Related
Hello to all.
I am using X1 with Dutch Tmobile.
One of the steps to complete setup for exchange account was providing lock pin/password, this was obligatory.
The problem i have now is that I can not disable it. Checkbox is greyed out and I can only change: lock time (0, 3, 5) and password itself.
I am really happy with Exchange acces from X1 but pin is really annoying.
Any help appreciated.
Cheers
gruczniak said:
Hello to all.
I am using X1 with Dutch Tmobile.
One of the steps to complete setup for exchange account was providing lock pin/password, this was obligatory.
The problem i have now is that I can not disable it. Checkbox is greyed out and I can only change: lock time (0, 3, 5) and password itself.
I am really happy with Exchange acces from X1 but pin is really annoying.
Any help appreciated.
Cheers
Click to expand...
Click to collapse
I have the same problem which is really anoying especially when using Tomtom as I have to type in my password every 5 minutes whilst driving.
From what I have been able to find out, it is caused by the policies on your server/exchange server, where for company information security reasons it requires a password and prohibits the phone user to dissable this function.
To change this, a change in windows server or exchange server is necessary.
If anybody can post instructions on how to do this I would be most grateful.
In Exchange 2003 SP2
You need to open system manager and click the + sign next to global settings. Now right click on mobile settings and select properties.
In the dialog box that has appeared click on device security and then u will have several options to do with the device pin code.
Enjoy.
scotjen1 said:
In Exchange 2003 SP2
You need to open system manager and click the + sign next to global settings. Now right click on mobile settings and select properties.
In the dialog box that has appeared click on device security and then u will have several options to do with the device pin code.
Enjoy.
Click to expand...
Click to collapse
Thanks for pointing me in the right direction.
In exchange 2007, start Exchange Management Console, navigate to Organisation Configuration/Client Access/Mailbox Policy Server. Double click, select Password tab and uncheck require password. Sync with active sync and then you can remove the password.
Huge thanks for that! It has been bugging the hell out of me. Am using Small Business Server 2008 and it does all these settings automatically so I had no clue where to look.
Saddly for me my organization is to big to alter anything on the Exchange server.
Exchange policy update is still a workaround when you do not sync for some time (vacation etc)
Trying to set up ActiveSync on my Telus P4000 (Titan), although the issue should be the same with an WM6.1 phone...
I can't for the life of my figure the right server settings to enter in the Configure Server section, and I have yet to find a definitive "this is how you do it" procedure for it. As near as I've been able to glean, for the "Server address" section, you give it JUST the domain name of the Exchange server, without an http:// or a /exchange or /oma or anything... correct so far? But the catch in my particular instance is that Exchange web access is on port 8080, rather than 80 or 433.
I've tried adding a :8080 to the server address, I've tried adding the http:// and/or https://, I've tried adding the /oma and /exchange to the end, and all combinations of the above, with no luck... when I go back into the settings, it's reverted to JUST the domain name. Is there somewhere else I can tell it to use a non-standard port? Registry key, maybe?
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SLL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Soundy106 said:
Okay, well I managed to get rid of the "Cannot reach server" messages by switching back to "require SLL", and as it turns out, the server wasn't set up for SSL (it is now). So now I'm connecting, but getting certificate errors. At least I've found plenty of info about solving that issue, so on to the next step...
Click to expand...
Click to collapse
You will probabby have to install a certificate on the phone to be able to communicate with the exchange server. At least i had to...
playerkiller said:
I'm not sure it works with other ports than 80 (HTTP) and 443 (HTTPS).
You just need to put your external A record in the server value.
Try using standard ports first to be sure everything is working, then switch.
Click to expand...
Click to collapse
I've searched everywhere for info on using non-standard ports for activesync, and I haven't found anything, and I couldn't get it to work.
jeen said:
You will probabby have to install a certificate on the phone to be able to communicate with the exchange server. At least i had to...
Click to expand...
Click to collapse
Yeah, did that... still not helping
Go to first new post ActiveSync config for Exchange
Exchange ActiveSync cannot access the server if SSL is set to be required. For
information about how to correctly configure Exchange virtual directory
jeen is right. Unless the certificate is issued form a Trusted Certificate Authority, you will need to import the issuing CA in the Root Certification Authority store of your Phone.
If it's a self signed cert, just export it from exchange server (without Private key) and copy it to your phone. Then, double click it from File Manager. This should be enough.
^Yeah, I did that right off the top (see my reply to jeen). Still no joy.
Perhaps Tendulkar can finish his thought...
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVritualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obvsiulsy Click ok.
Win2008 (IIS7)
Open IISManager.
Navigate through site, default website, hilight Microsoft-Server-ActiveSync.
Make sure you have the features view selected (should be by default).
Choose SSL Settings.
Unflag "Remove SSL".
Obviusly click Accept.
playerkiller said:
To disable SSL requirements for Activesync service is very easy:
Win2003 (IIS6.0)
Open IIS on your cas, expand the Default Website (or the website where ASVritualDir resides) right click on Microsoft-Server-ActiveSync and choose properties.
Go to the tab Directory Security, choose EDIT under Secure Communication.
Remove flag from Require Secure Channel.
Obvsiulsy Click ok.
Click to expand...
Click to collapse
Hmmm... "require SSL" was already un-checked. I've re-checked it, let's see what happens with that.
OK lemme know.
make sure you have the same root certificate installed also. you have to trust the same certificate authority as the certificate that you have on your exchange server.
Did anyone find solution
I am having same problem. Certificate installed and tried all connection settings that can find on internet. Cannot get ActiveSync to syn with my server (same certificate error, but hosting company states tested with WM6.1 that all is working fine on their end) and also cannot get Windows Live Messenger to work, states there's a connectivity problem. Funny thing is MMS, surfing net with IE, and Google Maps with GPRS work fine. Only Microsoft network products are not working. My phone is Palm Treo Pro with WM6.1 Professional. Vodaphone version but bought in China and have since added A4 Chinese text editor, which I think could be problem, but need to hard reset phone to check. Any ideas? Better yet, any solutions?
One tip for getting this working in my case (same certificate errors) was that I had to get the certificate off the internally facing OWA server, rather than the externally facing version. Although they're both the same server, the external one goes through an IAS box which seems to be presenting its own certificate rather than the one on the exchange server. Don't ask me - I don't run the system.
As soon as I add the Internal version of the cert, Exchange, OTA Sync and ActiveSync spring into life.
Here's the problem.
When I try to connect to my University's network , the Galaxy S is able to connect JUST fine. However, when I open a browser it says the incoming certificate is not secure and then I have NO INTERNET on any page.
What the network is supposed to do is redirect me to the login page so that I can register the device to the network. My phone can't do that apparently and just sits connected to the network with NO INTERNET connectivity. How can I fix the problem?
This is the university network and the instructions how to get on it for Android devices:
http://www.colorado.edu/its/docs/wireless/androidwireless.html
I connect to it just fine but am UNABLE to get to that device registration/login page.
This is NOT just for my university. ANY public network which requires me to accept an "agreement" before it lets me have internet access, my phone KILLS ITSELF and CANNOT pull up the agreement page but instead tells me there is no internet. I'm SURE its a software problem or something with settings but can't figure out just what it is. Help?
Just about the only networks I can connect to on Wi-Fi are home networks. It SUCKS.
Are you manually trying to type the page address into the browser (https://dhcp.colorado.edu/Public/forceresponse.cgi?SelectAccessData=true)?
No. I tried other websites. The phone browser is IMMEDIATELY redirected to that page and after 0.5 seconds it says "Communication Failed" or something similar and loads NOTHING. Hence my problem is that it can't get to that registration page.
I am not sure then. I have had no issues connecting to public connections that require logins. Maybe call the tech # listed on the instructions page and see what they say. I did notice the screenshot in the guide seems to be 2.2 so maybe this has something to do with it (probably not but who knows)
Sigh
That's not good.
EDIT: The EXACT error I get is:
"There is a problem with the security certificate for this site. This certificate is not from a trusted authority." I get this AS it attempts to load the redirect login page (both university and at work now). Same issue. It's browser/certificate related. And its ANNOYING as hell.
EDIT 2: Found the problem. It's that stupid certificate.
"This is a result of your corporation using an in house Certificate Authority to provide SSL encryption on your mail server and clients.
Basically....the computer that issued the certificate isn't trusted by the android phone. I'm new to android so I'm not sure if you can add a trusted CA (I haven't seen any options for it).
I don't know about future updates like the above poster mentioned.
Most companies will purchase a certificate from one of the major Certificate Authorities on the internet, which are pre-programed into most operating systems to be trusted. Internal CA's are trusted by the domain environment at your work, but not by anyone else. External (Internet) CA's are trusted by everyone.
if you want an example, open up IE (gross I know) and go to your options. Click the content tab, then there should be a button label certificates. inside the certificates window select Trusted Root Certification Authorities.
That is a list of all the builtin trusted CA's provided by Microsoft and the companies that govern the internet. "
I STILL have no idea how to fix it and to make the phone accept the certificate though.
While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to h ttps://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
this request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think its the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file.
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to API) DeviceStatus call don't have fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, how it looks like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what do do with the packet because the certificate generated by fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
Click to expand...
Click to collapse
see last post Are you guys installing the trusted root certificate on your phone?
compu829 said:
see last post Are you guys installing the trusted root certificate on your phone?
Click to expand...
Click to collapse
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
Click to expand...
Click to collapse
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your WIndows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
if you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps then necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying .
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, All I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and WIndows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
on the phone there is the file "PhoneReg.exe", which works with this data, and it check certificate Common Name (must be Microsoft...) and Thumbprint to hardcoded data
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?
I have LG D800, and on certain websites I get a security warning saying "there are problems with the security certificate for this site" with options of go back, view certificate, continue.
Before I get ahead of myself the reason I want to fix this is because I want to connect to my work VPN through Junos Pulse, and I get a security certificate error there as well, and it won't allow it to connect (I can't change security options w/this app and I don't think other apps work for this vpn)
So I noticed through browsers (both native and chrome) that one some websites I get an https error through my phone and then when I try it on my computer it works fine! (the site I tried was my school's: myllu.llu.edu
For the certificate errors it says: this certificate isn't from a trusted authority. The issuing athority for myllu is listed as GeoTrust SSL CA, and for the VPN I want to connect to: VeriSign Class 3 Secure Server CA -G3.
Can anyone help me with this? I realllly would appreciate it
PS: time and date are correct on my phone, a difference was not made by getting network time, or manually inputting time and date
if you choose to trust those certificates, why don't you just go ahead and install them?