Hello,
This concerns Exchange, please bear with me.
I just tried to migrate my AD CS role from a 2008R2 to a 2012R2 server, and the migration failed. Unable to go back to the old server for an unknown reason, despite all precautions taken to have a plan to do so.
I then decided to simply install the role on the new server, using the old Root CA certificate. Now, this certificate was renewed to get its expiration date well in the future. All other services that rely on certificates still work, either with the old certificates or the new ones generated by the new role.
Only ActiveSync refuses to take certificates on my mobile devices. Everything else about the Exchange system works (Outlook, OWA, mail flow, etc.; none of these use client certificates to authenticate users). The old certificates worked perfectly before the operation, but now, either new or old, ActiveSync returns a 403. I searched high and low on the forums, documentation, colleagues, without results.
Up to now I've tried:
- Going through the ActiveSync configuration to accept certificates. Everything checks out.
- Made sure all the Root CA certificates are present on all servers.
- Made sure the certificates used on my mobile devices include the Root CA with the client certificate.
- Made sure all the correct rights are applied to the AD objects that are related to CS, although I'm not completely sure about this one. But since certificates work for everything else, I'm inclined to believe this part is OK.
I am frankly at a loss, and would appreciate any ideas on what to look for next.
Thanks