Sunday, April 09, 2006

oh where, oh where...has my little cert gone?

oh where, oh where can she be?

noticed something strange last week at a client site, having to do with a self-signed certificate not being created when using the configure email & internet connection wizard (aka ceicw) on sbs.

here's the environment:
  • sbs standard with sp1 installed
  • exchange 2003 sp2 installed
  • single nic

client had two brand-spankin' new cingular 8125 pocketpcs running windows mobile 5 that needed to be configured for wireless e-mail sync.

up to that point, none of the web services in sbs had been configured for remote access.

like any good sbser, your friendly neighborhood happyfunboy ran the ceicw to enable the necessary services the windows mobile 5 devices would need.

when yours truly got to the web services configuration screen, the only service i chose to enable was outlook mobile access aka oma.

because, like any good system admin, i had decided to enable only what was absolutely needed.

makes sense, right?

proceeding through the ceicw, i was prompted with the web certificate screen, which asks for either the info to create a self-signed certificate or a 3rd party certificate.

i entered the information necessary to create a self-signed certificate, then continued through the ceicw to the end, which finished successfully without returning any errors.

however, after i connected the first windows mobile 5 device to a client machine, and then navigated to the clientapps share on the sbs server to copy the self-signed certificate to the device, there was no sbscert folder at all.

normally, this folder is created to hold the self-signed certificate.
the absence of this folder, then, gave me a hint that something was amiss.

i then searched the sbs server for .cer files...nothing there.

so...i immediately re-ran the ceicw again, same settings as before.

when i got to the web certificate page again, the do not change choice was grayed out, indicating the self-signed certificate had not been created on the previous go-round.

as a workaround, i did the following:
  • chose outlook web access aka owa in addition to oma when enabling the web services using the ceicw.
  • immediately re-ran the ceicw when it finished and disabled owa access again.

the addition of owa to the list caused the self-signed certificate to be generated successfully.

and since disabling owa afterward does not affect the certificate whatsoever, this seems like the easiest and most logical workaround.

to make sure this wasn't something wacky on that particular client installation, your friendly neighborhood happyfunboy verified this same behavior in his virtual pc test "lab" last evening.

just a friendly happyfun heads-up so maybe you won't get bitten by the same issue.

good hunting!


Blogger Tim Barrett said...

FYI - Some newer Windows Mobile 5 devices have problems with self-signed certs.

7:49 AM  
Blogger happyfunboy said...

yeah...but not that particular model of ppc.

and it's not that the devices wouldn't take the cert.

it was the fact that...

the ceicw wasn't creating any cert at all

1:32 PM  
Blogger Ken Edwards said...

You know...

That's why we push you out to the leading edge of you get cut and we don't. :)

Interesting that the developers never thought that someone would want ONLY Outlook Mobile access. I bet this configuration was never test in the lab.

2:42 PM  
Blogger Ken Edwards said...

Oops... TESTED

2:43 PM  
