#1 (permalink) | MGuzzy | 07-03-2009, 06:42 PM

Exchange ActiveSync (EAS) with the Palm Pre

EDIT: I updated my setup in Post #4...


Hello all
So I thought I would start a thread to discuss setting up the Palm Pre with Exchange ActiveSync (EAS). Here's Palm's web site instruction for setting this up.
Palm Support : Palm Pre Sprint - Setting up email accounts

As of the writing of this post Palm has this statement at the start of their support FAQ on the subject:
Quote:
About Exchange ActiveSync (EAS) and security policies

Palm webOS Exchange ActiveSync (EAS) does not support EAS security policies. Palm understands that some business customers need support for specific EAS policies. We are developing webOS support for EAS PIN and password enforcement, as well as EAS remote erase, and hope to announce these new features by mid-August 2009. The features will be delivered to Pre phones as they become available through the over-the-air update system.

No doubt it's still being baked. I was wondering what success others are having at setting this up. I just spent several hours trying to set this up for someone to no avail. I would like to set up a procedure here that others can refer to that will make this work.
I'm getting an SSL error and the date and time is not correct. What I did (that works with every WinMobile phone) doesn't seem to work with the Pre I had.
1) I loaded the web cert from the website where one would access OWA. The cert is installed through the Certificate Manager. Or you can go to the OWA site and authenticate the certificate from there; that installs the cert into the Certificate Manager as well.
2) Input settings for the account:
User Name:
Password:
Mail server: Here I used the FQDN mail server name, i.e. mail.mydomain.com
Domain name: Here I used the internal domain name, i.e. mydomain.local. This setting I'm not sure about because the Support FAQ is not very specific about what this refers to. But I figured if it is going to authenticate against the same cert that is used for OWA it must want the internal Active Directory name.

Given Palm's statement in the FAQ and the amount of confusion on other sites I figure we will have to wait it out until Palm gets the implementation correct.
Mark
__________________
Luck is where opportunity meets preparation.

Last edited by MGuzzy : 10-18-2009 at 11:26 AM.
 
#2 (permalink) | buggsbuny | 07-07-2009, 04:32 PM

It's lacking a lot of features that are part of the EAS policies you would find in an Exchange 2K3 SP2 or higher or Exchange 2K7 setup. I think I can put in perspective why this stuff is really so important to have and that BOTH sides of it are configured correctly.

First off, anyone using a self signed certificate will have nothing but problems...period. Importing the cert into a PDA or PC and then "trusting" it defeats the purpose of having a cert. If you aren't an Exchange guru or a security guru like me, you either don't care or just think that it's plain stupid since it's stopping you from getting your mail. The whole purpose of using certs is to verify the identity of the server by comparing keys stored on a public server (like Verisign, GoDaddy, etc). Using a self signed cert and then telling users to simply "trust it" is like putting on a name tag that says "God" and now telling everyone you are really God...just trust me on this. That is why a self signed cert is pointless when you use it on the Internet. You have no way of telling if it is indeed the real deal since you eliminated any back checking.

The Pre does NOT support client side certificates either. Meaning, an Exchange administrator can make an EAS (Exchange Active Sync) policy that mandates that not only does a client connection need the proper username and password, it would also need to present a "known" valid client certificate. But as stated above, if you are using a self-signed cert, all of that is pointless. But for a corporate exchange guru dealing with sensitive government information in emails, I need to keep it tight and verify that the end user is who they say they are and that for them, the server is who it says it is (with a PUBLIC cert) so they aren't giving their user/pass to just ANY server. Apple, for whatever reason, also did not include the ability to use client side certs in their iPhone rendition.

The Pre does not support the ability to have a mandatory locking mechanism. Meaning you can make an EAS policy force a device to use a PIN number or password to lock itself after a certain amount of time. But if the device does not support this, you will get errors on the first sync attempt. The whole purpose is that if some drunk engineer leaves his PDA at a bar or at the airport lounge, nobody can read his emails, powerpoint presentations, etc. You would be surprised how many things are leaked out from pure stupidity like that.

Which leads us to the next important step, remotely wiping a device through the Exchange Admin console. This way if it does become lost, it can simply be zapped remotely to prevent it from being tampered with, etc. This is Remote Device Security 101 here.

Exchange 2007 is HIGHLY complicated when compared to Exchange 2003. Too many IT guys have been slapping Exchange 2003 on servers with little understanding of how it works or what they are doing. Microsoft closed a ton of holes and made it so you actually have to configure 2007 to get it to work correctly. This means IT guys will actually have to know what they are doing, GASP! Installing the proper public certs on an Exchange 2007 box can only be done through the Power Shell and the days of dropping a self-signed cert through IIS are loooooooong gone.

So while I am glad Palm is going to address some of the EAS issues, I believe the majority of the griping is from uneducated end users who were previously using unsecured and improperly configured Exchange servers to get their stuff. However, Palm certainly should have been more upfront with what works and what does not. That would have made it a whole lot simpler to figure out just why "it worked before, but now it does not".
 
#3 (permalink) | MGuzzy | 07-08-2009, 12:45 AM

Yes.. you make many good points. I've done some digging since I made my first post.. There are a host of things the Pre won't support when it comes to Exchange. I don't know if Palm just found it too hard to implement them or they wanted to enable the bare minimum so they could say they support EAS.. either way I think they are short changing themselves by not supporting all the security that EAS has to offer and endear themselves to the corporate IT departments that take security seriously...
In the meantime, yes the Pre won't work with self signed Certs, unless you know how to configure the server to generate a proper cert.. Anyway get a 3rd party cert, it makes this setup easier and doesn't hurt the security of your server either!
Mark

#4 (permalink) | MGuzzy | 07-24-2009, 08:05 PM

The newest update came out yesterday and renders this whole discussion moot. A whole host of updates relating to EAS have been implemented; see here:
Palm Support : Palm Pre Sprint - Software update information for Palm Pre Sprint p100eww

In particular this quote:
"Support for self-signed certificates with multiple common names has been added."

So now the Exchange server I was working with, with self signed certs.. synced up first time. As long as we're here, these are the specs you need to input. Make sure you're running at least WebOS 1.10 (as of the writing of this post)
1) Load the server's web cert by saving it from the website where one would access OWA. Then copy the cert file through a USB connection, email it to yourself then install the cert directly into the Certificate Manager. Or you can go to the OWA site and authenticate the certificate from there; that installs the cert into the Certificate Manager also.

2) Account settings:
email address: just like it sounds
User Name: just the user name part of the email address
Password: you know the "password"
Mail server: use the FQDN mail server name, i.e. mail.mydomain.com
Domain name: use the internal FQDN, i.e. mydomain.local; your full server's name is probably server.mydomain.local
Then sync! Worked for me first time! (that is first time after the latest update)
Mark
Last edited by MGuzzy : 08-14-2009 at 12:02 AM.
 
#5 (permalink) | mrsyeltzin | 08-04-2009, 07:58 PM

Quote:
Originally Posted by buggsbuny

First off, anyone using a self signed certificate will have nothing but problems...period. Importing the cert into a PDA or PC and then "trusting" it defeats the purpose of having a cert. If you aren't an Exchange guru or a security guru like me, you either don't care or just think that it's plain stupid since it's stopping you from getting your mail. The whole purpose of using certs is to verify the identity of the server by comparing keys stored on a public server (like Verisign, GoDaddy, etc). Using a self signed cert and then telling users to simply "trust it" is like putting on a name tag that says "God" and now telling everyone you are really God...just trust me on this. That is why a self signed cert is pointless when you use it on the Internet. You have no way of telling if it is indeed the real deal since you eliminated any back checking.

That is absolutely incorrect. While you are correct that there is no WELL KNOWN third party 'certifying' that these SSL are in fact legitimate, they are still properly validated by the root cert you place in the certificate store on your Pre (and Windows Mobile device). The extra step you have to take in this case is to install a root cert for the CA that created this certificate. The public key in the SSL certificate still needs to be authenticated by a private key. This is perfectly safe. Verisign does the same thing - it's just that Verisign was the company that signed the SSL cert in the first place and they are big enough to be installed in every device's pre installed list of root certs. I'm no expert on this myself, but you claim to be so you should know this.

Quote:
Originally Posted by buggsbuny

The Pre does not support the ability to have a mandatory locking mechanism. Meaning you can make an EAS policy force a device to use a PIN number or password to lock itself after a certain amount of time. But if the device does not support this, you will get errors on the first sync attempt. The whole purpose is that if some drunk engineer leaves his PDA at a bar or at the airport lounge, nobody can read his emails, powerpoint presentations, etc. You would be surprised how many things are leaked out from pure stupidity like that.

After the 1.1 update it does, however I'm disappointed in how it does operate. While it can connect fine to an exchange server that requires password and locking timeouts, it still does not deviate from its original practice of locking every time the screen goes off. Unfortunately Palm tied the PIN lock with the screen timeout, so the longest you can go without locking your phone is 3 minutes - and only if it's because you allow the screen to stay on that long. Another failure is the security policies 'stick' with the phone long after it loses or deletes its relationship with exchange. I tested this the first night 1.1 was out hoping I could make my phone not lock for 30 or so minutes, however it retained the auto lock when the screen is turned off and when I tried to remove these settings (tried on the server side, tried on the Pre, tried removing the relationship with the exchange server) it proved to be impossible. I'm now stuck with no Exchange server security policy but a phone with a PIN lock it thinks is being forced on it...

I suppose I could perform a hard reset but I'd really rather not at this time (don't want to go through the rooting process again...). Overall, exchange performs decently besides the security issues I've had and the calendar hangs when making edits to the exchange calendar. I'll be very happy with exchange support once those are taken care of.
 
#6 (permalink) | samirj | 09-10-2009, 05:57 PM

Quote:
Originally Posted by mrsyeltzin
Another failure is the security policies 'stick' with the phone long after it loses or deletes its relationship with exchange. I tested this the first night 1.1 was out hoping I could make my phone not lock for 30 or so minutes, however it retained the auto lock when the screen is turned off and when I tried to remove these settings (tried on the server side, tried on the Pre, tried removing the relationship with the exchange server) it proved to be impossible. I'm now stuck with no Exchange server security policy but a phone with a PIN lock it thinks is being forced on it...

I suppose I could perform a hard reset but I'd really rather not at this time (don't want to go through the rooting process again...). Overall, exchange performs decently besides the security issues I've had and the calendar hangs when making edits to the exchange calendar. I'll be very happy with exchange support once those are taken care of.

I think you may have hit on the problem I am having. Could you please provide your opinion:

When I initially got my Pre, I had no trouble with EAS setup. My mail and calendar worked perfectly. Last Thursday, I tried to send a message and got an error that I think was something like unable to authenticate certificate (?maybe?). I realized that our server was down for maintenance/upgrade. Since that time I have not been able to send or receive email or sync the calendar with EAS. I tried removing the exchange account and readding it manually as EAS, but I get an invalid certificate error.

If I use the auto set up, the account sets up as IMAP and receives email from my exchange server, but does not allow me to send email and does not sync the calendar.

Is the problem the 'sticking' phenomenon you mention (is it remembering the authentication problem) and is the only way to solve it to do a hard reset?
 
#7 (permalink) | mrsyeltzin | 09-10-2009, 06:46 PM

Quote:
Originally Posted by samirj
I think you may have hit on the problem I am having. Could you please provide your opinion:

When I initially got my Pre, I had no trouble with EAS setup. My mail and calendar worked perfectly. Last Thursday, I tried to send a message and got an error that I think was something like unable to authenticate certificate (?maybe?). I realized that our server was down for maintenance/upgrade. Since that time I have not been able to send or receive email or sync the calendar with EAS. I tried removing the exchange account and readding it manually as EAS, but I get an invalid certificate error.

If I use the auto set up, the account sets up as IMAP and receives email from my exchange server, but does not allow me to send email and does not sync the calendar.

Is the problem the 'sticking' phenomenon you mention (is it remembering the authentication problem) and is the only way to solve it to do a hard reset?

I think what you're seeing is the general certificate error you receive when trying to sync with an exchange server that has a self signed certificate. This is pretty common and the fix involves you getting the certs (root and exchange cert) from your IT department and installing it on your Pre. Once the certs are exported they can simply be emailed or transferred via USB. Installation happens when you tap on them and are prompted to accept them into the cert store.

Since your exchange server is configured to use IMAP you will probably want to delete the profile completely and reconfigure it from the beginning (select the manual method).
 
#8 (permalink) | MGuzzy | 09-10-2009, 07:57 PM

Quote:
Originally Posted by mrsyeltzin
I think what you're seeing is the general certificate error you receive when trying to sync with an exchange server that has a self signed certificate. This is pretty common and the fix involves you getting the certs (root and exchange cert) from your IT department and installing it on your Pre. Once the certs are exported they can simply be emailed or transferred via USB. Installation happens when you tap on them and are prompted to accept them into the cert store.

Since your exchange server is configured to use IMAP you will probably want to delete the profile completely and reconfigure it from the beginning (select the manual method).

Another easy way of getting the certs on your device is by going to the OWA site for your Exchange server using the browser on Pre itself... You'll get the same prompt you would get if you did it from the PC and you can install the cert as well. Make sure you install it to the Trusted Root. It's much more convenient than doing it on a PC and figuring how to transfer the file via USB or email. Not all PDA phone browsers support this. That's why I find it cool to do it this way.
Mark

#9 (permalink) | mrsyeltzin | 09-12-2009, 04:30 PM

I've never been successful at getting the cert imported into the Pre's certificate store based on browsing to the web page. You can get it to be imported, but for some reason it will not recognize it as the same thing when connecting via activesync.
 
#10 (permalink) | MGuzzy | 09-13-2009, 06:14 PM

It worked for me last time I set up one... Perhaps it is something in the cert or the server's setup.
Mark

#11 (permalink) | samirj | 09-14-2009, 04:29 PM

I got the Cert through the OWA on my PC and transferred it to the Pre by USB. It seemed installed just fine, but I am still having the same problem.

When I try to add the account using the manual setup, using "mail.[server domain]" as the incoming mail server, after a long delay I get this error:
Unable to sign in
unable to validate incoming mail server settings

If I use the IP address for the mail server, almost immediately I get this error:
Cannot connect to Exchange Server
The server's security certificate is invalid, or your date and time is set incorrectly.

My date and time are correct (from Sprint).

Do you think this is a cert problem or is a hard reset in my future?

As I said before, it used to work perfectly until they did some maintenance on the server and I tried to send mail and got a certificate validation error.

Thank you.
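
Added example, not part of any post above and not Palm's or Microsoft's code: the posts enter the server as a public FQDN, an internal name or an IP address, and a TLS client compares whatever was entered with the names carried in the server certificate. The sketch below performs that comparison on constructed certificate contents (in the dict shape Python's ssl getpeercert() returns), reusing the thread's placeholder names; the IP address and the function names are assumptions.

```python
"""Added illustration, not code from the thread or from Palm.

Certificate dicts are constructed samples in the shape returned by Python's
ssl.SSLSocket.getpeercert(); host names reuse the thread's placeholders.
"""
import ipaddress

# Constructed: a certificate listing public names only (subjectAltName present).
PUBLIC_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),
                       ("DNS", "autodiscover.mydomain.com")),
}
# Constructed: an internally issued certificate with only a commonName.
INTERNAL_CERT = {"subject": ((("commonName", "server.mydomain.local"),),)}
# Constructed: a wildcard certificate.
WILDCARD_CERT = {"subject": ((("commonName", "*.mydomain.com"),),),
                 "subjectAltName": (("DNS", "*.mydomain.com"),)}


def dns_match(pattern, host):
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard ("*.com" fails).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """Collect DNS names, IP addresses and commonNames carried by the cert."""
    san = cert.get("subjectAltName", ())
    return {
        "dns": [v for k, v in san if k == "DNS"],
        "ip": [v for k, v in san if k == "IP Address"],
        "cn": [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"],
    }


def check_server_name(cert, entered):
    """Return (ok, reason) for the name typed into the 'Mail server' field."""
    names = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(entered)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with IP entries, never with DNS names.
        if any(ipaddress.ip_address(v) == ip for v in names["ip"]):
            return True, "matches an IP Address entry"
        return False, "IP address is not listed in the certificate"
    # DNS entries in subjectAltName win; commonName is a legacy fallback
    # used only when the certificate carries no DNS entries at all.
    source = "subjectAltName" if names["dns"] else "commonName"
    for pattern in names["dns"] or names["cn"]:
        if dns_match(pattern, entered):
            return True, f"matches {source} {pattern}"
    return False, f"no {source} entry matches {entered!r}"


if __name__ == "__main__":
    for label, cert in (("public", PUBLIC_CERT), ("internal", INTERNAL_CERT)):
        for entered in ("mail.mydomain.com", "server.mydomain.local",
                        "203.0.113.10"):
            print(label, entered, check_server_name(cert, entered))
```

This covers only the name comparison; whether the certificate chains to a root in the device's certificate store is a separate check.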
 
#12 (permalink) | samirj | 09-22-2009, 11:23 AM

I went with a hard reset and exchange set up with no problem. It appears that the failed certificate confirmation may have stuck with the Pre until the reset.

Also, here's something scary. After the reset, I went to my Palm profile to repopulate my device and it said that my profile was empty. Fortunately I had everything backed up, but this is pretty disconcerting in the event of an actual crash.

I did lose my downloaded apps which I think are supposed to be saved in the profile. The most annoying thing is that Splash ID for WebOS still does not have a backup function. Apparently the major update coming out tomorrow will add a payment feature to the APP store so I better download my apps again before then. No telling who is going to start charging.

Thanks again for all your efforts,

Samir
 
#13 (permalink) | MGuzzy | 09-22-2009, 11:48 AM

Oooh I would double check to see what the issue is with your profile account.

The saved profile is a nice feature. I recently had to reconfigure an existing client with a new phone.. all the account information was already there for his EAS account, but the Cert needed to be reloaded. I was able to go to the OWA site from the phone and loaded the Cert. It worked from there on!
Mark
All times are GMT -5.

Copyright © 2002-2007, Convergent Minds, LLC - All Rights Reserved.