Exchange 2007 Active Sync

  • Question

  • We have a client who needs ActiveSync enabled, but they refuse to pay for an SSL cert. We logged in to the server and enabled ActiveSync on an account for testing purposes. When we attempted to sync a device, it gave a logon failure. We began troubleshooting. Following is the information and the steps we have taken so far to resolve the issue.

    Exchange management shell: Test-ActiveSyncConnectivity -allowunsecureaccess

    ClientAccessServer     : CAS name
    Scenario               : Options
    ScenarioDescription    : To retrieve the Exchange ActiveSync protocol version,
                             issue an HTTP OPTIONS command.
    PerformanceCounterName :
    Result                 : Failure
    MailboxServer          :
    StartTime              : 4/1/2011 9:41:40 AM
    Latency                : 00:00:00.0156000
    SecureAccess           : True
    Error                  : This failure occurred because, by default, this task first accesses the server by using a security channel (for example, by using the SSL protocol). If the -AllowUnsecure flag is set, this task will next attempt to access the server by using a method that is not secure. The -AllowUnsecure flag will cause test user credentials to be sent over the network in clear text.


                             [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure.
    UserName               : username
    VirtualDirectoryName   :
    Url                    :
    UrlType                : Unknown
    EventType              : Error
    Port                   : 0
    ConnectionType         : Plaintext

    ClientAccessServer     : CAS name
    Scenario               : Options
    ScenarioDescription    : To retrieve the Exchange ActiveSync protocol version,
                             issue an HTTP OPTIONS command.
    PerformanceCounterName : DirectPush Latency
    Result                 : Failure
    MailboxServer          :
    StartTime              : 4/1/2011 9:41:40 AM
    Latency                : -00:00:01
    SecureAccess           : False
    Error                  : [System.Net.WebException]: The remote server returned an error: (403) Forbidden.

                             HTTP response headers:

                             Content-Length: 0
                             Cache-Control: private
                             Date: Fri, 01 Apr 2011 16:41:40 GMT
                             Server: Microsoft-IIS/7.0
                             X-AspNet-Version: 2.0.50727
                             X-Powered-By: ASP.NET

    Event Viewer logs the following error:

    Product: Exchange
    Event ID: 1031
    Source: MSExchange ActiveSync
    Version: 8.0
    Symbolic Name: UserHasBeenDisabled
    Message: User "%1" cannot synchronize their mobile device with their mailbox because Exchange ActiveSync has been disabled for this user.

    IIS log shows:

    2011-04-01 16:44:01 INTERNALIP GET /Microsoft-Server-ActiveSync/default.eas &Log=Error:UserHasBeenDisabled_ 80 DOMAIN\USERNAME CLIENTIP Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 403 0 0 234

    Steps we have attempted:

    Verified ActiveSync mailbox policies. Non-provisionable devices is set to true. Created a new default policy in the event the original was corrupt.

    Verified the ActiveSync URL is correct.

    Verified permissions on the IIS site.

    Recreated the ActiveSync site.

    Stopped and restarted the app pool sync object.

    Bounced the server.

    Generated a new Exchange self-signed cert.

    Created a new test user with mailbox.

    Dismounted and remounted the information store.

    Verified inheritable permissions on the Active Directory object.

    The result doesn't change and the issue is global.


    Disclaimer 1: As usual I could be way off, so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
    Friday, April 1, 2011 5:23 PM
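The IIS line and the event 1031 entry above carry the same diagnosis: Exchange appended `&Log=Error:UserHasBeenDisabled_` to the request and answered 403, which is the per-mailbox "ActiveSync disabled" state rather than an IIS or certificate problem. The same log line also shows the exposure the thread is arguing about: an authenticated request (`DOMAIN\USERNAME`) on port 80. The checker below is an added example, not code from the original post or from Microsoft. It parses IIS W3C log lines using the `#Fields:` header (the default IIS 7 field set the thread's line is in), pulls apart the `Log=` value Exchange appends to ActiveSync requests on the assumption that it is a run of `_`-separated tokens with failures written as `Error:<Name>`, explains the one token the thread documents, and flags authenticated ActiveSync hits over HTTP. The sample log lines, usernames, IPs and device strings are constructed; `KNOWN_ERRORS` maps only what this thread shows.

```python
"""Classify Exchange ActiveSync failures from IIS W3C log lines.

Added example for this thread, not code from the original post or from
Microsoft. Assumes the default IIS 7 W3C field set and that the "Log="
query-string value Exchange appends to ActiveSync requests is a run of
"_"-separated tokens, with failures written as "Error:<Name>". The
UserHasBeenDisabled -> event 1031 mapping is taken from the thread itself.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

EAS_PATH = "/microsoft-server-activesync/"

# Constructed sample log: the thread's failing request plus a few more hits
# to exercise the other branches. Usernames, IPs and device strings are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-04-01 16:44:01 10.0.0.5 GET /Microsoft-Server-ActiveSync/default.eas &Log=Error:UserHasBeenDisabled_ 80 DOMAIN\\user1 192.0.2.10 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 403 0 0 234
2011-04-01 16:45:13 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 80 DOMAIN\\user2 192.0.2.11 Apple-iPhone/803.148 200 0 0 15
2011-04-01 16:46:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=user3&DeviceId=ABC123&DeviceType=iPhone&Log=V121_Ssl1_ 443 DOMAIN\\user3 192.0.2.12 Apple-iPhone/803.148 200 0 0 120
2011-04-01 16:48:00 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=user4&DeviceId=DEF456&DeviceType=iPhone 443 DOMAIN\\user4 192.0.2.14 Apple-iPhone/803.148 403 0 0 50
2011-04-01 16:47:30 10.0.0.5 GET /owa/ - 80 - 192.0.2.13 Mozilla/5.0 401 2 5 3
"""

# Error tokens we can explain. Only the one the thread documents is listed;
# anything else is reported as unrecognised rather than guessed at.
KNOWN_ERRORS = {
    "UserHasBeenDisabled": (
        "ActiveSync is disabled on the mailbox (MSExchange ActiveSync event 1031); "
        "check Get-CASMailbox <user> | fl ActiveSyncEnabled"
    ),
}


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    status: int
    kind: str    # cleartext-credentials | eas-error | http-error
    detail: str


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("request line seen before any #Fields header")
        values = line.split(" ")  # W3C encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def eas_log_tokens(query: str) -> list[str]:
    """Return the '_'-separated tokens of the Log= parameter, or [] if absent."""
    for part in query.lstrip("&").split("&"):
        if part.startswith("Log="):
            return [t for t in part[len("Log="):].split("_") if t]
    return []


def analyse_log(text: str) -> list[Finding]:
    """Walk the log and return one Finding per security- or failure-relevant observation."""
    findings: list[Finding] = []
    for e in parse_w3c(text):
        if not e["cs-uri-stem"].lower().startswith(EAS_PATH):
            continue
        user, port, status = e["cs-username"], e["s-port"], int(e["sc-status"])
        common = dict(time=f"{e['date']} {e['time']}", user=user, client_ip=e["c-ip"], status=status)

        # The EAS virtual directory uses HTTP Basic authentication by default, so an
        # authenticated hit on port 80 means the password crossed the wire
        # base64-encoded rather than encrypted: the exposure the thread debates.
        if user != "-" and port == "80":
            findings.append(Finding(**common, kind="cleartext-credentials",
                                    detail="authenticated ActiveSync request over HTTP (port 80)"))

        errors = [t[len("Error:"):] for t in eas_log_tokens(e["cs-uri-query"]) if t.startswith("Error:")]
        for name in errors:
            findings.append(Finding(**common, kind="eas-error",
                                    detail=f"{name}: {KNOWN_ERRORS.get(name, 'unrecognised ActiveSync error token')}"))
        if status >= 400 and not errors:
            findings.append(Finding(**common, kind="http-error",
                                    detail=f"HTTP {status} with no ActiveSync error token; check IIS and auth settings"))
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.time} {f.user:<14} {f.client_ip:<12} {f.status} {f.kind}: {f.detail}")
```

Run against a real log, the `eas-error` findings tell you which failures are mailbox-side (and therefore will not move no matter how often the virtual directory is recreated), while the `cleartext-credentials` count is the number of times a domain password went over the wire unprotected, which is a concrete figure to put in front of a client who will not pay for a certificate.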

Answers

  • I assume that you have also checked ActiveSync feature on the mailbox, right?

    Get-CASMailbox -Identity TestUser | Fl *ActiveSync*

    Please browse the “Microsoft-Server-ActiveSync” virtual directory; the expected behavior should be a “501/505” error.

    The same error information still appears for test mailbox?

    Test-ActiveSyncConnectivity -MailboxCredential "TestMailbox" -AllowUnsecureAccess

    Please increase the diagnostic logging level of the ActiveSync component on the CAS server, reproduce the issue, and then check if there’s any related event in the application log.

    Diagnostic Logging of Exchange Processes

    Please use example 3 in this article to get the ActiveSync mailbox log, which could help with troubleshooting.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Proposed as answer by Alan.Gim Friday, April 8, 2011 6:54 AM
    • Marked as answer by Alan.Gim Monday, April 11, 2011 1:43 AM
    Thursday, April 7, 2011 6:47 AM

All replies

  • Do not use the Exchange self-signed certificate for remote access. Your client should use a 3rd party certificate of course. The cost for the certificate is nothing compared to the management nightmare cost. You can use the Windows PKI cert, but then you have to ensure the mobile device trusts the certificate chain. 3rd party certs are the only real option here.

    http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx

    The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.



    Friday, April 1, 2011 5:47 PM
  • We have informed the client of this; however, they do not care. We set ActiveSync to HTTP and verified the IIS site settings.


    Disclaimer 1: As usual I could be way off, so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
    Friday, April 1, 2011 6:19 PM
  • And "SSL is required" is not checked in IIS?

    You can also test here:

    https://www.testexchangeconnectivity.com/

    Friday, April 1, 2011 7:36 PM
  • Correct, SSL is not required, and I have used testexchangeconnectivity with no viable results to speak of.
    Disclaimer 1: As usual I could be way off, so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
    Friday, April 1, 2011 7:51 PM
  • Is it impossible to convince the customer to let you install an internal Certificate Authority (if not already present) and to issue a certificate to Exchange so that SSL encryption is possible? I'm always blown away by the fact that customers count nickels and dimes and in the process are willing to totally circumvent basic security protection measures.

    To continue down this unencrypted path, revealing passwords in clear text, is ... disastrous.


    Jesper Bernle | Blog: http://xchangeserver.wordpress.com
    Friday, April 1, 2011 8:32 PM
  • I am on board with you... ah, the life of an MSP, however. I know that months from now, when something bad goes down, it will be our fault; however, what I have is what I have at the moment.
    Disclaimer 1: As usual I could be way off, so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
    Friday, April 1, 2011 9:39 PM
  • How's the issue currently? Any further information?
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Saturday, April 9, 2011 11:16 AM