DavetheKing

iPhone and Exchange 2010

Good Morning,

I have set up my own Exchange 2010 server on a Server 2008 x64 machine. I have set up OWA with an SSL certificate from Go Daddy so if I open my browser and go to:

https://www.mydomain.com.au/owa

it works fine, the cert works fine. On my machine I have set up Outlook to connect and it pulls everything across correctly.

However while setting up my iPhone I choose add email account -> Exchange account.

put in my email address
username
password

next

it then brings up the server field (I think my autodiscover is broken)

in that field I put in:

www.mydomain.com.au

it thinks then says Exchange account verified. Done.

When I then hit "Mail" on the iPhone it pops up:

Cannot get mail
The connection to the server failed

I used to have an exchange 2007 server setup and Kieren_b was nice enough to help me out and get it fixed, sadly that machine died.

I have tried everything I can think of but I am out of ideas, any help would be much appreciated.

Thank you
Narayan_singh

See this article on how to configure iPhone for Exchange
http://support.apple.com/kb/HT2480

Use https://www.testexchangeconnectivity.com/ to check the connectivity and post the results. Make sure the Microsoft-Server-ActiveSync virtual directory has just the Basic Authentication type selected.
DavetheKing

ASKER

Thank you for your response.

The article for how to configure it is the same procedure I ran through. The iPhone verifies to the Exchange account but when I actually open mail it errors with:

Cannot get mail
The connection to the server failed

As for exchange connectivity test it failed if it tries to autodiscover however if I put in my server address manually: www.mydomain.com.au then it mostly passes. It does generate one warning though of:

      Testing SSL Certificate for validity.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating certificate name
       Successfully validated the certificate name
       
      Additional Details
      Validating certificate trust for Windows Mobile Devices
       The test passed with some warnings encountered. Please expand additional details.
       
*******Additional Details
        Certificate is only trusted on Windows Mobile 5.0 AKU2 (MSFP) and later. Windows Mobile 5.0 devices will not be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
********

      Testing certificate date to ensure validity
       Date Validation passed. The certificate is not expired.
Test is passing however there is some cert issue.
Can you export and then install the certificate on the iPhone, restart the device and try to configure the profile again?
Again thank you for your comments. I exported the certificate and sent it to myself and installed it. It is now installed on my iPhone profile. I restarted the device and recreated the profile.

Input email
Username
Password

Server name: www.mydomain.com.au

Exchange account verifies but same error when I hit mail:

Cannot get mail
The connection to the server failed

learning to hate that error ;D
Is this the domain used for OWA, "www.mydomain.com.au"? You need to type the name that is used for OWA,
and in domain name type your internal domain name.
Correct, that is the domain I use. I also tried putting in the domain name and it still says it verifies the Exchange account correctly, but I still get the same error when I try to use mail.
Try to open OWA from the iPhone and see if it gives you some kind of error. Check if you can log into OWA on the iPhone.
already tested that. I can use the safari browser, navigate to :

https://www.mydomain.com.au/owa

it presents the Forms login screen, input my username and password and it loads my account fine.
No errors.
Can I ask a silly question :-)
Have you got SSL enabled on the profile?
When you configure iPhone by default it enables SSL.

Can you post result from Get-ActiveSyncVirtualDirectory | fl
Okay thanks guys, I ran that command and this is the return:

[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl


RunspaceId                                 : 2cb724e2-6e27-48f7-b07b-87c07a741640
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MailboxLoggingEnabled                      : False
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : https://www.firepixel.com.au/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://GreatHunt.firepixel.com.au/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : False
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : True
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
Path                                       :
Server                                     : GREATHUNT
InternalUrl                                : https://greathunt.firepixel.com.au/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : https://www.firepixel.com.au/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (14.0.100.0)
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)

DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=GREATHUNT,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=firepixel,DC=com,DC=au

Identity                                   : GREATHUNT\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : 97a390c6-d8a9-4073-95f8-3a178cb8fc13
ObjectCategory                             : firepixel.com.au/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory

ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 27/11/2009 9:36:31 AM
WhenCreated                                : 26/11/2009 10:10:45 PM
WhenChangedUTC                             : 26/11/2009 10:36:31 PM
WhenCreatedUTC                             : 26/11/2009 11:10:45 AM
OrganizationId                             :
OriginatingServer                          : GreatHunt.firepixel.com.au
IsValid                                    : True




I have left all my domain details in, will clear them out when I resolve this issue.

Cheers
thanks mate, will give that a go now.
Exchange needs an SSL certificate to cover autodiscover.domain.com and mail.domain.com. What domains does your SSL certificate cover? Is it a wildcard cert?

Try the tests at the below web site, they can be very useful...

https://www.testexchangeconnectivity.com/

Seeing OWA works correctly, I would suspect that your SSL certificate doesn't cover all your subdomains. It is possible to buy the cheapest SSL certificate at godaddy and when creating your request set the common name as *.domain.com, this will give you unlimited subdomains without paying the highest price!

Run the autodiscover tools at the above web site and let us know the outcome!


ASKER CERTIFIED SOLUTION
Glen Knight
This solution is only available to members.
Demazter is right for existing users that have been upgraded from previous versions of Exchange.  If you create a new user in Exchange 2010 IPhone sync will work without additional steps.  

When I went to check the security tab in AD, it was not visible.  I had to click the View menu then place a check beside Advanced Features.

When I checked the inheritable box, IPhone Sync worked for that existing user.

Note, I checked other users in my AD with mailboxes and some of them had this already checked.  The only two that didn't have this box checked were the users that were using the IPhone syncing and were upgraded from Exchange 2007.  
Just want to add here that i had the same exact issue and demazter is spot on, you have saved me loads of time.
been overseas, sorry for the delay in replying.

Thank you dmlavigne1 that was what it was! All setup now, cheers.
@Davetheking - Your selected answer is just agreeing with Demazter's comment (and adding the View / Advanced Features option), yet you didn't award Demazter anything, despite him providing you with the solution.  Did you close the question down correctly?
DaveTheKind,

Could you please followup here.

PAQ_Man
Community Support Moderator
I provided the correct solution in comment ID: http:#26178619 18 days before the accepted answer.
Well, I guess once you figure out HOW to make that permissions visible and look at the solution and determine WHY it is happening then it is the solution.

His suggestion led me to the solution and the conclusion, but it was not either and would not solve the problem for an organization, or tell you why it is happening.  It does solve the problem on a user by user basis.  

I guess the person that posts the rudimentary answer without instructions or reason or examples gets the full credit :rolleyes:

I posted the full solution because I thought it would save time for others and gave full answer.
I don't see any further explanation in your post.

The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.

I don't see that in your entry?
Thanks demazter, saved thine bacon yet again.. Am going through the sbs migration article and that was a gotcha for me...  Thanks mate.
try this

If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/
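
The inheritance check described above, together with the AdminSDHolder/SDPROP explanation earlier in the thread, can be audited across all mailbox users at once. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module is available and uses a populated `msExchMailboxGuid` attribute as the marker for a mailbox-enabled user.

```powershell
# Added example (not from the thread): find mailbox users whose ACL does not
# inherit from the parent container, the condition the fix above corrects.
# Assumes the ActiveDirectory module (RSAT) and rights to read user ACLs.
Import-Module ActiveDirectory

# Assumption: a populated msExchMailboxGuid marks a mailbox-enabled user.
$filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'
$users  = Get-ADUser -LDAPFilter $filter -Properties adminCount

$report = foreach ($u in $users) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    if ($acl.AreAccessRulesProtected) {          # inheritance is switched off
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            # adminCount = 1: the account is, or once was, in a protected group.
            # For current members SDPROP will switch inheritance off again.
            AdminCountSet     = ($u.adminCount -eq 1)
            DistinguishedName = $u.DistinguishedName
        }
    }
}
$report | Sort-Object AdminCountSet, SamAccountName |
    Format-Table SamAccountName, AdminCountSet, DistinguishedName -AutoSize

# Re-enable inheritance only where SDPROP will not undo it. Off by default;
# set $Fix = $true after reviewing the report.
$Fix = $false
if ($Fix) {
    $report | Where-Object { $_ -and -not $_.AdminCountSet } | ForEach-Object {
        $path = "AD:\$($_.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Inheritance re-enabled for $($_.SamAccountName)"
    }
}
```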
Thanks to demazter and to ExpertsExchange for your help. I had spent about an hour banging my head attempting to resolve this issue until I remembered to log in here to search.

demazter, I sure hope that whoever you work for recognizes your expertise. Thanks for your help with this one. It is resolution to issues like this that makes me glad I subscribe to this portal.
Demazter works for himself (as I do) - but I am sure his boss recognises his expertise ;)
well he deserves to buy himself a nice dinner somewhere where he likes the ambiance.
Have set up a brand new 2008 R2 domain with 2010 Exchange. Experienced the same issue with iPhone not pulling email with ActiveSync, although the account settings were correct. After hours of troubleshooting all the usual suspects, it turns out that checking the inheritable permissions on the user profile did the trick. Excellent!! Thank you much