on the Exchange server]

Then, investigation moved to the reverse proxy, in this case ISA Server 2006 SP1. It turned out the intermediate certificate on the ISA server, or rather the lack of it, was causing the issue. The customer had imported the individual UC certificate on the ISA server. Because the ISA server didn’t contain the intermediate certificate, it couldn’t send it to the client as part of the certificate chain. After importing the intermediate certificate on the ISA server, ActiveSync started working.

Generally speaking, Windows Mobile and Windows Phone devices don’t ship with intermediate certificates, so be sure to install them on your Exchange servers as well as on your reverse proxies. Building and validating the certificate chain is done by the client; in this case the intermediate CA certificate was already available on the non-Windows Phone devices, which explains the difference in behavior between Windows Phone, iPhone and Android devices.
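As an added example (not part of the original post), the following PowerShell function reads the "Certificate chain" block that `openssl s_client -connect host:443 -showcerts` prints and reports which issuers the server neither sent nor the client already trusts. It is run against constructed sample output that mimics the ISA listener (leaf only) and the Exchange CAS (leaf plus intermediate); host and CA names are placeholders. Parsing s_client output is deliberate: a Windows PC’s own chain engine silently fetches missing intermediates via AIA, which hides exactly the gap the Windows Phone devices hit.

```powershell
function Test-ServedChain {
    param(
        # Text of the "Certificate chain" block printed by openssl s_client -showcerts
        [Parameter(Mandatory)][string]$SClientOutput,
        # Issuer names the client already has in its own store (the root is normally not sent)
        [string[]]$TrustedRoots = @()
    )
    $subjects = @{}
    $issuers  = @()
    foreach ($line in ($SClientOutput -split "`r?`n")) {
        # " 0 s:/CN=..." lines name a certificate the server actually sent
        if ($line -match '^\s*\d+\s+s:(.+)$')  { $subjects[$Matches[1].Trim()] = $true }
        # "   i:/CN=..." lines name who signed it
        elseif ($line -match '^\s+i:(.+)$')     { $issuers += $Matches[1].Trim() }
    }
    # Every issuer must either be sent as well or already be in the client's store;
    # anything else is a gap the client cannot close (what ExRCA reported above).
    $missing = $issuers | Where-Object {
        -not $subjects.ContainsKey($_) -and ($TrustedRoots -notcontains $_)
    } | Select-Object -Unique
    return @($missing)
}

# Constructed samples (host and CA names are placeholders, not taken from the post)
$isaOutput = @'
Certificate chain
 0 s:/CN=mail.contoso.com
   i:/CN=GlobalSign Domain Validation CA - G2
'@
$casOutput = @'
Certificate chain
 0 s:/CN=mail.contoso.com
   i:/CN=GlobalSign Domain Validation CA - G2
 1 s:/CN=GlobalSign Domain Validation CA - G2
   i:/CN=GlobalSign Root CA
'@
# A Windows Phone style store that holds the root only
$phoneStore = @('/CN=GlobalSign Root CA')
# A store that already holds the intermediate too (the iPhone/Android case in the post)
$fullStore  = $phoneStore + '/CN=GlobalSign Domain Validation CA - G2'

"ISA (leaf only), phone store:     " + ((Test-ServedChain $isaOutput $phoneStore) -join ', ')
"ISA (leaf only), full store:      " + ((Test-ServedChain $isaOutput $fullStore)  -join ', ')
"CAS (leaf+intermediate), phone:   " + ((Test-ServedChain $casOutput $phoneStore) -join ', ')
```

Only the first case reports a missing issuer, matching the observed behavior: the same server certificate validated on devices that already carried the intermediate and failed on those that did not.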

Note that, depending on your situation, you may never have seen the above issue before. This could be the case when you’ve been using certificates issued directly by a root CA so far. When selecting your CA, this might be something to take into account, as not all mobile devices behave identically, as you’ve seen. Also, although the lifetime of root and intermediate certificates is quite long, it is something you should manage properly in your environment, as you have an additional certificate to watch (which might expire or be revoked). Also, depending on volume and mobile costs, sending extra traffic down the wire or over the air could be something to take into account. If you don’t think this could be an issue because certificates are relatively small, there’s a reason OWA Mini is so popular in some regions. Distributing certificates to clients might become a better alternative in those circumstances.

Finally, I want to recommend the excellent SSL Certificate Management & Troubleshooting Tool provided by DigiCert. It can not only indicate potential certificate issues like these, or wrongly imported certificates (e.g. user store instead of computer store), but also fix them. As an alternative to ExRCA, you could use the online SSL checker provided here.

Exchange ActiveSync and Inheritable Permissions issue

The issue and solution described here is by design, but not known by every customer so here’s my short write-up on this subject.

Recently, I was at a customer reporting issues with several users not being able to synchronize their mobile devices using ActiveSync. The customer was running Exchange 2010 SP1 and used various mobile devices, e.g. iPhones as well as Android phones and tablets. A quick look in the IIS logs revealed that devices were connecting properly, but they received HTTP return code 403 (forbidden):

2011-08-30 10:09:31 172.16.10.12 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=XXXXX&DeviceId=d849cec9be024c828b9af73da93bb59b&DeviceType=htcbravo&Log=LdapC2_Error:UserPrincipalCouldNotBeFound_Dc:dc.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5Fe205201e-d418-409a-a15b-4b51baef9bf4%2cNorm%5bResources%3a(DC)dc.domain.com(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 domain\XXXXX 62.140.137.149 Android-EAS/0.1 403 0 0 124

Another clue was provided by the event log, which revealed MSExchange ActiveSync was reporting error 1053:


The remainder of the message reads: “Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions blocking such operations”. What happens when setting up ActiveSync is that Exchange tries to create a container named ExchangeActiveSyncDevices below the user object in Active Directory and will store in that container an MsExchActiveSync object for each ActiveSync device. Apparently Exchange doesn’t have sufficient permissions to create these objects.

To fix this, open up Active Directory Users and Computers. To be able to inspect the security settings, we first need to enable Advanced Features if not already enabled. To do this, select Advanced Features from the View menu.

Next, navigate to the user object experiencing the issue. Open up Properties, select the Security tab and click Advanced.


Notice that Include inheritable permissions from this object’s parent is not checked, which is the reason Exchange has no permissions on the object.

To fix the issue, simply check Include inheritable permissions from this object’s parent and click OK. You’ll return to the previous window where you’ll notice the Exchange Server account is now granted permissions on the object:


At this point, ActiveSync will work and Exchange will be able to create MsExchActiveSync objects in the ExchangeActiveSyncDevices container:


Note that Include inheritable permissions from this object’s parent is by default not enabled for members of the protected groups, e.g. Domain Admins. In fact, every hour the DACL on members of protected groups is reset and inheritable permissions are removed. This process is called AdminSDHolder, and it prevents inappropriate changes from being made to protected groups, accidentally or otherwise. Michael B. Smith did a nice write-up on this subject here. This is also the reason why bypassing the AdminSDHolder limitation by manually granting Exchange permissions would be inappropriate.

To prevent this issue, it is recommended to follow an old, yet far from rusty, administrator best practice, which is to use one account for day-to-day operations, e.g. work and e-mail, and another account for administrative purposes.
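As an added example (not from the original post), this PowerShell function performs the same check as the Advanced Security dialog above and, only when asked, the same fix, while refusing to touch accounts that carry adminCount=1, since SDProp would undo the change within the hour. It assumes the ActiveDirectory module and its AD: drive are available, that the Exchange computer group is named "Exchange Servers" as in the event text, and uses a placeholder account name.

```powershell
Import-Module ActiveDirectory

function Test-EasInheritance {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Only re-enable inheritance when -Fix is given; report-only by default
        [switch]$Fix
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # adminCount=1 marks accounts that SDProp resets from AdminSDHolder every hour
    $protected = ($user.adminCount -eq 1)
    # ACEs granted to the Exchange Servers group, inherited or explicit
    $exchAces  = @($acl.Access | Where-Object { $_.IdentityReference -like '*\Exchange Servers' })

    $state = [pscustomobject]@{
        User                = $user.SamAccountName
        InheritanceDisabled = $acl.AreAccessRulesProtected   # the unticked checkbox
        ExchangeServersACEs = $exchAces.Count                 # 0 reproduces event 1053 / HTTP 403
        AdminSDHolder       = $protected
    }

    if ($Fix -and $acl.AreAccessRulesProtected) {
        if ($protected) {
            # Re-inheriting or granting rights here would be undone and is inappropriate;
            # the lasting fix is a separate, non-admin account for mail.
            Write-Warning "$SamAccountName is a protected account (adminCount=1); not changing its ACL."
        } else {
            # Equivalent of ticking "Include inheritable permissions from this object's parent"
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
            $state.InheritanceDisabled = (Get-Acl -Path $path).AreAccessRulesProtected
        }
    }
    return $state
}

# Report only ('jdoe' is a placeholder account name):
Test-EasInheritance -SamAccountName 'jdoe'
# Re-enable inheritance for the same account (no change for protected accounts):
Test-EasInheritance -SamAccountName 'jdoe' -Fix
```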

SSL client compatibility

Exchange fellow Jetze Mellema blogged (in Dutch) about a useful online check, which will allow you to check your current client – computer or smartphone – against a set of certificates from different vendors. The short – and more memorable and mobile friendly – URL for this test is as follows: http://m.ssltest.net.

The creator, SSL reseller FairSSL, also keeps a total overview, which is located at http://www.ssltest.net/compare/sar.php. Note that the table’s titles are hard to read, but when hovering over the cells the corresponding product will be displayed.

Exchange & Windows Phone 7

This TechNet article on Windows Phone 7 got my attention. It appears you cannot fully utilize Exchange ActiveSync mailbox policies, unless you set AllowNonProvisionableDevices to True. If you don’t do that, you can only use the following properties, otherwise synchronization issues might be experienced:

  • PasswordRequired
  • MinPasswordLength
  • IdleTimeoutFrequencyValue
  • DeviceWipeThreshold
  • AllowSimplePassword
  • PasswordExpiration
  • PasswordHistory
  • DisableRemovableStorage
  • DisableIrDA
  • DisableDesktopSync
  • BlockRemoteDesktop
  • BlockInternetSharing

Another option is to create a separate policy for Windows Phone 7 users.

Another thing worth mentioning is that when using multiple Exchange accounts on your Windows Phone 7, policies will be merged into a most restrictive set (credit to Dave Stork who got the information at TEE10).

Exchange ActiveSync and Hotmail

As of Monday, it is possible to synchronise your Hotmail account, i.e. e-mail, calendar and contacts, with your mobile using Exchange ActiveSync (EAS).

To synchronise your mobile with Hotmail, use the following settings:

Server: m.hotmail.com
Username: your e-mail address, e.g. jandvries@hotmail.com
Password: *****
Domain: leave blank
SSL: enabled

When asked, choose to accept the SSL certificate.

Synchronisation currently works for Windows Mobile 6.x, Windows Phone 7, iPhone, iPod Touch, iPad and Nokia E/S/N-Series with Mail for Exchange.

Windows Phone 7 to support multiple Exchange accounts

I seem to have missed the news from a few days back that during a broadcast on the @ch9live development network, Joe Belfiore, Microsoft Corporate Vice President for Windows Mobile, confirmed multiple Exchange account support in Windows Phone 7 Series. Goodbye to unsupported hacks or POP/IMAP’ing those additional Exchange boxes. I assume this includes all the additional benefits like Direct Push (hello battery life!).

In addition, Belfiore stated that on Windows Phone 7 the various calendars will be displayed in a single view, using color coding to differentiate between the calendars (i.e. accounts).

Thanks to fellow Exchange guy Magnus Björk for spotting this one.

Windows Mobile 6.1 update for Exchange 2010

An update for Outlook Mobile has been released for Windows Mobile 6.1 users who connect to Exchange 2010; users running Windows Mobile 6.5+ do not need this update. This update adds the following functionality to Windows Mobile 6.1:

  • E-mail conversation view
  • Free/Busy lookup
  • Sync text messages to Exchange
  • Enhanced Voice Mail, e.g. Unified Messaging voice mail preview

More information with screenshots in the related Exchange Team blog here. When your Windows Mobile 6.1 phone is connected to Exchange Server 2010, you are automatically informed if there is an update.

BlackBerry Enterprise Server Express

Today at the Mobile World Congress, RIM announced the BlackBerry Enterprise Server Express (BESE). BESE is positioned by RIM as a free(!) alternative for small to medium sized companies which require BlackBerry’s security and manageability, but don’t require all enterprise functions. For example, this also means the lack of advanced monitoring and high availability options found in the enterprise product. BESE will work with Exchange 2003 SP2, 2007 SP1 and 2010 in combination with Windows SBS 2003 and 2008. Very helpful is the BlackBerry comparison chart you can download here (PDF).

You can read the full press release here. BESE is scheduled for release in March. BESE has its own webpage on RIM’s website here.

Windows Phone 7

Windows Phone 7, shouldn’t that be Windows Mobile 7? Yes and No. Windows Phone 7 (WP7) is the successor to Windows Mobile 6, but the rebranding also hints at changes in the approach towards Windows Phone 7, being a mobile platform instead of an operating system. At first glance WP7 is very social networking, multimedia and game focused. The (clean and neat) GUI is also full of animations when you interact with it. I wonder what that will mean for battery life.

You can watch the recording of the press conference from Mobile World Congress 2010 here. For more information on WP7, check out Engadget’s hands-on review here or check out the online demo here.

Update: More information in this hands-on demo on Channel 9 here.

Windows Mobile 6.5.3

Today Sony Ericsson released a new phone, the Aspen. Normally that wouldn’t be worth blogging here, but the press release contained something of interest:

Operating system: Windows Mobile® 6.5.3

So, that might imply Windows Mobile 6.5.3 is now official. Exchange-wise nothing changed; changes are mainly UI focused or under the hood. These include capacitive touchscreen support, multi-touch, touch controls (bye stylus), consistency, a horizontal scroll bar instead of tabs, magnifier, Start Menu drag & drop, increased browser performance (IE), improved memory management, smoothed pan & flick gestures and improved zoom & rotation speed. It also contains updated runtime tools (.NET CF 3.5 and SQL CE 3.1) as well as Arabic read/write document support.

Also, it seems Sony Ericsson licensed SPB Mobile Shell, as both the Pro and Lifestyle models contain SPB Mobile Shell 3.0. Apparently plain Windows Mobile isn’t appealing enough; Sony uses SPB Mobile Shell and HTC has HTC Sense UI.