DavetheKing
asked on
iPhone and Exchange 2010
Good Morning,
I have setup my own Exchange 2010 server on Server 2008 x64 machine. I have setup owa with a SSL certificate from Go Daddy so if I open my browser and go to:
https://www.mydomain.com.au/owa
it works fine, the cert works fine. On my machine I have setup Outlook to connect and it pulls everything across correctly.
However while setting up my iPhone I choose add email account -> Exchange account.
put in my email address
username
password
next
it then brings up the server field (I think my autodiscover is broken)
in that field I put in:
www.mydomain.com.au
it thinks then says Exchange account verified. Done.
When I then hit "Mail" on the iPhone it pops up:
Cannot get mail
The connection to the server failed
I used to have an exchange 2007 server setup and Kieren_b was nice enough to help me out and get it fixed, sadly that machine died.
I have tried everything I can think of but I am out of ideas, any help would be much appreciated.
Thank you
ASKER
Thank you for your response.
The article for how to configure it is the same procedure I ran through. The iPhone verifies to the Exchange account but when I actually open mail it errors with:
Cannot get mail
The connection to the server failed
As for exchange connectivity test it failed if it tries to autodiscover however if I put in my server address manually: www.mydomain.com.au then it mostly passes. It does generate one warning though of:
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Validating certificate trust for Windows Mobile Devices
The test passed with some warnings encountered. Please expand additional details.
*******Additional Details
Certificate is only trusted on Windows Mobile 5.0 AKU2 (MSFP) and later. Windows Mobile 5.0 devices will not be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
********
Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Test is passing however there is some cert issue.
Can you export and then install the certificate on the iPhone, restart the device, and try to configure the profile again?
ASKER
Again thank you for your comments. I exported the certificate and sent it to myself and installed it. It is now installed on my iPhone profile. I restarted the device and recreated the profile.
Input email
Username
Password
Server name: www.mydomain.com.au
Exchange account verifies but same error when I hit mail:
Cannot get mail
The connection to the server failed
learning to hate that error ;D
Is this the domain used for OWA, "www.mydomain.com.au"? You need to type the name that is used for OWA.
And in domain name type your internal domain name.
ASKER
Correct, that is the domain I use. I also tried putting in the domain name and it still says it verifies the Exchange account correctly, but I still get the same error when I try to use mail.
Try to open OWA from the iPhone and see if it gives you some kind of error. Check if you can log in to OWA on the iPhone.
ASKER
already tested that. I can use the safari browser, navigate to :
https://www.mydomain.com.au/owa
it presents the Forms login screen, input my username and password and it loads my account fine.
No errors.
Can I ask a silly question :-)
Have you got SSL enabled on the profile?
When you configure iPhone by default it enables SSL.
Can you post result from Get-ActiveSyncVirtualDirectory | fl
ASKER
Okay thanks guys, I ran that command and this is the return:
[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl
RunspaceId : 2cb724e2-6e27-48f7-b07b-87c07a741640
MobileClientFlags : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled : True
SendWatsonReport : True
MailboxLoggingEnabled : False
MobileClientCertificateAuthorityURL :
MobileClientCertTemplateName :
ActiveSyncServer : https://www.firepixel.com.au/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers : Allow
RemoteDocumentsAllowedServers : {}
RemoteDocumentsBlockedServers : {}
RemoteDocumentsInternalDomainSuffixList : {}
MetabasePath : IIS://GreatHunt.firepixel.com.au/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled : True
WindowsAuthEnabled : False
CompressionEnabled : True
ClientCertAuth : Ignore
WebsiteName : Default Web Site
WebSiteSSLEnabled : True
VirtualDirectoryName : Microsoft-Server-ActiveSync
Path :
Server : GREATHUNT
InternalUrl : https://greathunt.firepixel.com.au/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalUrl : https://www.firepixel.com.au/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods : {}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=GREATHUNT,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=firepixel,DC=com,DC=au
Identity : GREATHUNT\Microsoft-Server-ActiveSync (Default Web Site)
Guid : 97a390c6-d8a9-4073-95f8-3a178cb8fc13
ObjectCategory : firepixel.com.au/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged : 27/11/2009 9:36:31 AM
WhenCreated : 26/11/2009 10:10:45 PM
WhenChangedUTC : 26/11/2009 10:36:31 PM
WhenCreatedUTC : 26/11/2009 11:10:45 AM
OrganizationId :
OriginatingServer : GreatHunt.firepixel.com.au
IsValid : True
I have left all my domain details in, will clear them out when I resolve this issue.
Cheers
We can try to recreate ActiveSync virtual directory
Remove
http://technet.microsoft.com/en-us/library/bb124752.aspx
New
http://technet.microsoft.com/en-us/library/aa998812.aspx
ASKER
thanks mate, will give that a go now.
Exchange needs an SSL certificate to cover autodiscover.domain.com and mail.domain.com. What domains does your SSL certificate cover? Is it a wildcard cert?
Try the tests at the below web site, they can be very useful...
https://www.testexchangeconnectivity.com/
Seeing OWA works correctly, I would suspect that your SSL certificate doesn't cover all your subdomains. It is possible to buy the cheapest SSL certificate at GoDaddy and when creating your request set the common name as *.domain.com, this will give you unlimited subdomains without paying the highest price!
Run the autodiscover tools at the above web site and let us know the outcome!
Demazter is right for existing users that have been upgraded from previous versions of Exchange. If you create a new user in Exchange 2010 IPhone sync will work without additional steps.
When I went to check the security tab in AD, it was not visible. I had to click the View menu then place a check beside Advanced Features.
When I checked the inheritable box, IPhone Sync worked for that existing user.
Note, I checked other users in my AD with mailboxes and some of them had this already checked. The only two that didn't have this box checked were the users that were using the IPhone syncing and were upgraded from Exchange 2007.
Just want to add here that I had the same exact issue and demazter is spot on, you have saved me loads of time.
ASKER
been overseas, sorry for the delay in replying.
Thank you dmlavigne1 that was what it was! All setup now, cheers.
@Davetheking - Your selected answer is just agreeing with Demazter's comment (and adding the View / Advanced Features option), yet you didn't award Demazter anything, despite him providing you with the solution. Did you close the question down correctly?
DaveTheKing,
Could you please follow up here.
PAQ_Man
Community Support Moderator
Experts,
I have reviewed this question but am unable to decide on an equitable form of closure. I need your help in doing so.
Please make your recommendations as to how this request should be closed. Your recommendations may include:
1) Delete / No Refund
2) Delete / Points Refunded
3) Accept one or more comments as the solution.
4) PAQ the question and store it in the knowledgebase, refunding the points
In the case of #3, please be specific and include the specific comment ID(s) which answer this question. To make it easier for us to process this request, when posting the comment ID(s) to use, please post them in the format http:#CommentID. For example, http:#12345678.
When making your recommendation, or if you are unsure what you should recommend, please keep the following in mind:
* Was a solution to the original problem found? If so, points should be awarded to the comment(s) which solved the problem.
* Did the Author solve the problem themselves, with Expert input? If so, you should recommend the Author's comment become the 'Accepted' solution, but recommend other Expert comments which should receive a 'split' of their points for contributing to the final solution.
* Did the Author solve the problem without using any of the Expert's advice? If so, the question should be PAQ'ed with points refunded.
* If no solution was found, the question should be deleted. Points should not be refunded if the Author has not followed-up on any Expert suggestions or requests in the thread.
A Moderator will review this question in approximately 4 days, and will take action to close it at that time. Depending on the recommendations provided, the Moderator may either implement these recommendations, or they may select a more equitable form of closure for this question. If anyone participating in this question does not respond to this request, we will assume you are no longer interested in the final disposition of this question; this may affect how the question is closed and may disadvantage you in terms of points.
If you have any questions, please also post them below and a Moderator will be more than willing to address your concerns.
Thanks for using Experts Exchange!
SouthMod
Community Support Moderator
I provided the correct solution in comment ID: http:#26178619 18 days before the accepted answer.
Agree with Demazter - I even wrote a blog article about it!
http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/
Correct answer should be http:#a26178619
Well, I guess once you figure out HOW to make that permissions visible and look at the solution and determine WHY it is happening then it is the solution.
His suggestion led me to the solution and the conclusion, but it was not either and would not solve the problem for an organization, or tell you why it is happening. It does solve the problem on a user by user basis.
I guess the person that posts the rudimentary answer without instructions or reason or examples gets the full credit :rolleyes:
I posted the full solution because I thought it would save time for others and gave full answer.
I don't see any further explanation in your post.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
I don't see that in your entry?
Thanks demazter, saved thine bacon yet again.. Am going through the sbs migration article and that was a gotcha for me... Thanks mate.
try this
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/
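A scripted form of the inheritance check described in the post above, together with the AdminSDHolder / SDPROP behaviour explained earlier in the thread. This is an added example, not code from any participant in the thread; the two function names are hypothetical, and it assumes the ActiveDirectory PowerShell module (RSAT) is available and that the account running it may read and write user ACLs.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: read-only audit of mailbox-enabled users whose ACL has
# inheritance switched off (the unticked box on the Advanced Security page).
function Get-MailboxUserWithBlockedInheritance {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # homeMDB is only populated on mailbox-enabled accounts.
    $filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'

    # adminCount = 1 means SDPROP has stamped the account at some point, i.e.
    # it is or was a member of a group protected by AdminSDHolder.
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount';      Expression = { $_.adminCount } },
            @{ Name = 'StampedBySdProp'; Expression = { $_.adminCount -eq 1 } }
}

# Hypothetical helper: re-enable inheritance on one user, the scripted form of
# ticking the box. Accounts with adminCount = 1 are skipped: if they are still
# in a protected group, SDPROP resets the ACL from AdminSDHolder again.
function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $user = Get-ADUser -Identity $DistinguishedName -Properties adminCount
        if ($user.adminCount -eq 1) {
            Write-Warning "$($user.SamAccountName): adminCount=1, skipped. Review protected group membership first."
            return
        }

        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting

        # isProtected = $false turns inheritance back on; the second argument
        # is ignored in that case.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Review the audit output first, then preview the change without writing:
#   Get-MailboxUserWithBlockedInheritance | Format-Table -AutoSize
#   Get-MailboxUserWithBlockedInheritance | Enable-AclInheritance -WhatIf
```

For accounts that are still members of a protected group, the lasting fix is to sync mail from a separate non-privileged mailbox account rather than re-ticking the box after every SDPROP run.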
Thanks to demazter and to ExpertsExchange for your help. I had spent about an hour banging my head attempting to resolve this issue until I remembered to log in here to search.
demazter I sure hope that whoever you work for recognizes your expertise. Thanks for your help with this one. It is resolution to issues like this that makes me glad I subscribe to this portal.
Demazter works for himself (as I do) - but I am sure his boss recognises his expertise ;)
well he deserves to buy himself a nice dinner somewhere where he likes the ambiance.
Have set up a brand new 2008 R2 domain with 2010 Exchange. Experienced the same issue with iPhone not pulling email with ActiveSync, although the account settings were correct. After hours of troubleshooting all the usual suspects, it turns out that checking the inheritable permissions on the user profile did the trick. Excellent!! Thank you much
http://support.apple.com/kb/HT2480
Use https://www.testexchangeconnectivity.com/ to check the connectivity and post the results. Make sure Microsoft-Server-ActiveSyn