Showing posts with label ssl. Show all posts

Monday, March 26, 2012

Merge Replication using SSL on a Windows Mobile 5.0 device

Dear ppl,

I have a Windows Mobile 5.0 application that synchronises with SQL Server 2005 (Merge Replication). The replication works fine without SSL. But when using SSL it doesn't work. On the device I get an error

28037, A request to send data to the computer running IIS has failed.

I have created a Wild Card Certificate (*.domain-name.net) using Microsoft Certificate Services (Stand Alone) and set up the replication website, with the replication virtual directory under it, in IIS to use this certificate. The host header for the replication site is set to "sql.domain-name.net". I have bound the host headers to the port as well.

I can access the https://sql.domain-name.net/replication/sqlcesa30.dll from remote computer and device and it says Microsoft SQL Server Compact Edition Server Agent, that means it is setup correctly.

I have installed the certificate authority and its wild card certificate in the device's Root Certificates. Now when I call repl.Synchronize() from the device, it throws an exception with error 28037, A request to send data to the computer running IIS has failed.

which i think means, it can't find the service url.

I am not sure what the problem is... something to do with Trust - SSL certificates... Is there anything I am missing?

Awaiting,

|||

Just try to rule out the obvious - you have specified "https://" instead of "http:" in the application source code, right?

Did you run the sync app with the same Windows credentials as when running "https://sql.domain-name.net/replication/sqlcesa30.dll" from IE?

Thanks.

|||

thanx for the response Zhou... well I'm not using any authentication. I have set up the replication website Directory Security in IIS as Anonymous Access... Is it necessary to use credentials (any authentication: Windows, basic etc.)?

Awaiting,

|||

It would be nice to try different credentials, at least the basic authentication, Windows username and password.

However, you need to specify this information in your application code.

This posting is provided AS IS with no warranties, and confers no rights.

|||

Nabeel -

I'm interested in what you find out.

I've been using SSL (with a certificate I created using Windows Server Certification Authority) with merge replication to SQL Server 2000 for a few years now. I'm in the process of trying to figure out how to migrate to SQL Server 2005 and SQL Server CE 2005. But I'm also noticing that Internet Explorer 7.0 can throw some very, very nasty messages to users browsing to my web site -- apparently, IE 7 sees these non-trusted certificates as a major security threat. So I'm now exploring how to deploy with a trusted certificate.

I'll keep an eye on how this thread develops and I'll post as I learn more information. Hope you will do the same.

Larry

|||

Nabeel -

Doing some research, you might want to take a look at this:

http://support.microsoft.com/kb/266695/EN-US/

Larry

|||

well if u take a look at this http://download.microsoft.com/download/6/d/9/6d9ab586-5bed-4cfc-b28b-d83dadb85b42/Windows_Mobile_Devices_and_Security_Proecting_Sensitive_Business_Information.pdf

It says that the Internet Explorer Mobile Web browser included in Pocket PC and Smartphone software uses 128-bit SSL (https) and PCT encryption technologies to access secured Web sites. In earlier versions, the High Encryption Pack may be required to upgrade from the native 40-bit encryption to 128-bit encryption. So I think it is not required to install the High Encryption Pack. However I tried to install it on a couple of WM5.0 devices and after installing and restarting the devices, the devices stopped working for some reason :) ... so I had to do a factory restart

|||

hi,

your device MUST recognize the certificate's CA. you should export your CA's root certificate into .cer file (via http://myca/certsrv/), copy it to the device, and import it into trusted root CA store there (just tap it and confirm). AFAIR you also need to do a soft-reset.

you can test if your device recognizes the site's certificate by launching IE on the device and going to the merge agent address. for merge replication over SSL to work you can not have any warnings about the certificate when opening the site using device's browser.

hth

kamil nowicki

|||

thanx for the response Kamil ... I have already installed the CA certificate on the device... the problem is when i access the merge replication address through IE on the device... it gives me the warning that "The name of the certificate is invalid or does not match the name of the site"

It also says that the certificate is from a trusted certifying authority and the certificate date is valid.

The certificate I am using for the merge replication website is a Wild Card Certificate (i.e. *.domnin-name.net) and the host header is "sql.domain-net.net"

If i install the certificate on a desktop PC and access the merge replication address through IE, it works fine without any warning. It says that the root CA has identified the site as sql.domain-net . However on the device it can not resolve the host header for some reason. I tried installing both Root CA and Wild card certificate on the device , but no use.

Any idea what could be the problem?

Awaiting,

|||

oops, looks like i did not read the entire message and wrongly assumed what the error was... sorry

i am not certain if PPC devices understand what a wildcard certificate is... maybe that's the problem?

also, from my experience, if mobile IE gives you even a minor warning when accessing the agent hosted on IIS then the replication won't work.

could you try using a non-wildcard certificate and post the results ?
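The name check behind the warning discussed in this thread, as an added example (not code from any poster or from Microsoft): it tests a sync URL's host against a certificate's names twice, once with wildcard matching and once exact-only, the second pass modelling the untested hypothesis above that the device does not honour wildcard certificates. The function names and verdict labels are assumptions of this example; the URL and wildcard name are the ones quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit


def _labels(name):
    # DNS names compare case-insensitively; a trailing root dot is ignored.
    return name.strip().rstrip(".").lower().split(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches(host, pattern, allow_wildcard=True):
    """Return True if the certificate name `pattern` covers `host`.

    Wildcards are accepted only as the entire left-most label, stand for
    exactly one label, and need at least two fixed labels to their right.
    allow_wildcard=False models a client that only does exact comparison
    (an assumption used to illustrate the thread's hypothesis).
    """
    h, p = _labels(host), _labels(pattern)
    if "" in h or "" in p or len(h) != len(p):
        return False
    if "*" not in pattern:
        # Simplification: an IP literal is compared as text here, whereas
        # real clients compare it against IP-address entries in the cert.
        return h == p
    if not allow_wildcard or _is_ip(host):
        return False  # wildcards never apply to IP literals
    return (p[0] == "*" and len(p) >= 3
            and "*" not in "".join(p[1:]) and h[1:] == p[1:])


def diagnose(url, cert_names):
    """Classify how the host in `url` relates to the certificate names.

    Returns (verdict, matching_names) where verdict is one of:
      "match"          an exact name covers the host on any client
      "wildcard-only"  covered only if the client honours wildcards
      "mismatch"       no name covers the host; expect a name warning
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    exact = [n for n in cert_names if matches(host, n, allow_wildcard=False)]
    if exact:
        return "match", exact
    wild = [n for n in cert_names if matches(host, n, allow_wildcard=True)]
    if wild:
        return "wildcard-only", wild
    return "mismatch", []


if __name__ == "__main__":
    # Values quoted in the thread; the IP address is a constructed sample.
    sync_url = "https://sql.domain-name.net/replication/sqlcesa30.dll"
    for url, names in [
        (sync_url, ["*.domain-name.net"]),
        (sync_url, ["sql.domain-name.net"]),
        ("https://192.0.2.10/replication/sqlcesa30.dll", ["*.domain-name.net"]),
    ]:
        print(url, names, "->", diagnose(url, names))
```

A "wildcard-only" verdict means the result depends on the client, which is why the suggested non-wildcard certificate is a useful test.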


Monday, March 19, 2012

Merge replication over SSL

Hi All.

Hope you can shed some light on this for me. We have set up a merge replication between a SQL Compact SDF database and a SQL 2005 server located in a different domain; the communication is over SSL. If I sync the subscription from the SQL Server 2005 Management Console the sync works fine, however if I try to sync from my application the sync fails.

Thanks in advance

Scott McKechnie

|||

Scott, without wanting to sound unhelpful there really isn't enough information here for anyone to help you out (other than to point you at the documentation, which I'm assuming you already have). Can you please provide more information about the error that is being thrown and the configuration you have set up (for example, is the SSL cert self-signed, can you reach the sync url (http://<server>/<virtualdir>/sqlcesa30.dll) etc.)?

|||

Hi,

I think we have a similar problem here. We are trying to perform merge replication between a MS SQL 2005 server and a Mobile Edition database over SSL.

We get an exception "A request to send data to the computer running IIS has failed" when we tried to perform replication via my mobile application.

However, when I tried to access the sqlcesa30.dll via a browser on the device, we encountered no problem.

Is there some code we have to write which we are missing? I am asking this because we started off writing our mobile application with no SSL in mind. So what we have for the replication object parameters are only as follows:

_repl.InternetUrl = @"https://xxx/mobypub/sqlcesa30.dll";
_repl.Publisher = @"xxx";
_repl.PublisherDatabase = @"mobiDB";
_repl.PublisherSecurityMode = SecurityType.NTAuthentication;
_repl.Publication = @"mobiPub";
_repl.Subscriber = @"mobiPub";

What could be causing the problem? Please enlighten. Thanks a lot.


Saturday, February 25, 2012

Merge replication and SSL

Hi Readers,

I am currently working on a merge replication scenario. I managed to synchronize some SQL Server 2005 database tables with my SQL Server 2005 Mobile Edition database.

Now I want to focus on security. I know that I want to do basic authentication together with SSL. I used selfssl from the IIS resource kit to produce a certificate for IIS.

How do I install the ssl certificate on the mobile device? Do I need some tools? Do I need to export that certificate and if yes, how do I do that?

Can you give me some general hints how to solve this as I am totally stuck and don't know where to start.

Regards
Tobias

|||

Tobias,

Here is what you'll need to do:

1. get a test certificate from Verisign - this process will generate a .CER file. I have had trouble getting this to work with certificates generated by the IIS Resource Kit and you can get test certs from Verisign for free. click on Free SSL Trial Certificate on this site: http://www.verisign.com/products-services/security-services/ssl/index.html

2. copy the .CER file to the mobile device. Once there, simply tap on the .CER file and PPC2003 and later devices will ask you if you want to install this certificate on the device - say yes.

3. re-run the SQL Mobile Configure Web Replication wizard on the server and provide the information about your SSL cert - specify that SSL is required and you wish to use Basic Auth

4. in your mobile app, be sure to change the replication url from http to https and provide the InternetUser and InternetPassword properties to get through Basic Auth.

First test that you can get to https://{serverIP}/{virt dir}/sqlcesa30.dll in Pocket IE on your device - of course you will be prompted for Basic Auth credentials - but this will verify that your transport and the SSL encryption on that transport are working. Then transition to testing your actual mobile device.

-Darren

|||

I want to add one more thing to this - it would appear that Verisign SSL certificates on Windows Mobile 5 devices are problematic for merge replication between SQL Mobile and SQL Server 2005. Certificates from Thawte http://www.thawte.com/ work fine. I am pursuing a better explanation as to why this is and will keep everyone posted. This is only true for Windows Mobile 5 devices - Verisign certs work just fine with merge replication on PPC2003 devices.

Darren