An HTTP 403 forbidden response was received

    Question

  • I got ActiveSync to work and then we moved. Built a new certificate which now works but somehow I cannot get ActiveSync to work again. When I run the Exchange Remote Connectivity Analyzer I get

    An HTTP 403 forbidden response was received

    I have gone through most of the KB articles regarding ActiveSync and Alan Hardesty's tutorial and I am stumped. Where do I go from here?

     

    Thursday, August 26, 2010 11:08 PM

Answers

All replies

  • Hi,

    Can you post more information about your configuration:

    1. What version of OS and Exchange do you use?

    2. Is this problem with all users?

    3. What tool do you use for Exchange publishing?

    4. Is there any change in your infrastructure after you move?

    5. How do you enroll new certificate?

    Usually this error means errors with SSL or ACLs on the Exchange virtual directories. For the first, you need to check the certificate for the Exchange server - are you sure that it contains the name that you use for mobile access? Besides this, you can take the following steps to check your configuration:

    1. Choose one user with problem that you describe.

    2. Try to get OMA and EAS VD's directly using IE from desktop and from user's phone.

    3. Check all firewall settings - maybe packet filtering is turned on somewhere (http://support.microsoft.com/kb/924216).

    4. Turn off all SSL options on all Exchange servers and try to connect using basic authentication.

    5. Examine all security permissions and permissions inheritance on Exchange VD's and mailboxes.

    6. Examine the user's EAS settings - maybe he/she has turned off ActiveSync.

    7. Examine the user's group membership - maybe you block some groups.

    8. Recreate Exchange VD's.
    "There is no greater pleasure for a cultured person than to destroy a world masterpiece" ©
    Friday, August 27, 2010 2:25 PM
  • I hope I can answer most of your questions;

    1. SBS 2003 and the client machine is XP Pro with SP3.

    2. Yes, all users

    3. Do not understand the question.

    4. Yes we had an IP address change and I made a new cert. Used the same modem

    5. This might be a problem. I used both the wizard in the IIS manager and also the wizard in the network setup. Do they do the same thing? If not we probably have a problem there.

     

    I have deleted the VD's and renewed them, not sure how to check permissions. I have tolerated this problem for several months and remember that there was a test utility for permissions, but I cannot find it.

    I have checked group memberships.

    Should this question be moved to the Test Exchange response area?

     

    Thanks

    Friday, August 27, 2010 9:30 PM
  • It doesn't matter which version you use on the client machine, because ActiveSync is used for synchronization between the server and the mobile device. I'm not sure that I understand you about the certificate and modem - do you use an IP address during ActiveSync connection setup on the mobile device?

    In any case, there are several steps that you can take during troubleshooting (really this list contains more steps than you need, but it's hard to troubleshoot any problem when you don't see the console :) )

    1. You use SBS 2003. Is SP2 for Exchange Server installed? If you use SBS 2003 with SP2 or SBS 2003 R2, then you have all you need; if you use SBS 2003 SP1, then you need to install SP2 for Exchange 2003. (As I understand it, on this step all is fine and you have SP2 installed.)

    2. Check that ActiveSync is enabled at the Organization level and at the User level.

    3. Check your firewall settings. For this you can use telnet from an external machine. (And on this step all must be fine, because you have an HTTP access error.)

    4. Check your Exchange publication on the ISA server (as I understand it, you use ISA for this). This article and this can be useful for you.

    5. If you use SSL, then check the certificate on the Exchange Server - you must be sure that you enrolled the certificate for the name that you use during EAS setup on the device. This means that if you try to connect to mobile.mycompany.domain, then your certificate is enrolled for this name. You can use a certificate with several domain names (and IP addresses) if you need. On the device you need to install the root and user certificates (if you use SSL).

    In my opinion, the best way is to turn off SSL during troubleshooting and use only form-basic authentication.

    6. Try to reset the Exchange VDs again using this KB.

    7. Be sure that your devices are configured correctly.

    Besides this, I recommend that you read the articles about the Exchange Remote Connectivity Analyzer Tool, Configuring Outlook Mobile Access, EAS FAQ and Configuring Exchange for Client Access.

    Hope this will be useful.

    • Proposed as answer by Novak Wu Monday, August 30, 2010 6:54 AM
    Saturday, August 28, 2010 8:10 AM
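
The certificate-name check from point 5 of the reply above, as an added example that is not part of the original thread: it tests whether the host a device is configured with (a DNS name or an IP address) is covered by a certificate's subjectAltName entries. The SAN list and the 203.0.113.x addresses are constructed sample values; `mobile.mycompany.domain` is the placeholder name used in the reply.

```python
import ipaddress

# Constructed sample, in the shape ssl.SSLSocket.getpeercert()["subjectAltName"] returns.
SAMPLE_SAN = (
    ("DNS", "mobile.mycompany.domain"),
    ("DNS", "*.mycompany.domain"),
    ("IP Address", "203.0.113.10"),   # hypothetical address from before the move
)

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Exact match, or a '*' leftmost label that stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(configured_host, san_entries):
    """True if the host the device connects to is named in the certificate."""
    if _is_ip(configured_host):
        # An IP address is only satisfied by an IP SAN entry, never by a DNS name.
        want = ipaddress.ip_address(configured_host)
        return any(kind == "IP Address" and _is_ip(value)
                   and ipaddress.ip_address(value) == want
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, configured_host)
               for kind, value in san_entries)

def check_device_settings(hosts, san_entries):
    """Map each host a device might be configured with to covered / not covered."""
    return {host: cert_covers(host, san_entries) for host in hosts}

if __name__ == "__main__":
    candidates = ["mobile.mycompany.domain", "203.0.113.10", "203.0.113.77"]
    for host, ok in check_device_settings(candidates, SAMPLE_SAN).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered by certificate'}")
```

A device still pointed at an address that is not in the certificate fails this check even though the certificate itself is valid.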
  • Thanks again, I just used the Microsoft Authentication & Access Control Diagnostics 1.0.

    Here is the response for Authentication, not sure how to resolve this.

    Authentication Results
    Url: http://localhost

    Status | Result | Details
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT
    AuthType:Basic
    Server's response: HTTP/1.1 403 Forbidden
    Path:W3SVC/1/ROOT/_private
    AuthType:Anonymous
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/aspnet_client
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Backup
    AuthType:NTLM
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/BrotherM.2
    AuthType:Anonymous
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ClientHelp
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ClientHelp
    AuthType:NTLM
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ConnectComputer
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Exadmin
    AuthType:NTLM
    UNCPassword
    An invalid value for UNCUserName or UNCPassword is causing login to fail.
    Path:W3SVC/1/ROOT/Exadmin
    AuthType:Anonymous
    Test Authentication
    Path:W3SVC/1/ROOT/Exchange
    AuthType:Basic
    Test Authentication
    Path:W3SVC/1/ROOT/Exchange
    AuthType:NTLM
    UNCPassword
    An invalid value for UNCUserName or UNCPassword is causing login to fail.
    Path:W3SVC/1/ROOT/Exchange
    AuthType:Anonymous
    Basic authentication is not a secure authentication protocol. You should consider using Secure Sockets Layer (SSL) for added security.
    Path:W3SVC/1/ROOT/exchange-oma
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 200 OK
    Path:W3SVC/1/ROOT/exchange-oma
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 200 OK
    Path:W3SVC/1/ROOT/exchange-oma
    AuthType:NTLM
    UNCPassword
    An invalid value for UNCUserName or UNCPassword is causing login to fail.
    Path:W3SVC/1/ROOT/exchange-oma
    AuthType:Anonymous
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ExchWeb
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ExchWeb/bin
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/ExchWeb/bin
    AuthType:NTLM
    Basic authentication is not a secure authentication protocol. You should consider using Secure Sockets Layer (SSL) for added security.
    Path:W3SVC/1/ROOT/Microsoft-Server-ActiveSync
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 501 Not Implemented
    Path:W3SVC/1/ROOT/Microsoft-Server-ActiveSync
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 401 Unauthorized
    Path:W3SVC/1/ROOT/Monitoring
    AuthType:NTLM
    Basic authentication is not a secure authentication protocol. You should consider using Secure Sockets Layer (SSL) for added security.
    Path:W3SVC/1/ROOT/OMA
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/OMA
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Printers
    AuthType:NTLM
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Public
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Public
    AuthType:NTLM
    UNCPassword
    An invalid value for UNCUserName or UNCPassword is causing login to fail.
    Path:W3SVC/1/ROOT/Public
    AuthType:Anonymous
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Remote
    AuthType:Anonymous
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Remote
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Remote
    AuthType:NTLM
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/Rpc
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/RpcWithCert
    AuthType:Basic
    Test Authentication

    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/RpcWithCert
    AuthType:NTLM
    Server's response: HTTP/1.1 302 Object Moved
    Path:W3SVC/1/ROOT/tsweb
    AuthType:Anonymous
    Diagnostics complete

    Monday, August 30, 2010 11:00 PM
  • Just to clarify, I used the wizard in the IIS server manager to create the request and then made the cert at GoDaddy and downloaded it and installed it.

     

    In the Server Manager, Internet Settings I also pointed to the certificate when I used the "Set Up an Internet Connection" wizard. I hope that is not a separate function to using the IIS wizard.

     

    Thanks


    Tuesday, August 31, 2010 2:45 AM
  •  

    Hi,

     

    I would like to share with you the following article to troubleshoot the issue.

     

    SBS 2003 + ActiveSync = http 403 / 409 errors

     

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

     

    Hope this helps.


    Novak Wu-MSFT
    • Marked as answer by Alan.Gim Friday, September 03, 2010 8:53 AM
    Wednesday, September 01, 2010 2:24 AM
  • In your logs I found this error:

    "An invalid value for UNCUserName or UNCPassword is causing login to fail.Path:W3SVC/1/ROOT/Exchange"

    I think that this could mean one of two things:

    1. You are using the wrong credentials

    2. You didn't publish Exchange on ISA correctly

    So for the first - try to create a new user and connect to Exchange, and for the second - try to publish Exchange on ISA again using the link I gave above in point 4.


    "There is no greater pleasure for a cultured person than to destroy a world masterpiece" ©
    Wednesday, September 01, 2010 4:12 AM