ActiveSync not working

    Question

  • Hey All,

    First off I'm not an Exchange expert by any measure of the word.

    I'm working on migrating 2007 to 2010. I have a couple problems that may be cert related. One is that ActiveSync won't work. The other is that Outlook 2011 keeps prompting for authentication every few minutes.

    I ran the connectivity analyzer and it indicated that I have a cert trust issue. Below is the output.

    The certificate chain didn't end in a trusted root. Root = CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    I have a Verisign EV cert installed on my pair of F5 BIG-IP load balancers. The F5 boxes front end a couple of 2010 CAS servers. The names on the cert are mail.domain.com and autodiscover.domain.com.

    Any ideas?

     


    --Patrick
    Tuesday, March 15, 2011 4:49 PM

Answers

  • Aaaaaah! It just started working. The last thing I tried was allowing permissions inheritance on the AD account.

    Well thanks for reading along while I pulled my hair out.

     

     


    --Patrick
    • Marked as answer by Patrick Brown Tuesday, March 15, 2011 5:50 PM
    Tuesday, March 15, 2011 5:49 PM

All replies

  • Okay, I made some progress. I was missing the intermediate cert from Verisign on my F5 boxes. That is fixed. I still cannot get ActiveSync to work.

    If I go to this URL, I get prompted for credentials. Nothing I enter will get me in.

    https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml

    Here is some other output from the utility:

    ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user email@domain.com.
    ExRCA failed to obtain an Autodiscover XML response.
    Additional Details
    A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.

    ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/ for user email@domain.com.
    ExRCA failed to obtain an Autodiscover XML response.
    Additional Details
    The Autodiscover XML response received by ExRCA was invalid. Exception: Exception details:
    Message: There is an error in XML document (0, 0).
    Type: System.InvalidOperationException
    Stack trace:
    at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
    at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
    at Microsoft.Exchange.Tools.ExRca.Tests.AutoDiscover.AutoDiscoverGetXMLBase`2.Discover()
    Exception details:
    Message: There is an error in XML document (0, 0).
    Type: System.InvalidOperationException
    Stack trace:
    at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
    at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
    at Microsoft.Exchange.Tools.ExRca.Tests.AutoDiscover.AutoDiscoverGetXMLBase`2.Discover()

    This is looking like a permissions issue to me but again, I'm no expert.

    Any help would be appreciated.

     


    --Patrick
    Tuesday, March 15, 2011 5:41 PM
  • I had a similar configuration and experienced the same error from ExRCA:

    Additional Details
      The certificate is not trusted on any version of Windows Phone device. Root = CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    It turned out that while I did have a root certificate expiring in 2036, this one needed to be deactivated, and another imported.  This resulted in a 4-level certificate chain.



    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Wednesday, June 06, 2012 3:43 AM
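
The missing-intermediate failure reported in this thread can be reproduced offline. The script below is an added example, not part of any post here: it builds a constructed root, intermediate and leaf, then checks the leaf against the root with and without the intermediate supplied. It assumes the `openssl` CLI (1.1.0 or later) is on the PATH; the CA names are made up, and the host names are the ones given in the question.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every CA name here is made up.
set -eu

# issue NAME SUBJECT EXTFILE SERIAL [CA_NAME]; without CA_NAME the cert is self-signed
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" -set_serial "$4" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$4" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.domain.com,DNS:autodiscover.domain.com\n' > "$d/leaf.ext"
  issue "$d/root"  "/CN=Demo Root CA"         "$d/ca.ext"   1
  issue "$d/inter" "/CN=Demo Intermediate CA" "$d/ca.ext"   2 "$d/root"
  issue "$d/leaf"  "/CN=mail.domain.com"      "$d/leaf.ext" 3 "$d/inter"
}

# chain_ok ROOT LEAF [INTERMEDIATE]: succeeds only if LEAF chains to ROOT using
# nothing beyond the certificates the server is assumed to send to the client.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

demo=$(mktemp -d)
build_demo_pki "$demo"
chain_ok "$demo/root.pem" "$demo/leaf.pem" \
  && echo "leaf only: trusted" || echo "leaf only: chain does not reach the root"
chain_ok "$demo/root.pem" "$demo/leaf.pem" "$demo/inter.pem" \
  && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: untrusted"
```

A client that trusts only the root behaves like the first call, which is why the intermediate has to be installed on the device that terminates TLS.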