
Microsoft Exchange ActiveSync Event ID: 3005 ... how to resolve?

Posted on 2006-03-21
Last Modified: 2011-08-18
Hi folks,

I hope someone can help me troubleshoot this. I have been having a constant HTTP 500 problem getting users to have DirectPush technology on our Exchange Server 2003.

Here is some hardware background information:

Front-End server:
Exchange 2003 SP2 with Windows Server 2003

Back-End Server:
Exchange 2003 SP2 with Windows Server 2003

We have tried the following articles
Deleting and recreating Microsoft-Server-ActiveSync in IIS
http://hardware.mcse.ms/archive35-2005-12-262517.html

Problems in Synchronizing a Pocket PC with Exchange Server 2003 when using SSL and Forms-Based Authentication in OWA
http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

And ..
How did we setup our Exchange for OWA, OMA, ActiveSync and RPC over HTTPS
http://www.howtonetworking.com/email/oma1.htm

But we still seem to have the problem.. The exact event ID error is the common:

Event Type:      Error
Event Source:      Server ActiveSync
Event Category:      None
Event ID:      3005
Date:            3/21/2006
Time:            10:02:53 AM
User:            XXX\YYY
Computer:      FRONT-END
Description:
Unexpected Exchange mailbox Server error: Server: [XXX.XXX.XXX] User: [XXXX@ZZZ.com] HTTP status code: [400]. Verify that the Exchange mailbox Server is working correctly.

I know this has been severely discussed before, but it seems that all available options do not work.  I almost feel compelled to call M$ and pay some money, but hopefully this answer can be the 'end all solution' to everyone's problem.

Thanks and look forward to your responses,
Kit
Question by:kitkit201

Author Comment

by:kitkit201
ID: 16250280
BTW, The event ID error is shown on the Front end server

Expert Comment

by:Sembee
ID: 16250601
Those instructions you followed were for an SBS system - the rules are slightly different with a frontend/backend. As such, this will not be the end all solution question because most people don't run frontend/backend scenarios.

The articles on forms based authentication and EAS don't apply to you - because you are on FE/BE.

Does OMA work? EAS uses the OMA infrastructure to connect and it is easier to diagnose.
Is the frontend server working correctly? If you connect to OWA does the URL stay the same or does it redirect you to the backend server?

Simon.


Author Comment

by:kitkit201
ID: 16250971
Hi Simon-

Does OMA work?
-->OMA works on a PC and works on the mobile we are trying to configure (Tmobile MDA)

If you connect to OWA does the URL stay the same or does it redirect you to the backend server?
-->When we type http://weboutlook.website.com/exchange , it transfers us to https://weboutlook.website.com/exchweb/bin/auth/owalogon.asp?url=https://weboutlook.website.com/exchange/&reason=1 for the FBA login page. After logging in, it goes back to https://weboutlook.website.com/exchange . We have it forced to HTTPS and FBA for OWA.

Thank you,
Kit

Expert Comment

by:Sembee
ID: 16251161
You need to remove the require SSL. That breaks EAS.

What I was more interested in was whether the URL did something like...

https://webmail.domain.com
http://server1.domain.com

ie redirected to a different server altogether. That is an indication that the frontend feature isn't working.

Simon.

Author Comment

by:kitkit201
ID: 16251973
Simon-

Not sure why I would remove the SSL? What does EAS stand for? SSL is on OWA for PC user access and that has been working fine.

ie redirected to a different server altogether. That is an indication that the frontend feature isn't working.
-->This is not happening. When it gets into the mailbox from the front-end server, the URL stays as https://weboutlook.website.com/exchange (no server name)

Kit

Expert Comment

by:Sembee
ID: 16252066
EAS = Exchange Active Sync

There is a quirk with EAS. It makes an internal communication over http to the /exchange virtual folder. Forcing SSL on the /exchange virtual folder breaks EAS. It is buried in this article: http://support.microsoft.com/default.aspx?kbid=817379

I am not asking you to remove SSL, just remove the setting that REQUIRES SSL on that virtual folder.

Simon.

Author Comment

by:kitkit201
ID: 16252452
I see Simon

From what I can see, on the front-end server, it has /exchange, /exchange-oma (the virtual server created as an offspring of /exchange).
/exchange has Basic Authentication, SSL
/exchange-oma Integrated and Basic Authentication, No SSL

The back-end server has the same virtual folders: /exchange /exchange-oma.
/exchange has Integrated and Basic Authentication, No SSL
/exchange-oma has Integrated and Basic Authentication, No SSL

My Mobile user says now there is a 409 error on his page. He gets an error when he deletes an email on his pda and then does a send/receive....

Feeling we are getting close, but not close enough

Author Comment

by:kitkit201
ID: 16252538
Are my settings correct, Simon?

Expert Comment

by:Sembee
ID: 16252767
By SSL what do you mean?
Do you mean that there is a requirement for SSL to be used to connect?

Simon.

Author Comment

by:kitkit201
ID: 16252812
When I say "SSL", I meant that the checkbox in IIS Properties of /exchange, Directory Security, Secure Communications, Edit "Require Secure channel (SSL)" is checked.

Author Comment

by:kitkit201
ID: 16252838
I changed 1 setting and got my PDA user to sync, and his error code changed from 409 to 400.

The change I made was in the front-end server /exchange. I checked the "Integrated Authentication" which changed his error from 409 to 400...

Expert Comment

by:Sembee
ID: 16252846
Ok - that needs to be removed on the /exchange virtual directory.
It causes problems with EAS when it is enabled.

The site will still use SSL for communications.
To give you an idea - I usually refuse to open port 80 to production sites, including my home Exchange server. However with the requirement for SSL off, but only port 443 open, everything works correctly.

Simon.

Author Comment

by:kitkit201
ID: 16252883
Changed exchange on the front-end back to not having it be Integrated Authentication

On our firewall, weboutlook.website.com is open to 80 and 443... what now?

Expert Comment

by:kitster510
ID: 16263279
ActiveSync over the air works fine (meaning it updates the device and exchange server) but then throws the 3005 error (Http 400)... on the device and on the front-end server.

Expert Comment

by:gizmobug
ID: 16263515
Just a clarification here. No error is thrown on the device, only on the front-end exchange server. Initiating a sync wirelessly on the device works fine (things are updated) but then the event error is thrown.
Also, no DirectPush works. Just the 15 minute normal over the air activesync (with event error).
We tried the same process with a newer exchange user and had the same results, although interestingly, we had a 409 error then followed by the usual 400 errors.

Expert Comment

by:Sembee
ID: 16263936
With the direct push, do you have a device that has that feature enabled? If so, I suspect that direct push is not working because the connection is being dropped by the error. Direct push works by maintaining a connection between your server and the handheld.

The latest issue I have heard is with multiple homed or multiple IP addresses on the machine.
Something about the Active Sync process having to find the server itself to connect correctly. This would tally up with the requirement to ensure that Require SSL connection is not enabled on certain folders that would appear at first glance not to have anything to do with the sync process.

Simon.

Expert Comment

by:gizmobug
ID: 16271997
The feature on the MDA is enabled. The CommManager has the Microsoft DirectPush button. We are still getting errors from the BE server (the HTTP 400 error - event 3005). We tried some other items and that killed OWA and we had to roll back. Any more advice?

Expert Comment

by:gizmobug
ID: 16274208
Update. We did have 2 IP addresses on the single NIC. We deleted one and still get the same issue.

Also, something interesting. If I turn OFF the DirectPush, and initiate an over the air sync or a send and receive on the device, we do NOT get the 3005 error.

If I turn ON the DirectPush on the device, we DO get the error. In fact, we get it as soon as the DirectPush button is clicked.

Grrrrrr!

Expert Comment

by:Sembee
ID: 16274850
Does the sync actually complete successfully with Direct Push disabled?

If so, then it might be a problem with the Direct Sync mechanism and your firewall.
I have heard that some firewalls cannot cope with the extended length of the packet that is used for Direct Sync. If the firewall has any kind of http inspection facility enabled it may cause a problem.

As you can probably appreciate it is early days with this technology, and troubleshooting is a challenge.

Simon.

Expert Comment

by:gizmobug
ID: 16274994
Yes. With DirectPush disabled there is no problem doing an OTA sync and no entry in the event log. I will have IT check about the firewall. Thanks for your help!

Author Comment

by:kitkit201
ID: 16276658
Thank you for your help thus far Simon-

As for our firewall, we are using a Cisco firewall and we set the UDP timeout to be 15 mins. (I'm assuming Direct Push Technology is using this protocol).

Expert Comment

by:Sembee
ID: 16285667
It is standard http packets, so should be TCP not UDP.
There isn't much from Microsoft on the firewall configuration.
So far this is all we have to go on (that I can share with you anyway) http://support.microsoft.com/default.aspx?kbid=905013

Simon.

Author Comment

by:kitkit201
ID: 16336917
Hi Simon,

We have a good update, but are ever so close to solving this situation. After finding an article (http://groups.google.com/group/microsoft.public.pocketpc.activesync/browse_frm/thread/96a012d52673c49b/22bdad20f97e9745?lnk=st&q=activesync+3005+http+400&rnum=1#22bdad20f97e9745) that described our HTTP 400 problem, we at least resolved the error, but now the DirectPush technology is not working.

We had to do this on our end
1) Edit a host file at c:\windows\system32\drivers\etc\hosts with an entry for the public IP address of the weboutlook, but with the Windows name + Domain as a DNS entry.
2) Added local DNS for the weboutlook and back-end exchange servers with their FQDN and internal IP address

These two changes have resolved the problem, but when I send an email to my co-worker, the emails are still not "directly pushed" like you would expect a BlackBerry to be like.  Although we are not getting any errors, he has to wait 5 mins for send/receive or manual sync in order to get the email.

I believe you have a point in that they are standard HTTP packets. Running Ethereal on the WebOutlook Server, we noticed that they are https packets using TCP, rather than UDP.  In our case, we have a Cisco 515 PIX but it's not clear how to change the timeout to not timeout so quickly with https. We believe that is the issue at this moment.

Maybe you ran into something this week that could shed some more light on this situation. Thanks and hope to hear from you soon.

Kit

Accepted Solution

by:Sembee
ID: 16339632
I had seen that resolution before.

What I couldn't work out is what that poster had done to their server to make all of the IP addresses go in to DNS.
My Exchange server at home has 40 IP addresses on it as I put each web site that I work with on to its own IP address rather than use host headers. Yet the only IP address that appears in the AD DNS is the master one of the server - as such I don't have to make any of the changes that are outlined in that posting.

I also dislike hosts files with a passion and will do everything that I can to avoid using them in any deployment I am involved in.

I have deployed push through a couple of PIX 501s recently, without any problems. However it is still early days with this technology and if there have been any changes required, they aren't in the public domain yet.

Simon.

Author Comment

by:kitkit201
ID: 16421201
Thanks Simon for all your help,

Well, it seems like we have resolved the issue.. my co-worker was out of office last week so we could not test it since his GSM network lacked coverage..

We last left off at the heartbeat situation, and this morning, he mentioned that there was the Event ID: 3033 error. Googling led to the MS article (http://support.microsoft.com/Default.aspx?kbid=905013) so I looked at the 4 registry hacks...

The Outlook server had the MaxHeartbeatInterval set as 2700 (secs) while the Back End Exchange Server was only set to 900 (secs). Changed the BE-ES to 2700 secs. Restarted IIS and then my co-worker informed me that it just started to work. Sending an email to him, it pushed out in less than 10 secs to him.

Great! I am ecstatic this finally worked out...

For those that want to read what we did, please read this entire thread and it should work.

Cheers,
Kit

Expert Comment

by:GarrethSpeer
ID: 24649542
We had a similar situation where DirectPush would not work and would log (Event ID 3005) HTTP 501 and 400 errors only on the Front-end server. We only had the issue on our Exchange 2003 SP2 back-end clusters.

Solution: Remove all additional Host headers under Default website in IIS except
-Unassigned, port 80, blank
-IP Address, port 80, host name (NetBIOS name)
Also installed Hotfix Exchange2003-KB941439 on front-end and back-end servers.
