Hello everyone,

We have a self-signed certificate deployed via group policy from our domain controller to domain users. We are using Exchange 2013. Via the way I just stated, users can access email in Outlook 2010 on the domain. However, we run into problems when trying to add the accounts on mobile phones. On an Android-based phone which is the Samsung Galaxy S4, we try to enter the settings manually via Exchange ActiveSync but it doesn't work. 

I looked at this and followed the directions: https://support.office.com/en-ie/article/Set-up-email-on-an-Android-phone-or-tablet-886db551-8dfa-4fd5-b835-f8e532091872#__find_your_exchange

I logged into the Outlook Web App and looked at the POP settings and tried that server with SSL and it doesn't work. I tried that with the full email address as the username and just the username. Our domain is the prefix for both. The POP server and the SMTP server are the same but POP has SSL and SMTP has TLS. I'm not sure if that makes a difference or not.

I looked at the Exchange server settings and it looks like mobile access is enabled for all. I didn't create any policies though.

What do you guys think?

The certificate isn't installed on the phones. My first thought would be to try installing the certificate on the phone.
Assuming of course that you have your external DNS configured correctly and the certificate has all the correct na

I doubt it, but I'm not certain. It wouldn't exactly be

Hi CharGP02A,

how does the error exactly look like? Any messages?

As a first step to check your configuration I suggest you con go to https://testconnectivity.microsoft.com/ and run the test for ActiveSync. Please provide the result/error message.

If you had a certificate issue your Galaxy S4 usually comes up with a message that it cannot verify the certificate. If you did not get the message I think that is not your cause.

Also if you installed the cert paths certificates on your webserver, there is no need to install the certificate on the device. The webserver will deliver the certiuficates from the path. The only thing left on Android is that it may ask you because there is a root cert that is not trusted (yes, I suggest to use some 3rd party CA). 

A good point to start would be

--> check your ActiveSync externalURL using get-activesyncvirtualdirectory, https://technet.microsoft.com/de-de/library/hh529912%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

--> check your CAS mailbox status for the mailbox

--> run the test using testconnectivity.microsoft.com , so you will receive a clear description of errors.

Regards,
Martin

Hi CharGP02A,

Have to checked on the mobile to Accept all certificates?

Im using self signed certificate on my Exchange server as well and it Works fine,BUT it is chained to a Root CA in my domain.

There is no need to install self signed cert on Your phone,if you do so it will complain about Security issue.Android doesnt fully support installing self signed certificate.

On desktop and Laptop,your root cert has to be installed on local computer for it to work without issues.

Hi CharGP02A,

how does the error exactly look like? Any messages?

As a first step to check your configuration I suggest you con go to https://testconnectivity.microsoft.com/ and run the test for ActiveSync. Please provide the result/error message.

If you had a certificate issue your Galaxy S4 usually comes up with a message that it cannot verify the certificate. If you did not get the message I think that is not your cause.

Also if you installed the cert paths certificates on your webserver, there is no need to install the certificate on the device. The webserver will deliver the certiuficates from the path. The only thing left on Android is that it may ask you because there is a root cert that is not trusted (yes, I suggest to use some 3rd party CA). 

A good point to start would be

--> check your ActiveSync externalURL using get-activesyncvirtualdirectory, https://technet.microsoft.com/de-de/library/hh529912%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

--> check your CAS mailbox status for the mailbox

--> run the test using testconnectivity.microsoft.com , so you will receive a clear description of errors.

Regards,
Martin

I just tried connecting my email account via POP3 and got "unable to connect to email server to verify your account information. No response from the server." However, it pushed me to the next screen to put in more settings. I did that, got the same error, and then it let me finish adding the account with no issues. My email inbox doesn't have any email in it only because we haven't converted the MX records from our hosting service to Exchange yet. So unfortunately I won't know if email truly works on the phone that way.

Regarding the ActiveSync part, I looked at our virtual directory for ActiveSync on Exchange 2013 EAC and the URL for that externally is https://web.domainname.net/Microsoft-Server-ActiveSync. The tried the Exchange verifier site that you guys linked and it won't let me run it with that URL due to characters. Web is a CNAME record on our DNS server and not a host record. Does that matter in this case? I tried it with just the web.domainname.net and it gave me 

Hi CharGP02A,

how does the error exactly look like? Any messages?

As a first step to check your configuration I suggest you con go to https://testconnectivity.microsoft.com/ and run the test for ActiveSync. Please provide the result/error message.

If you had a certificate issue your Galaxy S4 usually comes up with a message that it cannot verify the certificate. If you did not get the message I think that is not your cause.

Also if you installed the cert paths certificates on your webserver, there is no need to install the certificate on the device. The webserver will deliver the certiuficates from the path. The only thing left on Android is that it may ask you because there is a root cert that is not trusted (yes, I suggest to use some 3rd party CA). 

A good point to start would be

--> check your ActiveSync externalURL using get-activesyncvirtualdirectory, https://technet.microsoft.com/de-de/library/hh529912%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

--> check your CAS mailbox status for the mailbox

--> run the test using testconnectivity.microsoft.com , so you will receive a clear description of errors.

Regards,
Martin

You can test using Microsoft RCA but not sure it is going work with your self signed cert

https://testconnectivity.microsoft.com/

You can test using Microsoft RCA but not sure it is going work with your self signed cert

https://testconnectivity.microsof

it mean this is a DNS issue.

http://mxtoolbox.com/DNSLookup.aspx

check what ip does it resolves to - something wrong at your DNS or at yourISP DNS.

it mean this is a DNS issue.

http://mxtoolbox.com/DNSLookup.aspx

check what ip does it resolves to - something wrong at your DNS or at yourISP DNS.

this may be because of not having the activeync.domain.net in your SSL SAN cert.

how do you access the OWA, owa.domain.net? if so then change the activesycn.domain.net to owa.domain.net

this may be because of not having the activeync.domain.net in your SSL SAN cert.

how do you access the OWA, owa.domain.net? if so then change the activesycn.domain.net to owa.doma

you can use *wildcard certificate.

how did you install the SSL Cert on Exchange,  you can use the cert instillation option within Exchange management console

you can use *wildcard certificate.

how did you install the SSL Cert on Exchange,  you can use the cert instillation option within Exchange management con

you can use *wildcard certificate.

how did you install the SSL Cert on Exchange,  you can use the cert instillation option within Exchange management con