Google Nexus Android 4.1 and Active Sync

All replies

  • What is the issue you're having.

    Test via -

    Is it only for mailboxes on 2003?


    Tuesday, April 17, 2012 6:29 PM
  • Are these administrative users you are testing with?  If so, you may need to check the permissions inheritence box on their advanced security properties page.

    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Tuesday, April 17, 2012 9:38 PM
  • Hi,

    The problem so far reported by only 1 user using this model and version of Android. Other people with Android and iPhones are fine. RCA results are also good.

    @Mike: there is no inheritance block for this user and no permission issue event in event viewer.



    Wednesday, April 18, 2012 2:49 AM
  • Hi
        Maybe you need do test on your exchange 2003.
        If other Android client can connect to exchange 2003 through activesync, it is client problem or account problem.
       1. It is Android 4.1 os problem. I can’t find special hotfix for this Android version. You can create test account (you can make sure it works well) and let user connect to exchange 2003 by this account.  
       2. It is user account problem. You need to compare permission of this user with permission of other.

    Terence Yu

    TechNet Community Support

    Wednesday, April 18, 2012 6:18 AM
  • Hi Terence,

    Thanks for your repsonse, I will do the tests you asked and will let you know.

    The problem came after the frontend was changed to Exchange 2010 CAS from Exchange 2003 FE. Not sure if it has something to do with proxying?



    Wednesday, April 18, 2012 8:26 AM
  • Do you have a legacy URL for co-existence or just the one external URL which points to the 2010 CAS?

    What if you move this user to 2010 and test?

    Is the Andriod using the latest firware/OS update?


    Wednesday, April 18, 2012 8:45 AM
  • I have legacy URL, but it is only used for OWA.

    I cannot move to 2010, anyways we have thousand of users, so need to find the cause.

    Yes, there is no update for phone.



    Wednesday, April 18, 2012 12:29 PM
  • Since I don't see it listed above, can you confirm that you have made the required change to the EAS VDIR on the Exchange 2003 box?  It will not work with the default Exchange 2003 configuration, and you will need to tweak the auth flags or install a hotfix to do it in the EMS.  Do NOT change it in the IIS manager. 

    • Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

      To enable this authentication change on Exchange 2003 you need to either:

        • Install and then use the Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory. Repeat this for each Exchange 2003 mailbox server in your organization.
        • Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server.  An example script is provided at

      Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

    Cheers, Rhoderick NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, April 18, 2012 12:52 PM
  • Hi Rhoderick,

    Yes, I applied one patch and then enabled integrated auth on all Exch BE servers.

    Do you think that if this is not enabled Active Sync will work for some and will not for some?

    If so, I will cross check again. As RCA results are pass, for the mailboxes on this Exch2003 BE.

    I was under impression that it will not work without patch, so I did it before changing the front-end to exch2010.



    Wednesday, April 18, 2012 1:12 PM
  • Hi there = that is correct the patch or tweaking the auth flag is required.  So you were totally correct in doing that upfront.

    if this is not working for this one phone, and the other users are OK, then you will have to start looking in the IIS logs on the 2010 server and also on 2003 to see what is happening. 

    Out of curiosity have you implemented any allow/block/quarantine lists on 2010?  When did you flip the front end over, on what date?

    Cheers, Rhoderick NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, April 18, 2012 1:31 PM
  • As mentioned can you check the IIS Logs?

    Can you also, test the same device with a test account on 2003?  Same results?


    • Proposed as answer by stpchakri Thursday, April 18, 2013 2:33 PM
    Wednesday, April 18, 2012 2:29 PM
  • Hi there,

    thanks for your inputs, will check and post back.


    Thursday, April 19, 2012 11:10 AM