Solved

After installing Exchange Server 2003 SP2 OMA quit working

Posted on 2006-04-10
Last Modified: 2009-12-16
After I installed SP2 for Exchange Server 2003, OMA has quit working.  I am getting an error when I try to activesync.  I can access it through the web, but I am getting error code HTTP_500.

I tried to enable anonymous access in IIS, but that didn't work.  Any ideas?

Thanks,
Jo
Question by:jab56
 
LVL 104

Expert Comment

by:Sembee
ID: 16419662
This has come up very frequently in the last couple of weeks.

Are you using Forms Based Authentication?
Are you using SSL?

Browse to the OMA page with a regular web browser with Friendly HTTP error messages turned off. See what error it throws back.

It is usually either authentication or application pool that is the cause of the problem.

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16419770
Honestly, I am not sure if we are using Forms Based Authentication.  How can I check?

Also, I know we have a certificate on our Exchange Server, but we are requiring users to install it to access email.  We usually set up activesync to not use certification.

I did go to OMA with a web browser and I got no error message.  In fact, I got a logon screen, so I logged in and got the email tree.  I am not sure how to see if Friendly HTTP error messages are turned off.

It looks like we are getting authenticated, because when I try to sync my smartphone, it connects, then when it is looking for changes is when I get the HTTP_500 error.

Sorry this is so vague, I wasn't involved with the setup of OMA, and I don't understand a lot of it.

Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16419792
Forms Based Authentication means that when you login to OWA, you get a page to enter your username and password, rather than the popup box that you might get with OMA.
If OMA works, then ActiveSync should also work.

As for certificates - asking users to install a certificate I think is a very poor way to deploy OWA. I wouldn't want my users downloading the certificate here there and everywhere. They could expose more information than is required. By not using SSL with your handhelds you are sending username and password information across a mobile phone network in the clear.

Simon.
0

 
LVL 1

Author Comment

by:jab56
ID: 16419867
OWA we do get a login page and have to enter our username/password.  

OMA we just enter our username/password and it works.

We did purchase a Certificate that we use for OWA (so people didn't have to answer yes to the security question), so I guess that means we are using SSL, but for OMA we disable certchk.  To use the certificate, don't I have to create something that needs to be downloaded to the smartphone?
 
Also, I thought since we have the Certificate on our Exchange, that even if we disable certchk that it is still using SSL, is that not right?

Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16419963
Where did the certificate come from?
If possible it would be better to use the SSL certificate for all of your remote use.

In IIS Manager, check the following are set correctly:

Authentication Settings
/exchange - basic and integrated ONLY
/exchweb - anonymous ONLY
/exadmin - integrated ONLY
/public  - basic and integrated ONLY
/oma - basic ONLY
/Exchange-Server-ActiveSync - basic and integrated only


Application Pools

/exchange - ExchangeApplicationPool*
/exchweb - ExchangeApplicationPool*
/exadmin - ExchangeApplicationPool*
/public  - ExchangeApplicationPool*
/oma - ExchangeMobileBrowseApplicationPool
/Exchange-Server-ActiveSync - ExchangeApplicationPool

* will probably show ExchangeApplicationPool but greyed out.

Also ensure that require SSL is NOT enabled on the /exchange virtual directory.

Simon.
0
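The checklist in the answer above, expressed as an audit over values read from the IIS 6 metabase (an added example, not part of the original thread). The bit values are the IIS 6 metabase definitions for AuthFlags and AccessSSLFlags; the function names and the `SAMPLE` data are constructed for illustration, with the authentication values modelled on the front-end listing posted later in the thread.

```python
# AuthFlags / AccessSSLFlags bit values as defined for the IIS 6 metabase.
AUTH_BITS = {0x01: "anonymous", 0x02: "basic", 0x04: "integrated",
             0x10: "digest", 0x40: "passport"}
ACCESS_SSL = 0x08  # "Require secure channel (SSL)"

# Baseline transcribed from the answer above: (allowed auth methods, application pool).
BASELINE = {
    "/exchange": ({"basic", "integrated"}, "ExchangeApplicationPool"),
    "/exchweb": ({"anonymous"}, "ExchangeApplicationPool"),
    "/exadmin": ({"integrated"}, "ExchangeApplicationPool"),
    "/public": ({"basic", "integrated"}, "ExchangeApplicationPool"),
    "/oma": ({"basic"}, "ExchangeMobileBrowseApplicationPool"),
    "/Exchange-Server-ActiveSync": ({"basic", "integrated"}, "ExchangeApplicationPool"),
}

def decode_auth(flags):
    """Turn an AuthFlags integer into the set of enabled method names."""
    return {name for bit, name in AUTH_BITS.items() if flags & bit}

def audit(vdirs):
    """Compare {path: {"auth": int, "ssl": int, "pool": str}} with BASELINE."""
    findings = []
    for path, (want_auth, want_pool) in BASELINE.items():
        cfg = vdirs.get(path)
        if cfg is None:
            findings.append(f"{path}: virtual directory missing")
            continue
        have = decode_auth(cfg["auth"])
        if have != want_auth:
            findings.append(f"{path}: auth is {sorted(have)}, baseline is {sorted(want_auth)}")
        if cfg["pool"] != want_pool:
            findings.append(f"{path}: pool is {cfg['pool']}, baseline is {want_pool}")
        if path == "/exchange" and cfg["ssl"] & ACCESS_SSL:
            findings.append("/exchange: Require SSL is enabled, baseline says it must not be")
    return findings

# Constructed sample: basic-only directories, plus Require SSL set on /exchange.
SAMPLE = {
    "/exchange": {"auth": 0x02, "ssl": 0x08, "pool": "ExchangeApplicationPool"},
    "/exchweb": {"auth": 0x01, "ssl": 0, "pool": "ExchangeApplicationPool"},
    "/exadmin": {"auth": 0x04, "ssl": 0, "pool": "ExchangeApplicationPool"},
    "/public": {"auth": 0x02, "ssl": 0, "pool": "ExchangeApplicationPool"},
    "/oma": {"auth": 0x02, "ssl": 0, "pool": "ExchangeMobileBrowseApplicationPool"},
    "/Exchange-Server-ActiveSync": {"auth": 0x02, "ssl": 0, "pool": "ExchangeApplicationPool"},
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Running the same audit on both the front-end and the back-end server after a service pack shows which virtual directories were reset away from the baseline.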
 
LVL 1

Author Comment

by:jab56
ID: 16420246
We have a front-end server that also has OMA on it.  I looked at it, and I have errors in the error log (which I don't have on our back-end server).  I think I have been looking at the wrong server all this time.

The error I am getting is Server ActiveSync event ID 3031.

Should I check the same things on this server?

Jo
0
 
LVL 1

Author Comment

by:jab56
ID: 16420573
OK.  Here are the settings for both our front-end server and back-end server.  Both are using Forms Based Authentication using SSL.
Front-End
  /exchange - basic only
  /exchweb - anonymous only
  /exadmin - integrated only
  /public - basic only
  /oma - basic only
  /Exchange-Server-ActiveSync - basic only with a default domain name

Back-End Server
  /exchange - basic only
  /exchweb - anonymous only
  /exadmin - integrated only
  /public - basic only
  /oma - basic only
  /Exchange-Server-ActiveSync - basic only with a default domain name

How did ActiveSync work before, if my settings are wrong?

How do I fix it?

Thanks,
Jo
0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 16420615
The service pack will have reset things - the OMA and ActiveSync components were replaced during the service pack to introduce the new push technology. Therefore settings that might have worked before will not work now.

The settings I have posted above are from a live working server, I would suggest that you make the changes on your frontend and see whether it fixes the problem.
You may also want to look in the event log for any authentication issues.

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16420724
So far I am not seeing any authentication errors in the event log.  Just the active sync, MTAtransport error and EXPROX error.  

Do both the front-end and back-end servers need to be set for integrated authentication like you had me check above?  I read something on the EXPROX error that said to only set integrated authentication on the back-end server?

Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16420782
Windows Mobile uses Integrated Authentication, so I would be looking at setting it on the frontends to start with.

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16420806
OK.  I am going to change IIS authentication to be setup like you suggested above.  I will let you know what happens.

Jo
0
 
LVL 1

Author Comment

by:jab56
ID: 16420926
I changed the settings in IIS like you said.  Now I am getting a new error.  It is Error code: HTTP_400.

Now what?

Jo
0
 
LVL 1

Author Comment

by:jab56
ID: 16421638
Depending on how I setup my smartphone (using ssl or not using ssl), I would either get the HTTP_400 error, or the HTTP_500 error.

I decided to try setting the authentication like you said on the back-end server too.  I don't know if it is OK to be that way, but I thought I would try.

If you have any other ideas, let me know.

Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16426245
HTTP_500 is usually caused by the option to REQUIRE SSL set on the /exchange virtual directory. Make sure that is not enabled. I have also seen it occur when you have more than one SMTP email address on the user account. This KB article explains more on that problem: http://support.microsoft.com/default.aspx?kbid=886346

HTTP_400 is usually caused by the authentication settings being wrong. After making the changes, did you do anything to IIS? If not, try an IISRESET (drop in to a command prompt and type iisreset) see if that makes any difference.

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16427543
After making the changes to IIS on the back-end server like you said above, activesync started working for the Treo, and I finally got it to work on my Motorola MPX220 by checking the SSL, but then running certchk.exe off to turn off certchecking.

How can I get the phones to use the SSL?  We had changed our SSL to a purchased one, but I think the one it sees is the old one which it says is invalid.

Also,  we have some Mobile 5.0 users, and certchk does not work for them.  How can I either create a new .cer file, or turn off certchk?

Thanks,
Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16427647
Who is the certificate from? Some certificates have the root installed, others do not. If you have a certificate from a root that isn't installed in the Pocket PC, then you will have to import it.

I have some information on working with certificates on my web site: http://www.amset.info/pocketpc/certificates.asp

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16428106
Our certificate is from GeoTrust.  I went to GeoTrust, and I was able to download the .crt file that we have from their website.  I added those files to the trusted certificates on both front-end and back-end servers.  I don't know if there is something else that I need to do on the server?

Now I am trying to figure out how to get the phone to see it.

Jo
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16428954
The root needs to be installed on the device - not the server.

Simon
0
 
LVL 1

Author Comment

by:jab56
ID: 16430322
I finally figured that out after about 3 tries.  Everything and everyone is working now.  

Do you think I should change the IIS setting on the front-end server to not use Integrated Authentication, or is it OK?

Jo

 
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16430587
If it is working, don't touch it. Having integrated authentication set on the virtual servers will be fine. If there is a problem with the authentication it is very quickly flagged in the event viewer.

Simon.
0
 
LVL 1

Author Comment

by:jab56
ID: 16430793
Ok, I will leave well enough alone.

Simon, thank you so much for all your help.  I don't think I could have gotten it fixed without your help.  You deserve all points and more.  Thanks again.



Jo Ann
0
