Identify Exchange Server 2010 ActiveSync certificate errors

Many issues can prevent ActiveSync from working properly for mobile devices on Exchange Server 2010, but certificate-related problems are the most common cause. This tip covers the troubleshooting basics for making sure your certificates are configured properly.

Most of the ActiveSync problems I've encountered have been certificate-related. If your certificates are not configured correctly, ActiveSync won't work. This tip will help you get to the bottom of ActiveSync problems in Exchange Server 2010.

The easiest way to find out if you have a certificate-related problem is to log into Outlook Web App (OWA). OWA and ActiveSync both require SSL, and use the client access server (CAS). ActiveSync and OWA also use the same SSL certificate, so if OWA works properly, you can rule out a certificate issue.

As you test OWA, here are some things to keep in mind:

  • By default, Exchange Server 2010 is configured to use a self-signed certificate with OWA. However, self-signed certificates are not compatible with ActiveSync. You need to use a valid X.509 certificate.
  • When you enter the URL for OWA, make sure that the URL points to the same CAS that ActiveSync is using.
  • Be sure to use the HTTPS prefix in your OWA URL.
  • When OWA loads, make note of any certificate-related warning messages you receive. If the certificate has expired, it will not work with ActiveSync.
  • If you receive a warning that the certificate name does not match the host name, verify that you have entered the server's fully qualified domain name (FQDN) as part of the URL, rather than a short host name such as https://Lab-E2K10/owa.

    Entering the URL without using a FQDN can trigger false certificate identity errors. If a certificate identity error is legitimate, you will need a new certificate.

  • You will receive a warning message (Figure 1) if the computer does not trust the certificate authority (CA) that issued the certificate to Exchange Server 2010. Both Windows and Windows Mobile are configured to trust most major third-party certificate authorities by default.
    Figure 1. A certificate-related warning message may signal an untrusted CA.

    If you are using your own CA, you must configure your computers and mobile devices to trust it. Windows-based CAs have a Web interface you can use to download a CA certificate. This certificate then must be added to the computer or device's certificate store. The Web interface is accessible at http:// /CertSrv (Figure 2).

    Figure 2. Use the certificate authority's Web interface to download required CA certificates.


  • An Enterprise certificate authority that is running Windows Server 2008 does not allow Web enrollment for mobile devices unless you install the Network Device Enrollment Service. Although it's possible to download the CA certificate, which allows the device to trust your Enterprise CA, using other methods, it's best to use the Network Device Enrollment Service.
  • When you attempt to access OWA using an HTTPS session, Internet Explorer may display an error message stating that the page cannot be displayed. If this occurs, try accessing OWA using an HTTP session, instead of HTTPS.

    If you receive a message telling you that the HTTP session is forbidden, there is probably an issue with the server's SSL certificate or its bindings. If you continue to receive the same error whether you use HTTP or HTTPS, this may signal a DNS problem.
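The checks in the list above (expiry, host-name mismatch, an untrusted issuing CA, and the default self-signed certificate) can be run from a workstation with the following PowerShell function. It is an added example, not code from the article; the server name cas01.contoso.com is a placeholder for your own client access server.

```powershell
# Added example, not code from the original article. Connects to the client access
# server named in -Fqdn (use your own CAS; 'cas01.contoso.com' below is a placeholder)
# and reports the conditions the checklist describes: expiry, host-name mismatch,
# an issuing CA this machine does not trust, and Exchange's default self-signed cert.
function Test-CasCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 443
    )
    # Accept whatever the server presents during the handshake; we judge it ourselves below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Names the certificate is valid for: the subject CN plus DNS entries in the SAN extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    $nameMatch = $names | Where-Object { $_ -eq $Fqdn -or ($_.StartsWith('*.') -and $Fqdn -like $_) }

    # Walk the chain against this machine's trust store, as the browser or device would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Server       = $Fqdn
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)  # Exchange's default certificate; ActiveSync will not use it
        NameMatches  = [bool]$nameMatch
        ChainTrusted = $trusted
        ChainStatus  = $status
    }
}

Test-CasCertificate -Fqdn 'cas01.contoso.com' | Format-List
```

Run it on the same machine that shows the OWA warning: ChainTrusted reflects that machine's own trust store, so an untrusted private CA shows up here exactly as it does in the browser.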

A crash course in IIS 7

Unlike earlier versions, Exchange Server 2010 requires Windows Server 2008 and Internet Information Services (IIS) 7, and the process for setting up SSL is quite different in IIS 7 than it was in IIS 6.

In IIS 7, SSL certificates are applied at the server level. If you look at the IIS Manager and select the listing for your IIS server, the details pane will contain a Server Certificates icon (Figure 3).

Figure 3. SSL certificates are applied to IIS 7 at the server level.

When you click the Server Certificates icon, the details pane displays the SSL certificates currently associated with the server. As you can see, the Actions pane contains an option to create a certificate request. If you're using your own CA, you'll have to use this link to create a text file containing the certificate request.

Next, use the certificate enrollment website to perform a certificate request, using the contents of the text file. When this process is complete, the website will allow you to download a certificate. After doing so, you must use the Complete Certificate Request link (Figure 4) to make IIS aware of the new certificate.

Figure 4. Clicking on the Server Certificates icon causes IIS 7 to display the existing SSL certificates.

Although SSL certificates are managed at the server level, SSL encryption is actually enabled or disabled at the individual website level. OWA and ActiveSync are both a part of the Default Web Site and have SSL enabled by default. You can use the SSL Settings icon to verify that SSL encryption is enabled (Figure 5).

Figure 5. SSL is either enabled or disabled at the website level.

Configuring a site's bindings

One step that often is overlooked involves configuring a site's bindings. In the case of SSL, site bindings tell IIS which certificate it should use for a particular site. If you look back at Figure 5, you'll notice a Bindings link, which is located in the Actions pane. Clicking on this link displays the existing site bindings.

To make sure that the site is using the correct certificate, select the HTTPS binding and click Edit. The IIS Manager will display the Edit Site Bindings dialog box (Figure 6), which lets you choose the certificate you'd like to use with the site.

Figure 6. Select the certificate you'd like to associate with the website.
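The same binding check can be done from the server's command line, which is useful when the IIS Manager dialog looks normal but the site still fails. The following function is an added example, not code from the article: it reads the SSL bindings that http.sys actually holds and verifies that each referenced certificate hash still resolves to a certificate in the machine store.

```powershell
# Added example, not code from the original article. Reads the SSL bindings that
# http.sys actually holds (netsh http show sslcert) and checks that each referenced
# certificate hash still resolves to a certificate in the machine store; a binding
# whose hash no longer matches an installed certificate is what breaks the HTTPS site.
function Get-SslBindingStatus {
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Endpoint = $Matches[2]; Hash = $null; Store = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $entries += $current }

    foreach ($e in $entries) {
        # netsh reports '(null)' when no store name was recorded; IIS uses the Personal (My) store.
        $store = if ($e.Store -and $e.Store -ne '(null)') { $e.Store } else { 'My' }
        $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $e.Hash }   # -eq ignores case; netsh prints lowercase hex
        $subject = '<no matching certificate>'
        $expires = $null
        if ($cert) { $subject = $cert.Subject; $expires = $cert.NotAfter }
        New-Object PSObject -Property @{
            Endpoint = $e.Endpoint
            Hash     = $e.Hash
            Found    = [bool]$cert
            Subject  = $subject
            Expires  = $expires
        }
    }
}

Get-SslBindingStatus | Format-Table -AutoSize
```

A port 443 entry with Found set to False, or a Subject that does not match the certificate you selected in the Edit Site Bindings dialog, is the condition that deleting and recreating the binding resolves.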

When testing this procedure in the lab, I ran into some problems and discovered they were related to the bindings. Although the bindings on my Exchange 2010 Server were configured correctly, they became corrupted -- causing Internet Explorer to display a Page Cannot Be Displayed error when I attempted to access OWA.

When I viewed the bindings through IIS Manager, everything seemed normal. I only encountered the problem when I was unable to modify my bindings. Deleting and recreating the bindings seemed to solve the problem.