Log in

No account? Create an account
Server not quite right yet - Songs of innocence and of experience — LiveJournal [entries|archive|friends|userinfo]
Douglas Spencer

[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

[Friends| (full) (people) (communities) (both) (feeds) (friendsfriends) ]
[Using| (new) (rec) (clu) (inb) (tag) (bot) (adm) (mod) (poll) ]
[Other| (DJ) (DW) (IJ) (JF) (Scribbld) ]
[Me| (AoOO) (eF) (FB) (GP) (LI) (Tu) (Tw) (Wk) ]
[Links| (AVDAR) (Exchange) (il_calmo) (LGCM) (ZZ9) ]

Server not quite right yet [Dec. 8th, 2006|12:28 pm]
Douglas Spencer

I'm setting up the servers under this new domain of mine. I have Windows and Exchange all installed. The software is all fully patched, the firewall in front of the server is correctly configured, the SSL certificates are sound. IIS is working, IMAP-S is working, RPC over HTTPS is working, everything looks fine... but Server ActiveSync won't work, and I can't for the life of me pin down what I've omitted to do. If I go to www.shiny-new-domain-name.tld/Microsoft-Server-ActiveSync then I get a 501 error, "Not Implemented", and I don't know why, which is frustrating. I really need to get it sorted before I move my calendar and so on over to the new server.

(Windows 2003, Exchange 2003, Outlook 2003, ActiveSync 4.2, Windows Mobile 5)

I need to think of better search terms I can put into the MS KB search engine.

EDIT (half past one the following morning): Now fixed, see coments.

This post is brought to you by the campaign for restitution against people who make incomprehensible posts about bands and online games and TV shows I don't watch.

[User Picture]From: alex_holden
2006-12-08 12:31 pm (UTC)
Have you tried turning it off and on again?

(gratuitous reference to a TV show you probably didn't watch ;)
(Reply) (Thread)
[User Picture]From: sbisson
2006-12-08 12:31 pm (UTC)
Is OMA working?

That's a good first check. Also make sure the account you're testing with has mobile access rights.
(Reply) (Thread)
[User Picture]From: sbisson
2006-12-08 12:36 pm (UTC)
Hmm. I get the same error on a box that I know has it running, seeing as I have multiple WM5 devices syncing against it.

Test with a mobile device?

Also, what's in the IIS virtual directory?
(Reply) (Parent) (Thread)
[User Picture]From: dougs
2006-12-08 12:48 pm (UTC)
"A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator."

Mobile access rights are all assigned correctly.

I'll test from the handset (again) when I get Liam's WiFi password.

The usual several folders under "Default Web Site" -- Exadmin, Exchange, ExchWeb, Microsoft-Server-ActiveSync, OMA, Public, Rpc, RpcWithCert, aspnet_client. Under OMA there's bin/, global.asax, oma.aspx, Web.config. Under Microsoft-Server-ActiveSync there's nothing. Properties for Microsoft-Server-ActiveSync has the correct local path (D:\Program Files\Exchsrvr\OMA\Sync)... ah, just spotted that "require SSL" isn't ticked there. I'll check if it works when I get the handset online.
(Reply) (Parent) (Thread)
[User Picture]From: sbisson
2006-12-08 01:05 pm (UTC)
I'm currently suspecting it's doing some form of device sniff and then returning a 501 if you're not a device using ActiveSync...

(I'm still waiting for them to push out the new OWA that works with non-IE browsers. I suspect it'll need Exchange 2007 - which I think I'll be putting on my upcoming server in the new year. I'm planning on going 64-bit and retiring SBS...)
(Reply) (Parent) (Thread)
[User Picture]From: dougs
2006-12-08 01:35 pm (UTC)
I now discover that my handset's browser doesn't trust my certificate, although my desktop does. It's from RapidSSL, and it's supposed to be a kosher single root certificate. I suspect that the list of trusted CAs isn't up to date. I'll have to address that and try again.
(Reply) (Parent) (Thread)
[User Picture]From: dougs
2006-12-09 01:24 am (UTC)
It's now working.

There are (were?) two issues.

Firstly, WM5 doesn't understand/support wildcard SSL certificates, and assumes that the address I'm pointing at (www.domain) doesn't match the certificate (*.domain) -- and, additionally, my certificate's issuer wasn't on the list of trusted roots. The latter point I could fix, but not the former -- but there's a registry hack to persuade ActiveSync in WM5 to bypass checking the validity of the certificate. That could conceivably introduce a vulnerability to a man-in-the-middle attack, but hey.

Secondly, the Exchange virtual directory had been instructed to "require SSL", and the server's ActiveSync backend talks to Exchange locally on port 80, so I had to untick that. Fortunately port 80 from out in the wild never gets near the server, so that's not an issue.

Thank you for a couple of nudges in the right direction.
(Reply) (Parent) (Thread)
[User Picture]From: liam_on_linux
2006-12-09 06:27 pm (UTC)
You know those hints about checking what the mobile could see from the web & Googling on the error number rather than just looking in the MS knowledgebase?

You're welcome. ;-)
(Reply) (Parent) (Thread)