.comment-link {margin-left:.6em;}
A Collection of Random Thoughts
Monday, August 21, 2006
 
More on Windows Mobile, Certificate Checking and the continual password prompt

It seems that my post on "Hacking your Windows Mobile 5.0 Registry" gets read a lot.  In fact, about 50% of the traffic to my blog comes from visits to that page (most of it from search engine referrals).  Based on some comments, though, I feel like I need to clarify something.

The main reason that I blogged about the ability to disable certificate checking in Windows Mobile 5.0 is because I use a Wildcard certificate (*.company.com) at my current company.  Unfortunately, wildcard certs are NOT supported in Windows Mobile 5.0.  This means that even if the certificate is installed properly, Windows Mobile 5.0 will not properly use it and will instead display an error stating that an invalid certificate is installed.  In order to get synchronization working with MY environment, I had to disable certificate checking.  This still allows me to use SSL, but it tells Windows Mobile not to check if the certificate is valid (basically, the hostname doesn't have to match).

However, if you are using a self-signed certificate (generated by an internal Certificate Authority), there is NO need to add this registry key.  Windows Mobile 5.0 fully supports self-signed certs, and has made it MUCH easier to install your own certificate.  An abundance of posts provide helpful information on how to install a certificate on Windows Mobile 5.0 in many different ways, from copying and clicking a .cer file, to installing as a .cab file, to installing using a signed version of the spaddcert.exe tool (Sprint and Verizon).  Think of it this way.  If you are using a self-signed cert for, say, OWA access, what happens when an external client tries to log in to OWA?  Internet Explorer indicates there is a problem with the certificate.  How do you get around that certificate error popping up each time you visit the page?  You install your certificate into IE's certificate store as a Trusted Root Certificate Authority.  The same action is required with Windows Mobile, with the exception that if you want to synchronize at ALL using SSL, you have to install the cert (or disable SSL - not recommended).

What prompted this post?  I've had some questions about the original post that indicated folks had disabled certificate checking, only to be continually prompted for a password.  That's annoying! (the continual password prompt, not the questions!).  The common thread I've seen in each case so far, though, was that the issue was one with the certificate.  In at least one case, disabling SSL (as a test) allowed sychronization to work (a sure sign that the issue is with the cert).

What do you do if you are continually being prompted for a password?  Here is a list of things to check.

1.  Are you sure that you have installed your certificate as a root certificate on your Windows Mobile device?  Windows Mobile devices also have a certificate store, which is viewable by the user.  Check your device for the exact location (I believe it may display in a different location depending on if you have a PocketPC-based device, or a Smartphone-based device), and make sure that your certificate shows up there.

2.  Have you made sure that the server name in the ActiveSync settings *exactly* matches the one that's on the cert?  This is what disabling certificate checking is supposed to fix (a wildcard cert won't match exactly), but since disabling cert checking does decrease security, it shouldn't be done unless absolutely necessary.

3.  If you disable SSL on your Windows Mobile device, does synchronization work and your password get accepted?

4.  Does the name of the server you are entering in ActiveSync exist in external and internal DNS?

5.  Have you made sure that your cert is indeed valid, and not expired?  IE should show you any issues from this side of things.

If I can think of anything else, I'll edit this post.  I've also asked the folks on the Windows Mobile blog to comment on what might cause the looping password.


Comments:
Hi Ben,

Thanks for your posts they are very usefull and informative. I am a RW6828 user and am having the password issue problem and look forward to a solution. I am able to access my exchange server via OMA but continually hit the password problem when trying to sync on my IPAQ. I have tried to disable SSL but it will not recognise the server. Ihave tested access to the server via a palm treo and have been able to access it and sync with no problem it's just the IPAQ i have troubles with.

Norm - Australia
 
Hi Norm - glad that you like the content.

So have you done the disable certificate checking bit that I originally blogged about? If so, I got a response back from one of the guys on the Windows Mobile team, and he said that the only time that they had run into the looping password issue with Windows Mobile 5 was if certificate checking was disabled, which is why it isn't supported (by Microsoft).

When you access via OMA, is it the SSL site you are going to? https://server.domain.com/oma, or just the http site? As far as disabling SSL, are you perhaps requiring SSL on the ActiveSync virtual directory? I truly do wish it was easier to get ALL devices working.
 
Hi Ben,

Yes I have done the disable certificate bit and yes that's when the password starts looping. As for the OMA access it is through the SSL site. I am not sure about the virtual directory setting will have one of our IT techs have a look tomorrow. Might also look at buying a certificate and see of that works. Will let you know how it goes.

Thanks Norm
 
Hi Ben,

Well I am pleased to report that I am now able to sync to my exchange server, but I had to buy a certificate that matched one of the certificates on my device, (not a cheap exercise).

Norm
 
Ugh. Sorry to hear that you had to do this. It outlines the fact that there are still problems that the Windows Mobile Team needs to address.
 
I kept getting the error "server certificate expired", when I selected my OWA server for synching with WM5. Checking the certificate via IE on the OWA, it is fine. I installed the certificate from the OWA on my WM5 device, no help. Using your registry 'hack', I now can sync via the OWA, no problem. Any other thoughts on why I would be getting the "server certificate expired" error? (Verisign class 3 certificate)
 
Are you sure that the certificate actually got installed on your device properly? You might try installing the cert via the cab method, as mentioned in http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx. Aside from that, what happens if you try to browse to the OMA or OWA site via your WM device? Do you still get the certificate expired issue? Is your cert a chained cert? If so, you need to make sure that you add all the certs in the chain. You might also want to post this in the Windows Mobile newsgroups.
 
Browsing to the OWA site on my WM5 device works fine. The certificate appears to be installed properly as well. They show up in my root certificate list. I am unsure about the chained certificate issue. How does one check? Also, why would the error be the server certificate is expired, not the client certificate, etc?
 
It isn't a client certificate error. You are installing the server certificate as a trusted cert on your device.

I'm not sure why it would only give you the error during ActiveSync. Does the name you are putting in ActiveSync exactly match the name on the certificate? Check http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php for suggestions on how to address specific errors during ActiveSync.
 
Hi, thanks for your post; it has helped me forward, facing this synchronisation problem, but I am unable to solve it completely so far.
I also end up with this looping password issue, however I can add something here, that I've not read so far. I had a guy looking along, at the owa server, and he has noticed that I get into password authentication there some of the time. It seems that one time, my password is refused, and the next time it it accepted. However, I still do net get out of this annoying loop. I'm using an IPAQ 6915 on win mobile 5.0. On my previous IPAQ 6515 on the earlier version of windows mobile, the registry hack was sufficient. So I really think, the problem is not in the server, but on the IPAQ.
 
I think you may be missing the point. You shouldn't need to use the registry hack unless you are using a wildcard cert. If you are not using a wildcard cert and are still being prompted with the looping password, then there is either an issue with the certificate, or an issue with the way it was installed on the device. Also, certain devices are locked down in different ways by the carriers, so it is entirely possible that the 6915 had different security settings than the 6515 did. All my testing was done on a completely unlocked device (Imate Jasjar), so I can't speak as to whether this will work on a locked down device (which most devices in the US are).
 
I also get the continual password prompt, SSL is disabled both on the device and the server, I can browse the OWA from IE on my mobile device using my user/pass just as I have it entered in to activesync.
 
Post a Comment



<< Home

Powered by Blogger