Bug 6467 - (int-149512) MfE connection wizard fails to connect to Exchange2007 with "allow non-provisional devices" set
Status: RESOLVED FIXED
Product: Synchronization
Mail for Exchange
: 5.0/(1.2009.42-11)
: N900 Windows
: Medium major with 10 votes (vote)
: 5.0/(2.2009.51-1)
Assigned To: unassigned
: activesync-bugs
 
Reported: 2009-12-01 11:21 UTC by Petri Lipponen
Modified: 2010-08-12 11:10 UTC (History)

Attachments
The certificate of the Exchange2007 server (1.96 KB, application/octet-stream)
2009-12-01 12:51 UTC, Petri Lipponen
Log for failed setup (222.51 KB, text/plain)
2010-01-31 16:57 UTC, Patrik Norrgård




Description Petri Lipponen (reporter) 2009-12-01 11:21:23 UTC
SOFTWARE VERSION:
1.2009.42-11

EXACT STEPS LEADING TO PROBLEM: 
0. Exchange2007 server set with "allow non-provisional devices" on!
1. ...->Settings->Mail for Exchange
2. Entered valid (works in N73 MfE) credentials, clicked "Next"
3. Entered valid server address, port 443, secure "on"

EXPECTED OUTCOME:
MfE is set up so that I can sync my calendar, mails etc.

ACTUAL OUTCOME:
"Error: Either Exchange server requires secure connection or account is
disabled"

REPRODUCIBILITY:
always

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:
I tried to import the certificate in case that is the problem, but I couldn't
add it to N900 (exported in PEM format with .crt extension). 

This (MfE) is the most important feature for me on the device. I was about to
order my own N900 but I'm using my company test phone for now, and otherwise
I'm liking it. If I can't get mail & calendar sync working, I have to settle
for iPhone... 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6)
Gecko/2009011913 Firefox/3.0.6
Comment 1 Petri Lipponen (reporter) 2009-12-01 12:51:35 UTC
Created an attachment (id=1653) [details]
The certificate of the Exchange2007 server 

Here's the certificate of our Exchange2007 server in hope that it can help
finding the bug.
Comment 2 massimo.bilvi 2009-12-01 15:18:21 UTC
I have the same problem. 
For installing the certificates I made the following steps:

1) Exported the certificates from Outlook in p7b format.
2) Sent the certificates in attachment to my gmail account.
3) By opening the attachment with the browser the certificates are installed in
the N900

By the way with or without the certificates the error occurs anyway.
Comment 3 Petri Lipponen (reporter) 2009-12-03 13:37:50 UTC
I've managed to install the certificate using Massimo's instructions (thanks!).
Still the problem remains... I've managed to configure just fine to the Nokia's
own MfE account (working as a consultant there). However still no luck with my
own company's Exchange2007.
Comment 4 Andre Klapper maemo.org 2009-12-04 13:51:43 UTC
Imported. Thanks for the confirmation!
Comment 5 Ilkka Pirskanen 2009-12-05 09:17:50 UTC
I can also reproduce the problem. Some observations:
1. If the synchronization is set to any automatic setting (always, every 15
minutes etc.), the error message is popping up continuously on the screen which
makes the phone basically unusable until synchronization is set to manual.
2. The error message is unclear and contains explanation for two different
scenarios. The error messages should be clearer and relate to the actual error
encountered.
3. The bug seems to be very random: the synchronization can work flawlessly for
hours after which the bug appears, and then the bug disappears as mysteriously
as it came after some change, for example when connectivity is changed from
WLAN to 3G.
Comment 6 Mohammed Hammad 2009-12-06 21:00:39 UTC
(In reply to comment #3)
> I've managed to install the certificate using Massimo's instructions (thanks!).
> Still the problem remains... I've managed to configure just fine to the Nokia's
> own MfE account (working as a consultant there). However still no luck with my
> own company's Exchange2007.
> 

Can you try reflashing the device and resynching it with Nokia's Exchange?
Comment 7 olaf slazak løken 2009-12-07 12:55:56 UTC
Please try with a different location. I have tried with my default location
Norway without any luck. Then I switched to Finland and then USA and it works.
I have tried this 3 times just to be sure. :)
Comment 8 Petri Lipponen (reporter) 2009-12-07 13:29:05 UTC
Hi. Thanks for the tip. I managed to get it working by changing my date format
from "Finnish" to "English (UK)". I think that there might be localized date
formats used somewhere in the MfE protocol code, which would explain the issue. 

I've updated the title to match this latest finding. I would not mark this as
"works" since I think the MfE should work with all date formats...
Comment 9 Ilkka Pirskanen 2009-12-07 13:43:24 UTC
(In reply to comment #8)
> Hi. Thanks for the tip. I managed to get it working by changing my date format
> from "Finnish" to "English (UK)". I think that there might be localized date
> formats used somewhere in the MfE protocol code, which would explain the issue. 
> I've updated the title to match this latest finding. I would not mark this as
> "works" since I think the MfE should work with all date formats... 

My date format is Finnish, and at the moment MfE works. I don't think this is
directly related to date formats. I would change the title back without
referring to date formats.
Comment 10 olaf slazak løken 2009-12-07 15:39:47 UTC
It did work with Finnish :) But it did not work with Norwegian.
It's strange I know but that was the only solution for me. And now it works.
Comment 11 Mohammed Hammad 2009-12-07 16:24:52 UTC
(In reply to comment #10)
> It did work with Finnish :) But it did not work with Norwegian.
> It's strange I know but that was the only solution for me. And now it works.
> 

I don't have Finnish under device language or regional settings :s
Comment 12 Andre Klapper maemo.org 2009-12-07 16:36:40 UTC
(In reply to comment #11)
> I don't have Finnish under device language or regional settings :s

Yes, that is probably because you use software version 1.2009.42-11.002.
Comment 13 Mohammed Hammad 2009-12-07 18:25:14 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > I don't have Finnish under device language or regional settings :s
> 
> Yes, that is probably because you use software version 1.2009.42-11.002.
> 

I'm using 1.2009.42-11.003.
What's the date format used for Finnish? ma 07-12-09? mon 12/07/09?
Comment 14 Ilkka Pirskanen 2009-12-07 19:40:01 UTC
(In reply to comment #13)
> I'm using 1.2009.42-11.003.
> What's the date format used for Finnish? ma 07-12-09? mon 12/07/09?

Finnish date format is 07.12.09.

This discussion is now completely on side track. For me, MfE works although I
have Finnish locale setting. Petri changed from Finnish to English UK and got
his MfE working.

This is probably an uninitialized variable or something similar and various
acts can lead to the problem resolution although not directly related to the
bug itself.
Comment 15 Mohammed Hammad 2009-12-07 20:08:11 UTC
(In reply to comment #14)
> (In reply to comment #13)
> > I'm using 1.2009.42-11.003.
> > What's the date format used for Finnish? ma 07-12-09? mon 12/07/09?
> 
> Finnish date format is 07.12.09.
> 
> This discussion is now completely on side track. For me, MfE works although I
> have Finnish locale setting. Petri changed from Finnish to English UK and got
> his MfE working.
> 
> This is probably an uninitialized variable or something similar and various
> acts can lead to the problem resolution although not directly related to the
> bug itself.
> 

I think it'll be better if the Finnish reference is removed from the bug title.
Comment 16 Andre Klapper maemo.org 2009-12-07 20:13:18 UTC
True. Done.
(No need to quote the entire former comment though :-)
Comment 17 Lari Tuononen 2009-12-11 16:54:21 UTC
When using self signed root certificate (using exchange 2007) I had very big
problems getting the sync going, the wizard always ended with error "Error:
Either Exchange server requires secure connection or account is disabled".

I found out that MfE uses certificates from /home/user/.activesync/certs which
has symlinks from /etc/certs/common-ca/. But the user imported certificates go
to /home/user/.maemosec-certs/ssl-ca and these are not symlinked to the
activesync folder. After manually doing the symlink in xterm, I got the MfE
working.

(see also bug 6582)
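
Comment 17 describes a trust-store mismatch: the application reads CA certificates from one directory of symlinks while user imports land in another. The shell script below is an added example, not code from this thread or from Maemo; it lists imported files that no entry in the application's directory resolves to, and any dangling links. The directory roles come from comment 17; the function names and the demo file names are constructed.

```shell
#!/bin/sh
# Added example: audit a "certificates imported here, application reads there"
# layout such as the one in comment 17. Nothing is modified; it only reports.

# Print each regular file in IMPORT_DIR that no entry of APP_DIR resolves to.
unlinked_certs() {
    import_dir=$1
    app_dir=$2
    for cert in "$import_dir"/*; do
        [ -f "$cert" ] || continue          # also skips an unmatched glob
        found=no
        for entry in "$app_dir"/*; do
            # -ef is true when both paths resolve to the same file,
            # so the link name does not have to match the file name
            if [ "$entry" -ef "$cert" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || basename "$cert"
    done
}

# Print each symlink in APP_DIR whose target no longer exists.
dangling_links() {
    app_dir=$1
    for link in "$app_dir"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            basename "$link"
        fi
    done
}

# Constructed demo layout in a temporary directory. On a device the three
# directories would be the ones named in comment 17.
demo() {
    root=$(mktemp -d)
    mkdir "$root/common-ca" "$root/ssl-ca" "$root/activesync-certs"
    : > "$root/common-ca/vendor-root.pem"       # shipped CA (constructed name)
    : > "$root/ssl-ca/company-root.pem"         # user import (constructed name)
    ln -s "$root/common-ca/vendor-root.pem" "$root/activesync-certs/vendor-root.pem"
    ln -s "$root/common-ca/removed.pem" "$root/activesync-certs/removed.pem"
    echo "imported but not visible to the application:"
    unlinked_certs "$root/ssl-ca" "$root/activesync-certs"
    echo "dangling links in the application directory:"
    dangling_links "$root/activesync-certs"
    rm -rf "$root"
}

demo
```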
Comment 18 Mohammed Hammad 2009-12-12 22:08:47 UTC
(In reply to comment #17)
Confirming Labra's method.
I got it working by importing the certificate to the device.
Comment 19 Mohammed Hammad 2009-12-12 22:09:39 UTC
*** Bug 6592 has been marked as a duplicate of this bug. ***
Comment 20 NathanR 2009-12-14 02:40:46 UTC
Confirmed using Labra's method, imported self-signed or private certificate
authority chains are not recognized by MfE.
Comment 21 Adlay Ingemar 2010-01-12 09:25:48 UTC
(In reply to comment #20)
> Confirmed using Labra's method, imported self-signed or private certificate
> authority chains are not recognized by MfE.
> 

Hi, may I know how to import the certificate to the device?
Comment 22 Patrik Norrgård 2010-01-31 16:57:51 UTC
Created an attachment (id=2174) [details]
Log for failed setup

We use a non-self signed cert
I added a policy to allow non-provisional devices

Server version: 2007 08.00.0685.018
Phone OS:2.20009.51-1

Settings in wizard:
Location : Finland
Comment 23 Patrik Norrgård 2010-01-31 16:59:05 UTC
We use a non-self signed cert
I added a policy to allow non-provisional devices

Server version: 2007 08.00.0685.018
Phone OS:2.20009.51-1

Settings in wizard:
Location : Finland

I added the log as an attachment.
Comment 24 Patrik Norrgård 2010-01-31 21:07:13 UTC
(In reply to comment #23)
> We use a non-self signed cert
> I added a policy to allow non-provisional devices
> 
> Server version: 2007 08.00.0685.018
> Phone OS:2.20009.51-1
> 
> Settings in wizard:
> Location : Finland
> 
> I added the log as an attachment.
> 

Actually I got it working by updating the exchange server to sp2. I assumed it
was already updated, as the sp1 and sp2 did not show up in windows update /
microsoft update.
Comment 25 Andre Klapper maemo.org 2010-02-02 16:53:23 UTC
Petri: Do you also use SP2 (see last comment)?
Comment 26 Ilkka Pirskanen 2010-02-02 23:34:28 UTC
This bug was resolved at least for me by updating to PR1.1. After that I have
not had any problems with Exchange 2007.
Comment 27 Petri Lipponen (reporter) 2010-02-03 11:53:44 UTC
(In reply to comment #25)
> Petri: Do you also use SP2 (see last comment)?
> 

unfortunately my company merged with another and we no longer have the exchange
server in use (we use oracle beehive which triggered another bug report from me
:).
Comment 28 Andre Klapper maemo.org 2010-02-03 13:44:39 UTC
So for Patrik it works with Exchange PR2, for Ilkka it works fine in PR1.1, and
Petri does not have access anymore.

Closing as FIXED. Thanks everybody for the feedback!
Comment 29 BarneyB 2010-08-09 18:30:08 UTC
(In reply to comment #17)
> When using self signed root certificate (using exchange 2007) I had very big
> problems getting the sync going, the wizard always ended with error "Error:
> Either Exchange server requires secure connection or account is disabled".
> 
> I found out that MfE uses certificates from /home/user/.activesync/certs which
> has symlinks from /etc/certs/common-ca/. But the user imported certificates go
> to /home/user/.maemosec-certs/ssl-ca and these are not symlinked to the
> activesync folder. After manually doing the symlink in xterm, I got the MfE
> working.
> 
> (see also bug 6582)
> 

hi
could you advise me on how you did this as we are having the same issues on
pr1.2 and i have tried symlinking the folders but without too much joy.
any help on how you did this would be ace.

many thanks in advance

barneyb
Comment 30 Ilkka Pirskanen 2010-08-09 21:33:25 UTC
(In reply to comment #29)
> hi
> could you advise me on how you did this as we are having the same issues on
> pr1.2 and i have tried symlinking the folders but without too much joy.
> any help on how you did this would be ace.
> many thanks in advance
> barneyb

AFAIK, the solution you refer to is only valid to PR1.0. If you are still
having PR1.0, upgrade to PR1.2.

Check this web page for PR1.2 instructions.
http://wiki.maemo.org/Mail_For_Exchange_(MfE)_Heartbeat_and_FAQ#Debugging_possible_certificate_errors_on_self-signed_certificates
Comment 31 BarneyB 2010-08-10 10:17:33 UTC
(In reply to comment #30)
> (In reply to comment #29)
> > hi
> > could you advise me on how you did this as we are having the same issues on
> > pr1.2 and i have tried symlinking the folders but without too much joy.
> > any help on how you did this would be ace.
> > many thanks in advance
> > barneyb
> 
> AFAIK, the solution you refer to is only valid to PR1.0. If you are still
> having PR1.0, upgrade to PR1.2.
> 
> Check this web page for PR1.2 instructions.
> http://wiki.maemo.org/Mail_For_Exchange_(MfE)_Heartbeat_and_FAQ#Debugging_possible_certificate_errors_on_self-signed_certificates
> 
hi
yes we are running on pr1.2 yet we still have the problem. i have run various
fixes but without success including the one above. any further help would be
great.

regards 
barneyb
Comment 32 Andre Klapper maemo.org 2010-08-10 12:16:58 UTC
(Please do not full-quote previous comments.)

Barney, do you really try to connect to a Microsoft Exchange 2007 Server, or to
a Novell DataSync Server as in your other bug report (bug 10763)?
Comment 33 BarneyB 2010-08-10 12:57:06 UTC
hi mate
yes is novell datasync but it uses the exchange framework. this system works on
almost all phones
but the n900 just seems to have issues which is not good as that's my phone.
I'm now holding onto straws and hoping some random solution will make this work.
with
the error i get : 
"Error: Either Exchange server requires secure connection or account is
disabled"
appears to be a common cert error and hoping there is some kind of fix
out there :-(

anyway, the saga continues.

regards

barneyb
Comment 34 Ilkka Pirskanen 2010-08-10 22:07:43 UTC
(In reply to comment #33)
> > Check this web page for PR1.2 instructions.
> > http://wiki.maemo.org/Mail_For_Exchange_(MfE)_Heartbeat_and_FAQ#Debugging_possible_certificate_errors_on_self-signed_certificates
> > 
> hi
> yes we are running on pr1.2 yet we still have the problem. i have run various
> fixes but without success including the one above. any further help would be
> great.
> regards 
> barneyb

If you have run the query above, what was the reported reason for certificate
rejection?
Comment 35 BarneyB 2010-08-11 11:14:49 UTC
the error is the same as before the update or symlink process :
"Error: Either Exchange server requires secure connection or account is
disabled"

bit of a nightmare really.

cheers

barneyb
Comment 36 Andre Klapper maemo.org 2010-08-11 11:24:14 UTC
(In reply to comment #35)
> the error is the same as before

No, that was not the question.
See the link posted before.
Comment 37 BarneyB 2010-08-11 11:48:50 UTC
hi
yes sorry for that. here are the responses as expected :

Nokia-N900:~# cmcli -T common-ca -v 10.1.8.45:443
a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
 Verification failed: self signed certificate
Nokia-N900:~# cmcli -t ssl-ca -v 10.1.8.45:443
a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
 Verification failed: self signed certificate
Nokia-N900:~# cmcli -T common-ca -t ssl-ca -v 10.1.8.45:443
a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
 Verification failed: self signed certificate
Nokia-N900:~# cmcli -T common-ca -sv 10.1.8.45:443
a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
 Verification failed: self signed certificate
Nokia-N900:~# cmcli -T common-ca -s 10.1.8.45:443
Nokia-N900:~#

this is what i expected. any clues for yourself.

cheers

barneyb
Comment 38 Ilkka Pirskanen 2010-08-11 20:07:59 UTC
(In reply to comment #37)
> hi
> yes sorry for that. here are the responses as expected :
> Nokia-N900:~# cmcli -T common-ca -v 10.1.8.45:443
> a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
>  Verification failed: self signed certificate

Obviously, you have got an invalid certificate. You should either correct the
certificate or import relevant certificates to your phone according to the
instructions in the Wiki page.

Your problem is not related to this bug report.
Comment 39 BarneyB 2010-08-12 11:10:19 UTC
hi
yes i agree and have always thought the cert was the issue. thank you for
helping me confirm. just for the record, here is a complete rundown of
information in case you can spot something as this cert does work with all other
mobiles :

Nokia-N900:~# cmcli -T common-ca -t ssl-ca -v 10.1.8.45:443
a443ffe8c24d38a0cbce038c155a152b0b7df5f5 DataSync MobilityPack
 Verification failed: self signed certificate
Nokia-N900:~# cmcli -T common-ca -s 10.1.8.45:443
Nokia-N900:~# ls
a443ffe8c24d38a0cbce038c155a152b0b7df5f5.pem
Nokia-N900:~# openssl x509 -text -in a443ffe8c24d38a0cbce038c155a152b0b7df5f5.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 51480 (0xc918)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DataSync MobilityPack
        Validity
            Not Before: Aug  6 09:20:03 2010 GMT
            Not After : Aug  3 09:20:03 2020 GMT
        Subject: CN=DataSync MobilityPack
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d8:e1:4f:dd:6b:29:e6:7d:4d:5b:e4:10:5b:9e:
                    b7:a5:da:9f:9a:6e:bf:fb:99:50:c5:ca:d2:ba:81:
                    ab:72:56:80:c4:24:3b:7c:c4:6c:da:92:77:ca:cb:
                    7d:54:b4:d0:61:16:ec:14:cf:10:13:b0:61:58:b6:
                    29:3d:55:44:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        af:82:42:2d:f8:72:f2:29:8a:46:09:31:79:6f:ce:ce:12:81:
        2b:cd:63:52:e2:a3:0c:d3:08:03:0c:c7:f3:d1:19:20:42:ef:
        5e:03:0d:89:9d:90:ec:38:b8:d5:23:a3:fa:fe:06:26:e2:d5:
        e3:e2:6b:2c:fe:ab:24:ea:d3:48
Nokia-N900:~#

again, thanks for your help.

regards

barneyb
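
The `openssl x509 -text` dump in comment 39 can be screened mechanically for properties that strict TLS clients commonly object to. The script below is an added example, not part of the thread: it reads such a dump on stdin and reports a self-issued certificate, X.509 version 1 (no extensions), a short RSA key and an MD5 or SHA-1 signature. The sample input is copied from comment 39 with the hex omitted; the finding labels and the 2048-bit floor are this example's assumptions, and it makes no claim about which property the N900 actually rejected.

```shell
#!/bin/sh
# Added example: screen "openssl x509 -text" output for weak properties.

# Read an openssl text dump on stdin, print one finding per line.
cert_findings() {
    awk '
        /^ *Version:/          { version = $2 + 0 }
        /^ *Issuer:/           { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/          { sub(/^ *Subject: */, ""); subject = $0 }
        /Signature Algorithm:/ { sigalg = $NF }
        # Matches both "RSA Public Key: (512 bit)" and "Public-Key: (2048 bit)"
        /Public[- ]Key: \([0-9]+ bit\)/ {
            match($0, /\([0-9]+ bit/)
            bits = substr($0, RSTART + 1, RLENGTH - 5) + 0
        }
        END {
            # Issuer equal to subject: no chain, must be trusted explicitly
            if (issuer != "" && issuer == subject) print "self-issued"
            # Version 1 certificates cannot carry basicConstraints or SANs
            if (version == 1) print "x509v1-no-extensions"
            # 2048 bits is the floor assumed by this example
            if (bits > 0 && bits < 2048) print "weak-rsa-" bits
            if (tolower(sigalg) ~ /^(md5|sha1)/) print "weak-signature-" sigalg
        }
    '
}

# Sample input: the dump posted in comment 39, hex blocks omitted.
sample_dump() {
cat <<'EOF'
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 51480 (0xc918)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DataSync MobilityPack
        Validity
            Not Before: Aug  6 09:20:03 2010 GMT
            Not After : Aug  3 09:20:03 2020 GMT
        Subject: CN=DataSync MobilityPack
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

sample_dump | cert_findings
```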