SSL w/Windows 2000 problem

  • Question

  • Hi everybody, I have a problem and hope you can help me.

     

    I am using Exchange 2003 Enterprise on Windows 2000 Standard Server. OWA and ActiveSync were working fine before I used a certificate. For security purposes, I added a certificate to the "Default Web Site" in IIS 5 and enabled SSL. OWA works as I expected, but ActiveSync does not. I cannot sync with either Windows Mobile 5 or 6 now. Does anyone know what I should do?

    2008-10-24 09:15 AM

Answers

  •  

    Dear customer:

     

    Please read the following carefully:

     

    Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on Exchange back-end servers on which the user's mailbox is located. Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:

     

    • The /Exchange virtual directory on an Exchange back-end server is configured to require SSL.

    • Forms-based authentication is enabled.

     

    This issue does not occur when you enable these settings on the /Exchange virtual directory on a front-end server.

     

    It means that you are unable to enable SSL on the /Exchange virtual directory if you only have a single Exchange server. Note that this applies to the /Exchange virtual directory, not to other virtual directories.

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-11-18 01:46 AM
    Moderator

All replies

  • Hi HelloWorld

    Have you received any error message about the issue?
    Maybe you can try the following URL:
    http://support.microsoft.com/kb/817379/

    Hope this can help
    2008-10-24 04:31 PM
  •  

    Dear customer:

     

    In order to better troubleshoot the issue, please collect the following information for further analysis.

     

    1.       Is the certificate that you installed from a third-party public Certification Authority or from your private Certification Authority?

    2.       Send a screenshot of the error to the forum or to v-rocwan@microsoft.com for analysis.

    3.       On Exchange server, open ESM, navigate to global settings, right click Mobile Service, select properties, click general tab, and send the screenshot of it to me.

    4.       How many Exchange servers do you have? Is there FE and BE server in your organization?

    5.       On a client, open Internet Explorer, access the following URL, and send the screenshot of the result to me.

     

    http://e2k3-backend/exchange

    http://e2k3-frontend/exchange

    http://e2k3-backend/oma

    http://e2k3-frontend/oma

     

    6.       On the Exchange server, open IIS Manager, navigate to the OMA virtual directory, right-click it and select Properties, click the Directory Security tab, send a screenshot of it to me, then click Edit under Secure communications and send a screenshot of that to me.

     

    7.       On Exchange server, open ESM, navigate to protocols – http – Exchange Virtual Server, right click Exchange Virtual Server and select properties, click settings tab, and send the screenshot of the result to me.

     

    8.       Open ADUC, navigate the problematic user and right click it, select properties, click Exchange Features tab, send the screenshot of the result to me.

     

    Note: when you send e-mail to me, please let me know the subject of the post.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-10-27 02:06 AM
    Moderator
  • Thanks for your reply.

     

    The article is for Windows 2003 Server. I tried it before, but it did not work. I am using Windows 2000 Server. I found the following error:

     

    Windows Mobile side:

     

    ActiveSync encountered a problem on the server. 0x85010014

     

    Windows 2000 server side:

    The mailbox server [XXX] has its [exchange] virtual directory set to require SSL.  Exchange ActiveSync cannot access the server if SSL is set to be required.  For information about how to correctly configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).

    2008-10-27 02:09 AM
  •  

    It seems SSL is missing on the WM devices. Did you import/install your SSL client cert. on your client devices?
    Thanks

    2008-10-27 09:10 AM
  • I imported the root cert. into WM. The same WM settings work well with SSL for OWA and ActiveSync on Exchange 2007 on a Windows 2003 server.

     

    By the way, if I use Exchange 2003 on a Windows 2003 server, OWA works with SSL, but ActiveSync does not. If I disable SSL in ActiveSync, it works fine.

    2008-10-28 01:42 AM
  •  

    Dear customer:

     

    From your reply, I found that you can access https://mail server/exchange; however, you can access http://mail server/exchange.

     

    Please try disabling Require SSL on the Exchange virtual directory, run the iisreset /noforce command at the command line, and check the effect.

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-10-28 07:04 AM
    Moderator
  • Both http://mail server/exchange and ActiveSync are working when SSL is disabled. We really need SSL for both features.

    2008-10-30 09:26 AM
  • Hi Rock,

     

    HTTP and HTTPS for the Exchange virtual directory work well after I disabled "Require SSL".

    2008-10-31 07:27 AM
  •  

    Dear customer:

     

    Since you only have one Exchange server, you can try to fix your issue via the resolution in the following article:

     

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

    http://support.microsoft.com/kb/817379/en-us

     

    Note: This article applies to Exchange Server 2003; it does not depend on the version of your Windows Server operating system.

     

    Hope it helps. If anything is unclear, please feel free to let me know.

     

    Rock Wang - MSFT

    2008-11-03 05:33 AM
    Moderator
  • Hi Rock,

     

    I am sorry! It still does not work. After I added the registry entry, ActiveSync does not work. Before this step (17), ActiveSync was working fine.

    2008-11-03 07:38 AM
  •  

    Dear customer:

     

    Please double check whether you followed these steps:

     

    1. Disable forms-based authentication for the Exchange virtual directory;
    2. Create a secondary virtual directory for the Exchange server:

    a)      Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.

    b)      Click the Directory Security tab.

    c)       Under Authentication and access control, click Edit. 

    d)      Make sure that only the following authentication methods are enabled, and then click OK. Please send a screenshot of it to me.

    • Integrated Windows authentication

    • Basic authentication

    e)      On the Directory Security tab, under IP address and domain name restrictions, click Edit. 

    f)       Click the option for Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK twice. Please send a screenshot of it to me.

    g)      Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK. Please send a screenshot of it to me.

     

    Note: when you send e-mail to me, please let me know the subject of the post.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-11-04 03:27 AM
    Moderator
  • Rock,

     

    I am sure I did those steps correctly. I didn't put the cert. into any virtual directory when doing those steps. The solution that you gave me seems to be for Windows 2003 only.

    2008-11-04 04:08 AM
  • Dear customer:

    Please help collect the information requested in the previous post.

     

    Also, you can try to install a front-end Exchange server and check the effect.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

     

    2008-11-04 08:46 AM
    Moderator
  • Hi Rock,

     

    I sent the information to you on 27 Oct by email. Please check.

     

    If I set up a front-end Exchange server, should I still use Windows 2000, or is Windows 2003 better?

     

    2008-11-05 01:59 AM
  •  

    Dear customer:

     

    You can install Windows Server 2003 as the FE server.

     

    In addition, I need the screenshots of the new virtual directory, not the old one. Please collect them according to the previous post and send them to me for analysis.

     

    Note: when you send e-mail to me, please let me know the subject of the post.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-11-05 03:41 AM
    Moderator
  • Rock,

     

    I sent you an email with the subject "SSL w/Windows 2000 problem + Exchange-oma"; please check.

    2008-11-05 06:17 AM
  • Dear customer:

     

    From your screenshot 1.bmp, I noticed that there is a red error on your Exchange virtual directory. This could cause OMA not to work. Please correct the error first.

     

    Thanks for your cooperation. If anything is unclear, please feel free to let me know.

     

    Rock Wang - MSFT

     

    2008-11-06 03:49 AM
    Moderator
  • Hi Rock,

     

    I saw the following event:

     

    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 101
    Date:  2/11/2008
    Time:  23:48:06
    User:  N/A
    Computer: EXCHANGE1
    Description:
    The server was unable to add the virtual root '/Exchange' for the directory '\\.\BackOfficeStorage\[domain name]\MBX' due to the following error: The system cannot find the path specified.  The data is the error code.
    For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
    Data:
    0000: 03 00 00 00               ....   

    But I cannot find the solution on Microsoft's site. Would you mind telling me how?

     

    By the way, this can be corrected by restarting IISAdmin. But even after the error was solved, ActiveSync is still not working.

    2008-11-06 04:31 AM
  •  

    Dear customer:

     

    Please try to install another Exchange Server 2003 as the FE, and check the effect.

     

    For more information about front-end and back-end implementation and configuration, please refer to the following article:

    Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server

    http://technet.microsoft.com/en-us/library/aa998987(EXCHG.65).aspx

     

    Rock Wang - MSFT

    2008-11-07 05:25 AM
    Moderator
  • Rock,

     

    Is this the only way to solve this problem? I have no cert. for the front-end server.

    2008-11-07 06:33 AM
  • Dear customer:

     

    You can purchase a certificate from a third-party public certification authority such as VeriSign, or you can implement your own CA via Windows Server 2003 Certificate Services.

     

    For more information about how to implement a CA via Windows Server 2003, please refer to the following article:

    Installing and Configuring Windows Server 2003 Enterprise Certification Authority

    http://technet.microsoft.com/en-us/library/aa998956(EXCHG.65).aspx

     

    Rock Wang - MSFT

     

    2008-11-10 05:40 AM
    Moderator
  • Rock,

     

    I just want to make sure whether Windows 2000 with Exchange 2003 supports SSL or not. If this environment does not support SSL, we will not work on it anymore.

     

    An additional server is not the problem that we had originally. This is not a technical problem; this is a resource problem. We are not sure Windows 2003 with Exchange 2003 supports SSL perfectly.

    2008-11-10 06:15 AM
  •  

    Dear customer:

     

    Thanks for your reply.

     

    Windows 2000 Server with Exchange Server 2003 supports SSL. However, we suggest that you upgrade to the Windows Server 2003 platform, which supports more powerful features such as RPC over HTTP.

     

    Rock Wang - MSFT

    2008-11-10 06:40 AM
    Moderator
  • Rock,

     

    I understand Windows 2003 is more powerful. But we must keep Windows 2000 for some reason.

     

    Do you have any other suggestion for my problem? We have set up a stand-alone computer with Windows 2000 and Exchange 2003 for testing, but SSL does not work there either.

    2008-11-10 06:52 AM
  •  

    Dear customer:

     

    Did you obtain the certificate from a third-party public certification authority or from your own CA server? Send a screenshot of the error to the forum or to v-rocwan@microsoft.com; maybe I can give you more information.

     

    Note: when you send e-mail to me, please let me know the subject of the post.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-11-10 07:30 AM
    Moderator
  • Hi Rock,

     

    I just sent you an email with the subject "Cert. of SSL w/Windows 2000 problem".

    2008-11-10 07:54 AM
  •  

    Dear customer:

     

    On your "From IIS5" screenshot, I found that you hid the "Issued to" section, which I need. Please resend it to me without hiding that.

     

    Also, I want to know what URL you input when you access mailbox via activesync.

     

    For the ActiveSync error, I want to know whether the error occurs when you access the mailbox via the mobile phone or from your client computer.

     

    If you access via mobile phone, please let me know the Operating System version of your mobile phone.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-11-11 07:49 AM
    Moderator
  • Dear customer:

     

    From your reply, I found the following information:

     

    The "Issued to:" is mail.westpex.com.hk. The URL in ActiveSync is mail.westpex.com.hk. The ActiveSync error is only on the client computer. WM5 does not show an error code.

     

    Is the client computer a Pocket PC 2002 or 2003?

     

    For more information about ActiveSync, please refer to the following article:

    Exchange ActiveSync and Exchange 2003

    http://technet.microsoft.com/en-us/library/bb124307(EXCHG.65).aspx

     

    Thanks for your cooperation. If anything is unclear, please feel free to let me know.

     

    Rock Wang - MSFT

     

    2008-11-12 06:17 AM
    Moderator
  • Rock,

     

    The client is Windows 2000 also. Although WM5 does not show an error code, it didn't sync anything.

    2008-11-12 06:28 AM
  • Dear customer:

     

    Did you install the ActiveSync software on your Windows 2000 client, and do you want to synchronize the data between your Windows Mobile phone and Outlook?

     

    Rock Wang - MSFT

     

    2008-11-13 08:44 AM
    Moderator
  • Rock,

     

    I installed the ActiveSync software on the Windows 2000 client and connected it to the WM5 phone. This client computer does not have Outlook. I want to sync the WM5 phone to the Exchange 2003 server via the ActiveSync software.

    2008-11-13 08:51 AM
  •  

    Dear customer:

     

    Please try to install Outlook 2007 on your Windows 2000 client and check the effect.

     

    Rock Wang - MSFT

    2008-11-13 08:58 AM
    Moderator
  •  

    Dear customer:

     

    The following errors are related to the 85010014 error:

     

    • Synchronization fails when the Outlook script is blocked by antivirus software.

    Virus writers have used scripting technologies, such as JavaScript and VBScript, to infect computers. Antivirus software vendors provide technologies, such as script blocking, to help protect you from malicious scripts. Script blocking against Outlook will prevent ActiveSync from accessing Outlook's object model by blocking all ActiveSync calls to Outlook. Only users who are performing synchronization between a Windows Mobile-based device and a computer will experience this behavior.

    • Synchronization fails when Outlook is in offline mode.

    When Outlook is disconnected, folder synchronization fails with an HTTP 500 error on the first synchronization try. The HTTP 500 error occurs because ActiveSync cannot open the Server Failures folder.

    • Synchronization fails when ActiveSync is incorrectly registered to Outlook.

    This problem generally occurs when Outlook is not the primary e-mail client. In this case, ActiveSync may be incorrectly registered to Outlook.

    • Synchronization fails when Outlook is not installed.

     

    For more information about how to resolve the issue, please refer to the following article:

    You may receive error 85010014 when you try to synchronize a Windows Mobile-based device with a computer by using ActiveSync 4.1 or ActiveSync 4.0

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;912241

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-11-13 09:22 AM
    Moderator
  • Rock,

     

    There is something I don't understand. If I sync with the Exchange 2003 server directly via the mobile network, how can I install Outlook?

    2008-11-13 09:36 AM
  •  

    Dear customer:

     

    You can just install Outlook via the normal method that you have used before. For more information about how to install Outlook, please post the issue in the Office forum.

     

    Thanks for your cooperation.

     

    Rock Wang - MSFT

    2008-11-13 09:46 AM
    Moderator
  • Rock,

     

    Let me describe the current status.

     

    Setting:

    1. Cert. added in IIS

    2. SSL not required for any virtual directory.

    3. No exchange-oma virtual directory.

    4. No additional registry entry for "exchange-oma".

     

    Result:

    1. HTTP and HTTPS for OWA is working.

    2. Activesync in WM5 without SSL is working normally.

    3. ActiveSync in WM5 with SSL does not work, whether or not Outlook is installed on the client computer.

     

    Once I added the "exchange-oma" virtual directory (no SSL required) in IIS and the related registry entry, ActiveSync does not work either without SSL (error code on both WM5 and the client's ActiveSync software: 85010014) or with SSL (error code on both WM5 and the client's ActiveSync software: 80072f0d). After I removed the registry entry, without SSL it works normally, but with SSL (error code on both WM5 and the client's ActiveSync software: 80072f0d) it still does not work.

     

    Summary:

    Has exchange-oma - WM5 without SSL - error: 85010014

    Has exchange-oma - WM5 with SSL - 80072f0d

     

    No exchange-oma - WM5 without SSL - OK

    No exchange-oma - WM5 with SSL - 80072f0d

     

    Now the question is how to make ActiveSync with SSL work normally, and how to allow only SSL for all ActiveSync connections.

    2008-11-14 01:45 AM
  • Dear customer:

     

    Common error codes

    The following error code explanations address common causes. An error code might be the result of a different cause.

    • 0x850020xx
      Cause: synchronization requires user interaction.

    • 0x850100xx and 0x8600xxxx
      Cause: Server/Desktop internal error.
      Solution: If synchronization was recently successful, there may be an error with the ActiveSync partnership. Delete and then re-create the partnership on the device and desktop.

    • 0x850200xx and 0x80072Exx
      Cause: Network/radio issues.
      Solution: Adjust radio coverage. Turn the device's radio off, and then turn it back on.

    • 0x80072Fxx
      Cause: Certificate (SSL) problems.
      Solution: Renew the certificate.

     

    Per your description, "Has exchange-oma - WM5 with SSL - 80072f0d", it may be related to the certificate.

     

    Microsoft Exchange ActiveSync is a program in Microsoft Exchange Server 2003 that is used to examine the root certificate store on a Windows Mobile-based device. Exchange ActiveSync is used to verify that the certificate on a server to which a Windows Mobile-based device connects is issued by a trusted authority.

     

    Root certificates that are installed on a Windows Mobile-based device

     

    The following root certificates are installed on a Windows Mobile-based device:

    • Class 2 Public Primary Certification Authority (VeriSign, Inc.)
    • Class 3 Public Primary Certification Authority (VeriSign, Inc.)
    • Entrust.net Certification Authority (2048)
    • Entrust.net Secure Server Certification Authority
    • Equifax Secure Certification Authority
    • GlobalSign Root CA
    • GTE CyberTrust Global Root
    • GTE CyberTrust Root
    • Secure Server Certification Authority (RSA)
    • Thawte Premium Server CA
    • Thawte Server CA

    Note: Windows Mobile 5.0 with AKU2 (MSFP) has the following additional root certificate installed:

    http://www.valicert.com/

     

    We recommend that you install a certificate that is issued by an authority that the device trusts. Alternatively, install a certificate that is issued by a company that is chained to an authority that the device trusts.

     

    Please double check that the certificate you installed on your Exchange Server 2003 is issued from one of the root certificates in the above list. If not, please obtain a certificate from one of them and check the effect.

     

    How to install root certificates on a Windows Mobile-based device

    http://support.microsoft.com/kb/915840/en-us

     

    Hope it helps.

     

    Rock Wang - MSFT

     

    2008-11-14 05:37 AM
    Moderator
  • Rock,

     

    I installed the root certificate from Hong Kong Post Office in WM5. Do you mean Hong Kong Post Office is not one of the authorities?

     

    I built a testing environment to try to use this WM5 device to sync with an Exchange 2007 server with the same certificate. It is OK. Does Exchange 2007 use a different way to verify the certificate/root certificate?

     

    2008-11-14 06:17 AM
  • Rock,

     

    Thanks for helping me. Some problems have been solved. Let me explain the current status:

     

    Setting:

    1. Cert. added in IIS.

    2. SSL not required for any virtual directory.

    3. No "exchange-oma"

     

    Result:

    1. HTTP and HTTPS is working.

    2. WM5 with SSL and without SSL are both working.

     

    How do I restrict the Exchange server to accept only SSL connections? I set the virtual directory "exchange" to require SSL, and OWA successfully accepts only HTTPS, but WM5 has error 8501014 even though I set it to use SSL. I re-created the partnership many times; it still has the error.

    2008-11-14 07:24 AM
  •  

    Dear customer:

     

    Thanks for your reply. From your following description:

     

    I set the virtual directory "exchange" to require SSL, and OWA successfully accepts only HTTPS, but WM5 has error 8501014 even though I set it to use SSL. I re-created the partnership many times; it still has the error.

     

    It seems that it comes back to the original issue. If you only have a back-end Exchange server, you shouldn't enable SSL on the Exchange virtual directory.

     

    Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on Exchange back-end servers on which the user's mailbox is located. Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:

     

    • The /Exchange virtual directory on an Exchange back-end server is configured to require SSL.

    • Forms-based authentication is enabled.

     

    This issue does not occur when you enable these settings on the /Exchange virtual directory on a front-end server.

     

    So please install another Exchange server as a front-end server and check the effect.

     

    For more information about it, please refer to the following article:

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

    http://support.microsoft.com/kb/817379/en-us

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-11-17 11:11 AM
    Moderator
  • Rock,

     

    Do you mean that with a single Exchange Server, Server ActiveSync and OMA are unable to require SSL?

    2008-11-18 01:38 AM
  •  

    Dear customer:

     

    Please read the following carefully:

     

    Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on Exchange back-end servers on which the user's mailbox is located. Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:

     

    • The /Exchange virtual directory on an Exchange back-end server is configured to require SSL.

    • Forms-based authentication is enabled.

     

    This issue does not occur when you enable these settings on the /Exchange virtual directory on a front-end server.

     

    It means that you are unable to enable SSL on the /Exchange virtual directory if you only have a single Exchange server. Note that this applies to the /Exchange virtual directory, not to other virtual directories.

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-11-18 01:46 AM
    Moderator
  • Rock,

     

    Sorry for the misunderstanding. I mean, when /Exchange does not require SSL, can I set something else to make a single Exchange server require SSL only for Server ActiveSync? Note that Forms-Based Authentication is not enabled.

     

    I cannot get another server, so I cannot do method 1 of http://support.microsoft.com/kb/817379/en-us. I tried method 2 before. Because I am using IIS 5, I cannot export "/Exchange"; I can only create "/Exchange-oma" manually. Once I add the additional registry entry, whether SSL is required or not, Server ActiveSync does not work.

     

     

    2008-11-18 01:54 AM
  • Dear customer:

     

    You can try the following suggestion:

     

    Open Exchange System Manager.

     

    - Expand Administrative Groups > Name of the Administrative Group > Server > Protocols > HTTP > Exchange Virtual Server.

    - Right click on Exchange Virtual Server and select New Virtual Directory.

    - In the Name field, type Exchange-OMA.

    - Select “Mailboxes for SMTP Domain” option.

    - Make sure that the correct SMTP domain is selected.

    - Click on Apply and OK.

    - The new virtual directory will be replicated to IIS.

    - Add the ExchangeVDir reg key as per <http://support.microsoft.com/kb/817379>

    - Restart IIS Admin service.

     

    Hope it helps.

     

    Rock Wang - MSFT

     

    2008-11-18 05:44 AM
    Moderator
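The two posts above (the 4 November step list and the 18 November ESM procedure) describe the same KB 817379 method 2 workaround: keep /Exchange requiring SSL for clients, and give the local ActiveSync/OMA process a second, plain-HTTP path to the mailbox store that only the server itself may reach. The following script is an added example for this thread, not code from the original posts or from Microsoft. It assumes the exchange-oma virtual directory has already been created in Exchange System Manager as the post describes, that the Default Web Site is metabase site 1 (IIS://localhost/W3SVC/1), that the server's own IP address is 192.168.1.10 (replace it), and that it is run as an administrator on the Exchange server itself with cscript on Windows 2000 SP3 or later (WinHTTP 5.1 is used for the final check). The 401/403 check at the end is the practitioner's verification that the IP restriction, and not a broken directory, is what stands between outside clients and the unencrypted path.

```vbscript
' lockdown-exchange-oma.vbs  (added example; assumptions are marked below)
' Usage on the Exchange server:  cscript //nologo lockdown-exchange-oma.vbs
Option Explicit

Const SERVER_IP = "192.168.1.10"   ' ASSUMED: the Exchange server's own address, per KB 817379 step f)
Const VDIR_PATH = "IIS://localhost/W3SVC/1/ROOT/exchange-oma"   ' ASSUMED: Default Web Site is site 1

' IIS metabase AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM)
Const AUTH_BASIC = 2
Const AUTH_NTLM  = 4

Dim vdir, ipsec, shell
Set shell = CreateObject("WScript.Shell")
Set vdir  = GetObject(VDIR_PATH)

' 1. Only Basic and Integrated Windows authentication (no anonymous access), step d).
vdir.AuthFlags = AUTH_BASIC Or AUTH_NTLM

' 2. "Denied access" by default, then grant only the server itself, step f).
'    ActiveSync on this box loops back to /exchange-oma over plain HTTP, so
'    no other host may ever be allowed to reach this unencrypted directory.
Set ipsec = vdir.IPSecurity
ipsec.GrantByDefault = False
ipsec.IPGrant = Array(SERVER_IP & ", 255.255.255.255")
vdir.IPSecurity = ipsec

' 3. Do not require SSL on the loopback directory, step g). /Exchange itself can
'    still require SSL; that is the whole point of the second directory.
vdir.AccessSSL = False
vdir.SetInfo

' 4. Point Exchange ActiveSync and OMA at the new directory (KB 817379 registry value).
shell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir", _
               "/exchange-oma", "REG_SZ"

' 5. Restart IIS so the metabase and registry changes take effect (the thread used iisreset too).
shell.Run "iisreset /noforce", 0, True

' 6. Verify: an unauthenticated request from the server's own address must get
'    401 (authentication required), not 403 (blocked by the IP restriction).
Dim req, status
Set req = CreateObject("WinHttp.WinHttpRequest.5.1")
req.Open "GET", "http://" & SERVER_IP & "/exchange-oma/", False
req.Send
status = req.Status
If status = 401 Then
    WScript.Echo "OK: /exchange-oma reachable from the server itself (HTTP 401); /Exchange may now require SSL."
ElseIf status = 403 Then
    WScript.Echo "FAIL: HTTP 403 - check the IP grant list; ActiveSync will return 85010014."
Else
    WScript.Echo "Unexpected HTTP status " & status & " - check the virtual directory in IIS Manager."
End If
```

Two points a practitioner should keep in mind with this layout. First, the security of the workaround rests entirely on the IP restriction in step 2: /exchange-oma serves the same mailbox DAV content as /Exchange without SSL, so if that grant list is ever widened the "require SSL" setting on /Exchange protects nothing. Second, the check in step 6 is the fastest way to separate the two error codes seen in this thread: a 403 here maps to the server-side 85010014 (ActiveSync cannot reach its back-end path), while an 80072f0d on the device is a certificate trust problem on the device and has nothing to do with this directory.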
  • Rock,

     

    Your information is very helpful. Now I can require SSL when using OWA. Server ActiveSync with SSL must be optional, is that right?

    2008-11-18 06:33 AM
  •  

    Dear customer:

     

    For the new exchange-oma virtual directory, make sure that Require secure channel (SSL) is not enabled.

     

    For more information, please refer to the following article:

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

    http://support.microsoft.com/default.aspx/kb/817379/en-us

     

    Hope it helps.

     

    Rock Wang - MSFT

    2008-11-19 09:44 AM
    Moderator