webOS & EAS Troubleshooting: Start Here

Based on the large volume of EAS related requests, I decided to compile a list of the big issues we've seen and post the fixes/workarounds for those issues into a single, consolidated spot for easy access. I put it in a very simple form up top so that those who just want a fix have it. If you are like me and like all the geeky details, scroll down for additional background information. Also, I will continue to update this post as I learn/hear about more problems or solutions. Here we go:

 

Definitions Section

 

Fully Qualified Domain Name (FQDN): This is the part of the URL after the protocol prefix. For example, if you have the http://forums.palm.com URL, forums.palm.com is the FQDN.

Outlook Web Access (OWA): This is a special website where users can access their Exchange account in a web interface. This is also the site you enter into the Pre as the Exchange Server.

Exchange Active Sync (EAS): This is the name of a feature that lets you sync mobile devices directly to an Exchange Server

 

Troubleshooting Section:

 

Issue: Getting the error message "The mail server requires security policies that are not supported" when adding an EAS account

Cause: The Exchange Server is requiring certain EAS security features to be enabled and older versions of webOS do not support these security features.

Solution: Update to the latest version of webOS (1.1.0 at the time of this writing)

Workaround: Add Pre users to the Exception List until Palm has posted a fix

 

Issue: Getting the error message "SSL certificate error: Is the date and time correct?" when adding an EAS account

Cause: This can be caused by a few things, but the most common one I have seen is that the FQDN in the Cert does NOT match the external FQDN of the Exchange Server (usually it's pointing to the internal FQDN).

Solution: There a few ways to fix this. I will list the two easiest here. Both involve getting a new cert for the Exchange Server.

Solution 1: Use a wildcard Cert.

Use this solution if your Exchange server has a similar domain structure to the server your Cert is issued to. For example, if your cert is issued to www.domain.com and your Exchange server's public FQDN is mail.domain.com, request a new Cert with *.domain.com in the Subject field. Replace the Cert on the server with the new one everything should start working

 

Solution 2: Use the Subject Alternative Name field.

Use this solution if your Exchange server has a completely different domain structure than what your Cert was issued to. For example, if your Cert was issued to exchange.internaldomain.com and your Exchange server's public FQDN is mail.domain.com, request a new Cert with exchange.internaldomain.com in the Subject field and mail.domain.com in the Subject Alternative Name field. Replace the Cert on the server with the new one and everything should start working.

 

Note: According to http://kb.palm.com/wps/portal/kb/common/article/47857_en.html the Pre supports self-signed Certificates. If you use a self-signed Certificate or use a Certificate Authority not mentioned in the list of the same article, you will need to add the Cert to the Pre. See the next step for information on doing this

Workaround: Turn off SSL on the Exchange Server. Since webOS 1.0.3, the Pre can connect to Exchange servers without the use of SSL. While this is not recommended, it is technically possible.

 

Issue: Getting the error message "Invalid Certificate: The file xxxxx.xxx cannot be opened because it is not a valid security certificate file format." when trying to add a self-signed Certificate or Root Certificate.

Cause: The Pre only supports certain Certificate formats. According to http://kb.palm.com/wps/portal/kb/common/article/47857_en.html these are: PEM (aka Base 64), DER, and PCKS#12. PCKS#7 is NOT supported

Solution: Export the Certificate to a supported format, then add it to the Pre. Here is an easy way to do this (although there are many other methods):

1. Open the Certificate in Windows (double-click on the file)
2. Click the Details Tab
3. Click the Copy to File... button
4. Click the Next button
5. Select a supported format and click the Next button
6. Choose your Desktop and click the Next button
7. Click the Finish button
8. Review KB Article 47857 for steps on how to add this certificate to the Pre

Workaround: None

 

Issue: There are various forms of this one, but the common symptoms are folders are missing or folders are empty after adding an EAS account to the Pre (e.g. I only have the Outbox on my Pre).

Cause: This is a known compatibility issue with Exchange 2007 (no Service Pack)

Solution: Update to the latest webOS version (1.1.0 at the time of this posting. However, this fix has been included since 1.0.3).

Workaround: Upgrade the Exchange Server to SP1

 

Additional Configuration Gotchas:

• The Pre will support connecting to Exchange without SSL, but only if you upgrade to the latest build (1.1.0 at the time of this posting. However, the fix has been included since 1.0.3)
• UPDATE: The latest version of webOS (1.1.0 at the time of this posting) now supports using the IP address in the server name field for Exchange ActiceSync.

 

Geeky Details Section:

 

What the heck is a Root Certificate and why would I need to add it to the Pre?

This has to do with how Certificates work. Certificates are like ID cards that are used to create trust relationships. Since we're dealing with secure connections, we need to trust the server we're connecting to. In order for this trust relationship to work, a middle man is used (this is called a Certificate authority). Think of it like this, your good friend introduces you to a person you've never met before and says "this is a trustworthy person." This is exactly how Certificates work. The Certificate Authority (your buddy) uses it's ID (a Root Certificate) to create an ID (a leaf Certificate) for the person you've never me. This is the techie way of  the Certificate Authority saying "this server is trustworthy". The Root Certificate goes on the Pre and the Leaf Certificate goes on the Server. A list of pre-installed Root Certificates can be found here: http://kb.palm.com/wps/portal/kb/common/article/47857_en.html. If you use a Certificate Authority (CA) that is NOT on that list, you will need to get the Root Certificate for that CA and add it to the Pre before EAS syncing will work

 

What the heck is a Self Signed Certificate and why would I need to add it to the Pre?

A Self-Signed Certificate is a special kind of certificate where a Certificate Authority is not used to validate the information in the Certificate. The easiest way to identify a Self Signed Certificate is to open it with Windows Explorer (double-click on the file) and examine the Issued To and Issued By fields. If they are the exact same, it is a self-signed Certificate. Since the Issued By field won't match any of the pre-installed Root Certificates, you must add the self-signed Certificate to the Pre before EAS syncing will work.

 

I hope this helps in your Pre & EAS setups. Please note I will be updating/adding to this post as I get more information and updates become available.