More on Windows Mobile, Certificate Checking and the continual password prompt
It seems that my post on "Hacking your Windows Mobile 5.0 Registry" gets read a lot. In fact, about 50% of the traffic to my blog comes from visits to that page (most of it from search engine referrals). Based on some comments, though, I feel like I need to clarify something.
The main reason that I blogged about the ability to disable certificate checking in Windows Mobile 5.0 is because I use a Wildcard certificate (*.company.com) at my current company. Unfortunately, wildcard certs are NOT supported in Windows Mobile 5.0. This means that even if the certificate is installed properly, Windows Mobile 5.0 will not properly use it and will instead display an error stating that an invalid certificate is installed. In order to get synchronization working with MY environment, I had to disable certificate checking. This still allows me to use SSL, but it tells Windows Mobile not to check if the certificate is valid (basically, the hostname doesn't have to match).
However, if you are using a self-signed certificate (generated by an internal Certificate Authority), there is NO need to add this registry key. Windows Mobile 5.0 fully supports self-signed certs, and has made it MUCH easier to install your own certificate. An abundance of posts provide helpful information on how to install a certificate on Windows Mobile 5.0 in many different ways, from copying and clicking a .cer file, to installing as a .cab file, to installing using a signed version of the spaddcert.exe tool (Sprint and Verizon). Think of it this way. If you are using a self-signed cert for, say, OWA access, what happens when an external client tries to log in to OWA? Internet Explorer indicates there is a problem with the certificate. How do you get around that certificate error popping up each time you visit the page? You install your certificate into IE's certificate store as a Trusted Root Certificate Authority. The same action is required with Windows Mobile, with the exception that if you want to synchronize at ALL using SSL, you have to install the cert (or disable SSL - not recommended).
What prompted this post? I've had some questions about the original post that indicated folks had disabled certificate checking, only to be continually prompted for a password. That's annoying! (the continual password prompt, not the questions!). The common thread I've seen in each case so far, though, was that the issue was one with the certificate. In at least one case, disabling SSL (as a test) allowed synchronization to work (a sure sign that the issue is with the cert).
What do you do if you are continually being prompted for a password? Here is a list of things to check.
1. Are you sure that you have installed your certificate as a root certificate on your Windows Mobile device? Windows Mobile devices also have a certificate store, which is viewable by the user. Check your device for the exact location (I believe it may display in a different location depending on if you have a PocketPC-based device, or a Smartphone-based device), and make sure that your certificate shows up there.
2. Have you made sure that the server name in the ActiveSync settings *exactly* matches the one that's on the cert? This is what disabling certificate checking is supposed to fix (a wildcard cert won't match exactly), but since disabling cert checking does decrease security, it shouldn't be done unless absolutely necessary.
3. If you disable SSL on your Windows Mobile device, does synchronization work and your password get accepted?
4. Does the name of the server you are entering in ActiveSync exist in external and internal DNS?
5. Have you made sure that your cert is indeed valid, and not expired? IE should show you any issues from this side of things.
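Checks 1, 2 and 5 above expressed as code, as an added example that is not part of the original post: the CertInfo structure, the name-matching rule (exact match only, the way the post describes Windows Mobile 5.0, versus a one-label wildcard match) and all sample names and dates are assumptions constructed here.

```python
# Added example, not from the original post: models the checklist's three
# certificate checks (trusted root installed, ActiveSync server name matches
# the cert name, cert within its validity dates). All names/dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class CertInfo:
    subject_cn: str       # e.g. "*.company.com" or "mail.company.com"
    issuer: str           # compared against the device's installed root certs
    not_before: datetime
    not_after: datetime

def name_matches(cert_name, server_name, allow_wildcard):
    """Exact, case-insensitive match; with allow_wildcard a leading '*.' covers one label.
    Windows Mobile 5.0 behaves like allow_wildcard=False, so '*.company.com' never matches."""
    cert_name, server_name = cert_name.lower(), server_name.lower()
    if cert_name == server_name:
        return True
    if not allow_wildcard or not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]                  # "*.company.com" -> ".company.com"
    if not server_name.endswith(suffix):
        return False
    leftmost = server_name[:-len(suffix)]   # the label the '*' must cover
    return leftmost != "" and "." not in leftmost

def check_activesync_cert(server_name, cert, device_roots, now, allow_wildcard=False):
    """Return the failing checklist items; an empty list means the cert would be accepted."""
    problems = []
    if cert.issuer not in device_roots:
        problems.append("issuer-not-trusted")        # item 1: root cert not on the device
    if not name_matches(cert.subject_cn, server_name, allow_wildcard):
        problems.append("name-mismatch")             # item 2: ActiveSync name vs cert name
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("expired-or-not-yet-valid")  # item 5: validity period
    return problems

# Constructed sample data: a wildcard cert and an exact-name cert from one internal CA.
_VALID_FROM = datetime(2006, 1, 1, tzinfo=timezone.utc)
_VALID_TO = datetime(2008, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2007, 3, 1, tzinfo=timezone.utc)
DEVICE_ROOTS = {"Internal Root CA"}
WILDCARD_CERT = CertInfo("*.company.com", "Internal Root CA", _VALID_FROM, _VALID_TO)
EXACT_CERT = CertInfo("mail.company.com", "Internal Root CA", _VALID_FROM, _VALID_TO)
```

Running `check_activesync_cert("mail.company.com", WILDCARD_CERT, DEVICE_ROOTS, NOW)` reports `name-mismatch` even though the cert is trusted and in date, which is the wildcard situation the post describes; the same call with `EXACT_CERT` returns an empty list.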
If I can think of anything else, I'll edit this post. I've also asked the folks on the Windows Mobile blog to comment on what might cause the looping password.
Thanks for your posts, they are very useful and informative. I am a RW6828 user and am having the password issue problem and look forward to a solution. I am able to access my exchange server via OMA but continually hit the password problem when trying to sync on my IPAQ. I have tried to disable SSL but it will not recognise the server. I have tested access to the server via a palm treo and have been able to access it and sync with no problem; it's just the IPAQ I have troubles with.
Norm - Australia
So have you done the disable certificate checking bit that I originally blogged about? If so, I got a response back from one of the guys on the Windows Mobile team, and he said that the only time that they had run into the looping password issue with Windows Mobile 5 was if certificate checking was disabled, which is why it isn't supported (by Microsoft).
When you access via OMA, is it the SSL site you are going to? https://server.domain.com/oma, or just the http site? As far as disabling SSL, are you perhaps requiring SSL on the ActiveSync virtual directory? I truly do wish it was easier to get ALL devices working.
Yes I have done the disable certificate bit and yes that's when the password starts looping. As for the OMA access it is through the SSL site. I am not sure about the virtual directory setting; will have one of our IT techs have a look tomorrow. Might also look at buying a certificate and see if that works. Will let you know how it goes.
Well I am pleased to report that I am now able to sync to my exchange server, but I had to buy a certificate that matched one of the certificates on my device, (not a cheap exercise).
I'm not sure why it would only give you the error during ActiveSync. Does the name you are putting in ActiveSync exactly match the name on the certificate? Check http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php for suggestions on how to address specific errors during ActiveSync.
I also end up with this looping password issue, however I can add something here that I've not read so far. I had a guy looking along at the owa server, and he has noticed that I get into password authentication there some of the time. It seems that one time my password is refused, and the next time it is accepted. However, I still do not get out of this annoying loop. I'm using an IPAQ 6915 on win mobile 5.0. On my previous IPAQ 6515 on the earlier version of windows mobile, the registry hack was sufficient. So I really think the problem is not in the server, but on the IPAQ.