Geekzone: technology news, blogs, forums




1049 posts

Uber Geek
+1 received by user: 51

Trusted

Topic # 61077 8-May-2010 05:08

Hi all

I'm trying to get my dad's Nokia 6120 classic phone to talk to an exchange server at his work so that he can sync his contacts and calendar to the phone. I've downloaded and installed the latest version of Mail For Exchange (3.x) and put what I think are the correct settings in, but the phone refuses to sync. I have no problem sync'ing to the same exchange server and user account with Mail For Exchange and the same settings on an N97 either via WiFi (Maxnet) or 2degrees' network. I'm thinking the reason for my problems may be that I'm using the wrong Telecom APN because I can't even navigate to the server using the phone's built in browser...

First some basic info. The Exchange server is Exchange Server 2003 SP2 with ActiveSync enabled (generally as well as for the user account of interest), running on IIS 6 and Windows Server 2003. Access to the server is via https. Note that the server certificate is self-signed, so I'm wondering if this could be part of the problem.

Attempting to use Outlook Web Access in the 6120c's browser first gives me the message:
"Opening a secure connection. Content cannot be seen by anyone else."
I select "yes", and shortly after receive a very unhelpful error message:
"Web: unable to perform operation."
I have tried all the APNs that I know of (TelecomContent, TelecomDefault, TelecomData, and TelecomDirect although I'm not sure my settings for direct.telecom.co.nz are correct) and the result is the same for each.

Usually attempting to sync from within Mail For Exchange quickly gives the message:
"System error. Try again later."
Very cryptic! The only further tidbit of information I could get is that when trying to look up a user in the "Comp. Dir." app that comes with Mail For Exchange I get the message:
"Server does not support secure connection. Change Profile > Connection > Secure Connection to No."
This is a setting within Mail For Exchange which is logically set to "yes" because we're trying to connect via https. Changing it to "no" results in sync attempts timing out after about 30 seconds as expected (because the server doesn't host any http services). Using "no" and overriding the default port with port 443 doesn't work either. Note that the N97 works with secure connection enabled using the default port.

I have administration access on the exchange server so I can change configuration if necessary. I have already tried setting SSLAlwaysNegoClientCert to "TRUE" based on the advice found in this blog. The setting doesn't appear to have helped in itself, but that might be because I can't figure out how to get the certificate onto the phone.

Any help would be much appreciated!

3527 posts

Uber Geek
+1 received by user: 699


  Reply # 327900 8-May-2010 09:14

I don't believe the 6120 supports Exchange.

246 posts

Master Geek
+1 received by user: 1


  Reply # 327911 8-May-2010 10:39

Are you saying ActiveSync works for other devices over wifi or 2degrees?
If AS is working at the server end then don't change or reconfigure anything on the server; most of the issues are at the device end.

Steps to take:
1. Check internet connectivity on device by opening the browser and check you can browse to internet sites. If you can't, check APN settings.
2. Check connectivity to AS server from device by using https:// to AS server from browser. If you get a certificate install prompt, it means connectivity is good.
3. The private cert needs to be installed on the device. Now, I'm not sure the version of MfE for the 6120 will prompt you to install it when connecting to the AS server for the first time; some versions do. If not, you need to install the cert manually.
4. Installing private certs manually usually involves exporting the cert from the cert server to a .der file. Then use Nokia PC Suite software to install/transfer it to the device.

Also, AS is an IIS service, so check the IIS log files to troubleshoot. AS will have entries with "AS...." as identifier. Google the error codes in the IIS log; Microsoft has published a comprehensive list of error codes for AS to help you with your troubleshooting. The most common issues I have experienced with AS are user authentication, private certs and connectivity.

Good luck.

 
 
 
 


246 posts

Master Geek
+1 received by user: 1


  Reply # 327912 8-May-2010 10:43

One more thing, the private cert that you may need to install on the device is the root cert of your private CA, i.e. the root cert from your private cert server.

Cheers



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 327936 8-May-2010 13:01

Kiwipixter: Are you saying ActiveSync works for other devices over wifi or 2degrees?
If AS is working at the server end then don't change or reconfigure anything on the server; most of the issues are at the device end.

It still works with the N97 after I made the change, so I'm going to leave the change in for the moment. The change should make clients automatically select the appropriate certificate (if they have it), which the blog post I linked suggests is required to allow S60 v3 phones to connect.

Steps to take:
1. Check internet connectivity on device by opening the browser and check you can browse to internet sites. If you can't, check APN settings.

Done. Can browse to regular http sites.

2. Check connectivity to AS server from device by using https:// to AS server from browser. If you get a certificate install prompt, it means connectivity is good.

I tried and failed to do this, which is what I explained in the original post. It asks if it is okay to visit a secure site, but then fails to load the page with a cryptic error.

3. The private cert needs to be installed on the device. Now, I'm not sure the version of MfE for the 6120 will prompt you to install it when connecting to the AS server for the first time; some versions do. If not, you need to install the cert manually.

Agreed - this is what the blog post said to do and also where I need some help. When setting up a profile for the first time, if you enter the server's https address as the domain then MfE does ask if it is okay to connect to a secure site that has an untrusted cert. You can allow it to connect or view the cert but *not* install/import the cert. Further attempts to connect fail as explained...

4. Installing private certs manually usually involves exporting the cert from the cert server to a .der file. Then use Nokia PC Suite software to install/transfer it to the device.

The exchange server is also the cert server, and I can see the cert server in the IIS Admin panel. However I need more specific help with this - I don't really know what I'm doing and I'd rather not screw things up. I already had a close call when I made the config change - IIS wouldn't start after I made the change, and the event log had a cryptic error number that translated to having a corrupt Metabase.xml file. Anyhow I was successful in the end, but like I said I need specific help. Dad is meant to be the server admin but this is a small organisation that mostly relies on Computer Care to do the hard stuff for them and I have no experience with managing IIS, Exchange or Cert servers...

In summary: *thank you* very much for your help so far, but I need more specific instructions particularly for exporting the certificate in the right format.



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328110 9-May-2010 00:39

Update: after going at this all day I eventually figured out how to export the root certificate from the server and install it on the phone. The problem is that the phone doesn't want to install the certificate, claiming it is corrupted (web download), unknown file type (USB transfer then open/run), or unsupported message type (bluetooth). I have tried transferring the cert via bluetooth, download from a personal web server, download from an external 3rd party web server with correct MIME settings, and direct transfer to phone via USB. I can get the cert on the phone but installation always fails with one of the 3 messages already mentioned. I am aware of the format specifications (X.509, DER, PKCS 12) and I can transfer and install other certificates without issue using any one of the methods but this particular certificate is proving troublesome. I'm beginning to think that installing the certificate won't solve the problem anyway because the IIS server is not registering any errors in the log.

I also tried sync'ing with a trial version of RoadSync. I pretty much knew it would be futile before I started, and I wasn't wrong. The RoadSync log contains the following:
"...Connecting to Internet...
Linnking to Exchange...
Connection established!
Synchronization failed due to a communication problem with the server. This may be due to the SSL option in your 'Adv' settings being incorrectly configured.
0x7370C0D
(httpErrTransactionNotSupported)
***Sync failed!..."
Googling the code and exception are both dead ends.

Any advice at this point would be most welcome!

1315 posts

Uber Geek
+1 received by user: 75

Trusted

  Reply # 328111 9-May-2010 02:16

Your problem could well be the self signed certificate.


Have you had a look at the MfE admin logs? They can be found using File Manager on the handset under C:\Mail For Exchange.

In terms of installing the certificate

Export using Windows or otherwise convert the server's root certificate to "DER encoded binary X.509" format and save it with ".cer" extension.

Have you made sure you're also using the most recent version of MfE? You can get it from the Ovi Store on the handset.




1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328147 9-May-2010 12:38

Have you had a look at the MfE admin logs? They can be found using File Manager on the handset under C:\Mail For Exchange.

Thanks for pointing this out. I haven't got the phone right now but I'll take a look when I get the chance.

In terms of installing the certificate

Export using Windows or otherwise convert the server's root certificate to "DER encoded binary X.509" format and save it with ".cer" extension.

Have you made sure you're also using the most recent version of MfE? You can get it from the Ovi Store on the handset.

I have tried getting the certificate numerous ways.

First, from [server]/certsrv (using a PC, because the phone can't get there). This gave me the server's root cert (.cer in DER encoded binary X.509), and optionally a personal certificate *with* the root cert in a .p12 (PKCS#12) package. I successfully installed both versions of the root cert on the phone by hosting them temporarily on my own web server and navigating there with the phone. No issues. Unfortunately no change in ability to visit the server via web browser or sync (note that I checked after power cycling the phone).

I then realised that the root cert wasn't actually the cert being used with the exchange server. Over the course of the day I used both Firefox 3.5.3 and IE8 to visit OWA, save the cert to file (tried DER with cer and der file extensions, base64 and PKCS#7) via both direct export and importing to the browser then export, hosting the cert on my personal web server as well as uploading to here (a web server with the correct MIME settings), transferring the cert to the phone via bluetooth file transfer and on memory card... essentially I did everything I could think of to deliver the cert in a variety of formats and via a variety of means to the phone. Whenever I tried to make the phone download the cert, it claimed it was "file corrupted". When I delivered it via bluetooth it said "message type not supported". When I put it on the phone by connecting to PC and tried to open it in the file manager it said "file type not supported". I've even tried using openssl to import the cert and spit it back out again. It made no difference and the hashes were the same. This cert opens fine in Windows - why won't the phone accept it! (AAAAARRRRRRRGGGGGGGG!)

There are a number of *unanswered* threads on Nokia forums with what seem like similar issues, so I know I'm not alone but as yet there appears to be no solution for the cert problem...

I'm just about pulling my hair out with this. And like I said before, there is no guarantee that getting the cert onto the phone would make MfE work (I am using the latest version direct from OVI, downloaded with the phone itself). The browser *can't* navigate to the server, which tells me there must be something seriously wrong (and yet the server doesn't register the phone's connection attempts in its logs - error or otherwise). RoadSync (latest trial from OVI store, downloaded with the phone) doesn't work either as mentioned. Check the log detail I posted above. I can't find any clues as to what this means anywhere.

Resources I've used:
1. Importing certs on Symbian
2. SSL certs and S60 v3
3. This and update
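
Added example (editor's illustration, not part of any post in this thread): the posts above name four containers a certificate can arrive in (DER, base64, PKCS#7, PKCS#12), and a check like the following tells them apart by content rather than by file extension before a file is handed to a device that wants a single DER-encoded X.509 certificate. The function names are hypothetical and the sample inputs are constructed ASN.1 skeletons, not real certificates.

```python
import base64
import re

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length (not DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length

def classify_der(der):
    """Name the container from the first element inside the outer SEQUENCE."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "unknown"
        inner_tag, v0, v1 = read_tlv(der, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:                      # tbsCertificate SEQUENCE
        return "X.509 certificate"
    if inner_tag == 0x06 and der[v0:v1] == SIGNED_DATA_OID:
        return "PKCS#7 bundle"
    if inner_tag == 0x02 and der[v0:v1] == b"\x03":  # PFX version 3
        return "PKCS#12 package"
    return "unknown"

def classify(data):
    """Return (encoding, container) for the raw bytes of a certificate file."""
    m = PEM_RE.search(data)
    if not m:
        return "binary", classify_der(data)
    try:
        return "PEM", classify_der(base64.b64decode(m.group(2)))
    except ValueError:
        return "PEM", "unknown"

def to_der(data):
    """Return DER bytes if data holds exactly one X.509 certificate."""
    encoding, kind = classify(data)
    if kind != "X.509 certificate":
        raise ValueError(f"not a single X.509 certificate: {encoding}/{kind}")
    return base64.b64decode(PEM_RE.search(data).group(2)) if encoding == "PEM" else data

# Constructed structural skeletons (not real certificates) for an offline run.
SAMPLE_CERT = bytes.fromhex("300a30030201013000030100")
SAMPLE_P7B = bytes.fromhex("300d06092a864886f70d010702a000")
SAMPLE_P12 = bytes.fromhex("30050201033000")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT)
              + b"-----END CERTIFICATE-----\n")
```

The check looks only at the outer structure; it does not validate signatures, extensions or key sizes, so a file it labels as an X.509 certificate can still be rejected by a device for other reasons.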

1315 posts

Uber Geek
+1 received by user: 75

Trusted

  Reply # 328151 9-May-2010 13:05

Could it be that your Exchange server requires a device that supports TARM (Terminal Access Rights Management)? This is something that the 6120 doesn't support.



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328152 9-May-2010 13:09

I don't know. I have no previous experience administering Exchange or IIS, or even using Exchange. How would I find out?

1315 posts

Uber Geek
+1 received by user: 75

Trusted

  Reply # 328153 9-May-2010 13:20

You'll need to talk to the domain administrator.



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328154 9-May-2010 13:26

The domain admin is my dad, and he asked me to do this for him because he has no idea how to do it. Could you point me to some instructions?

2942 posts

Uber Geek
+1 received by user: 434

Trusted
Subscriber

  Reply # 328155 9-May-2010 13:29

BrentR: You'll need to talk to the domain administrator.


He mentioned he is the Exchange admin.

@mm1352000: if your Exchange server uses a publicly accessible DNS name, have you tried getting a $15 certificate from Godaddy or whatever and using that?





I finally have fibre!  Had to leave the country to get it though.


2942 posts

Uber Geek
+1 received by user: 434

Trusted
Subscriber

  Reply # 328156 9-May-2010 13:37

Another thing to test. In Exchange System Manager, open Global Settings, and properties on "Mobile Services". Click on Device Security, and tell us whether "Enforce password on device" is checked.




I finally have fibre!  Had to leave the country to get it though.




1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328157 9-May-2010 13:40

At first Google there appears to be very little info on TARM. I get the idea from what I read though. I don't think this is the problem. I'm trying to attach some screenshots of the Exchange server ActiveSync settings. I don't know if this will work so watch this space...
[Edit: I uploaded them to my image gallery (wherever that is - I can't find it!), so go there to see them.]
[Edit2: I think IG is a subscription feature. Try MegaUpload]

BDFL - Memuneh
60033 posts

Uber Geek
+1 received by user: 11121

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 328159 9-May-2010 13:58

No, it's not a subscription only (it's just limited to a smaller number of bytes). Go to http://www.geekzone.co.nz/gallery.asp and you will find your pictures. Use the URLs to attach to your posts in the forums by clicking in the IMAGE button when composing a reply using the full rich-text editor.



