Thursday, 30 July 2015

ActiveSync not working through Web Application Proxy after certificate renewal

I've recently had a hairy problem with a ActiveSync on Exchange 2010. Funnily enough this happened after a certificate renewal...

Just some background on this so you know where I'm coming from. Our client had decommissioned Forefront TMG (may it rest in peace/pieces) and was in need of a reverse proxy server. Luckily they had an ADFS 3.0 server setup for Office 365 domain federation so we made use of the Web Application Proxy.

Initially the transition worked great! Everything was hunky-dory, everything just worked.

Then came a notification for a certificate renewal... Cert gets renewed, applied to services, and tested for everything except ActiveSync... (bad oversight, this is now in my to check list when working with certificates).

A few weeks later after the renewal the problem becomes more apparent as people actually used the ActiveSync (funnily enough it took them that long to realise this). Wondering what went wrong I tried running through an ActiveSync setup on an Android phone and iPhone... neither worked. Then I tried on a Windows Phone... a miracle, it worked! But why not on the others?!?! Started testing 3rd party clients, Outlook for Android failed while the Nine mail client worked... More anger and frustration ensues...

Thinking it could possibly be something to do with Exchange, I patched it to CU9 in hopes that this would automagically correct the problem. No kudos. After taking a break and freshening up my thinking I eliminated the web application proxy from the equation by directing requests directly to the Exchange server, and wah-lah, ActiveSync is working! Put the requests back through the web proxy and sad faces, not working.

This left the web application proxy server as the culprit. After doing some Google-fu something interesting popped up. This command:

  netsh http show sslcert

Running this it returned something that was gone, a certificate bound to that no longer existed! Find the binding with the bad certificate and make a note of the appid as you'll need to rebind the port with this appid.

To fix this I removed the binding for

  netsh http delete sslcert ipport=

Then recreate the binding with:

  netsh http add sslcert ipport= appid={xxxx} certhash=xxxx

xxxx is the GUID of the appid and certhash is the thumbprint of the new certificate.

I had some problem in getting this to execute so I completed the same command inside the netsh CLI.

Once bound the ActiveSync started working on Android and iPhone with the native mail clients.

My life was spared - mail could now be had on mobile devices for all!

TLDR: Remove old SSL binding that references an old/removed certificate then re-create the SSL binding with the new certificate.

1 comment:

  1. Thank you so much!!! I couldn't figure out for the life of me why activesync was not working properly. Sure enough I had an old SSL certificate binded to port 443. Thanks!