Palm Pre Exchange 2003 Configuration
Had some Palm Pre phones come into work today, and had to set them up with the Exchange 2003 server. As with other Palm devices that use OWA (Outlook Web Access) and EAS (Exchange ActiveSync), we need to export our CA root certificate to the phone and install it in the certificate store. This seems to be a huge problem for some people, so maybe this guide will help you out.
First, you need to make sure the IIS web server that you connect to from the phone or web browser has an SSL certificate with the correct CN (Common Name) of the server. This is very important. If you are connecting to, say, https://mail.server.com on the phone, the CN of the web server certificate must be mail.server.com.
The server at work did not have this for some reason, so in the IIS System Manager open SERVER (local computer) and Websites, right click on Default Web Site and click on Properties. Make sure you have 443 in the SSL port on this page, and then click on Advanced. Make sure under ‘Multiple SSL identities for this web site’ you have a Default with SSL port 443. Click OK if you added it; if it was already there, cancel out of the dialog.
Click on the Directory Security tab.
Now click on View Certificate if you have the ability to (that is, the server already has a certificate installed). Click on the Certification Path tab at the top. You should have a certificate at the top with the CA name and one under it, which should be the CN of this web server.
If you cannot click on the View Certificate button you need to have this server request one from the available CA server on your network. When you are asked for the CN make sure it is the external FQDN of this server, not just the hostname.
Once that’s done, you should have an Edit button under the View Certificate button. Click Edit and at the top make sure you have ‘Require secure channel (SSL)’ unchecked. You will still use SSL, but if you have only one Exchange server on your network you cannot have a front-end and back-end server setup, and this needs to be unchecked for Exchange to communicate with IIS on the server itself. We will be using our self-signed certificate for SSL communications from the Palm Pre to the IIS server over the Internet.
Click OK at the bottom and you’re done here. Open the Exchange System Manager. Open up Global Settings, then right click on Mobile Services and choose Properties. On this first page, I have (by default, it seems) everything at the top checked. At the bottom I checked Enable Outlook Mobile Access and Enable unsupported devices, and clicked OK. This is up to you; I am not sure whether you need the unsupported devices option checked, but it seems to work fine.
Some people talk about it not working with Forms Based Authentication. I do not use this at home, but we do at work, and it does not make a difference in either case.
We should be done on the server end. On your workstation, you should be able to connect to https://exchange-server-fqdn/exchange and get your login page or a login popup, or, if you use Internet Explorer, you might get a transparent login to Outlook Web Access. In Internet Explorer, at the right of the address bar, you should have an SSL lock icon, either green or red depending on whether you installed your self-signed certificate on the local machine. Left click on this and choose View Certificates.
At the top click on Certification Path; here you should have two lines of certificates. At the top is the root certificate and under that is the CN of this web server running Outlook Web Access. Click on the top root CA certificate and click on View Certificate near the bottom of this dialog. At the top of the new dialog, click on Details, then at the bottom click on Copy to File.
In the wizard click on Next, then Next again. Browse to a location you can remember, the desktop is fine, and type in a file name and click Save. Click Next in the wizard then Finish. It will say the export was successful. Click OK to close all the dialogs and you can close Internet Explorer.
Connect your Pre via USB and set it to USB File Mode. Copy the certificate to your phone and use the Certificate Manager to install the certificate. You should be able to set up your Exchange account on the phone now.
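Two things in this procedure are easy to get wrong: a web server certificate whose CN does not match the host name entered on the phone, and exporting the server's own certificate instead of the root at the top of the Certification Path. The script below is an added example, not part of the original post; it assumes OpenSSL on a workstation, and the CA name, key files and the `root.cer`/`server.pem` file names are constructed sample data (only `mail.server.com` comes from the text).

```shell
#!/bin/sh
# Added example: host name, subject names and file names are constructed.

to_pem() {      # normalise a cert to PEM; IE's export wizard writes DER by default
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -outform PEM
}

name_of() {     # $1 = PEM file, $2 = -subject or -issuer
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

is_root_ca() {  # true only if the cert is self-issued and verifies under itself
    pem=$(mktemp) && to_pem "$1" > "$pem" || return 2
    rc=1
    [ "$(name_of "$pem" -subject)" = "$(name_of "$pem" -issuer)" ] &&
        openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 && rc=0
    rm -f "$pem"; return $rc
}

cn_matches() {  # $1 = server cert, $2 = host name entered on the phone
    to_pem "$1" | openssl x509 -noout -checkhost "$2" | grep -q 'does match'
}

issued_by() {   # $1 = server cert, $2 = candidate root
    a=$(mktemp); b=$(mktemp); rc=0
    to_pem "$1" > "$a"; to_pem "$2" > "$b"
    openssl verify -CAfile "$b" "$a" >/dev/null 2>&1 || rc=$?
    rm -f "$a" "$b"; return $rc
}

make_samples() { # constructed CA and server cert, written into directory $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.server.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/root.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.pem" 2>/dev/null &&
    openssl x509 -in "$1/root.pem" -outform DER -out "$1/root.cer"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in root.cer server.pem; do
    if is_root_ca "$dir/$f"; then echo "$f: root CA, this is the file for the phone"
    else echo "$f: not a root CA, export the top entry of the Certification Path"; fi
done
cn_matches "$dir/server.pem" mail.server.com && echo "CN matches mail.server.com"
issued_by "$dir/server.pem" "$dir/root.cer" && echo "server cert chains to root.cer"
```

To check a real deployment, call the three functions on your own exported file and a saved copy of the server certificate instead of the generated samples.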
Once everything is up and running, you can get the Microsoft Exchange Server ActiveSync Web Administration Tool and install it on your server to get a few administrative functions for Mobile Devices.
I will continue to post a few links that may help others out as I find them.
- Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
This is great for IT people like us but imagine all of the SBS 2003 end users / small business owners trying to sort through all of this, it might as well be written in Japanese. The PRE needs to have an option to either accept junk certificates or to not use SSL at all. The Palm tech I spoke with on the phone seemed pretty overwhelmed with calls regarding this issue so I imagine it will be addressed soon.
@Chad
Oh I know. I understand the need for -only- SSL connections, but I can see a use for allowing non-SSL but with a huge warning. The real solution would be some option for allowing certificates to work that do not have the exact CN of the server you're connecting to.
Please offer some more setup for sbs2003, I have done everything you have listed to no avail
@J
I do not have an SBS server at the moment to help you, but which part are you having trouble with? Getting the certificate?
@J
This might help out some of you SBS users to create a self signed certificate for your IIS server.
http://technet.microsoft.com/en-us/library/cc949119.aspx
Also, if you cannot create a certificate, this may help others.
http://www.startssl.com/?app=22
I set up one phone accessing our Exchange server 2003 using IMAPI and I saw it as a go to start adding more employees.
As soon as I added my boss with the exact IMAPI settings of my phone she got a triangle with exclamation mark. No go. Palm had me set up another person in the office on my phone and it seemed to work. I did leave the account on my phone very long. Tried to set up boss's acct. on my phone and no dice.
Palm decided there was corruption somewhere in boss's Exchange Acct. We removed her acct from Exchange. Purged mail box after doing a .pst file. Re-installed .pst file and the phone connected. Alas it soon went ga-ga. Mail coming into contacts. Contacts loaded only 35 out of 1500 names. Contacts had no other info but name.
Since then I took her back to her Treo 755P. No problemo with using EAS.
The Pre definitely has a problem. We are a smaller company who is not going to start using SSL certificates.
I’ve not tried setting up the Pre with the non-ssl modes now available so I’m not sure if this is a problem relating to that or what.
Even though you're a small company, a self-signed certificate from your own Exchange/IIS/Certificate Services server would be better for security than none.
It’s your way of doing things though, but I would at least give it a shot, see if you can enable SSL. Not just for the Palm Pre but for general good practice with encryption and data security.
BTW, IMAP is not the same as EAS. The Palm Pre does EAS native, as well as IMAP and POP3. I have two separate Exchange accounts on my phone, work and home. Using SSL on both, calendars, contacts, notes and the rest. Works fine in my case, but I am not set up like everyone else.
Thanks for your help!! This fixed the problem for me.
Thanks for your guide. Unfortunately, this didn’t quite do the trick for me. I did everything as mentioned, but no luck. But the problem is solved now! In my case, the problem was that the cert that the OWA provided was not the right one. This cert is just a daughter cert of my root cert. As soon as I exported the root cert on my server and imported it, everything worked.
The server is a small business server 2003, I just found a hint on the web to try it with the root cert (which differs from the OWA cert).
There was this thread on the Palm forums which pointed me to the problem.
[quote]*****NOTE: SBS 2003 WILL ISSUE A CERT TO THE IIS WITHOUT THE CA ROOT. THIS APPEARS TO BE THE PROBLEM WITH THE SELF GENERATED CERTS THAT I HAD[/quote]
http://forums.palm.com/palm/board/message?board.id=Synergy&thread.id=32&view=by_date_ascending&page=2