
MfE and user certificate authentication problem


Hello!

We have various mobile devices (iPhones, WinMobile) synchronizing e-mail successfully, but I'm stuck with Nokia E51 and MfE. I hope someone can help.

Environment -------
Mailserver: Exchange 2007 SP1
Hubservers: IIS7 (.NET 3.5 SP1)
Phone: Nokia E51 v400.34.011
MfE: 2.09.158

We have enabled basic authentication in IIS settings, but certificates are required for ActiveSync, so there is no basic authentication used. Certificate mapping is enabled.

Certificates installed in phone's Certificate store -------
Authority certificates:
   self-signed Root_CA and Sub_CA certificates
Trusted sites certificates:
   certificate for our hub server (signed by Sub_CA)
Personal Certificates:
   user certificate for client authentication (signed by Sub_CA)

Symptoms -------
Synchronization fails with: "Communication Error. Try again later".
MfE never asks what client certificate to use.

I traced IP packets on hub server, and this is what I've got:
1. (Cl) --> (Srv) Client Hello
2. (Cl) <-- (Srv) Server Hello, Key Exchange
3. (Cl) --> (Srv) Key Exchange, Change Cipher Spec, Finished
4. (Cl) <-- (Srv) Change Cipher Spec, Finished
5. (Cl) --> (Srv) HTTP req, ActiveSync OPTION command, Basic Authentication
6. (Cl) <-- (Srv) Hello Request
7. (Cl) --> (Srv) Alert (Warning, No renegotiation)
8. (Cl) <-- (Srv) RST


So, the problem is in step 7: after the server has asked for renegotiation to ask for a client certificate, MfE returns a TLS alert - NO RENEGOTIATION.
As the certificates are required but renegotiation is not possible, the server closes the connection.
It seems like MfE doesn't have the ability to provide a certificate for the user.

Questions -------
1. What parameters in the client certificate are critical for MfE to work?
2. Does MfE support a certificate chain like Root_CA -> Sub_CA -> User?
3. Any other ideas?

 

Thanks in advance!

k.
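Added example, not part of the original post: a small Python decoder that walks a trace shaped like steps 1-7 above and reports whether the server's first flight carried a CertificateRequest or whether the request was left to a later HelloRequest that the client answered with the warning alert no_renegotiation (100). The byte strings are constructed, assume already-decrypted TLS 1.0 records with empty handshake bodies, and the helper names `rec`, `hs` and `diagnose` are hypothetical.

```python
import struct

HANDSHAKE = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
             16: "client_key_exchange", 20: "finished"}
CCS, ALERT, HS, APPDATA = 20, 21, 22, 23  # TLS record content types
NO_RENEGOTIATION = 100  # alert description from step 7, sent at warning level (1)

def parse_records(buf):  # split plaintext bytes into (content_type, payload) records
    out, i = [], 0
    while i < len(buf):
        ctype, _ver, length = struct.unpack_from("!BHH", buf, i)
        if i + 5 + length > len(buf):
            raise ValueError("truncated record")
        out.append((ctype, buf[i + 5:i + 5 + length]))
        i += 5 + length
    return out

def events(sender, buf):  # yield (sender, label) for each message in the records
    for ctype, body in parse_records(buf):
        if ctype == HS:  # one record may carry several handshake messages
            j = 0
            while j + 4 <= len(body):
                yield sender, HANDSHAKE.get(body[j], f"handshake_{body[j]}")
                j += 4 + int.from_bytes(body[j + 1:j + 4], "big")
        elif ctype == ALERT and len(body) == 2:
            yield sender, f"alert:{body[0]}:{body[1]}"  # level:description
        else:
            yield sender, {CCS: "change_cipher_spec", APPDATA: "app_data"}.get(ctype, "other")

def diagnose(trace):
    ev = [e for sender, buf in trace for e in events(sender, buf)]
    if ("srv", "hello_request") not in ev:
        return "no renegotiation requested"
    k = ev.index(("srv", "hello_request"))  # first server-initiated renegotiation
    refused = ("cl", f"alert:1:{NO_RENEGOTIATION}") in ev[k:]
    if refused and ("srv", "certificate_request") not in ev[:k]:
        return "certificate request deferred to renegotiation, client refused"
    return "renegotiation refused" if refused else "renegotiation requested"

def rec(ctype, payload):  # sample-building helper: TLS 1.0 record header + payload
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def hs(msg_type, body=b""):  # sample-building helper: handshake header, empty body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
# Constructed sample mirroring steps 1-7 (step 8, the RST, is TCP and not a TLS record)
TRACE = [("cl", rec(HS, hs(1))), ("srv", rec(HS, hs(2) + hs(11) + hs(14))),
         ("cl", rec(HS, hs(16)) + rec(CCS, b"\x01") + rec(HS, hs(20))),
         ("srv", rec(CCS, b"\x01") + rec(HS, hs(20))), ("cl", rec(APPDATA, b"HTTP request")),
         ("srv", rec(HS, hs(0))), ("cl", rec(ALERT, bytes([1, NO_RENEGOTIATION])))]
print(diagnose(TRACE))
```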
