Getting your iPhone to work with Exchange ActiveSync SSL Certificate
19 08 2008
This is only required if you are using a self-signed certificate.
I recently set up an iPhone to work with Microsoft Exchange 2007. It was a bit complicated so I thought I would post the instructions for others.
The Exchange 2007 server was using a self-signed SSL certificate and the iPhone was a first generation with the 2.0 firmware.

This article assumes the following:
- You have ActiveSync enabled on the user’s mailbox
- You have updated to at least the 2.0 iPhone firmware (can be updated via iTunes)
- You have your SSL .CER file (click here for how to get the .CER file)
- You should have Exchange 2007 SP1
I would recommend backing up the information on your iPhone to iTunes before you start.
The user was getting an authentication failed message when he entered the Exchange info manually. I believe this is because the device was missing the Exchange SSL certificate. So here’s what to do.
Download the iPhone Configuration Web Utility
Follow the instructions in the Enterprise Deployment Guide.
This will allow you to create a configured profile that the user just has to install. You will need to either send it to the user’s personal email account that is already configured on the iPhone or make it web accessible so they can download it to their iPhone.
Accessing the iPhone Configuration Web Utility
The iPhone Configuration Web Utility runs as a web server on your local computer on port 3000. To access the utility go to your web browser and type
Username: admin
Password: admin
1. Fill out all settings on the “General Settings” tab.
2. Upload your .CER file through the Credentials Settings page.
3. Fill out the settings under “Exchange Settings”. Note that the “Exchange ActiveSync Host” field should read mail.example.com and not https://mail.example.com. There is a “Use SSL” check box instead of the HTTPS:// prefix. Also, “User” should be entered as domain\username.
4. Have the user install the config file. The easiest way to do this is to email the config file to the user’s personal email account that is already set up on the phone and have them click it. Set up a temporary Yahoo account and email the file there if the user does not already have one.
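An added example, not part of the original post or of Apple's utility: the profile produced by these steps is a property-list file that bundles the certificate with the Exchange settings, so it can be read back before it is sent to the user. This sketch assumes an unsigned profile and the payload type and key names of Apple's configuration profile format (com.apple.security.root, com.apple.eas.account, Host, SSL, UserName); the sample profile and its certificate bytes are constructed.

```python
import hashlib
import plistlib

EAS_TYPE = "com.apple.eas.account"  # Exchange ActiveSync payload
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}  # certificate payloads


def audit_profile(raw: bytes) -> dict:
    """List the certificates and Exchange settings an unsigned profile would install."""
    profile = plistlib.loads(raw)
    report = {"certificates": [], "exchange": [], "warnings": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in CERT_TYPES:
            der = payload.get("PayloadContent", b"")
            # Fingerprint to compare with the server's .CER before the device trusts it.
            report["certificates"].append(
                {"name": payload.get("PayloadDisplayName", "(unnamed)"),
                 "sha256": hashlib.sha256(der).hexdigest()})
        elif ptype == EAS_TYPE:
            host = payload.get("Host", "")
            report["exchange"].append(
                {"host": host, "user": payload.get("UserName"),
                 "ssl": payload.get("SSL", False)})
            if "://" in host:
                report["warnings"].append(f"host {host!r} has a URL prefix; enter the bare host name")
            if not payload.get("SSL", False):
                report["warnings"].append(f"SSL is off for {host!r}")
    return report


# Constructed sample: placeholder bytes stand in for the DER certificate.
FAKE_CER = b"constructed placeholder, not a real certificate"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.profile", "PayloadDisplayName": "Example Exchange",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "mail.example.com",
         "PayloadContent": FAKE_CER},
        {"PayloadType": EAS_TYPE, "Host": "https://mail.example.com",
         "UserName": "EXAMPLE\\jdoe", "SSL": False},
    ],
})

if __name__ == "__main__":
    for section, items in audit_profile(SAMPLE_PROFILE).items():
        print(section, items)
```

The sample deliberately repeats the two mistakes step 3 warns about (an https:// prefix in the host field and SSL left off), so both warnings appear in the report.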
The user mentioned that he had lost all of his contacts after the config was installed. The contacts came back after the phone successfully synced with the server; others mentioned that they had to power cycle their phones for the contacts to come back.
UPDATE: After a recent setup, a user lost their original contacts. Below is a note from the iPhone setup guide.
“Note that after configuring an Exchange ActiveSync account, all existing contact and calendar information on the iPhone or iPod touch is overwritten. Additionally, iTunes no longer syncs contacts and calendars with your desktop computer. You can still sync your iPhone or iPod touch wirelessly with MobileMe services.”
More resources are available here.
The Microsoft Exchange server can be a tricky beast. Exchange server administration should only be performed by qualified professionals. You wouldn’t want to be responsible for crashing your entire company’s email server, would ya?
Good luck!



Thank you for posting this, I was scratching my head until I found your guide.
This worked for me.
I have the new 3g Iphone.
Anyone using a self-signed SSL cert with success? I’m still having problems and I’m wondering if I need to buy a MS approved ROOT Cert. Help?
Hi Eric,
I was able to use the self signed cert just fine.
Where are you getting stuck?
Andy
I’ve been having a fun time too with SSL activesync and an iphone. I haven’t for the life of me been able to get all 3 working together until following your solution using the iphone config utility. Thanks!
However, I wonder if it really is working because when I set IIS to accept only SSL connections, my iphone no longer syncs! OWA works perfect with only SSL, so I assume my certificate (godaddy) is set up correctly. The Profile on the iphone has the setting greyed out, but it does indicate SSL is enabled.
I wonder if when a profile is set up in this manner, that if SSL is not available it turns it off. In which case I am back to square one!
Interestingly, when I installed the profile on the iphone, including the certificate, it said that it was not from a valid authority. Did you experience the same thing?
Chris
Hi Chris,
What version of Exchange are you running?
Are you using the Godaddy certificate on Exchange, OWA, and the Iphone?
Also, if you set up a profile with SSL enabled using the config utility, you cannot manually change the SSL setting on the iPhone.
I don’t know that this serves any useful purpose but you could try to manually set up the profile, but you would have to find a way to install the SSL cert without the utility; you may be able to email it to your iPhone through an IMAP gmail account.
Andy
@Andy
To answer your questions:
>What version of Exchange are you running?
Exchange 2003 SP2
>Are you using the Godaddy certificate on Exchange, OWA, and the Iphone?
Yes, in fact I even tried including the GoDaddy root and intermediate certificates in the profile I created with the iPhone Configuration Utility.
Having said that, I think I finally have a solution! I now have “Require secure channel (SSL)” checked without breaking activesync! Instructions are here:
http://support.microsoft.com/kb/817379
Chris.
Web config utility has moved. Find it at http://www.apple.com/support/iphone/enterprise/
Thanks Jonathan,
I’ve updated the link in the post.
@Chris
It sounds like your Godaddy cert is not chaining properly.
Follow the instructions from Godaddy for installing the cert.
Also, you can contact Godaddy support as they seem knowledgeable about this.
Hey Guys,
I’m having a problem with installing the cert on my iphone.
It says “could not install the root certificate”.
It was sent to me by mail, to the device.
Any help?
@Simon
Is this a self signed certificate?
Are you using the iPhone Configuration Web Utility?
Hi,
1. I can’t find the installer for the configuration “web” utility on that link anymore?
2. With the standard utility, I follow the instructions but when trying to add from a list of certificates it asks me to choose from a blank list. The “Certificate Chooser” does not allow me to pick any files from the computer. This means I can’t add the .cer file
My exchange account is also on godaddy, and the three customer service reps I spoke to knew nothing on the topic. Any information would be much appreciated???
Ammad
PS: The godaddy account is setup on Exchange 2007
Hi Ammad,
Go to http://www.apple.com/support/iphone/enterprise/ then click iPhone Configuration Utility for Windows or Mac and download.
I’m not sure what you mean by the standard utility.
Also, if Godaddy hosts your Exchange account, the certificate should be valid and shouldn’t need to be installed manually.
Good luck
Here’s my scenario that I got to work WITH SSL self-signed certs:
- iPod 1G
- Exchange Server 2003
In order for this to work you must be the Exchange Admin or know your IT guy. By default Exchange Server on IIS is ONLY able to SSL authenticate by either: Kerberos, NTLM, or Basic – which works fine for regular web browser OWA – not for iPod touch Exchange mail with SSL.
Microsoft states you MUST create a ‘new virtual directory’ in IIS (typically default, or wherever your OMA/Exchange directories reside).
If you are the IT guy read more here, read slowly and carefully it’s actually easy. Scroll down to the ‘resolution’ area:
http://support.microsoft.com/kb/817379
First, I don’t know if I can do this because I have a jailbroken 1st gen iPhone.
And second, I have an Exchange Server 2003 account on the phone and I want to move contacts to a new Exchange Server 2007 account.
Any suggestions?
Hi Sinisa,
Are you saying that you have a 2003 mailbox configured on the phone and you want to setup a new 2007 account and migrate your contacts?
Or are you migrating your server from 2003 to 2007?
I have a 2003 mailbox configured on the phone, and have a 2007 account and want to migrate contacts.
I think I can figure it out, but I have to ask about that iPhone Configuration Utility, because I own a jailbroken phone.
Is there any danger of locking my phone?
I don’t actually own an iPhone so I can’t say about locking it up.
Why don’t you just use Outlook on a PC to transfer the contacts, then configure the new account?
The config utility created a configuration file bundled with the SSL cert.
You can probably view the file; there may be a way to do this without the utility.
Is the 07 server using a self-signed cert? If it is using a valid, public, properly chaining SSL cert, you wouldn’t need to use the utility at all.
Andy
I’m a bit confused. I am not the one using the Iphone, but have the responsibility of supporting the user with the phone. We were using Outlook 2003 and the phone would sync just fine. Read emails would appear as read in both places, deleting, replying, all that worked. Now we have upgraded to Outlook 2007 and that is no longer the case. Is there a setting that I am missing that would correct this issue?
This is for people who want to use the MS Windows CA component. To get an MS CA installed on an iPhone, follow the below process:
1. On your iPhone, browse your server by typing http OR https://mail.domain.com/certsrv
2. Login with Admin credentials on the user’s iPhone
3. Click on: Download a CA certificate, certificate chain, or CRL
4. Then click on Encoding method, e.g. Base 64
5. Now click on Download CA certificate
6. On iPhone you will now see a screen to install the certificate.
7. Now the certificate is on iPhone and you can use SSL for activesync feature.
Regards
AP
Hi
I am trying to set up iphone to work on my network for users. We are using iphone 3gs with Exchange 2007 and ISA 2006. Anyone have any experience with configuring the ISA element?
My understanding is that it uses RPC over HTTP and a random port selection procedure. I know I will have to ensure our leased line provider has these ports open.
I’m struggling with the setup procedure at this point.
Chris
All this stuff about placing the Ca cert on the phone is lame.. This isn’t necessary at all.. why are you wasting everyone’s time.
@Certs This is only required for servers using self signed certificates and other special situations.
I have updated the post to reflect this.
Thanks for the input.
@Chris I haven’t used this setup with an ISA server, maybe someone else will comment.
Hi, I have followed these steps and unfortunately cannot get the exchange account to work on iPhone. Can you please provide more details?
Hi Ravinder, are you getting an error message?