  1.    #1  
    I know there are a few threads on this already but wanted to start a separate thread for the specific config where root & client cert are required to connect to EAS.

    There's been a lot of traffic on this forum and others about getting EAS working but the picture still seems to be murky on this specific scenario, which is what I need to connect to Exchange at work.

    I was hoping the 1.0.3 update would help on this front but in my case it did not. I still get the "Unable to validate account settings" error and am unable to complete creating the account.

    When I browse to the EAS server HTTPS address via the browser, I connect to the server but then get "The page requires a client certificate" error, which indicates that the Pre is not presenting the client cert or not doing it in a way that the server will accept.

    If anyone has been able to get THIS SPECIFIC SCENARIO to work - cert based authentication using both a root cert (for the EAS server) and a client cert (specific to the AD user) please post here.

    - Chris
    Last edited by ckgoodwin; 06/19/2009 at 07:06 PM. Reason: Fix typo
  2.    #2  
    Still playing around with this trying to get EAS working.

    I notice from other threads that the Pre seems to need the Common Name in the cert to match the FQDN of the EAS server.

    In my case, neither cert displays the CN of the EAS server in the Common Name field when viewed in the Pre certificate manager. Our Windows admin assures me that there are multiple CNs included in the cert, which works with iPhones and other mobile devices but apparently not with the current WebOS on the Pre.

    I can ask the admin to generate a cert that has only one CN - which matches the EAS server - but am not sure if that's the root cert or the client cert?

    Can someone clarify the best way to ensure the CN in the cert matches the EAS FQDN such that the Pre will handle correctly?

    Any help or advice is much appreciated...

    - Chris
  3. #3  
    The reason for the import of the root cert is so that the Pre will recognize the validity of the cert provided by the EAS service each time you connect (assuming you are using self signed certs from the Windows Server Certificate Authority).

    The cert presented to the Pre from the EAS server on every connection must have been issued by the server that created the root cert you are using (and/or the top level cert authority in your domain). If this isn't the case then the Pre will not trust it and the connection will fail.

    Additionally, the cert being used for connections on the IIS server for EAS must have been generated by that same server and when created would need to have included the external (Internet) FQDN of the EAS server. This would usually be the URL you type to get Outlook Web Access minus any virtual directories such as /exchange.

    This is what I had to do to get the certs working correctly.

    With a properly configured setup and with root certs installed, you should not be getting any cert errors when browsing to OWA. If you install the root cert provided to you by your IT folks on your home computer do you get a cert error warning or is it just on the Pre?
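
Added example, not part of any post in this thread: a Python check for the name-matching and issuer points raised in posts #2 and #3, run on certificate fields shaped like the dict returned by `ssl.getpeercert()`. The `cn-only` policy is an assumption that models what posters report the Pre seems to do, "multiple CNs" is read here as subjectAltName entries, and all host names and certificates are constructed.

```python
# Constructed certificate fields, shaped like the dict ssl.getpeercert() returns.
ROOT = {"subject": ((("commonName", "Example Corp Root CA"),),)}
SERVER = {  # CN is the internal host name; the public name is only a SAN
    "subject": ((("commonName", "exch01.corp.example.test"),),),
    "issuer": ROOT["subject"],
    "subjectAltName": (("DNS", "exch01.corp.example.test"),
                       ("DNS", "mail.example.test")),
}
REISSUED = {  # same issuer, CN now equals the external FQDN
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ROOT["subject"],
    "subjectAltName": (("DNS", "mail.example.test"),),
}

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_names(cert):
    """Return (subject CNs, DNS SANs) in certificate order."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def accepts(cert, host, policy):
    """policy 'cn-only': compare the first subject CN only (assumed client behaviour).
    policy 'san-aware': use DNS SANs when present, else fall back to the CNs."""
    cns, sans = cert_names(cert)
    if policy == "cn-only":
        return bool(cns) and name_matches(cns[0], host)
    if policy == "san-aware":
        return any(name_matches(n, host) for n in (sans or cns))
    raise ValueError(f"unknown policy: {policy}")

def issued_by(cert, root):
    """Name chaining only: issuer DN equals root subject DN (no signature check)."""
    return cert.get("issuer") == root.get("subject")

def diagnose(cert, root, host):
    return {"chains_to_root": issued_by(cert, root),
            "cn_only_client": accepts(cert, host, "cn-only"),
            "san_aware_client": accepts(cert, host, "san-aware")}

if __name__ == "__main__":
    for label, cert in (("current", SERVER), ("reissued", REISSUED)):
        print(label, diagnose(cert, ROOT, "mail.example.test"))
```

To run it against a live server, pass the dict from `ssl.getpeercert()` on a verified connection in place of the constructed `SERVER` value.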
  4. #4  
    It sounds like you're using a personal certificate? I don't know if those are supported on the Pre.
  5. #5  
    Actually that is a good point. You should call Palm support (not Sprint) and ask if the EAS implementation supports client certs at this time.

    Last edited by ryleyinstl; 06/23/2009 at 09:16 AM. Reason: Add phone number
  6.    #6  
    Quote, originally posted by ryleyinstl:
    ...You should call Palm support 1-866-750-PALM
    You know, that's the one idea I had not tried. I generally find better info on forums like this and shy away from calling the usually horrible off-shore, script-based, ESL, knuckle-heads available via the typical phone support operation. But in this case, after jumping through a few hoops I am on with a relatively knowledgeable L2 support tech who is taking a detailed look at my config. Will keep you posted...

    - Chris
  7.    #7  
    Ok, just got off a 45 minute call with an L2 tech who seemed pretty knowledgeable. He actually had me send him my certs and login info (temp passwords obviously) and they attempted to connect to EAS from one of their devices and found the same issues I had. I was impressed they dug that deep into my issue.

    He explicitly confirmed that the current version of WebOS has known issues with EAS. He indicated that those issues should be addressed in an upcoming update - which got my hopes UP. But then he mentioned that update was looking at pin-locking and remote wipe features (which are not related to my issue) so then my hopes started back DOWN.

    At this point just hoping that the next release addresses all or most of the EAS authentication issues along with adding any additional features.

    Thanks all for the suggestions...

    - Chris
  8. #8  
    Quote, originally posted by ckgoodwin:
    He explicitly confirmed that the current version of WebOS has known issues with EAS
    I don't suppose he elaborated on a few of those issues, such as client cert support? Would help if he did so that others in your situation could avoid 2 weeks of troubleshooting.

    At least the Palm tech gave it the old college try... I'm sorry to hear that your particular situation could be resolved.
  9.    #9  
    Quote, originally posted by ryleyinstl:
    I don't suppose he elaborated on a few of those issues, such as client cert support? ...
    No, he was predictably cagey about what issues exactly were being worked on but definitely confirmed that even their own engineers could not get my root/client cert config working - so I would say that is pretty strong evidence that client certs are NOT currently supported in their current EAS implementation.

    I would LOVE to be proven wrong on that front - so again, if ANYONE has the root/client cert config working - please post some details here!

    - Chris
  10.    #10  
    Ok, just tried EAS sync again after upgrading to 1.1 and still no luck - dang it all. Anyone else tried this with better results using a client cert?

    - Chris
  11.    #11  
    Ok - just upgraded to 1.2 which is nice overall but does not seem to fix the lack of support for client certs &*%^#$%!. EAS sync is still not working for me and the browser still does not seem to be aware of client certs either. I know this was not specifically promised in 1.2 but I keep hoping. Anyone seen anything to the contrary on this?

    - Chris
  12.    #12  
    Ok, well - I am enjoying talking to myself here but just in case anyone else is interested in this issue - I have official confirmation that the Pre (WebOS 1.2) does not currently support client certificates. Here is a copy of a chat thread I just had a few minutes ago with Palm Support. I have bolded the punchline for your viewing pleasure:

    1:11 PM Connecting to Rescue Gateway:
    1:11 PM Connected to Rescue Gateway. A support representative will be with you shortly.
    1:12 PM Support session established with Kade.
    1:12 PM Kade: Hello.
    1:12 PM Chris Goodwin: Hi
    1:13 PM Kade: I understand that you want to know information about Certificates.
    1:13 PM Kade: Am I correct ?
    1:13 PM Chris Goodwin: Yes, I wanted to know if the Pre is able to utilize client certificates for authentication in EAS? Is that currently supported?
    1:15 PM Chris Goodwin: Note that I am referring to CLIENT certificates which securely identify the user - not public certificates which identify the EAS server
    1:15 PM Kade: Thank you for the information.
    1:15 PM Kade: Please give me 2 minutes to check the information about it.
    1:15 PM Chris Goodwin: ok
    1:16 PM Kade: Thank you for your time.
    1:17 PM Chris Goodwin: Ok, I am standing by
    1:17 PM Kade: If your certificates are valid then you can install it on the device.
    1:18 PM Chris Goodwin: Yes, that's true but does not answer my question
    1:18 PM Chris Goodwin: I am asking if the Pre WebOS 1.2 supports a specific type of certificate - a client side certificate
    1:20 PM Kade: Okay.
    1:20 PM Kade: The device supports any certificate which is released by Certificate Authority.
    1:22 PM Chris Goodwin: Yes, but there are several types of certificates - and different types require different interaction from the client device (Pre in this case). I am looking to confirm if the Pre supports a specific type of certificate - client side certificates.
    1:23 PM Kade: You can go ahead and install all types of certificates.
    1:23 PM Chris Goodwin: Yes, but again, that is not answering my question.
    1:23 PM Chris Goodwin: My question is if the Pre is capable of USING the installed client certificate
    1:23 PM Chris Goodwin: Support for that type of certificate would need to be specifically built into the OS so someone should be able to say "Yes, we support that" or "no, we have not implemented that"
    1:25 PM Kade: Please wait, I will provide you link which gives information about the Certificates.
    1:27 PM Kade: Please follow the link given below to know information about it :
    1:27 PM Kade has sent a link:
    Palm Support : Palm Pre Sprint - SSL Certificates
    1:27 PM Chris Goodwin: yes, I have seen that before. I see no mention of client side certificates though. Does that mean they are not currently supported?
    1:30 PM Kade: Well, I have just checked the information about it.
    1:31 PM Chris Goodwin: And?
    1:32 PM Kade: Please give me 2 minutes.
    1:32 PM Chris Goodwin: Ok
    1:34 PM Kade: Well, I am checking all the information related to it with my supervisor also.
    1:34 PM Kade: Please give me 4 minutes to provide you information about it.
    1:35 PM Chris Goodwin: Ok - standing by
    1:35 PM Kade: Thank you for staying online.
    1:36 PM Kade: As of now the Client certificates are not supported with Pre device.
    1:36 PM Chris Goodwin: Ok - thanks for confirmation.
    1:36 PM Kade: Can I help you with another issue?
    1:37 PM Chris Goodwin: Are they planned to be supported in a future software release?
    1:37 PM Kade: “Palm understands that some features are not currently supported. I’ll make a note of the feature you mentioned. Customer input is an important consideration when we make enhancements and introduce new features. Changes such as this are delivered automatically by our over-the-air update system.”
    1:38 PM Chris Goodwin: So no existing plans to support that?
    1:38 PM Kade: However I will also forward this input to our Palm engineers team.
    1:39 PM Chris Goodwin: Thanks
    1:39 PM Kade: As of now there is no information regarding that.
    1:39 PM Chris Goodwin: I would also suggest that the table in the link you sent me be updated to reflect the current status of support for client certs
    1:39 PM Chris Goodwin: This would avoid confusion for customers like me
    1:40 PM Chris Goodwin: And I certainly do hope that feature gets implemented soon. It's needed by me and many other users who need to connect to a secure enterprise mail system
    1:40 PM Kade: I understand your concerns.
    1:41 PM Chris Goodwin: Ok, well thanks. I think we are done...
    1:41 PM Kade: Thank you for your understanding and patience.
    1:41 PM Kade: Thank you for contacting Palm and feel free to contact us for further assistance. After our chat ends, you’ll receive a survey.
    1:41 PM Kade: Have a nice day !
    1:41 PM Kade: Bye !
    This sux for enterprise users like me that are required to have more than userID/password auth on externally exposed e-mail interface. Oh, well - hopefully in a future release. Maybe while they are working on all the other EAS SNAFUs after 1.2...

    - Chris
