4.4 OTA breaks certificate-based authentication support

ek001

Member
Jul 18, 2012
15
0
Just upgraded my device to OTA 4.4 and Exchange services crashed every time I opened Email (I kept getting a message "Unfortunately Exchange Services stopped" repeatedly).

After deleting both the email account and the user certificate (we use certificate-based email authentication), I am unable to re-add the Exchange account back (after defining all credentials and parameters, I get a popup that says "Couldn't finish. Can't connect to server."). Additionally, I see a white triangle with an exclamation point inside in the notification bar. When I pull the bar down, the exclamation bar has a caption of "Network may be monitored by an unknown third party". When I click on that caption, I get a new pop-up saying "Network monitoring. A third party is capable of monitoring your network activity, including emails, apps and secure web sites. A trusted credential installed on your device is making this possible". There is a button underneath called "Check trusted credentials" and clicking on that takes me to a "user" portion of the trusted credentials store, where I see my corporate CA certificates.

In general, the issue of certificates issued by a non-public CA generating a "Network may be monitored" message has already been documented in several forums and there is an issue #62076 created for it. However, I suspect that "security features" introduced in KitKat are somehow preventing my device from using my certificate for email authentication (because the device does not trust it). I knew I could count on Google to break the most used feature of my phone (email) and thus render it useless. Another win for the history books.
 

aldouse

Senior Member
Jul 14, 2010
206
31
Milpitas
Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.
 

ek001

> Had the same issue after updating to 4.4. In short, I had to re-push both OA and CA certificates to re-establish the authentication system for work.

I already tried that twice. No joy.

The most annoying part is that I also have a Nexus 10 tablet and it had ZERO problems after upgrading to KitKat (aside from the annoying "your network is being monitored" notification). This means Motorola yet again mucked with the stock Android install and broke it.

Any other ideas? I'd hate to go through the pain of reverting back to 4.3.
 

1ManWolfePack

Senior Member
Jul 11, 2012
2,384
1,758
It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Sent from my XT1060 using Tapatalk
 

ek001

So....here is what the issue is: https://code.google.com/p/android/issues/detail?id=61785

Looks like quite a lot of people are affected by this. I can't believe how sloppy Google's QA is if something as major as this was pushed out of the door.

Now I need to wait for Motorola to incorporate this fix into their build of Android, then for Verizon to "test" it and roll it out via another OTA update. In the meantime, my Moto X is as good as a brick because I can't get my corporate email/contacts/calendar on it.

Ridiculous!
 
mj0528

Senior Member
Feb 10, 2011
928
50
Austin, Tx
Use another client

Touchdown is my client of choice and it works great with KitKat

Sent from my XT1058 using Tapatalk
 

nigebj

Member
Jul 17, 2003
37
1
Network security warning cleared also

> It'll work if you keep deleting, rebooting, then reinstalling the apk for email. At least it did for me. My company issues these certs, and I got it to work eventually.

Can you clarify 'work' - I assume this means it is sync'ing - do you still have the security warning about the certificate, or did this get cleared in your reboot/re-install cycles?

Thanks
 

ek001

Just wanted to update everyone - Google has stated that the issue is fixed "in a future release". One "minor" problem - there is zero information as to which release, as well as when it is going to be rolled out.

So....as of now thousands of people using private certs on KitKat devices are still screwed and this number is growing by the day. In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.
 
Deleted member 2351944

Guest
> In order to make it more convenient to pretend like the issue is minor and insignificant, Google has blocked further comments on issue 61785 after 260 people starred it, so now users that have an issue cannot even report it.

If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?
 

ek001

> Under Exchange settings, Port is 443, Security type is SSL/TLS, client certificate is None.
> Strange, I thought it pushed a CA though when I completed the set up.

That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.
 

lowvolt1

Senior Member
Feb 29, 2012
913
192
> That's the point. This issue only affects users that are using certificates issued by private CAs for ActiveSync authentication. If you are not using certificates, you would not be affected.

Not necessarily true. I use Exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.

via my slapped KIT KAT moto X
 

ek001

> Not necessarily true. I use Exchange email for work and although I can set up my account I cannot receive emails. I can send sometimes. But never receive.
>
> via my slapped KIT KAT moto X

What you are experiencing is a separate issue, so please open a separate thread for it.

The issue being discussed here is a situation where an attempt to use private certificates for authentication while adding an Exchange ActiveSync account to a device running 4.4 results in a bogus "Couldn't finish. Can't connect to server." error message (while the device does not even attempt to go out and establish a connection).
 
ek001

> If the issue is resolved and Google has a rollout plan for the fix, what use is there for further bug reports or reporting? It just becomes noise in their bug tracking system. Is there a purpose for yet more people to say, "hey, yeah, I have this issue too"?

There are several reasons the thread should have remained open:

1. While Google is taking their sweet time to roll out a fix, someone may find a workaround for the issue. A workaround is certainly better than a phone with no email/contacts/calendar (and no, nobody wants to pay for and use those crappy 3rd party email clients).

2. Having 10,000+ people star a thread gives a great indication of how widespread the issue is, hopefully giving Google developers a hint that it needs to be prioritized and rolled out ASAP (as opposed to incorporating it into the next general patch release).

3. Since most handset vendors customize their Android build, the issue may not exist on every handset made by every manufacturer. Someone may report that a particular device is not suffering from this issue, thus making it safe to buy.

4. If and when the fixed version of Android is finally rolled out and the "fix" does not work, users have no way to report it, other than opening a brand new thread and wasting more resources.