ActiveSync Failure

  • Question

  • Hi all,

    I have been unable to use ActiveSync to attach any phones, and I am receiving the following information with regard to a 500 error from the Exchange test site.  I have not been able to successfully authenticate to the ActiveSync site, but have been using OWA successfully, and there are no other Exchange issues I am aware of.

    Attempting to Resolve the host name mail.osullivans.org in DNS.
      Host successfully Resolved
     Additional Details
      IP(s) returned: 173.9.250.98  
     
     Testing TCP Port 443 on host mail.osullivans.org to ensure it is listening/open.
      The port was opened successfully.
     
     Testing SSL Certificate for validity.
      The certificate passed all validation requirements.
     Test Steps
       Validating certificate name
      Successfully validated the certificate name
     Additional Details
      Found hostname mail.osullivans.org in Certificate Subject Common name  
     
     Testing certificate date to ensure validity
      Date Validation passed. The certificate is not expired.
     Additional Details
      Certificate is valid: NotBefore = 8/26/2009 4:53:42 PM, NotAfter = 8/26/2011 4:53:42 PM  
     
     
     
     Testing Http Authentication Methods for URL https://mail.osullivans.org/Microsoft-Server-Activesync/
      Http Authentication Methods are correct
     Additional Details
      Found all expected authentication methods and no disallowed methods. Methods Found: Basic  
     
     Attempting an Activesync session with server
      Errors were encountered while testing the ActiveSync session
     Test Steps
       Attempting to send OPTIONS command to server
      OPTIONS response was successfully received and is valid
     Additional Details
      Headers received: Allow: OPTIONS,POST
    MS-Server-ActiveSync: 14.0
    MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0
    MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
    Public: OPTIONS,POST
    Content-Length: 0
    Cache-Control: private
    Date: Fri, 04 Sep 2009 01:01:49 GMT
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET

     
     
     Attempting FolderSync command on ActiveSync session
      FolderSync command test failed
       Tell me more about this issue and how to resolve it
     
     Additional Details
      Exchange Activesync returned an HTTP 500 response.  
    Friday, September 4, 2009 2:23 AM

All replies

  • Is this Exchange 2010 server? If not, you can use legacy Exchange forum - http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver/

    Refer below article if it is Exchange 2003...

    Exchange ActiveSync returned an HTTP 500 Error

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Friday, September 4, 2009 5:52 AM
  • Hi,

    This is Exchange 2010 RC, and the activesync is killing me!  I love everything else, but this is like obtaining Mid-East Peace and comprehensive healthcare reform simultaneously.

    Any ideas?

    Friday, September 4, 2009 11:58 AM
  • Two things.

    1) Is security inheritance enabled on the AD account of the mailbox? Make sure it is on all OUs above the account as well.

    2) Try altering your EAS policy to "allow non-provisionable devices" for testing purposes to see if it works. I've run across a couple devices that even though we're using a relatively basic policy still wouldn't work unless we turned that off. I don't want to leave it off though, it's like dropping the gate across the moat. :)
    Brian Day / MCSA / CCNA, Exchange/AD geek.
    • Proposed as answer by Robbie_Roberts Wednesday, October 21, 2009 3:02 AM
    • Marked as answer by Mike Crowley Monday, March 21, 2011 11:48 PM
    Saturday, September 5, 2009 3:11 AM
  • 1. Security inheritance is enabled, and was not when I made the account domain admin, and had it in another OU.  I have since moved it to the default OU and reset the permissions.

    I also have the non-provisionable devices allowed, too.

    I keep being prompted for credentials when I attempt to sync the device.  I have tried a few accounts, and they have activesync permission, but it is like the authentication is not being accepted.
    Saturday, September 5, 2009 6:33 PM
  • Is it still a domain admin? If so, recheck inheritance again. The OU doesn't matter; if the account is a member of a protected group in AD like Domain Admins, Backup Operators, Enterprise Admins (there's a KB that lists them) then inheritance will always be disabled every 1 hour.
    Brian Day / MCSA / CCNA, Exchange/AD geek.
    Sunday, September 6, 2009 1:45 AM
  • It is working!  I had to check the inheritance and sync and it works!  Thanks so much!
    Monday, September 7, 2009 11:19 PM
  • Sorry for the newbie question but can you post how to disable the inheritance for the user account? I am having this same issue but for the life of me I cannot figure out where to do this.

    Thanks in advance
    Monday, September 21, 2009 5:22 PM
  • RAddison,

    Check this...
    EAS issues after moving user mailboxes to Exchange 2010

    You can verify this in the advanced security settings of a user with ADUC or ADSIEdit or with ADModify.net for multiple users...

    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    Monday, September 21, 2009 5:34 PM
  • Thanks a million, I guess I was trying to over think it and digging around in the AD Group Policy Management tool.  Thanks again!
    Monday, September 21, 2009 5:43 PM
  • Thank you! this is REALLY useful!!

    Darren
    Monday, October 19, 2009 5:39 PM
  • This saved me from throwing my iPhone and my new Exchange Server 2010 into the nearest dumpster!!!

    Thank you, thank you, thank you!
    Friday, January 15, 2010 3:42 AM
  • So we have an iPhone user that we have migrated over from our Exchange 2007 to our Exchange 2010 test area. When we check the box that Allows for Inheritable permissions following Henrik Walther's blog post, as soon as the iPhone connects it resets the check box.  We know that this works because we have other iPhone users that are connected but for this one user the check box is reset when the iPhone connects.  Not that this matters but both iPhones are running 3.1.2, but the iPhone that resets the check box is a 1st Gen iPhone whereas the iPhone that works is the latest 3GS.  However we are connecting over our internal wi-fi to the Exchange 2010 environment.  We are fully native Windows 2008 server on the Exchange 2010 environment.

    Thanks for any assistance.

    Josh
    Tuesday, January 19, 2010 6:58 PM
  • So we have an iPhone user that we have migrated over from our Exchange 2007 to our Exchange 2010 test area. When we check the box that Allows for Inheritable permissions following Henrik Walther's blog post, as soon as the iPhone connects it resets the check box.

    The iPhone doesn't reset that box, being a member of an AD protected group does. Make sure the user isn't in a group like domain admins, enterprise admins, account operators, backup operators, etc....
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Exchange Server 2010 Configuration
    LMNOP
    Tuesday, January 19, 2010 8:39 PM
  • So we have gone back and validated that the user is not in any protected AD groups.  So I welcome any other thoughts.

    Thanks,
    Josh
    Thursday, January 21, 2010 3:33 PM
  • Thanks Brian Day! That fixed my problem. I installed and migrated my mailbox to Exchange 2010. My iPhone gave me an error.
    Best regards, Ivan Versluis http://www.networknet.nl
    Saturday, March 20, 2010 1:19 PM
  • You're quite welcome! :)
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Saturday, March 20, 2010 3:10 PM
  • Open the user in something like ADSIEdit or LDP and see if the attribute admincount is set to 0 or something higher. If it is set to 1 then at some point in the past they were a member of a protected group.

    You need to set it to 0 and then turn on inheritance again (if it is off again).

    You might find this blog helpful. :)

    http://www.shariqsheikh.com/blog/index.php/200908/use-powershell-to-look-up-admincount-from-adminsdholder-and-sdprop/


    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Saturday, March 20, 2010 3:12 PM
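
    The adminCount and protected-group checks described in the post above, as an added example that is not part of the original thread: a report-only PowerShell audit listing mailbox-enabled accounts stamped with adminCount=1, whether their ACL currently blocks inheritance, and whether they still sit in a protected group. It assumes the ActiveDirectory module, a single-domain forest, and that msExchMailboxGuid marks a mailbox-enabled user.

```powershell
# Added example: report-only audit, makes no changes to the directory.
# Assumptions: ActiveDirectory module (RSAT) available, single-domain forest.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known SIDs of groups protected by AdminSDHolder by default.
$protectedSids = @(
    "$domainSid-512",   # Domain Admins
    "$domainSid-518",   # Schema Admins
    "$domainSid-519",   # Enterprise Admins
    'S-1-5-32-544',     # Administrators
    'S-1-5-32-548',     # Account Operators
    'S-1-5-32-549',     # Server Operators
    'S-1-5-32-550',     # Print Operators
    'S-1-5-32-551'      # Backup Operators
)

# Map each current (nested included) member DN to the protected group it came from.
$currentlyProtected = @{}
foreach ($sid in $protectedSids) {
    try {
        $group = Get-ADGroup -Identity $sid
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object { $currentlyProtected[$_.DistinguishedName] = $group.Name }
    } catch {
        Write-Verbose "Skipped ${sid}: $($_.Exception.Message)"
    }
}

# Mailbox-enabled users that SDProp has stamped at some point.
$filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(msExchMailboxGuid=*))'

Get-ADUser -LDAPFilter $filter -Properties nTSecurityDescriptor |
    Select-Object SamAccountName,
        @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } },
        @{ n = 'ProtectedVia';       e = { $currentlyProtected[$_.DistinguishedName] } },
        @{ n = 'Finding'; e = {
            if ($currentlyProtected.ContainsKey($_.DistinguishedName)) {
                'Still in a protected group: inheritance will be disabled again'
            } else {
                'Stale adminCount: no longer in a protected group'
            }
        } } |
    Sort-Object Finding, SamAccountName |
    Format-Table -AutoSize
```

    Accounts reported as still protected will have the inheritance box cleared again on the hourly cycle mentioned earlier in the thread, so re-checking it is only a temporary fix; a separate non-privileged account for the mailbox avoids that cycle.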
  • Hi Brian,

    I saw you are helping so many people with good solutions; can you please look at this problem?

    We have Exchange 2003 (SP1), and everything working fine except the exchange mail for iphone (we have not tested exchange email for any device other than iphone)

    We have recently configured RPC over HTTP and I have tested in a pc and it is working fine

    our OWA is working fine

    When I tested Exchange ActiveSync, there was one error:

    "Exchange ActiveSync Returned an HTTP 500 Error"
    When I add a new account on the iPhone, it says that the account is verified, but when I go to the email folder I can't see anything, and I can't send email either. There is an error message: cannot connect to the server
    • Proposed as answer by Im A PC Tuesday, May 25, 2010 8:49 PM
    Tuesday, May 11, 2010 11:45 AM
  • Try turning SSL off from iPhone mail setup.
    Tuesday, May 25, 2010 8:49 PM
  • No, it's not working
    Tuesday, June 1, 2010 12:28 PM
  • Amit Tank (Henrik Walther): EAS issues after moving user mailboxes to Exchange 2010
    This solved our problems with a new Exchange 2010 deployment :-)
    MCTS: Messaging | MCSE: S+M | Small Business Specialist
    Wednesday, June 2, 2010 8:34 AM
  • We are having similar problems after upgrading from Exchange 2003 to 2010 this last week.  We cannot get ActiveSync to work properly.  We have already made sure inheritance is enabled on all users, which was the case even before the upgrade.  We have gotten two domain admin phones to work, by checking the inheritance option and then adding the devices before AD had a chance to remove the inherited permissions.  However, we cannot get ANY of the normal user accounts to work.

    The devices are authenticating, but then don't download any messages.  When I check the event logs I see the following warning message every time the device tries to connect, "The device container ExchangeActiveSyncDevices for the user "*****" in Active Directory couldn't be created."  The weird part with this is that I can see the object in ADSI just fine, there's just no phone devices under it.  As a test I tried removing the container in ADSI and then reconnecting the device.  I was able to see the ExchangeActiveSyncDevices object show up again, but again there was no phone device underneath it.

    We have also tried removing inheritance options and then re-adding them, which did not help.  It also does not appear that new accounts are inheriting proper permissions either.  I just tested adding a new user, by doing so directly through the Add Mailbox screens, and still see the same errors.  In all cases we have verified that proper ActiveSync settings are shown in EMC, and it looks like the permissions are showing in ADSI also.

    Does anyone have any ideas on where to go from here?  I've spent a whole day just reading through articles and forums, and have not found anything of use.  In our case the inheritance settings are already there, but it doesn't appear to be obeying them.


    Thanks,
    Kelly Shutt

    Vargo Adaptive Software

    Thursday, June 3, 2010 3:43 PM
  • Thanks for the solutions. Additionally I had to reset the permissions on some users (not all the users were affected by the problem) and solved the problem.

    cheers,

    Tuesday, June 22, 2010 12:50 PM
  • This one maybe ?

    FAQ 000087 - Exchange 2010 ActiveSync reports HTTP 500 error 

    http://www.exchangemaster.net/index.php?option=com_content&task=view&id=165&Itemid=57&lang=en 

    Regards,

    Dejan Foro

    Wednesday, November 17, 2010 1:38 AM
  • I'm posting this only because it's not documented yet and I spent the past few days wanting to kill myself figuring this out.

    Every other user in my organization was able to sync via AS... except me.

    My specific username was once part of all the above-mentioned "protected groups". However, even after checking inherit permissions and removing myself from every group imaginable that could cause this issue as an Admin, I still couldn't authenticate past the HTTP 500.

    I finally got my hands dirty and dug into LDP.exe

    After connecting to my parent OU, I realized that my user had a child of ActiveSync devices that were used in my test environment. They didn't show up in EMC either attached to my mailbox... so I deleted each device (leaf) then the parent AS container (see picture below)

    http://img195.imageshack.us/img195/4511/ldpk.jpg

    After doing that, my user was "empty" (effectively a leaf) and I went back to my AD users, restored to defaults and inherited permissions (checked the box)

    Ran the AS test and boom... perfect connection. My Droid Pro also sync'd within seconds.

    I don't know why this happens but I assume it was a left over from my test environment and it was screwing up my user specifically.

    I hope this helps someone one day, as nowhere on the internet did I find this fix. Maybe it was just me being sloppy as a tester, but whatever... it works :)

    • Proposed as answer by Epon Tuesday, January 11, 2011 6:40 AM
    Tuesday, January 11, 2011 6:35 AM
  • I have all the symptoms of this issue, ActiveSync doesn't work, HTTP error 500 logged on the device, the 'Inherited Permissions' not included because of admin groups, but have hit a brick wall. I've tried everything I can find.

    Epon,

    I'm tearing my hair out over here too. I've seen what you mentioned a couple of other places. I'm trying to check my user container, but there's no ExchangeActiveSyncDevices beneath it. Can you confirm that when you found the device container, that it was this path in ADSIedit? I want to ensure I'm looking in the right place, and move on to other troubleshooting options if I am...

    adsiedit> domain [dc.domain.local]> DC=domain,DC=local> (drill down to OU of the user)

    Thanks,

    Kara

    Tuesday, January 11, 2011 2:47 PM
  • I was using LDP.exe... which doesn't explicitly show you children/leafs until you double-click on the parent container. Funky... but I guess it doesn't waste time searching all the way down until you actually ask it to. Good luck.
    Tuesday, January 11, 2011 11:13 PM
  • Thanks Epon. LDP shows me the same thing that adsiedit does. I suspected it would but it was worth a try! On to other options then.

    Kara

    Wednesday, January 12, 2011 2:17 PM
  • I found the solution to my problem...which was partially because of inherited permissions but ALSO because I'd tried to connect without the inherited permissions before and it seemed no matter what I couldn't get my account to sync. I enabled inherited permissions and on and on.

     

    What I had to do was in Exchange 2010 Management, browse to Recipient Configuration> Mailbox> User> Properties> Mailbox Features. Highlight Exchange ActiveSync and click Disable, then apply. This next part seems to be important. Try and connect your ActiveSync while it is DISABLED on your account. After it fails, then re-enable ActiveSync and try again.

    2/3 users I was having trouble with were fixed by this process. The other I've not had a chance to test with yet. Of course, you must ensure that the permissions are inherited as explained in countless other locations.

    Kara

    Wednesday, January 19, 2011 11:12 PM