August 31
Windows Mobile SBS Cert Rollercoaster: How to Deploy Windows Mobile 5 with SBS Self-Signed Certificates
Choosing the right Device
Those of us who have looked into this particular email-on-the-move solution realise that a lot of focus is placed on choosing the right mobile device, whether it is a Smartphone like the 3G (UMTS) HTC MTeoR, a PDA-style handset like the Palm Treo 750V or a hybrid unit like the Blackjack. Thankfully there are so many different units available that there is bound to be a Windows Mobile device and form factor to suit you or your customer. A quick way to tell the two editions apart: if you can edit a Word document on the phone you are using the Pocket PC version of Windows Mobile; otherwise it is probably running the Smartphone version of the operating system. The Blackjack, for example, looks more like a PDA but runs the Smartphone version of Windows Mobile 5.
<SCREENSHOT 1>
Push mail
Having email pushed to the device without user intervention is also seen as a crucial piece of the puzzle. It requires the selected device(s) to be running Windows Mobile 5 with the Messaging and Security Feature Pack (MSFP) applied, which most device manufacturers refer to as AKU2; in plain English, the push update.
Unfortunately some devices, including some early Windows Mobile 5 devices, cannot be upgraded to this Feature Pack, which will stop you in your tracks if your customer wants email pushed to the device automatically. You can still deploy such a device, but the user will have to sync email and calendar manually by opening ActiveSync on the device and choosing "Sync". You will also miss out on the ability to remote-wipe the device should it be lost or stolen, because remote wipe is part of the MSFP as well.
Unfortunately the Certificate question is often left to last even though both the security of your solution and the time you are going to spend on the deployment often depends on selecting the right approach.
3rd Party Certificate
In some cases a 3rd party certificate from someone like Thawte, or GoDaddy in particular for SBS given its relatively low cost, will make sense, especially if there is a large number of mobile devices to deploy and you would prefer not to install your certificate manually on each one; with a 3rd party certificate you only need to install it on the server. If you want to use a 3rd party certificate, make sure you choose a Secure Sockets Layer (SSL) certificate from a trusted root certification authority whose root is already present in the Windows Mobile root store, which is much smaller than the desktop one; otherwise you will end up installing it on your mobile devices just as you have to with the SBS self-signed certificate. If the certificate chains through an intermediate CA, that intermediate must also be installed on the server so it is sent to the device during the SSL handshake.
The Microsoft Partner site provides a good list of 3rd Party Certificates compatible with Windows Mobile Powered Devices <https://partner.microsoft.com/global/partner/40027352>
<SCREENSHOT 2>
However if there is a smaller number of devices you may prefer to go it alone and use a self-signed certificate generated by SBS itself. Firstly, be careful when selecting your mobile devices, as some non-Windows Mobile 5 devices such as the Nokia E62, which connects through a licensed, cut-down ActiveSync implementation, are almost impossible to get working with SBS self-signed certificates; details are in this post from the Official SBS Blog <http://tinyurl.com/create.php>. Also watch out for Smartphone devices: these are often restricted, particularly in relation to the certificate store, which makes it more difficult, but not impossible, to get the SBS self-signed certificate onto the device.
As a general rule it is much easier to install the self-signed certificate on a Pocket PC Windows Mobile device like the HTC TyTN or the Palm Treo 750V, whereas most devices running Smartphone Windows Mobile 5 are restricted in some way, which we will tackle in this article.
How to tell: if the device can edit Word documents it is a Pocket PC device. Either way, when purchasing you should evaluate candidate devices against your own in-house SBS network so you can make an informed decision one way or the other.
Self-Signed Cert Invalid Certificate Problem
Okay, so we are going to use the self-signed certificate and you have run the Configure Internet and Email Wizard (CIEW) to generate it. Full details are in "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003" <http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/winm5.mspx>.
Most importantly, when running the CIEW wizard from the To Do List in Server Management, make sure the Web Server Name you give for the certificate is the actual host name (or IP address) you will be connecting to from outside the network, usually the same as your Outlook Web Access host name, entered as the bare name without any http:// or https:// prefix. This is a deal breaker: get it wrong and your mobile device will not sync, because the name the device connects to must match the name in the certificate. When the wizard finishes it will have created a certificate file called SBSCERT.CER in a folder, usually "C:\Clientapps\Sbscert" on most installations; if ISA Server is deployed on the SBS box the file will instead be called ISACERT.CER.
The Microsoft documentation (referenced above) asks you to copy this file onto your Windows Mobile device using ActiveSync 4.1 or later: in the ActiveSync Explorer window, right-click and copy the .CER file and paste it into the mobile device's "My Documents" folder. Alternatively, copy the file onto an SD / mini SD memory card and insert the card into the device.
Once you have the file on the mobile device you browse to the file on the device and select the certificate and "Hey Presto" it should install the certificate into the device's own certificate root store.
Unfortunately in most cases when you select the certificate file you will get the following error message "Invalid Certificate".
You can normally get past this issue if you follow the steps below.
<SCREENSHOT 3>
1. On a PC or laptop with ActiveSync 4.1 or later installed and the mobile device attached via USB, open a browser.
2. Browse to Outlook Web Access over https, view the certificate the browser warns about and install it, accepting the defaults as you go (this assumes you have not already installed it). The browser places it in the current user's certificate store, which is where the next step looks.
3. Once the certificate is installed on the PC, click Start, then Run, type "certmgr.msc", browse to Trusted Root Certification Authorities and select the certificate you just imported.
4. Right-click it, choose Export, accept the defaults (DER encoded binary X.509) and save it as "SBSC.CER". If the phone is not locked you should be able to drop this file onto the device using ActiveSync as described above and install it from the device's File Explorer without an error.
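Before copying the exported file to the phone it is worth checking, on the PC, that it really is what the device expects: a single DER-encoded certificate (not the Base-64 or PKCS#7 variants the export wizard also offers) whose subject CN is the external host name the device will sync to. The script below is an added example written for this post, not code from the original article or from Microsoft's tooling; it uses only the Python standard library and a hand-rolled DER walker. The path C:\Clientapps\Sbscert\SBSCERT.CER and the host name mail.example.com are placeholders, and the embedded sample certificate is a constructed, unsigned X.509 skeleton that exists only so the script runs offline.

```python
"""Sanity-check an exported .CER before copying it to a Windows Mobile device.

Added example, not from the original post. Standard library only: confirms the
file is DER (not Base-64/PEM, not a PKCS#7 .p7b bundle), that the subject CN is
the external host name the device will sync to, and reports the SHA-1 thumbprint
for comparison with the device's Settings > Security > Certificates > Root list.
"""
import hashlib
import sys

PEM_MARKER = b"-----BEGIN"
OID_CN = bytes.fromhex("550403")                        # 2.5.4.3 commonName
OID_PKCS7_SIGNED = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def subject_cn(name_der):
    """commonName from an X.501 Name: SEQUENCE OF SET OF { OID, value }."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def inspect_cer(data, expected_host):
    """Describe the file; host_ok is True only if it is DER with CN == expected_host."""
    r = {"format": None, "cn": None, "thumbprint": None, "host_ok": False, "errors": []}
    if data.startswith(PEM_MARKER):
        r["format"] = "pem"
        r["errors"].append("Base-64 export; re-export as 'DER encoded binary X.509 (.CER)'")
        return r
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        r["format"] = "unknown"
        r["errors"].append("not a DER SEQUENCE; device will report Invalid Certificate")
        return r
    first_tag, first_val, _ = read_tlv(body)
    if first_tag == 0x06 and first_val == OID_PKCS7_SIGNED:
        r["format"] = "pkcs7"
        r["errors"].append("PKCS#7 (.p7b) bundle; export the single certificate instead")
        return r
    r["format"] = "der"
    fields = children(first_val)                 # tbsCertificate
    idx = 1 if fields[0][0] == 0xA0 else 0       # skip optional [0] version
    r["cn"] = subject_cn(fields[idx + 4][1])     # serial, sigAlg, issuer, validity, subject
    r["thumbprint"] = hashlib.sha1(data).hexdigest().upper()  # Windows 'Thumbprint' field
    r["host_ok"] = (r["cn"] or "").lower() == expected_host.lower()
    if not r["host_ok"]:
        r["errors"].append(f"CN {r['cn']!r} != external name {expected_host!r}; sync will fail")
    return r


def der(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_cert(cn):
    """Constructed, unsigned X.509 skeleton (dummy key and signature) for offline runs."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"070831000000Z") + der(0x17, b"080831000000Z"))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
               + der(0x03, b"\x00" + b"\x42" * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 32))


if __name__ == "__main__":
    # Usage: python check_cer.py C:\Clientapps\Sbscert\SBSCERT.CER mail.example.com
    # (path and host are placeholders); with no arguments the constructed sample is used.
    if len(sys.argv) == 3:
        blob, host = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:
        host = "mail.example.com"
        blob = build_sample_cert(host)
    print(inspect_cer(blob, host))
```

Run it against SBSCERT.CER (or the SBSC.CER you just exported) with the external host name as the second argument. A "pem" or "pkcs7" result means the wrong export format was chosen in the wizard, a CN mismatch means the wizard was run with the wrong Web Server Name and must be rerun, and the thumbprint is what you compare against the entry on the device once it is installed.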
If you get an error at this stage it is normally a security-related error because the device, usually a Windows Mobile Smartphone, has a protected certificate store; the message may read something like "Security Permission was insufficient to update your device". This can normally be bypassed by editing the registry, but as always be careful when editing the registry, particularly on a mobile device, and now is probably a good time to re-evaluate the 3rd party certificate option :-)
Ok, so you want to continue. Having done this dozens of times myself it has never caused an issue with any mobile device, but the standard warning about editing the registry still applies: be careful, and you are on your own if you mess up.
<SCREENSHOT 4>
Unlocking a Smartphone's certificate store
Firstly you need to get your hands on regeditstg.exe, a registry editor that runs on the Smartphone itself. Several versions circulate; the fairly generic one I have provided here http://markmulvany.fastmail.fm/RegEditSTG2.zip works with most HTC-derived Smartphones such as the i-mate SP5 and SP5m and earlier.
1. Unzip RegEditSTG2.zip onto your desktop or another location on the PC attached to the mobile device.
2. In most cases the registry editor executable will not be correctly signed for your device, so you will not be able to drag and drop it onto the device using ActiveSync. Instead put the file on an SD (mini SD) card using the adaptor that came with the device's storage card, first on your PC, and then move the card to the Smartphone.
3. Once the file is on the mobile device, simply click on it from File Explorer and the Smartphone registry editor will open.
4. Navigate to HKEY_LOCAL_MACHINE\Security\Policies\Policies and set the following DWORD values (decimal):
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 144
These are the Windows Mobile security policies for unsigned applications (1001), the unsigned-application prompt (1005) and the Grant Manager role (1017). Together they are the standard "application unlock": once applied, the device will run unsigned code with elevated privilege, which is what the certificate install needs but is also exactly what the lock exists to prevent, and the change stays in place after the certificate is installed. Only do this on devices you manage, and note the original values before you change them so you can put them back.
5. Restart the mobile device and you should now have no problems adding your SBS Self-signed certificate onto your device.
6. To verify that the certificate has been installed correctly, on the Smartphone click Start, Settings, Security, Certificates, Root (press 0 for more) and you should see your SBS certificate listed.
7. Now configure ActiveSync for the mobile device, either on the handset itself or, better still, using the wizard in ActiveSync 4.1 or later on your desktop.
Basically this means entering the user name, the password and the external name of the server, as per the Microsoft deployment document mentioned earlier.
Further information links
Microsoft Whitepaper "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003" <http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/winm5.mspx>
3G (UMTS) HTC MTeoR <http://www.europe.htc.com/products/htcmteor.html>
Microsoft Information on Messaging and Security Feature Pack for Windows Mobile 5 http://www.microsoft.com/windowsmobile/business/directpushemail.mspx
Smartphone mobile editor available from here http://markmulvany.fastmail.fm/RegEditSTG2.zip
Bio: Mark Mulvany works closely with Microsoft in Ireland and its partners as an external IT consultant, helping to increase partner skills around Small Business Server, Exchange messaging, Active Directory and mobility. Mark Mulvany MCT, MCSE, MCSE+I, MLSS, CNA, INET+