active sync failure

  • Question

  • Dears,

    I have a 2016 Exchange server configured in a DAG environment, and I have a public certificate issued from GoDaddy to the server. My Exchange organization is not published to the internet (just internal URLs are configured).

    I'm following the below issue:

    i connected my phone to the lan network, my phone can reach the exchange servers and i tried to add my exchange account on the mobile it is failing.

    I went to the shell and executed Test-ActiveSyncConnectivity; it is returning the following error:

    the underlying connection was closed: could not establish trust relationship for the ssl/tls secure channel. inner error.. the remote certificate is invalid according to the validation procedure.

    can you advise please?

    thank you

    Monday, January 21, 2019 2:48 PM

All replies

  • And Autodiscover for Outlook is working properly, and it's not returning that the certificate is invalid.

    any suggestions guys?

    Tuesday, January 22, 2019 6:25 AM
  • Hello,

    >>i connected my phone to the lan network, my phone can reach the exchange servers and i tried to add my exchange account on the mobile it is failing.

    How did you determine that your phone can reach the Exchange server?

    You may try testing with a specific URL to see the result:

    Test-ActiveSyncConnectivity -URL "https://mail.contoso.com/Microsoft-Server-ActiveSync"

    Here is an article that describes an issue similar to the one you are encountering; you may have a look at it and see whether it matches your situation:

    The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Besides, you can try using the ActiveSync troubleshooter and see whether it helps:

    Troubleshoot ActiveSync with Exchange Server

    Regards,
    Steve Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Tuesday, January 22, 2019 8:21 AM
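
Added example, not part of any reply in this thread: a PowerShell check for the "remote certificate is invalid" error. For a given host name it reports whether that name appears in the certificate's subject alternative names and whether the chain builds on the machine running the test. `Test-TlsCertificate` and `exch01.corp.example` are hypothetical names; the SAN parsing assumes the "DNS Name=" (Windows, English) or "DNS:" text format.

```powershell
function Test-TlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Diagnostic only: accept whatever the server presents so it can be inspected afterwards.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain with this machine's trust store and default (online) revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # Pull DNS names out of the subjectAltName extension (OID 2.5.29.17).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $names = @([regex]::Matches($sanText, 'DNS(?: Name=|:)([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })

    # A wildcard entry covers exactly one label; every other entry must match the whole name.
    $nameOk = $false
    foreach ($n in $names) {
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { $nameOk = $true }
    }

    [pscustomobject]@{
        HostName    = $HostName
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        SanNames    = $names -join ', '
        NameMatches = $nameOk
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Compare the published namespace with a server's own FQDN (second name is a constructed placeholder).
'webmail.domain.com', 'exch01.corp.example' | ForEach-Object { Test-TlsCertificate -HostName $_ } | Format-List
```

A row with `NameMatches` false means the certificate does not cover the name that was tested; a `ChainStatus` that mentions revocation means the machine could not check the issuer's revocation information.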
  • Hello,

    >>i connected my phone to the lan network, my phone can reach the exchange servers and i tried to add my exchange account on the mobile it is failing.

    I meant that I connected my phone to the Wi-Fi, and the Wi-Fi is routed to use the same network connection used by the clients.

    The thing is that the certificate is valid, as Outlook is working properly on the client side, and the certificate contains webmail.domain.com and autodiscover.domain.com and it is installed on the Exchange servers using the ECP.


    Tuesday, January 22, 2019 9:06 AM
  • hey again,

    i have an update on the error:

    I used the following: test-activesyncconnectivity -url "https://webmail.xx" and it returned another error:

    the user and the mailbox are in different active directory sites.

    However, I just have one AD site, so it makes no sense to throw this error.

    could you advise please.


    Tuesday, January 22, 2019 4:58 PM
  • The issue is giving me a headache. I even created a new ActiveSync policy allowing all the devices and assigned it to a specific user, and then ran test-active.. with the credentials of the user, and it is returning failure with: the remote server returned an error : (403) forbidden

    http response headers:

    content-length: 0

    date:

    server: microsoft-iis/8.5

    ......  

    best regards

    Wednesday, January 23, 2019 9:12 AM
  • Thank you for the update.

    Have you tried using the ActiveSync troubleshooter to see whether it helps?

    Besides, please run Get-ActiveSyncVirtualDirectory and get back to us with the result.

    Regards,
    Steve Fan



    Thursday, January 24, 2019 9:31 AM
  • hey dear,

    i have an update.

    Users were migrated from an exchange server 2007 to 2013 before getting migrated to 2016.

    I just realized that ActiveSync is working perfectly for users created directly on Exchange 2016.

    The issue is just with the migrated users.

    Moreover, ActiveSync was not tested before on either the 2007 or the 2013.

    it is now on the 2016 that we began to test it.

    tried to enable inheritance on some migrated users and it is not working.

    can you advise please

    Thursday, January 24, 2019 9:59 AM
  • dears,

    i'm working in an environment where exchange server was migrated from 2007 to 2013 and now to 2016.

    i have an issue only on activesync on exchange 2016, all other virtual directories are working and outlook is working too.

    the thing is if i create a new user on exchange 2016, the activesync works.

    but with all the previous migrated users it does not work, and activesync is enabled on all the mbx.

    tried to enable inheritance on some users to test but it still not working.

    your help would be appreciated as im stuck on this for the past 3 days.

    nb: exchange server is not published to the internet, it just works internally.

    thank you

    • Merged by Steve Fan Friday, January 25, 2019 2:05 AM duplicate post
    Thursday, January 24, 2019 10:03 AM
  • Hello , 

    What do the IIS logs on the Exchange Server 2016 report? Do they report any error codes about the ActiveSync connectivity for the mailboxes migrated to Exchange Server 2016?

    What is the status for the below mentioned commands?

    $credential = Get-Credential -UserName nithya -Message "Enter password"
     
    Test-ActiveSyncConnectivity -MailboxCredential $credential


    Thanks & Regards S.Nithyanandham

    Thursday, January 24, 2019 3:36 PM
  • dears,

    i'm working in an environment where exchange server was migrated from 2007 to 2013 and now to 2016.

    i have an issue only on activesync on exchange 2016, all other virtual directories are working and outlook is working too.

    the thing is if i create a new user on exchange 2016, the activesync works.

    but with all the previous migrated users it does not work, and activesync is enabled on all the mbx.

    tried to enable inheritance on some users to test but it still not working.

    your help would be appreciated as im stuck on this for the past 3 days.

    nb: exchange server is not published to the internet, it just works internally.

    thank you

    What does this mean?

    "tried to enable inheritance on some users to test but it still not working."

    You mean it wasn't enabled before? It failed when you tried to enable it?

    Thursday, January 24, 2019 9:40 PM
  • Hi andy,

    What does this mean?

    "tried to enable inheritance on some users to test but it still not working."

    You mean it wasnt enabled before? It failed when you tried to enable it

    Enabling inheritance on the user level could be a solution for this kind of issue. I meant that ActiveSync for users migrated from 2013 to 2016 is not working whether the inheritance is enabled or not.

    any more ideas?

    Friday, January 25, 2019 6:25 AM
  • this is the output of 

    $credential = Get-Credential -UserName nithya -Message "Enter password"
     
    Test-ActiveSyncConnectivity -MailboxCredential $credential

     for a migrated user.

    best regards,


    Friday, January 25, 2019 7:34 AM
  • hi guys,

    the issue was fixed by editing the security for RSA and ISA servers and activesync is working for all devices with the mail application embedded in mobile phones.

    but with the outlook app the activesync isn't working.

    anyone has an idea about that?

    thank you

    Friday, January 25, 2019 12:42 PM
  • Thank you for the updated info. Do you mean that within the native mail app of your mobile phones the account can be added successfully, but it doesn't work when using the Outlook for Android/iOS app? What error did you get when it failed to connect in the Outlook for Android/iOS app?

    Regards,
    Steve Fan



    Monday, January 28, 2019 9:43 AM
  • hi steve,

    Yes, that's true. It shows that it couldn't retrieve the server settings for the account. I tried it on many devices and many users; the Outlook app is the only thing not working with ActiveSync.

    Monday, January 28, 2019 9:47 AM
  • Thank you for the update.

    You may try the following steps to assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects, then see whether this issue continues:

    1. Start Active Directory Users and Computers.
    2. Click View, and then click to enable Advanced Features.
    3. Right-click the object where you want to change the Exchange Server permissions, and then click Properties. Note: You can change permissions against a user, an organizational unit, or a domain.
    4. On the Security tab, click Advanced.
    5. Click Add, type Exchange Servers, and then click OK.
    6. In the Apply to box, click Descendant msExchActiveSyncDevices objects.
    7. Under Permissions, click to enable Modify Permissions.
    8. Click OK three times.

    Regards,
    Steve Fan



    • Proposed as answer by Steve Fan Thursday, January 31, 2019 1:33 AM
    Tuesday, January 29, 2019 8:55 AM
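
Added example, not part of the reply above: a read-only PowerShell audit for the permission change described in steps 1 to 8. For each user under a search base it reports whether ACL inheritance is disabled and whether an allow ACE granting Modify Permissions (WriteDacl) to Exchange Servers on descendant msExchActiveSyncDevices objects is present. It assumes the ActiveDirectory RSAT module; `Get-ActiveSyncAclState` and the OU path are hypothetical.

```powershell
Import-Module ActiveDirectory

function Get-ActiveSyncAclState {
    param([Parameter(Mandatory)][string]$SearchBase)   # an OU or domain DN to audit

    # ACEs reference object classes by schema GUID, so resolve msExchActiveSyncDevices first.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
    $easGuid = New-Object System.Guid (,[byte[]]$cls.schemaIDGUID)
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            # The ACE created by steps 5-7: Exchange Servers, Allow, WriteDacl,
            # applied to descendant msExchActiveSyncDevices objects.
            $ace = $sd.Access | Where-Object {
                $_.IdentityReference.Value -like '*\Exchange Servers' -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $writeDacl) -and
                $_.InheritedObjectType -eq $easGuid
            }
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # adminCount = 1 marks accounts that are or were in protected groups,
                # where SDProp disables inheritance on the object.
                AdminCount         = $_.adminCount
                InheritanceBlocked = $sd.AreAccessRulesProtected
                ExchangeServersAce = [bool]$ace
                AceInherited       = [bool]($ace | Where-Object { $_.IsInherited })
            }
        }
}

# Constructed search base; replace with the OU that holds the migrated mailboxes.
Get-ActiveSyncAclState -SearchBase 'OU=Migrated,DC=corp,DC=example' |
    Where-Object { $_.InheritanceBlocked -or -not $_.ExchangeServersAce } |
    Format-Table -AutoSize
```

Users listed with `InheritanceBlocked` true will not pick up an ACE set at the OU or domain level, so for them the permission has to be present on the user object itself.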