Email not syncing to mobile devices with ActiveSync

  • Question

  • Currently migrating from Exchange 2010 to 2013 and are in coexistence.  I moved my mailbox from 2010 to 2013 and email within Outlook 2013 on Windows 10 is working without any problems.  However my iPhone and Windows 10 mobile won't sync any email, they connect but no email will sync.  The setup is as follows: Exchange 2013 2 node DAG servers.  2 CAS servers setup in a Windows NLB.  External certificate for email.domain.com installed on both CAS servers.  Virtual Directories setup on both CAS servers for ActiveSync with external name using the email.domain.com name and the internal of mail.domain.com.  Split DNS setup.  Firewall rule created to allow anything to connect to the CAS NLB IP address, via HTTPS only, which has a NAT on for external connection and public DNS setup to point to the external NAT address.  On the iPhone if I add an Exchange email account and configure the settings manually, enter the Server address as email.domain.com, enter the Domain and the Username, it verifies the account and puts ticks next to everything.  Then when you open the Mail app nothing syncs and I get the error message Cannot Get Mail The connection to the server failed.  What could I be doing wrong???

    Thursday, September 13, 2018 1:41 PM

Answers

  • Thanks.  Please ignore my last comment about the certificate being used, I was testing on a laptop that had been on the internal network.

    After getting the Autodiscover.domain.com DNS record setup yesterday I proceeded to test using the testconnectivity.microsoft.com website.  The only error I was getting was "Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication."  I set the Client Certificates in IIS on both CAS servers to Ignore and email started to sync.  What impact does having this set to ignore have on security or what other setting should I change so this setting can be on Accept?

    Thanks

    If we select Accept, we need to issue a client certificate to each user, then we need to configure certificate based authentication for Exchange ActiveSync clients and install the client certificate on the local device.

    Configure certificate based authentication in Exchange 2016

    So if you don't want to enable certificate based authentication, just select "Ignore".

    Hope it helps.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, September 19, 2018 2:18 PM
    Moderator
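
An added example, not part of the original thread: a PowerShell check for the condition the connectivity test reported, applied to every CAS node behind the load balancer so that one node is not left on Accept while the other is on Ignore. `Test-EasClientCertConfig` and the server names are hypothetical; `ClientCertAuth` and `BasicAuthEnabled` are properties returned by `Get-ActiveSyncVirtualDirectory`.

```powershell
# Added example: audit the ActiveSync client-certificate setting on each CAS node.
# Live input (Exchange Management Shell):
#   Get-ActiveSyncVirtualDirectory | Test-EasClientCertConfig
# Test-EasClientCertConfig is a hypothetical helper name, not an Exchange cmdlet.
function Test-EasClientCertConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$VirtualDirectory,
        # Set this switch only when certificate-based authentication is deployed on purpose.
        [switch]$CertAuthIntended
    )
    begin   { $seen = @() }
    process { $seen += $VirtualDirectory }
    end {
        # Distinct values across nodes: more than one means the nodes disagree.
        $distinct = @($seen | ForEach-Object { [string]$_.ClientCertAuth } | Sort-Object -Unique)
        foreach ($vdir in $seen) {
            $mode    = [string]$vdir.ClientCertAuth   # Ignore, Accepted or Required
            $finding = 'OK'
            if (-not $CertAuthIntended -and $mode -ne 'Ignore') {
                $finding = "IIS asks for a client certificate ($mode) but none are issued; set Ignore"
            }
            elseif ($CertAuthIntended -and $mode -eq 'Ignore') {
                $finding = 'Certificate authentication intended, but IIS ignores client certificates'
            }
            elseif ($distinct.Count -gt 1) {
                $finding = 'Setting differs between load-balanced nodes'
            }
            [pscustomobject]@{
                Server         = [string]$vdir.Server
                ClientCertAuth = $mode
                BasicAuth      = [bool]$vdir.BasicAuthEnabled
                Finding        = $finding
            }
        }
    }
}

# Constructed sample input (not real servers): one node still on Accept, one on Ignore.
$sample = @(
    [pscustomobject]@{ Server = 'CAS01'; ClientCertAuth = 'Accepted'; BasicAuthEnabled = $true },
    [pscustomobject]@{ Server = 'CAS02'; ClientCertAuth = 'Ignore';   BasicAuthEnabled = $true }
)
$sample | Test-EasClientCertConfig | Format-Table -AutoSize -Wrap
```

With Ignore and Basic authentication enabled, the device is authenticated by username and password over HTTPS only, so the `BasicAuth` column is worth reading alongside the finding.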

All replies

  • Hello!

    First, check whether the problem account is (or was) a member of system-protected AD groups (Domain Admins, Account Operators, etc.).
    If yes, remove the account from these groups, enable security inheritance, and change the "Admin Count" attribute from 1 to 0. It will resolve your problem.
    • Proposed as answer by Evgeny Vovney Thursday, September 13, 2018 1:57 PM
    • Unproposed as answer by Goldleader80wb Thursday, September 13, 2018 2:18 PM
    Thursday, September 13, 2018 1:57 PM
  • Thanks for the reply.  The user was a member of Domain Admins but hasn't been for years now.  The only other group I can think of that it is still a member of is Organization Management - would that cause a problem?

    I don't seem to be able to enable security inheritance - I have advanced features turned on but when I go to the properties of any user in the domain and go to Security and Advanced the tick box doesn't appear?  Our AD is 2012 R2.  I have changed the "Admin Count" to 0 and that didn't work.

    I had this user working fine on Exchange 2010, it's only when the mailbox was moved to 2013 that the problem started.

    Thursday, September 13, 2018 2:18 PM
  • "and go to Security and Advanced the tick box doesn't appear?"

    OK, have you got UAC turned on in the ADUC console? Maybe it prevents access to all of the AD settings needed.

    If changing inheritance does not help, please check ActiveSync for errors here: https://testconnectivity.microsoft.com
    Thursday, September 13, 2018 2:22 PM
  • Thanks for the reply again.

    Don't have UAC turned on on the DC.  Maybe on 2012 R2 you don't get the tick box.  There is a button that says Disable inheritance in the same location as the tick box so maybe inheritance is already enabled?

    I have tried the testconnectivity website however the ActiveSync tester doesn't work because it doesn't let you specify an address and only tries and uses your email address domain.  Our CAS servers have public DNS of email.domain.com and the test only tries to use domain.com which doesn't work.

    Thursday, September 13, 2018 2:32 PM
  • "Our CAS servers have public DNS of email.domain.com and the test only tries to use domain.com which doesn't work."

    Well, but how is the external Autodiscover service published in your organization?
    By external SRV DNS entry, or by autodiscover.domain.com A DNS entry?
    Thursday, September 13, 2018 2:41 PM
  • We don't have a public DNS entry for autodiscover.domain.com and we never have.  I have set the virtual directory for autodiscover externally to be email.domain.com.  Internally we are using mail rather than email for the name and it has been set to mail.domain.com
    Thursday, September 13, 2018 2:54 PM
  • Hi,

    First, test the scenario by giving the "Exchange Trusted Sub System" group modify access on the user you are trying to sync emails for. If this also does not work, go to https://testconnectivity.microsoft.com/ and run the "Exchange ActiveSync Autodiscover" test. This will tell you what the problem is and where.


    Please mark as an answer if this answers your question.

    PREM RANA

    MCSE Exchange 2013, MCSA 2012 Server MCTS Exchange 2007, 2010, MCITP Exchange 2007, 2010 MCSE 2003 Server, MCSA Exchange 2003 ITIL V3 Foundation

    https://ranaprem.wordpress.com/

    This posting is provided AS IS with no warranties and confers no rights.

    Thursday, September 13, 2018 3:30 PM
  • I have made "Exchange Trusted Sub System" have modify to the user and that hasn't worked.  Please see post above about not being able to use the testconnectivity website.

    Thanks


    Thursday, September 13, 2018 3:45 PM
  • The mobility service should use a path via the internet; you should set up your Autodiscover records properly in public DNS.

    PREM RANA

    Friday, September 14, 2018 5:52 AM
  • Thanks, I will set up a public DNS record for Autodiscover and see if that helps.  Will that have any knock-on effect on the current mobile users we have still connecting to our Exchange 2010 ActiveSync?
    Friday, September 14, 2018 7:56 AM
  • Hi,

    It is not recommended to manually configure the Exchange type account since Exchange 2013, use Autodiscover instead.

    The Exchange Autodiscover service provides an easy way for your client application to configure itself with minimal user input. Most users know their email address and password, and with those two pieces of information, you can retrieve all the other details you need to get up and running. 

    Autodiscover for Exchange

    Besides, use Outlook mobile app instead of the default mail app in your mobile phones. 

    Regards,

    Manu Meng



    Friday, September 14, 2018 8:51 AM
    Moderator
  • I have just requested the autodiscover.domain.com public DNS entry to be added so should have that to test by tomorrow.  I have just found something strange though.  If I browse to https://email.domain.com/microsoft-server-activesync I get a pop up asking me to select a certificate.  There are about 5 or 6 listed and when I view each one the friendly name is that of our Skype for Business 2015 server and none of our Exchange servers, any ideas why it is asking me to select that certificate?  They are all internal certs as we don't publish Skype for Business externally.

    Thanks

    Tuesday, September 18, 2018 3:35 PM
  • Can you check on the Exchange CAS server which certificate is actually assigned to Exchange web services?

    PREM RANA

    Tuesday, September 18, 2018 6:19 PM
  • Thanks.  Please ignore my last comment about the certificate being used, I was testing on a laptop that had been on the internal network.

    After getting the Autodiscover.domain.com DNS record setup yesterday I proceeded to test using the testconnectivity.microsoft.com website.  The only error I was getting was "Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication."  I set the Client Certificates in IIS on both CAS servers to Ignore and email started to sync.  What impact does having this set to ignore have on security or what other setting should I change so this setting can be on Accept?

    Thanks

    Wednesday, September 19, 2018 8:48 AM
  • Hi,

    Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng



    Friday, September 21, 2018 4:16 AM
    Moderator