ActiveSync Connectivity Test failed: WinHttpSendRequest failed with error 12030

  • Question

  • Exchange 2010 SP1:  From the www.testexchangeconnectivity.com site, did an ActiveSync test.

    The 1st event warning is:

    Checking the IIS configuration for client certificate authentication.

      The test passed with some warnings encountered. Please expand the additional details.

    Additional Details

    Client certificate authentication couldn't be determined because an unexpected failure occurred.

    WinHttpSendRequest failed with error 12030.

     

    The 2nd event failure is:

    Testing HTTP Authentication Methods for URL https://mail.dnsdomain.com/Microsoft-Server-ActiveSync/.

    The HTTP authentication test failed.

    Message: The underlying connection was closed: An unexpected error occurred on a receive.

     

    Have read numerous threads from msexchange.com, technet, experts-exchange, etc and none have worked or they do not apply.

    Thanking you in advance - Mike

    Monday, August 1, 2011 5:25 PM

Answers

  • Solution can be found in the following www.experts-exchange.com thread:

    Title:  "failure recreating ActiveSync Virtual Directory (Exchange 2010 SP1)"

    Communications between MikeH392 and Akhater.




    Mike
    • Marked as answer by mhunter392 Tuesday, September 6, 2011 1:54 AM
    Tuesday, September 6, 2011 1:54 AM

All replies

  • What kind of authentication settings are configured in IIS? Are you running a reverse proxy in front of Exchange like ISA/TMG?
    Monday, August 1, 2011 6:47 PM
  • Only Basic Authentication.  There is no reverse proxy, isa or tmg.

    External DNS points all traffic to router, which forwards all port 443 traffic to Exchange 2010 server.

    OWA works fine.  The Connectivity test passes name resolution, port 443 and SSL certificate tests.


    Michael S. Hunter
    Monday, August 1, 2011 7:17 PM
  • And it is like this for all users?

    Check "inheritable permissions" if you haven't already:
    http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspx

    If you go to my blog there's a diagnostic tool for ActiveSync that I've made - http://mobilitydojo.net/downloads. Run a test with that and see what kind of error it returns. (Not sure what that will reveal, but at least I know on a code level what my own utility does.)

    Monday, August 1, 2011 7:27 PM
  • Andreas,  Thank you.

    1)  On the article, Exchange Server already had the inherited permissions to Create & Delete msExchActiveSyncDevices.  Per my interpretation of the article, I added List, Create Child objects, Delete Child objects.

    2)  I then ran your utility (Basic Connectivity Test) and with only checking "Use SSL" and "Trust all certificates".

    Test response was 2 items:

    =>  Testing HTTP GET:
    Response: The underlying connection was closed: An unexpected error occurred on a receive.

    =>  Testing HTTP OPTIONS:
    Response: The underlying connection was closed: An unexpected error occurred on a receive.
    HTTP OPTIONS failed. See results of HTTP GET above for possible reasons.

    Thanks - Mike

     


    Mike
    Monday, August 1, 2011 8:08 PM
  • Andreas,

    Forgot to add:  This only affects a Plant Manager using an iPhone iOS 4. 

    All other users work fine, but they have Blackberries thru Verizon BIS.

     


    Mike
    Monday, August 1, 2011 8:19 PM
  • Ok, let's see what else we've got :)

    Is it the plant manager's account you're testing with, or a different test account? (Just to be sure it's not something special with that account. BIS doesn't use ActiveSync for communication with Exchange as far as I know.)

    Are you seeing a similar issue if you try to open https://mail.dnsdomain.com/Microsoft-Server-ActiveSync/ in your browser? Or does it just load for a long time before getting a timeout?

    Are you able to telnet to port 443?

    Does my utility give the same error if you test it against the internal address of Exchange? (To rule out the router on the external side.)

    While it's not unlikely that you'll see the very same issue, could you try loading up Fiddler (http://www.fiddler2.com) in the background while re-running EAS-MD?

    Monday, August 1, 2011 8:50 PM
  • Yes, I am only testing with the Plant Manager's account.  He does not have administrator level priv/perms.

    Yes, BIS does not use ActiveSync, but instead uses OWA.

    From the Exchange 2010 server, I ran the testexchangeconnectivity.com and your utility ... result = exact same error messages.  No problems with port 443.

    Note:  Previously, I have been doing all testing remotely from XP SP3 and Vista Business SP1, using Firefox 5.0 and IE 9.
    Note:  I did your test based on internal name of server, the external name, and the IP Address.

    On the internal test from the Exchange server, I ran fiddler2 first before starting your utility.
    Your utility had the same results.  Fiddler2 showed 4 results of HTTP 200 with the closed padlock.

    *** Then I closed both utilities, opened Fiddler2 and modified Fiddler Options to decrypt HTTPS, then ran your utility, using internal server dns name.

    => Your utility gave me different results this time:

    Testing HTTP GET:
    Response: The remote server returned an error: (504) Gateway Timeout.
    Inspect the HTTP code given above.
    501/505: This is correct behaviour, and means it is responding!
    403: The server requires SSL and will not let you connect over HTTP.
    401: Wrong username/password. May also occur if you're using a reverse proxy which performs authentication.
    451: Redirect request. Mailbox is located on a different server. Run "Full Sync Test" for further details.

    Testing HTTP OPTIONS:
    Response: The remote server returned an error: (504) Gateway Timeout.
    HTTP OPTIONS failed. See results of HTTP GET above for possible reasons.

     

    =>  Fiddlers gave me different results too:

    2 each HTTP 200
    2 each HTTPS 504 pointing to the http//mail........com/microsoft-server-activesync

    =>  I checked the Gateway (Router/Firewall).  All 443 traffic gets forwarded to this Exchange server.
    Incoming log:  port 445 traffic is blocked.  All 443 traffic is OK,
    Outgoing log:  Outbound is OK.
    System log:  ICMP type 8 code from external IP source to router/firewall is blocked.

     

     


    Mike
    Monday, August 1, 2011 9:52 PM
  • The only times I've seen error 504 before is when hitting network level connectivity issues. Had a DNS issue once causing it.

    Since you tested with the IP address as well it shouldn't be a DNS issue. I'd run a tracert just to verify the route the packets are going, though I don't think that's the issue if your firewall is forwarding the traffic correctly.

    There shouldn't be any firewall blocking port 443 by default on the Exchange server, but doublecheck that to be sure.

    Other than that... I dunno at the moment (it's late at night in my time zone)... It does seem like a network issue, but I'm not able to pinpoint it.

    Monday, August 1, 2011 10:34 PM
  • Andreas,

    I verified OK the Internal DNS (Active Directory 2008) and the DNS entries that the communications ISP has registered. 

    The Exchange server has the following internal DNS entries;  MX, NS, SRV, A, PTR.  As this tells you, due to the topology of this company network, I needed a GC on this site, but only had 1 Win server to use ... the Exchange server.  The other servers are AIX & NetWare 6.5.  I do not like this but I had no choice. 

    The other site has the PDC DC, etc plus several other Win servers.  Connectivity is via Wireless Radio approx 1/2 mile distance and this "bridged" link works well.  (T-1, T-3, Fiber were not options).

    The gateway (Router/firewall) is on the same switch as the Exchange server 2010 SP1 (Win 2008R2). 

    Tracert run to internal and external IPs or urls were all successful, with no unusual times.

    Port 443 incoming has not been an issue, as https://..../OWA, etc is working fine.

    Note: I have to go to another site ... I will be back on this issue in about 9 hours.
    Thank you Andreas for your continued great insight and assistance.

     

     


    Mike
    Tuesday, August 2, 2011 3:47 PM
  • Ah, that is an interesting tidbit of info.

    Because a 504 error often means that while the server the client contacts is reachable there is a problem with the server needing to get info/data from other servers on the back-end.

    When I run a Wireshark on Exchange while trying to run the basic test in EAS-MD I can see that Exchange fires off traffic to the GC before it returns the HTTP 200. So I'd assume GC connectivity is needed. I'm not sure if it matters that the GC is in a different site. (Well, I know it's not optimal of course...) Are the two locations separate sites in AD as well? Is the GC port open between Exchange and the DC? (Port 3268 tcp/udp.)

    Tuesday, August 2, 2011 5:46 PM
  • I guess I needed to add some more info.  The Exchange 2010 SP1 server is the DC, GC, DHCP, WINS for the physical site that it is at.  This is NOT recommended, but I only have the one Windows server at that site.  So the Exchange Server gets its GC info from itself.

    The Exchange server looks to the AD PDC as a secondary source.

    There is only one AD Site, as the company insisted on keeping all IPs on 1 IP subnet.  Hence the Wireless Radio link is in "Bridged" mode, with no routing capability.


    Mike
    Tuesday, August 2, 2011 6:40 PM
  • Ah, I thought you meant that you used the GC in the other site.

    I do know that there's a bunch of problems that might occur when running DC and Exchange on the same box.

    Here's a few things you might want to check out:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/4f478cb7-09b1-4eb1-bc40-d229db977fa6/

    I can see the missing HTTP bind being relevant to IIS communications at least, but it could be any of the other things as well I guess.

    Tuesday, August 2, 2011 7:17 PM
  • Hello,

     

    Can you access the ActiveSync url on the CAS server? You could enter the URL: https://localhost/Microsoft-Server-ActiveSync

     

    If it still does not work, you can try rebuilding the ActiveSync Vdir to refresh the settings:

     

    http://www.arconi.com/solutions-articles/solutions/144-recreating-active-sync-virtual-directories.html

     

    Thanks,

    Simon

     

     

    Wednesday, August 3, 2011 7:50 AM
  • @ Andreas,

    Last night starting at 11 pm, I followed your last suggestions.

    Here's a few things you might want to check out:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/4f478cb7-09b1-4eb1-bc40-d229db977fa6/

    Following to the letter actually caused more issues and brought down the OWA too.  It was 3:30 am before I got things running as they were before (back to the original error issue).

     

    Today, I have spent working numerous other issues, however, I have seen a new problem(s) with Autodiscover in the =>

    1)  Application Event Viewer => "Removal of privileges from process "c:\windows\system32\inetsrv\w3wp.exe" (PID=8560, LABEL=MSExchangeAutodiscoverAppPool) failed with error code 0x80070005."

    2)  System Event Viewer => "A process serving application pool 'MSExchangeAutodiscoverAppPool' suffered a fatal communication error with the Windows Process Activation Service. The process id was '1864'. The data field contains the error number."

    So I am going back and reviewing all EMC and IIS configurations, settings, plus the Win2008R2 server network & dns configs.

     

    @ Simon;

    Using the ActiveSync pointing to the local host URL failed.

    • Internet connectivity has been lost.
    • The website is temporarily unavailable.
    • The Domain Name Server (DNS) is not reachable.
    • The Domain Name Server (DNS) does not have a listing for the website's domain.
    • There might be a typing error in the address.
    • If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section

    I ran the mmc for RSoP (Resultant Set of Policy), and I found that 3 Exchange/IIS items were incorrectly listed in various GPOs for the Default Domain Controller Policy:  Classic .NET AppPool, DefaultAppPool, WdiService Host.  I know that I did not add them to the GPO, and I removed their membership to certain sub-policies.

    But no immediate impact on the original issue.

    Thanks ... I will keep plugging away.

    If anyone has other ideas, please suggest.
    I will post updates when I have worthy notes/actions to inform the rest of.

     

     


    Mike
    Wednesday, August 3, 2011 7:46 PM
  • Hello Mike,

     

    Have you tried recreating the ActiveSync VD by running:

     

    Remove-ActiveSyncVirtualDirectory -id "CASServer\Microsoft-Server-ActiveSync (Default Web Site)"

    IISReset

    New-ActiveSyncVirtualDirectory

    IISReset

     

    Please try accessing https://localhost/Microsoft-Server-ActiveSync on the CAS server again. If it still fails, please collect the IIS log for further research.

     

    [Collect the IIS log]

    ==============

    1)    On the Exchange Client Access Server, locate the folder “c:\inetpub\logs\logfiles\W3SVC1” (If the IIS log is not enabled, please enable it and try to reproduce this issue.)

    2)    Collect the log files inside the folder.

     

    You can reach me at: v-simwu@microsoft.com

     

    Thanks,

    Simon


    Thursday, August 4, 2011 9:35 AM
  • Simon,

    Sorry for the delay, but other network, etc issues arose that needed addressing.  This issue only affects ActiveSync & iPhones.  There was a problem which I had to resolve, and now the testexchangeconnectivity.com error is different.

    I did the "Remove-ActiveSyncVirtualDirectory" as you specified followed by iisreset.  However, ever since I have been unable to recreate the ActiveSync VD.

    An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
          Additional Details
          An HTTP 500 response was returned from IIS7.

    I have been thru numerous articles, etc and I have not been able to solve this.

    I reviewed the W3SVC1 log file, and I found the following after doing a testexchangeconnectivity test.
    2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 842
    2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 77
    2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 77
    2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ &Log=Error:NotRunningAsLocalSystem_ 443 "domain name"\"username" 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 500 0 0 311

    Thanks

     


    Mike
    Monday, August 8, 2011 3:10 AM
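
    Added example (not part of the original post, and not a Microsoft or Exchange tool): a Python script that summarises ActiveSync requests in an IIS W3C log by status and substatus and pulls out the `Log=` diagnostic that the 500 line above carries in its query field. The field order is assumed to be the IIS 7.x default, and the sample lines, the `EXAMPLE\user1` account and the function names are constructed for illustration.

```python
from collections import Counter

# Default IIS 7.x W3C field order, assumed here because the post shows no
# "#Fields:" header; a real log file states its own order in that line.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

# Constructed sample modelled on the lines in the post; EXAMPLE\user1 is a
# placeholder account and the /owa/ line is invented to show the filtering.
SAMPLE_LOG = r"""
2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 842
2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 77
2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ - 443 - 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 401 2 5 77
2011-08-08 02:47:17 192.168.0.19 OPTIONS /Microsoft-Server-ActiveSync/ &Log=Error:NotRunningAsLocalSystem_ 443 EXAMPLE\user1 207.46.14.62 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) 500 0 0 311
2011-08-08 02:47:20 192.168.0.19 GET /owa/ - 443 - 207.46.14.62 Mozilla/5.0 200 0 0 15
"""

def parse_w3c(text):
    """Yield one dict per request line, honouring a #Fields: directive."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) == len(fields):   # skip truncated or hand-edited lines
            yield dict(zip(fields, values))

def eas_summary(text, stem="/microsoft-server-activesync"):
    """Count ActiveSync responses by status.substatus and list 5xx details."""
    counts, failures = Counter(), []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(stem):
            continue
        status = f'{rec["sc-status"]}.{rec["sc-substatus"]}'
        counts[status] += 1
        if rec["sc-status"].startswith("5"):
            # The post's 500 line carries its diagnostic as Log=... in cs-uri-query.
            diag = [p for p in rec["cs-uri-query"].split("&") if p.startswith("Log=")]
            failures.append((rec["time"], rec["cs-username"], status, diag))
    return counts, failures

if __name__ == "__main__":
    counts, failures = eas_summary(SAMPLE_LOG)
    print(dict(counts))
    for failure in failures:
        print(failure)
```

    Lines whose user name contains a space, like the redacted one in the post, no longer match the field count and are skipped rather than mis-parsed.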
  • Simon,

    I also noticed after doing your instructions that in the Exchange 2010 EMC > Server Configuration > Client Access > Exchange ActiveSync no longer has an entry.


    Mike
    Monday, August 8, 2011 3:24 AM
  • UPDATE:  based on MS direction, I tried recreating the ActiveSync VD in EMS by running:

    =>Remove-ActiveSyncVirtualDirectory -id "CASServer\Microsoft-Server-ActiveSync (Default Web Site)"

    =>IISReset

    =>New-ActiveSyncVirtualDirectory

    =>IISReset

     

    Failed !

     

    Situation now:

    1)  In EMC> Server Configuration>Client Access>Exchange ActiveSync tab, there is no entry now.

    2)  In EMS> If I try the "Remove" string again, I get the following failure message:

    The operation could not be performed because object “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” could not be found on 'CASServer.mydomain.org'.

    3)  In IIS 7.5 Manager, I verified that no Virtual Directory exists for the application "Microsoft-Server-ActiveSync"

    4)  In EMS> I ran the cmdlet "New-ActiveSyncVirtualDirectory".  Error message:

    The virtual directory 'Microsoft-Server-ActiveSync' already exists under 'CASServer.mydomain.org/Default Web Site'.

     

    How do I correct this situation ?

    Thanks, Mike



    Mike
    Monday, September 5, 2011 8:23 PM