Friday, February 29, 2008
posted by: Martin

Whew... this was a bit of a chore but thank heavens for friends and the Internet.

After finally deciding to get a smart phone, paying the extra monthly charge for a data plan, and assuming it would be easy as pie to configure mobile access on my Exchange server, I was bummed to find out that this was not the case. Turning on Mobile Access is easy enough. All you have to do is open System Manager, expand Global Settings, right click Mobile Services, select Properties and under the General tab check the two boxes under Outlook Mobile Access.

But every attempt to sync from my phone still failed. After looking up lots of sync errors and reading the same Microsoft KB article over and over, two friends of mine (Mark and Andy) finally found a site that explained it better than Microsoft and told me why everything was not working just because I had turned it on. At issue is the fact that I only have one Exchange server, so it's having to perform the role of Front-End server and Back-End server. The Front-End server is the one that usually takes the traffic that is directed to your mailbox, to OWA and to OMA and tells it where to go and on what port. In my case, since I had Forms Based Authentication turned on, SSL traffic was already being monopolized by OWA and so OMA was not working. Here is the fix mentioned in the link above with my edits.

  • In Exchange System Manager, Servers, <your server>, Protocols, HTTP; right click on the Exchange virtual server and choose Properties. Click on the "Settings" tab and disable Forms Based Authentication.
  • In IIS Manager, remove the SSL certificate from the default web site.
  • Still in IIS Manager, remove the "Require SSL" setting from all virtual directories, particularly, /exchange, /exchweb, /Microsoft-Server-ActiveSync and /oma. I did this to every virtual directory.
  • Drop in to a command prompt and type iisreset and press enter.
  • Go back in to IIS manager, and find and right click on the Exchange virtual directory, choose All Tasks, and then Save Configuration to a File.
  • In the File name box, type a name. To follow Microsoft's example, type "ExchangeVDir" and then click OK.
  • Right click on the root of the Default Web Site and choose New, then "Virtual Directory (from file)".
  • In the Import Configuration dialog box, click Browse and locate the file that you created earlier. Choose Open, then Read File.
  • Under "Select a configuration to import", choose Exchange, and then choose OK. A dialogue box will appear that states the "virtual directory already exists." The option to create a new virtual directory should already be selected. In the box enter a new name. To follow Microsoft's example, enter "exchange-oma" and choose OK. The new folder should be created.
  • Right click on this new virtual directory and choose Properties. Then click on the "Directory Security" tab.
  • Under "Authentication and access control", click the Edit button. Ensure that only "Integrated Windows authentication" and "Basic authentication" are enabled. Change it if required. You need to ensure that Anonymous authentication is not enabled. Leave the Default domain and default realm blank. Press OK to go back to the main properties of the virtual directory.
  • Under "Secure communications", click the Edit button. Make sure that "Require secure channel (SSL)" is not enabled, and then click OK.
  • Drop in to a command prompt and run iisreset again.
  • Copy and paste the following registry entry in to a new notepad document and then save it as ExchangeVdir.reg. Then right click on it and choose Merge.
  • After making the change, run iisreset again, then restart the "IIS Admin Service" in Services.
  • Put the SSL certificate back on the site, but do NOT set the require SSL option at this time.
  • Test the sync process to prove that it works.
  • If sync works (and it did on the second try), re-enable forms based authentication in Exchange System Manager.
  • You can now also require SSL on the /exchange virtual directory.
  • I found a ton of articles that suggested the problem was my self-signed SSL certificate and how I should go with a trusted (read: commercial and expensive) certificate authority but I'm happy to report that it was not! I just had to export the root cert from my certificate authority, copy it to my Dash using ActiveSync, double click it and it installed beautifully. No certificate errors, no problems.
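
An added example, not part of the original post: a PowerShell check of the end state these steps leave behind, listing virtual directories that accept Basic authentication without "Require SSL" (Basic credentials are only base64-encoded on the wire). The property names are those of the IIS 6 WMI provider class IIsWebVirtualDirSetting; the sample objects are constructed to mirror the steps above, and site ID 1 for the Default Web Site is an assumption.

```powershell
# Added example: classify one virtual directory by its SSL and authentication settings.
function Get-VdirFinding {
    param(
        [Parameter(Mandatory = $true)] $Vdir,
        [string[]] $AllowedCleartext = @()   # vdirs deliberately left without SSL
    )
    $leaf     = ($Vdir.Name -split '/')[-1]
    $expected = $AllowedCleartext -contains $leaf   # -contains is case-insensitive

    if ($expected -and $Vdir.AuthAnonymous)       { $status = 'ANONYMOUS-ENABLED' }
    elseif ($Vdir.AccessSSL)                      { $status = 'OK' }
    elseif (-not $Vdir.AuthBasic)                 { $status = 'NO-SSL-NO-BASIC' }
    elseif ($expected)                            { $status = 'EXPECTED-NO-SSL' }
    else                                          { $status = 'BASIC-WITHOUT-SSL' }

    New-Object PSObject -Property @{ Vdir = $leaf; Status = $status }
}

# Constructed sample: Require SSL removed from every vdir, then re-enabled on
# /exchange only, as in the steps above. Values are illustrative, not a real export.
function New-SampleVdir($name, $ssl, $basic, $anon) {
    New-Object PSObject -Property @{
        Name = "W3SVC/1/ROOT/$name"; AccessSSL = $ssl
        AuthBasic = $basic; AuthNTLM = $true; AuthAnonymous = $anon
    }
}
$vdirs = @(
    (New-SampleVdir 'Exchange'                    $true  $true $false),
    (New-SampleVdir 'Exchweb'                     $false $true $false),
    (New-SampleVdir 'Microsoft-Server-ActiveSync' $false $true $false),
    (New-SampleVdir 'OMA'                         $false $true $false),
    (New-SampleVdir 'exchange-oma'                $false $true $false)
)

# On the server itself, replace the sample with the live settings:
# $vdirs = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting |
#          Where-Object { $_.Name -like 'W3SVC/1/ROOT/*' }

$vdirs |
    ForEach-Object { Get-VdirFinding -Vdir $_ -AllowedCleartext 'exchange-oma' } |
    Where-Object { $_.Status -ne 'OK' } |
    Select-Object Vdir, Status
```

With the sample data, Exchweb, Microsoft-Server-ActiveSync and OMA come back as BASIC-WITHOUT-SSL, which are the directories to revisit once sync is confirmed working; exchange-oma is reported as EXPECTED-NO-SSL.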

    Sunday, July 13, 2008 8:37:31 PM (Pacific Standard Time, UTC-08:00)
    I had to do the same thing so I wrote a tool to make it easier to export your corporate certificate to the handheld.
    http://digitallabs.net/mcb
    Even handles custom signed software.