
Exchange 2003 - Activesync Connection Problems FAQ

Alan Hardisty, Co-Owner
I kept seeing questions about problems getting iPhones, Windows Mobile phones and, more recently, iPads to work with Activesync on Exchange 2003. After answering several of them, I decided to write this article to help others solve their problems, covering all the possible scenarios that I had faced when tackling these problems.

So, here is my guide to solving (most) Exchange 2003 and Activesync issues:

Pre-Requisites:


1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed.  Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!

To check if you have it installed, open up Exchange System Manager (Start> Programs> Microsoft Exchange> System Manager).  Then expand Servers, Right-Click your server and choose Properties.  This will display whether you have SP2 installed or not.

If you do not have SP2 installed you can download it here – http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

2. Ensure that TCP Port 443 is open (and forwarded) on your firewall to your Exchange server.  You don't need to open up any other ports to get Activesync working, just TCP port 443.  You can check this on your Exchange Server at http://www.canyouseeme.org and you should see ‘Success’ if the port is open and forwarded correctly.  If it isn't open and forwarded, check your router and make sure you have the settings configured correctly.

3. Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’, then right-click on the relevant Virtual Directory (see below), choose Properties and click on the Directory Security Tab:

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany* (no more than 15 characters)
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany* (no more than 15 characters)
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked


Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany*
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•      IP Address Restrictions = Restricted to IP Address of Server
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

* yourcompany can be determined by opening up a command prompt (Start> Run> [type] cmd [press enter]) and then typing ‘SET’ and pressing enter.  The variable ‘USERDOMAIN’ is the info you should use for ‘yourcompany’.  Most often – this is not required, but I have seen instances where simply adding this info has made Activesync work.

5. ASP.NET should be set to version 1.1 for all virtual directories listed above.  If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

6. Make sure that you have HTTP Keep-Alives enabled.  Right-Click on the Default Web Site and choose Properties.  On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box and click OK.

7. Check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button.  This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA).  If it is not there – no worries.

IPV6

Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync.  (Start> Run> [type] ncpa.cpl [press enter]) Right-click on your Local Area Network Connection and choose Properties. Look under ‘This Connection Uses The Following Items:’ for Internet Protocol (TCP/IP) v6 – if it exists – uninstall it and reboot.

8. Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS manager, Right-Click the Default Website and choose Properties, then click on the Advanced button).

If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync!  Also make sure that you are not using any Host Headers on the Default Website because this can also break Activesync.

If you make any changes to IIS, you will need to reset IIS settings.  Please click on Start, Run and type IISRESET then press enter.

SSL Certificate

Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync - for example, mail.microsoft.com.  To check, right-click on the Default Web Site in IIS, choose Properties, click on the Directory Security Tab and then on the View Certificate Button.

If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

If you have a Small Business Server and don’t want to buy a 3rd Party SSL certificate, just re-run the ‘Connect To The Internet Wizard’, (Start> Server Management> To-Do List> Connect to the Internet).

Click Next.  If the Wizard detects a Router – click No to leave the configuration alone.

Make sure ‘Do not change connection type’ is selected and click Next.

Leave the Web Services Configuration Settings as they are and click Next.

Select ‘Create a new Web server certificate’ and enter a ‘Web server name’ e.g., mail.yourdomain.com and click Next.

Select ‘Do not change Internet e-mail configuration’ and click Next.

Click Finish to complete the Wizard.

If you have Windows Mobile Phones, Activesync is much easier to get working with a purchased SSL certificate.  If you have a self-created SSL certificate and use Windows Mobile Phones, you will have to install the SSL certificate onto each and every Windows Mobile Phone that you want to use with your Exchange 2003 server.  If you only have a handful of devices, then it won’t take long to do, but if you have dozens, a £30 1-Year SSL certificate is probably a very good investment.  You can purchase a cheap, trusted SSL certificate from http://exchange-certificates.com that will work happily.

Windows Mobile Phone / iPhone Settings:


Email Address: Your Users Email Address
Server: Whatever name you have on your certificate e.g., mail.yourdomain.com (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: The CORRECT password!
Description: Whatever you want to call the Account


Testing:


If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do NOT check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the "Ignore Trust for SSL" checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App 'Activesync Tester' and this should identify any problems with your configuration, or download the version for your PC from https://store.accessmylan.com/main/diagnostic-tools

Various Activesync Errors / Solutions:


REMEMBER - If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Activesync Error 0x86000108:
Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) – http://support.microsoft.com/kb/950796/en-us

Application Event Log 3005 Errors:
A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.
For Small Business Server 2003 Users - please read this MS article - http://support.microsoft.com/kb/937635

Inconsistent Sync:
If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
ProactiveScanning      REG_DWORD      1

HTTP 401 Error:
If you are getting an HTTP 401 error when testing on https://testexchangeconnectivity.com then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:
Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab).  If it is – please read http://support.microsoft.com/kb/817379 and create an exchange-oma virtual directory following the instructions in the KB article.

I have had Activesync work despite seeing "An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>" at the end of the test above.  To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server - http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx

Also check to see if it is enabled on a user by user basis - http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx

HTTP 500 Error:
If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 (http://support.microsoft.com/kb/883380) and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists.  Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication - Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected - hopefully this should work or give the OK result
• If okay - right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as 'EntireRegistry' and save the backup of the registry to the desktop
• In regedit - locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the 'Select a configuration to import' section and click on OK. Select 'Create a new virtual Directory' and name the directory 'exchange-oma' and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse - you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync – it should hopefully be working now!

If the above fails, please check your event logs for Event ID 9667 - Source MSExchangeIS.  If this event exists, please have a read of MS KB820379 - http://support.microsoft.com/default.aspx?kbid=820379

In a recent question on EE, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

isinteg -s servername -fix -test alltests

Select the dismounted database and let the check run.  If you see 0 errors and 0 fixes, then all is well.  If not, please re-run the test until you do (as many times as it takes - two usually is sufficient).

If you are still reading this article and are still seeing HTTP 500 errors, then we need to check the settings on the EXCHWEB Virtual Directory in IIS Manager.

Exchweb Virtual Directory
•      Authentication = Anonymous
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin Directory
•      Authentication = Basic
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth Directory
•      Authentication = Anonymous
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth \ USA Directory
•      Authentication = Basic
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

REMEMBER - If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.
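
A local counterpart to the manual check in the Testing section, as an added example (not the author's or Microsoft's code): one authenticated OPTIONS request to the Microsoft-Server-ActiveSync virtual directory of your own server, with the reply mapped to the SSL Certificate section and the HTTP 401, 403 and 500 sections above. The function names, result codes and sample replies are constructed for illustration, and treating protocol version 2.5 as the sign of SP2 is an assumption.

```python
import base64
import http.client
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"  # virtual directory named in this article

def basic_auth(domain, user, password):
    """Basic credentials in the DOMAIN\\user form the device settings produce."""
    raw = f"{domain}\\{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def triage(status, headers):
    """Return (code, section of this article to read next) for an OPTIONS reply."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        versions = [v.strip() for v in hdrs.get("ms-asprotocolversions", "").split(",")]
        if versions == [""]:
            return ("not-eas", "reply is not from ActiveSync: check where port 443 is forwarded")
        if "2.5" not in versions:  # assumption: 2.5 is the version SP2 added
            return ("pre-sp2", "protocol 2.5 missing: check the service pack level")
        return ("ok", "ActiveSync answered with versions " + ",".join(versions))
    if status == 401:
        return ("auth", "HTTP 401 Error: username, password or IP address restrictions")
    if status == 403:
        return ("forbidden", "HTTP 403 Error: forms based authentication or ActiveSync not enabled")
    if status == 500:
        return ("server", "HTTP 500 Error: KB883380, then the exchange-oma steps")
    return ("other", f"HTTP {status} is not covered by this article")

def probe(server, domain, user, password, ignore_trust=False, timeout=15):
    """Send one authenticated OPTIONS request to your own server and triage it."""
    ctx = ssl.create_default_context()
    if ignore_trust:  # self-certified certificate: the "Ignore Trust for SSL" case
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(server, 443, timeout=timeout, context=ctx)
    try:
        conn.request("OPTIONS", EAS_PATH,
                     headers={"Authorization": basic_auth(domain, user, password)})
        resp = conn.getresponse()
        resp.read()
        return triage(resp.status, dict(resp.getheaders()))
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, or a certificate name that does not match `server`.
        return ("cert", "SSL Certificate: " + exc.verify_message)
    except ssl.SSLError as exc:
        # For example a current client refusing the old TLS version on offer.
        return ("tls", "TLS handshake failed: " + str(exc))
    finally:
        conn.close()

# Constructed replies (not captured from a real server) showing the triage.
SAMPLE_OK = (200, {"MS-ASProtocolVersions": "1.0,2.0,2.1,2.5", "Allow": "OPTIONS, POST"})
SAMPLE_401 = (401, {"WWW-Authenticate": 'Basic realm="yourcompany"'})

if __name__ == "__main__":
    for status, headers in (SAMPLE_OK, SAMPLE_401):
        print(status, triage(status, headers))
```

Call `probe("mail.yourdomain.com", "yourdomain", "User123", password)` from outside your firewall, passing the same Server, Domain and Username values you enter on the phone. Windows Server 2003 offers nothing newer than TLS 1.0, so a current Python build may return the `tls` result before any HTTP status is seen.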

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily.  If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

RECENT UPDATE (10/01/12) - A piece of software called Hide Folders 2009 has been found to install a service called "FSPRO Filter Service" and a dll called FSPFltd.sys (in c:\windows\system32\drivers).  This program breaks Activesync.  If you have Activesync part working / part not working, please check your server for this software and if it is there - disable the service, move / delete the .dll file and restart your server.  Once restarted, Activesync should return to normal functionality!

If you are still not working – then you will probably have to call Microsoft to get support from them as something else not covered by this article is causing your problems.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far - and hopefully fixing your problems - if you have found this article helpful, please vote for it at the top of the page : )

This article has currently been accepted as the solution in 353 questions on Experts-Exchange.  If you use this article as a result of it being posted in a question on EE, please accept the comment that this article was posted in as the solution : )

Comments (158)

Alan Hardisty, Co-Owner (Author) commented:
Exchange 2013 doesn't need an article - in Exchange 2010 you can reset the virtual directories really easily and I've only played with one 2013 server (in Italy - in Italian) and would imagine that you can do the same on that too, so not much effort required to get it working!  I need to build my own to play with but haven't had the chance yet.

Install a 3rd party SSL certificate on any Exchange server (from 2007 onwards) and Activesync just works out of the box.

Are you having problems?

Reece, ICT Consultant, commented:
Hi Alan

I'm currently working on resolving a smartphone issue with AS for our 2003 exchange box (https://www.experts-exchange.com/questions/28475856/I-broke-ActiveSync-on-our-Exchange-2003-server-help.html) and as I read through your article, I just want to confirm that for the Microsoft-Server-ActiveSync authentication settings you mention that Realm: needs to be the NETBIOS name.

The NETBIOS domain name (same as default domain) or the NETBIOS computer name?  Or some other NETBIOS name?

Alan Hardisty, Co-Owner (Author) commented:
As per my slightly more updated Blog article:

http://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/

"The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm.  MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above."

The Realm is the NETBIOS domain name if you want / need to enter it.

Alan
Good post, thanks for the info.
