Apple based browser causing schannel errors on Exchange CAS

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Exchange 2010 SP1

I'm getting loads and loads of schannel errors (see pic). I've traced it down to IIS logs and cross checked the times. Seems to be a Mac web client triggering it. The error is bit vague and reads:

The following fatal alert was generated: 20. The internal error state is 960.

The IIS logs show:

2011-02-24 16:14:11 192.168.10.5 POST /owa/ev.owa oeh=1&ns=ReadConversation&ev=ExpIP&cpc=432328;C0:11;C1:159023;C2:10;C3:9;C4:1;C5:1;C6:0;C7:0;C8:0;C9:0;C10:0&pfmk=M40:1298563815126;M5:1298563815163 443 - XX.XXX.XXX.XX Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10_6_6;+en-us)+AppleWebKit/533.19.4+(KHTML,+like+Gecko)+Version/5.0.3+Safari/533.19.4 500 0 64 249

2011-02-24 16:15:06 192.168.10.5 POST /owa/ev.owa oeh=1&ns=PendingRequest&ev=FinishNotificationRequest&UA=0 443 - XX.XXX.XXX.XX Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10_6_6;+en-us)+AppleWebKit/533.19.4+(KHTML,+like+Gecko)+Version/5.0.3+Safari/533.19.4 500 0 64 328

I XXX'ed out IP of the user.

schannel is apparently related to TLS. We have valid third party certs in place and no other browsers cause anything like that. Because it's webmail and not a company owned machine I can't really do anything on the client side myself but can ask the user to make some changes (or maybe even run TeamViewer for me so I can get in)

Any thoughts? I'd like the errors to go.

 

GoDaddy

Extended Key Usage:
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

 

Don't Mac's just "work"?

Sorry, couldn't resist. :P

I'd recommend checking the client-side computer certificate... maybe request a new one.

 

They do, don't they!?!

Will try to get on the machine tomorrow. Not sure if I'll be able to as it's a private machine.

Could be. Weird thing is that we have 8 iPhones 4 and no errors are logged against Active-Sync requests.

 

Thanks for the link Sparky. I'll check the intermediate certificates. Brb

 

Nope. Intermediates are fine. Digicert SSL Tester shows it's all good too.

 

Will ask the user tomorrow. Pollutes my otherwise nearly perfect logs .

Thanks Sparky

 

This is a no-go. Why do you think we have company iPhones? It surely wasn't my idea.

 

Yep! That's us!

You can always tweak Active-Sync policies to make iPhones 'more challenging' for the users though!

 

I'd rep this if that's what rep was intended for.