bboitano
asked on
Exchange Activesync - FolderSync command test failed
Getting this error when using testexchangeconnectivity.com
Attempting to Resolve the host name domainmail.dynalias.com in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: 213.xx.xx.xx
Testing TCP Port 443 on host domainmail.dynalias.com to ensure it is listening/open.
The port was opened successfully.
Testing SSL Certificate for validity.
The certificate passed all validation requirements.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname domainmail.dynalias.com in Certificate Subject Common name
Testing certificate date to ensure validity
Date Validation passed. The certificate is not expired.
Additional Details
Certificate is valid: NotBefore = 9/17/2009 8:59:08 AM, NotAfter = 9/17/2014 8:59:08 AM
Testing Http Authentication Methods for URL https://domainmail.dynalias.com/Microsoft-Server-Activesync/
Http Authentication Methods are correct
Additional Details
Found all expected authentication methods and no disallowed methods. Methods Found: Basic
Attempting an Activesync session with server
Errors were encountered while testing the ActiveSync session
Test Steps
Attempting to send OPTIONS command to server
OPTIONS response was successfully received and is valid
Additional Details
Headers received: MicrosoftOfficeWebServer: 5.0_Pub
Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Thu, 17 Sep 2009 15:59:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Attempting FolderSync command on ActiveSync session
FolderSync command test failed
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
Testing so that I can set up iPhone Activesync (once the problems with the 3.1 OS are ironed out!) so that the MD and FD of our company can get email.
We are running SBS 2003 fully patched.
How do I fix it :) Thanks
Hi bboitano - Had a lovely one thanks - hope you did too.
If you get stuck anywhere - please let me know but hopefully I have covered all eventualities in my FAQ and it should get you going unless your server is really poorly.
ASKER
Hi Alan,
Ran through your FAQ and ensured that everything is configured as you suggest.
And it works like a charm :)
You are a start - thank you very much
ASKER
I meant star, not start :S
Glad it helped - thanks for the points.
Alan
The link can now be found at Google Cache
http://74.125.77.132/search?q=cache:http://www.it-eye.co.uk/faqs/readQuestion.php?qid=1
Top job!! Big thanks for taking the time to make a definitive FAQ A*
Thanks - I have added your comments to the bottom of the FAQ!
ok i really hate when people post links to external sources for the answer - those links go away. thanks for the google cache, but that doesnt seem to work right for me, so, i'll just paste it here for future reference:
FAQ
Question: Why can't I get my iPhone / Windows Mobile Phone to sync to my Exchange 2003 Server?
Answer:
Firstly, you need to make sure that you have Exchange Server 2003 Service Pack 2 Installed. To check if you have it installed, open up Exchange System Manager - Start, Programs, Microsoft Exchange, System Manager. Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not. If you do not have SP2 installed you can download it here - http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en
If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity. The test will fail if you use a self-signed SSL certificate, in which case, you'll need to check the "Ignore Trust for SSL" checkbox. On the ActiveSync test page, you are asked whether you wish to use Autodiscover to detect the settings or to manually specify server settings. Exchange 2003 does not have native autodiscover, so you will most likely need to choose the latter option and provide the server name.
If you are trying to make an iPhone work, then you can also download the free iPhone App 'Activesync Tester' and this should identify any problems with your configuration or you can click on the following link: https://store.accessmylan.com/main/diagnostic-tools
You also need to ensure that TCP Port 443 is open and forwarded on your firewall to your Exchange server. You don't need to open up any other ports to get Activesync working, just TCP port 443.
Please check and mirror the settings below (Open up IIS, expand the default website then expand the relevant Virtual Directory, right-click on the Virtual Directory and choose properties, then click on the Directory Security Tab):
Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name - e.g., yourcompany
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Require SSL NOT ticked
Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name - e.g., yourcompany
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked
ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.
No other virtual directories are involved when using Activesync (apart from exchange-oma on SBS 2003 or when Forms Based Authentication is enabled) - despite having seen other postings suggesting that there are.
Although requiring SSL on the virtual directories mentioned above would be recommended, Microsoft actually recommend disabling it as per the following article in their knowledgebase: http://support.microsoft.com/kb/817379 Nevertheless, ActiveSync and OWA access should still run over a secure HTTPS session (port 443), as standard procedure states you should not open port 80 to the Exchange Server through your firewall.
Please also check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not set up the ability to reset passwords via Outlook Web Access (OWA).
For Small Business Server 2003 Users - please check this MS article - http://support.microsoft.com/kb/937635
Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync - for example, mail.microsoft.com. If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.
Activesync is much easier to get working with a purchased SSL certificate (installed on the default website but you can generate your own and still make it work). GoDaddy seem to be offering the cheapest SSL certificates (at the time of writing this article).
Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS, Right-Click the Default Website). If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync!
If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.
Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is -- read http://support.microsoft.com/kb/817379
Once all of the above has been checked, if you have made any changes, please re-visit https://testexchangeconnectivity.com and your test should now pass all checks and Activesync should be working happily for you.
If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in KB Article 883380 http://support.microsoft.com/kb/883380 and this should resolve the issues. This essentially deletes the Metabase (which can be corrupted) and rebuilds it. Rebuilding it often clears up problems that all the other steps above do not resolve.
After following KB883380 and if Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:
• Disable Forms Based Authentication - Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test activesync without SSL selected - hopefully this should work or give the OK result
• If okay - right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as 'EntireRegistry' and save the backup of the registry to the desktop
• In regedit - locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the 'Select a configuration to import' section and click on OK. Select 'Create a new virtual Directory' and name the directory 'exchange-oma' and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse - you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory
• Enable Forms Based Authentication (if you want to use it) on Exchange> Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync - should hopefully be working now
Please also check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).
I have had Activesync work despite seeing "An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: HTTP/1.1 403 Forbidden" at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.
Comments received relating to this FAQ:
From Charles:
Just wanted to say what a fantastic guide this was.
Having spent an hour or so getting nowhere yesterday, I had it up and running within 15 minutes of reading your webpage.
From Raheem:
I was pulling my hair out when I first setup iphone / exchange. Took nearly 4 days before I landed on your post and was up and running in mins!
From iopadmin:
I want to let you know that your FAQ on Activesync Connection problems saved the day! After going through your document and also using the tools you provided I was able to successfully get activesync working on our existing Exchange server. I can't thank you enough for your thorough and detailed info. We are now successfully delivering Exchange mail to iPhones!
From TecJosh:
Top job!! Big thanks for taking the time to make a definitive FAQ A*
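Added example, not part of the thread or of the FAQ: a Python triage of the connectivity-test output from the question, mapping the OPTIONS headers and the FolderSync status code to the FAQ steps that apply. The sample headers are copied from the question; the function names and finding codes are assumptions made for this illustration.

```python
# Added illustration: triage one ActiveSync connectivity-test run.
# SAMPLE_OPTIONS_HEADERS is the header block quoted in the question above.
SAMPLE_OPTIONS_HEADERS = """\
MicrosoftOfficeWebServer: 5.0_Pub
Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Thu, 17 Sep 2009 15:59:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
"""


def parse_headers(raw):
    """Return {lowercased-name: value}; lines without a colon are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def csv_field(headers, name):
    """Split a comma-separated header value into a clean list."""
    return [v.strip() for v in headers.get(name, "").split(",") if v.strip()]


def triage(raw_options_headers, auth_methods, foldersync_status):
    """Return a list of (severity, code, hint) tuples for one test run."""
    h = parse_headers(raw_options_headers)
    findings = []

    # Without these headers the reply did not come from the ActiveSync directory.
    if "ms-server-activesync" not in h and "ms-asprotocolversions" not in h:
        return [("error", "NOT_ACTIVESYNC",
                 "OPTIONS reply carries no ActiveSync headers; check that TCP 443 "
                 "is forwarded to the Exchange server")]

    # ActiveSync commands are sent as HTTP POST requests.
    if "POST" not in csv_field(h, "allow"):
        findings.append(("error", "POST_NOT_ALLOWED",
                         "virtual directory does not allow POST"))
    if "FolderSync" not in csv_field(h, "ms-asprotocolcommands"):
        findings.append(("error", "FOLDERSYNC_NOT_ADVERTISED",
                         "server does not list FolderSync; check Exchange 2003 SP2"))

    # FAQ baseline for Microsoft-Server-Activesync: Basic only, with Require SSL.
    if sorted(m.lower() for m in auth_methods) != ["basic"]:
        findings.append(("warn", "UNEXPECTED_AUTH",
                         "FAQ baseline is Basic only on Microsoft-Server-Activesync"))

    banners = [n for n in ("server", "x-powered-by", "ms-server-activesync") if n in h]
    if banners:
        findings.append(("info", "VERSION_DISCLOSURE",
                         "product/version banners visible on port 443: "
                         + ", ".join(banners)))

    if foldersync_status == 403:
        findings.append(("action", "FOLDERSYNC_403",
                         "FAQ: Exchange System Manager > Global Settings > Mobile "
                         "Services Properties > Device Security > Exceptions"))
    elif foldersync_status == 500:
        findings.append(("action", "FOLDERSYNC_500",
                         "FAQ: follow Method 2 in KB 883380 (metabase rebuild)"))
    elif foldersync_status != 200:
        findings.append(("action", "FOLDERSYNC_OTHER",
                         "unexpected status %d; re-check the IIS settings list"
                         % foldersync_status))
    return findings


if __name__ == "__main__":
    # Values from the question: Basic auth only, FolderSync answered 403.
    for severity, code, hint in triage(SAMPLE_OPTIONS_HEADERS, ["Basic"], 403):
        print("%-6s %-26s %s" % (severity, code, hint))
```
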
Technically we are not allowed to post external content on EE as it can breach copyright laws, so that is why we can only post the link.
There is also an EE article here:
https://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2003-Activesync-Connection-Problems-FAQ.html
Also - my FAQ will get updated from time to time and if you post the article, that post won't get updated, so it is a better idea to just leave the link and not copy / paste.
That's all well and fine, until the link rots :/
I see what you mean though - just can't win I guess
Damned if you do and damned if you don't.
FYI - the link to the IT-Eye site is on my own server, so as long as I am alive and the electricity company doesn't pull the plug that should be fine.
oh - i see it's up now... i got 404 earlier today - maybe it was firefox and flashblock and noscript that did it, or something
using internet explorer, i really like the look of your site - a lot :)
ok done turning this thread into a chat room bye
Thanks - it was done professionally.
Site was down for a short while today but back again now. Needed to install FTP, installation required a CD and killed web sites until it had the CD. I was working remotely.
vg jm
Thanks for the FAQ.
Does it have 2007 version also, please share the link OR doc itself..
YOU ARE A LIFE SAVER !
ASKER
Hope you had a good weekend, I'll go over your FAQ today and report back.
Many thanks