Exchange - Certificate location???

Discussion in 'Android Devices' started by kevinbakon, May 21, 2010.

    Is there a particular location (folder structure) that I should save my certificates (.cer files)?

    Here's my story/background:

    I successfully added my work email account through the built in Exchange ActiveSync, but have had problems since day one.
    It seems that every time it goes to sync (auto or manual), I get an error message:

    Security warning
    There are problems with the
    security certificate for this
    This certificate is not
    from a trusted authority
    Continue | View | Cancel

    View lets me see the specs on the certificate, but neither Continue nor Cancel provides a consistent result. Most of the time I have to select combos of both and eventually it MAY sync.

    I have very little understanding of how Exchange works, but what I suspect is happening is that the phone is losing the certificate each time it goes to sync. Eventually (with manual finessing) the timing works out so that it assigns the correct cert.

    I've contacted both Verizon & my company's IT department.
    As I suspected, Verizon is attributing it to my company's security.

    I had no issues whatsoever with my Moto Droid, so I suspect that I am having issues because of Sense. That's really the only main difference I can think of.

    My IT department has ordered an Incredible for them to troubleshoot on, but of course Verizon is back ordered right now, so who knows how long that will take, plus their troubleshooting.

    In the mean time, my IT department has provided me with 3 certificates to try (.cer files). Their instructions were to download the files and install them from a file manager (like Astro). When I select the files, the problem is that the phone gives me an error message stating that it does not support the file type.

    I've also noticed in Settings->Applications->Manage applications, there is a program called "Certificate Installer" (version 7) with a 0.00 file size & all options (Force stop, etc.) are grayed out. I have no idea whether or not this is needed or used with Exchange.

    . . . . back to my question, is there a particular location (folder structure) that I should save the certificates (.cer files) that they sent me?

    Any help is greatly appreciated!

    With a client of ours who is running Exchange and has a self-signed cert, the thing I did was direct the phone via the browser to the OWA address (Outlook Web Access). This is a web site that you can check your company email from any location with internet and a browser. Basically the problem was that the certificate needed to be installed and I could find no way of doing that easily. From what I researched, Android needs the certs in .p12 extension. I couldn't find an easy way to do that. By going to the OWA address and logging in, I was then prompted to accept the certificate. Once that was done I set up the account in ActiveSync on the phone and it worked. No issues since then. I did have to duplicate the scenario at the client's office and I ended up using the IP for the server name. Your OWA address should be something like https://mail.company.com/owa. Hope this helps; if it doesn't, give me some feedback on what happens and I will try to help.
    Thanks for the prompt response, I've been dealing with this all throughout the day, every day, since the 29th.
    I'm familiar with my company's OWA site (this is how I access my email from outside the office on my home computer, etc.)
    If I have read your reply correctly, the following steps may fix the issue:
    1st, I will remove the existing Exchange account (for good measure)
    2nd, I will visit my company's OWA site via my HTC Incredible browser
    3rd, I will accept/"Continue" when the cert pop-up displays
    (4th, I need to login)
    5th, ensure that I am successfully logged in
    6th, re-add the Exchange ActiveSync account
    I'm giving it a shot now & we'll see what happens . . . .
    Thanks again!
    The problem appears to be HTC's mail app and how it accepts and uses certs. There is a thread on xda-developers with a link to the native 2.1 mail app that works. I know it works because I downloaded it, installed it and now sync to our exchange server with no issues that I have noticed. When you try to connect you'll be prompted to accept or allow the cert.

    I don't know if it is against forum policy or not (I'll have to go back and re-read them) but here is a link to the app with more info:
    Original Android 2.1 Email Client - xda-developers

    Hope that helps.
    I was unaware of that app. Does it sync tasks? It says it doesn't support copy and paste, which might be a killer for me.
    Well, everything was fine for about 30-45 minutes, then I got the error message. It successfully retrieved the cert the first time, this time, but I suspect it's not fixed.

    I'll look into the app and see if that works for me. I don't use tasks, but the copy/paste may be an issue . . .
    For me I need my email. So while there is no copy and paste feature in this app, I can live with it since I can get my e-mail to work.

    Also to note I tried K-9 too and could not get it to work with it after several attempts. The app I linked to worked the first time so I didn't investigate K-9 further.
    Well for now I'm using the standard Email app, and so far, so good.
    Thanks so much for directing me to this thread/link!
    I even sent it to my IT department. They asked that I send it to them so they could install it on their Incredible when it arrives. (Hopefully they aren't going to consider this a permanent workaround).
    It's possible that your company has a self signed cert. If so, you will get the error message. If your company purchases a wild card cert from a company such as Verisign, RapidSSL and perhaps even GoDaddy, then there will be no reason to go through all these gyrations. You might not even need a wild card cert, although I like them for simplicity, but only a commercial cert. The self signing ones are free but they suck from the outside.
    If I understand the last posting correctly, this means that since my company is using self signed/created certificates it is not possible to access Exchange2007 via my HTC Desire?
    The personal certificates which are used successfully with WM-Phones and iPhones are deployed as a .PFX file. After renaming this file to .P12 I can install it on my Desire ... but it seems not to work.
    After trying so many things (incl. the Android Email mentioned in this thread) I still get "Authorization failed (wrong user or password)" when connecting to our Exchange server. Anything else I can try?
    Looking forward to hearing from you!
    Okay, here's a brief update:
    Still no dice, but a little more info . . .
    (Please forgive me, but I have no background in this sort of stuff, so most of all this "certificate" lingo is foreign to me.)
    Btw, I'm almost certain that my company works with Verisign.
    I was on the phone with Verizon troubleshooting another issue & the CSR had a HTC rep join the conversation. While I had him on the line, I figured it was a good opportunity to ask the manufacturer directly.
    The most useful info he had was that the certificate must be a .p12 file and to drop it on my SD card. Then to install it, simply go to Menu -> Settings -> Security -> Install from SD card
    Also, he recommended visiting the OWA site & login from the browser to potentially remedy the issue, but I informed him that I had already tried with no success.
    I forwarded this info to my IT department & he informed me that we are using a .p7 certificate, therefore the phone does not "see" a file when attempting to install the cert.
    My IT guy did something (I believe he simply renamed the file, assigned a password, etc.) and provided me with a .p12 file. I was able to successfully install the cert, but unfortunately both his & my Incredibles behaved exactly the same way. . . . no progress
    So at this time, my IT guy told me he is waiting to hear back from Verizon . . . . (who knows how long that could take & how helpful they'll be)

    Are you getting the same error message that I quoted above?
    By the sound of it, I think you are getting a different error message, one that pertains to user login data, not certificate data.
    Just a guess, but are you logging in with your email address ID or your corporate account ID? When doing the manual setup, the default for the user ID is the same as the info I put in front of the "@" in the first line. In my case, this is wrong and I receive a message similar to what you have described above. I had to back out the default & enter my corporate ID/user ID. From there, I am able to successfully add the account & the initial sync goes perfectly . . . within the next hour however, the phone has lost the security permissions and must be finessed to reconnect & then again & again & again (avg. 20 times a day or so).
    I'm using my corporate logon ID (= domain user) and password. I tried it with "<domain>\<user>" and <user> only but nothing works. Using HTC Mail one has to specify the domain name separately. Using Android Mail one has to specify the domain in front of the user-id...

    I'm 100% sure that I didn't misspell my domain userid and password although there is the message "Authorization failed (wrong user or password)". On the server-side my admin sees only that I try to connect but I get kicked off by the server since the login-information (user, password, certificate) are not correct.

    Maybe the problem is here: Our certificate is a .pfx file. Since .pfx and .p12 are "nearly" the same I renamed the .pfx file to .p12. When installing the certificate I get the information that this is a certificate container holding user certificate, user name, password and a CA certificate. So this looks absolutely fine. No error message during the installation of the certificate. Unfortunately there's no way to check the certificate on the Desire after the installation...

    Since the first connection is done during the setup of the account it is not possible for me to setup (and save) the account. After entering all the data I end up with the error message that my login is invalid. It must be the certificate since - as I told before - I'm 100% sure that my domain user-id and my domain-password are correct.

    Looking forward to hearing from you and the information your IT-guy gets from HTC.

    Thanks and Best regards
    Ok, I hate to push a product that costs $20 but let's take another look at this problem the two of you are having. There is obviously a problem with the way the HTC app is talking to your Exchange servers, be it a cert or password or sync policy. So I suggest downloading Touchdown 2.0, trial version for 5 days, and see if that works. If it doesn't then you need to speak with your admins. But if it does, and I suspect it will, then you need to ask yourselves how much is your time worth? I'm sure you have spent multiple hours on this issue and will continue to spend hours more. Make your decision on that and the aggravation factor. Also, some have said they don't like the TD interface, but I really don't give a shit as long as I get my email on time and reliably.
    +1 - TD may not be for everyone but it works and their support is pretty solid.
    I already tried TD (don't know whether it was 2.0) and couldn't manage to connect either... Do I get 2.0 in the market?
    I'll give it another try tomorrow. Thanks for the hint!
    Best regards
    Yes, in the Market. I just got an update for it today and I believe the release notes said 30 day free trial! See if your admin can remove any phone in your Exchange profile too. There are a bunch of options in the EAS policy too that you might want him to check, from password, to devices, to sync settings. Good luck.
    You can imagine that I had to re-try it now ;-)

    Not successful. The log says:

    Checking Certificate...
    Checking ActiveSync with SSL...
    ActiveSync: Check your credentials
    ActiveSync version check returnded
    negative, but still trying for 12.1

    attr value delimiter missing! (position:
    START_TAG <HTML dir='null'>@2:11 in
    java.io.StringReader@464ef338) for
    operation: Subscribe -> Error renewing a
    Checking 2003 with SSL...

    Now, I do know that we are running Exchange2007 with SSL.
    Best regards
    It goes through all the checks until it fails which it did. Now I have to ask the question, are you sure this is allowed on your network? They can have EAS turned off for security purposes. I know Kevin, the OP, got it to work on his Droid, but does your IT dept have any that are working currently? If so, then you can email support@nitrodesk.com and get their take. They once called me on a Saturday morning when I was having issues.

    One thing to try is the username field since auth is failing. They suggested only using the user name without the domain or the @ sign.
    Keep us updated.
    I'll check regarding EAS with the admin and let you know.
    Yes, we do have multiple iPhones and WM-Phones (I had one before I bought the Desire) running successfully. My Android phone is the first one.
    Regarding the User: I tried it differently - <user>, <domain>\<user> and <user>@<domain> with no success.
    Thanks again and best regards
    One other thing I found: The certificates which are used will force the mobile phone to setup a "screen-saver password" (I don't know how this is really called). I mean, whenever my WM phone went into standby mode I had to enter a PIN (not the provider PIN) to get it back working. Maybe this part of the certificate is sort of not supported...
    You really need to call Touchdown support or email them with these questions and error messages. I believe they can get you up and running in short order. It could be the cert and they can tell you how to get it into the system. That initially happened with me and I played around with it until it worked. Well sort of, it fell back to Ex2007 not AS. So I bought a true cert from I think rapid ssl and then everything worked as designed.

    But if the iphones are working then you support EAS so it's just a matter of getting the right values in. Their support will help you even unlicensed.
    TouchDown IS WORKING !!!!!
    As you wrote, NitroDesk is very helpful and they pointed me into the right direction quickly. The problem was that I installed the certificate in Android but not within TouchDown. After doing that everything runs fine now. Although it's sad that Android/HTC seems not to support this type of connection, I can live with having TD for business and Android/HTC for private. Thanks again for your help! Best regards Michael
    Great news! It's really why I recommend them even though the price is a little steep. I need my email for work and the program delivers. But I figure with all the apps that are free or very inexpensive I can spring for it. Just paid for the full version of PDAnet too for my airport travels, around the same price.
    Take care Michael, thanks for the update.
    How exactly did you resolve this issue? I am also trying to setup TouchDown as I am receiving exact same error (authentication error, check username password) with standard mail application.

    With TouchDown I am also getting the exact same error:
    Checking Certificate...
    Checking ActiveSync with SSL...
    ActiveSync: Check your credentials
    ActiveSync version check returnded
    negative, but still trying for 12.1

    You have mentioned installing a certificate. How to get that certificate and where to install it? Do I need to get the certificate from my IT support department? It might be a little tough as my organization officially only supports WinMo devices :(
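
The posts above mention .cer, .p7, .pfx and .p12 files and renaming one extension to another. As an added example (not code from any poster, NitroDesk or Android/HTC), this Python code classifies a file by its leading ASN.1 elements rather than by its name; the function names and the byte-string stubs are constructed for illustration.

```python
import base64
import os
import re

PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
EXPECTED = {".cer": "x509", ".crt": "x509", ".pem": "x509", ".der": "x509",
            ".p7": "pkcs7", ".p7b": "pkcs7", ".p7c": "pkcs7",
            ".p12": "pkcs12", ".pfx": "pkcs12"}

# Constructed stubs: only the leading DER elements of each structure, not real files.
X509_STUB = bytes.fromhex("300430020500")
PKCS7_STUB = bytes.fromhex("300b0609") + PKCS7_SIGNED_DATA
PKCS12_STUB = bytes.fromhex("3003020103")

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def sniff_container(data):
    """Classify bytes as 'x509', 'pkcs7', 'pkcs12' or 'unknown' by content."""
    pem = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    try:
        if pem:                           # PEM is base64-wrapped DER
            data = base64.b64decode(pem.group(2))
        tag, start, _ = _read_tlv(data, 0)
        inner, v_start, v_end = _read_tlv(data, start)
    except (IndexError, ValueError):
        return "unknown"
    value = data[v_start:v_end]
    if tag != 0x30:                       # all three are an outer SEQUENCE
        return "unknown"
    if inner == 0x30:                     # Certificate begins with tbsCertificate
        return "x509"
    if inner == 0x06 and value == PKCS7_SIGNED_DATA:  # ContentInfo begins with an OID
        return "pkcs7"
    if inner == 0x02 and value == b"\x03":  # PFX begins with INTEGER version 3
        return "pkcs12"
    return "unknown"

def check_name(filename, data):
    """Return (detected_kind, extension_agrees) for a file name and its bytes."""
    kind = sniff_container(data)
    ext = os.path.splitext(filename)[1].lower()
    return kind, EXPECTED.get(ext) == kind
```

For a real file, pass `open(path, "rb").read()` as `data`. A PKCS#7 file carries certificates only, so one renamed to .p12 is still reported as `pkcs7`, while .pfx and .p12 are the same PKCS#12 container.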

