
C7 Solutions Team Blog

 


Wednesday, April 01, 2009

Enabling ActiveSync on a Sony P1i with a GoDaddy Certificate

The Sony P1i phone does not trust certificates issued by GoDaddy, so if you use a GoDaddy-issued digital certificate for ActiveSync on one of these phones you will be prompted to accept the certificate at each sync. As this defeats the purpose of push email sync, you will want to stop the prompt.

You do this by installing the GoDaddy trusted root certificate on the phone. On any Windows computer that connects without a certificate warning to a website protected with your GoDaddy certificate, run mmc.exe and add the Certificates snap-in, selecting the local user option. Browse to Trusted Root Certification Authorities and click on the Certificates node. Find and right-click the Go Daddy Class 2 Certification Authority and choose All Tasks > Export. Export the certificate as a DER encoded binary X.509 (.CER) file to a folder on that computer.

Email that file to the owner of the Sony P1i and sync the phone to download their email (confirming the prompt that we want to remove). Open the email and download the attachment. Once the attachment is downloaded (which might involve syncing again and confirming the certificate prompt) open the attachment. The phone will install the certificate into its certificate store. No more prompts!
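The export step above can also be done from PowerShell. This is an added example, not part of the original post: it exports the same root as DER and prints its fingerprints so the copy that arrives on the phone by email can be compared with an independently obtained copy before it is installed as a trust anchor. The output file name is an assumption.

```powershell
# Added example: export a trusted root as DER and print its fingerprints.
# $SubjectMatch comes from the post; $OutFile is an illustrative path.
$SubjectMatch = 'Go Daddy Class 2 Certification Authority'
$OutFile      = Join-Path $env:TEMP 'godaddy-class2-root.cer'

# Current-user Trusted Root store, the same node browsed to in the MMC snap-in.
$found = @(Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$SubjectMatch*" })
if ($found.Count -ne 1) {
    throw "Expected exactly one matching root, found $($found.Count)."
}
$root = $found[0]

# A root CA certificate is self-signed: subject and issuer are identical.
if ($root.Subject -ne $root.Issuer) {
    throw "Not self-signed, so not a root certificate: $($root.Subject)"
}
if ($root.NotAfter -lt (Get-Date)) {
    throw "Root certificate expired on $($root.NotAfter)."
}

# X509ContentType 'Cert' is the DER encoded binary X.509 form (public part only).
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# SHA-256 over the exported bytes; Thumbprint is the SHA-1 Windows displays.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256  = [System.BitConverter]::ToString($sha256.ComputeHash($der)) -replace '-', ''

[pscustomobject]@{
    File     = $OutFile
    Subject  = $root.Subject
    NotAfter = $root.NotAfter
    SHA1     = $root.Thumbprint
    SHA256   = $fp256
}
```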


permalink posted by Brian Reid : 7:06 PM 0 comments

Monday, June 25, 2007

ERROR_REPLICA_SYNC_FAILED_THE TARGET PRINCIPAL NAME IS INCORRECT

This rather imposing message appears if you try to force replication between two Active Directory domain controllers when the machine account password of one of the controllers is out of sync with the password stored on the other domain controller.

I have seen this a number of times on Virtual PC or Virtual Server Active Directory deployments with more than one DC in the virtual environment.

So, how do you fix it:
  1. On the DC that is broken (the one that when using replmon reports the error above) set the Kerberos Key Distribution Center Service to manual and stop the service.
  2. From a command prompt on the broken DC enter the following:
    netdom resetpwd /s:name_of_working_DC /ud:domain\user /pd:*
    where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password.
  3. Upon pressing Enter, if the command fails then restart the broken DC and repeat the above command (this restart clears the Kerberos ticket cache and so clears the broken credential attempts that it has stored).
  4. Upon successful completion of the command in step 2 restart the broken DC. You must do this even if done already in step 3.
  5. Check that replication is working, and if so restart the Kerberos Key Distribution Center Service and set the service back to automatic.

This is a summary of Microsoft Knowledgebase Article 325850, with some more specific detail mentioned.
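The same sequence as a two-phase script, as an added example that is not code from the original post or from the Microsoft article. The script parameters and phase names are hypothetical; run it elevated on the broken DC, once with `-Phase Reset` and, after the restart in step 4, once with `-Phase Verify`.

```powershell
# Added example: steps 1-5 above in two phases around the required restart.
# $WorkingDC and $AdminUser are values you supply; phase names are illustrative.
param(
    [Parameter(Mandatory)][ValidateSet('Reset', 'Verify')][string]$Phase,
    [string]$WorkingDC,   # name of the healthy domain controller
    [string]$AdminUser    # domain administrator in domain\user format
)

if ($Phase -eq 'Reset') {
    if (-not $WorkingDC -or -not $AdminUser) {
        throw 'Reset needs -WorkingDC and -AdminUser.'
    }
    # Step 1: set the Kerberos Key Distribution Center service to manual and stop it.
    Set-Service -Name kdc -StartupType Manual
    Stop-Service -Name kdc -Force

    # Step 2: reset the machine account password against the working DC.
    # /pd:* prompts for the password, so it is never stored in the script.
    & netdom resetpwd "/s:$WorkingDC" "/ud:$AdminUser" '/pd:*'
    if ($LASTEXITCODE -ne 0) {
        # Step 3: a restart clears the Kerberos ticket cache; then run Reset again.
        Write-Warning 'netdom failed. Restart this DC and re-run -Phase Reset.'
        exit 1
    }
    # Step 4: restart is required even if one was already done for step 3.
    Write-Host 'Password reset. Restart this DC, then run -Phase Verify.'
}
else {
    # Step 5: confirm replication works before re-enabling the KDC.
    $links  = @(repadmin /showrepl /csv | ConvertFrom-Csv)
    $failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    if ($links.Count -eq 0 -or $failed.Count -gt 0) {
        $failed | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status'
        Write-Warning 'Replication not confirmed healthy; KDC left stopped.'
        exit 1
    }
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    Write-Host 'Replication healthy; KDC set back to Automatic and started.'
}
```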


permalink posted by Brian Reid : 4:06 PM 0 comments

Friday, July 29, 2005

Connecting a Windows SmartPhone to Exchange Server Protected with a Private Certification Authority Digital Certificate

Having recently obtained my first Windows Mobile powered SmartPhone, I needed to connect to my Exchange Server over the internet using ActiveSync. For those of you unfamiliar with Windows Mobile SmartPhones, they let you connect, using the phone's internet connection (typically over a GPRS network), to your Exchange 2003 Servers to download your email at a given schedule. Additionally the SmartPhones running Windows Mobile 2003 and later support “Up-to-date Notifications”, where the emails are synchronised to your phone automatically upon arrival at the Exchange Server independent of the schedule. It was this Up-to-date Notifications feature that I wanted to implement, but it was not as straightforward as I thought it would be when I got down to it!

The reason was the phone. I have an Orange SPV C550 which is locked by Orange, the network operator. This means that you cannot install any software on the phone including any digital certificate that you need to connect to your Exchange Server.

To configure synchronisation of your e-mail across the mobile network you need to have Exchange ActiveSync enabled on your Exchange Server (it is on by default) and ensure that the “/Microsoft-Server-ActiveSync/*” path to an Exchange Server in your organisation is available through your firewall. If you do not use SSL to protect this HTTP session (not recommended) then you need do nothing to your phone apart from configure it to use the server synchronisation to get your email. If you want to use HTTPS and your digital certificates come from a private certification authority, you will find that you cannot connect, because your phone will not trust the certificate issuer. Note that in test environments you can use the Disable Certificate Verification tool (see links below) to avoid this issue, but for a production network this is not recommended.

Therefore you need to unlock the phone and install the root certificate from your private certification authority and then relock the phone before you can make a secure connection to your Exchange Server from your Windows Mobile SmartPhone. The last step of locking your phone again is optional, but recommended as it maintains the security of your phone.

To unlock your Orange phone you need to follow these steps, though note that other mobile network operators will either provide unlocked phones or might have an equivalent process:

  1. Make at least one GPRS connection so that your device is registered at Orange
  2. Check that your handset is switched on and has a good signal.
  3. Make sure that you have a record of your IMEI number. You can get this by typing *#06# on the phone.
  4. Visit http://developer.orangews.com/orgspv/comdefq.aspx on a computer (you can do this on the phone, it's just easier on a computer). At the time of writing this web page does not list the C550 phone as a phone it unlocks, but it does work.
  5. Choose to “Disable Certificate Security” and click Proceed. Enter the required information and your phone will make an internet connection (which you will be billed for) and it will unlock your phone. Once the phone is unlocked you will see a message in English and French telling you that “Your handset has had its certificate security disabled.”

Once the handset is unlocked you can install any application on the phone that you like, but for the purposes of connecting to your Exchange Server for Up-to-date Notifications:

  1. Start Internet Explorer on your phone and browse to a web site containing your root digital certificate (or use SPAddCert.exe if you already have the certificate downloaded to the phone’s memory. SPAddCert’s download location is on the list of links below). For example if your certificate server is the version that comes with Windows then visit http://servername/certsrv/certcarc.asp and download the certificate.
  2. Confirm that you want to install the certificate at the prompt. Assuming that the phone unlock was successful, the certificate will be installed.
  3. You can now relock your phone using the same process as described above, just choosing the “Enable Certificate Security” option instead. Though whilst your phone is unlocked you might want to investigate Global Contact Access from Microsoft (see the links below) to give your phone more access to your Exchange Server, such as the Global Address List and Free/Busy information.

Configuring Exchange ActiveSync on the Exchange Server is beyond the scope of this article, but full instructions can be found in the Microsoft Press Exchange Server 2003 Resource Kit on pages 892 onward to the end of the chapter.

Once you have the certificate installed you can configure the device to connect to the Exchange Server. This is done by starting the ActiveSync application on your phone and setting the options. Option 3, Server Settings controls this functionality and you need to choose menu item 4 (Connection). Here you need to enter your username, password and domain along with the server name, which is the web address to the Exchange ActiveSync server (for example mail.company.com). You can leave the SSL option selected as you now have the ability to do this connection securely, without needing to purchase a digital certificate from a public certification authority.

Links


permalink posted by Brian Reid : 8:57 AM 2 comments
