Earlier this year we (or rather, myself) migrated to Exchange 2007 at work. We are not a big company but even so (or perhaps because of it) we have a rather heterogeneous set of client devices. People connect using Outlook 2003, Outlook 2007, Entourage 2008, Evolution, Apple Mail, Thunderbird and all kinds of mobile phones for both standard IMAP/SMTP (with encryption of course) or Microsoft licensed ActiveSync.
Before the migration we had a frontend Exchange server and three backend servers but after the switch we have just one Exchange 2007 server. Immediately after the switch, people started complaining that non-Microsoft mobile phones could not sync against the server using ActiveSync.
Since we are rather literate when it comes to computers we had set up an internal public-key infrastructure with a root certificate authority under SSL. The Windows domain included a certificate authority running as a subordinate authority which, in turn, had signed the SSL certificate for the Exchange 2007 server. All was done according to step-by-step guides from Microsoft. When accessing the web mail or using ActiveSync from Microsoft based mobile phones it worked. But it just wouldn’t work from Symbian phones – despite the fact that they had licensed the ActiveSync technology from Microsoft.
We tried all kind of settings before we eventually found the problem. It turns out that Exchange 2007 uses a relatively new (but still quite old) feature in SSL certificates called “Subject Alternative Name”. It is a feature that allows the certificate to be used for multiple host names and not just a single Common Name. The combination of Exchange 2007 and the subordinate Windows certification authority caused this extension to be set as “Critical” in the certificate which makes the certification check fail for any client that does not understand the Subject Alternative Name – which is exactly the case for Symbian phones.
The solution was simply to create a certificate by using OpenSSL alone and flag the extension as non-critical. The common name used in the certificate is still the only name used by ActiveSync clients so they have no problem with this change. The new host names in the certificate are to my understanding only used by Outlook 2007.
3 replies on “Exchange 2007 certificate problem with Symbian phones”
Firstly – nice article, and glad to know that we aren’t alone on this one.
We have a similar situation with Symbian phones. However our Exchange 2007 set-up (to which we are in the process of migrating users from our 2003 set-up) consists of two ISAs, two CASs, two HUBs and three backend servers. We have a SAN certificate installed (believe it is on the ISAs and the CASs). Our users are limited to rpc/https access only and like you we have a mixture of clients, typiclaly Outlook 2003, some Outlook 2007 and a wide variety of phones. We also suport OWA as well.
My question is:
Is there any danager in installing a new certificate using OpenSSL which might make a mess of things for users that aren’t experinceing any problems at all?
You have a bigger installation than us – but I guess the principle is the same. My advice would probably be to take small, reversible steps. I would start by setting up an OpenSSL certificate structure. You don’t have to do it proper CA hierarchy like I did, you could have just a root CA and use that to sign all certificates in your company. Use a global policy in your Windows domain to get the root CA certificate out to as many clients as possible. Once you have done that you can install the mail certificate on the edge Exchange servers (or perhaps the ISAs). Then try to assign the new certificate to Exchange. If it doesn’t work, just switch back.
This is a great advertising tool.