After installing Exchange Server 2003 SP2 OMA quit working

After I installed SP2 for Exchange Server 2003, OMA has quit working. I am getting an error when I try to ActiveSync. I can access it through the web, but I am getting error code HTTP_500.

I tried to enable anonymous access in IIS, but that didn't work.  Any ideas?

Thanks,
Jo
jab56Asked:
SembeeCommented:
This has come up very frequently in the last couple of weeks.

Are you using Forms Based Authentication?
Are you using SSL?

Browse to the OMA page with a regular web browser with Friendly HTTP error messages turned off. See what error it throws back.

It is usually either authentication or application pool that is the cause of the problem.

Simon.
jab56Author Commented:
Honestly, I am not sure if we are using Forms Based Authentication.  How can I check?

Also, I know we have a certificate on our Exchange Server, but we are requiring users to install it to access email. We usually set up ActiveSync to not use certification.

I did go to OMA with a web browser and I got no error message.  In fact, I got a logon screen, so I logged in and got the email tree.  I am not sure how to see if Friendly HTTP error messages are turned off.

It looks like we are getting authenticated, because when I try to sync my smartphone, it connects, and then when it is looking for changes is when I get the HTTP_500 error.

Sorry this is so vague; I wasn't involved with the setup of OMA, and I don't understand a lot of it.

Jo
SembeeCommented:
Forms Based Authentication means that when you log in to OWA, you get a page to enter your username and password, rather than the popup box that you might get with OMA.
If OMA works, then ActiveSync should also work.

As for certificates - asking users to install a certificate I think is a very poor way to deploy OWA. I wouldn't want my users downloading the certificate here, there and everywhere. They could expose more information than is required. By not using SSL with your handhelds you are sending username and password information across a mobile phone network in the clear.

Simon.
jab56Author Commented:
For OWA we do get a login page and have to enter our username/password.

For OMA we just enter our username/password and it works.

We did purchase a certificate that we use for OWA (so people didn't have to answer yes to the security question), so I guess that means we are using SSL, but for OMA we disable certchk. To use the certificate, don't I have to create something that needs to be downloaded to the smartphone?

Also, I thought that since we have the certificate on our Exchange server, even if we disable certchk it is still using SSL. Is that not right?

Jo
SembeeCommented:
Where did the certificate come from?
If possible it would be better to use the SSL certificate for all of your remote use.

In IIS Manager, check the following are set correctly:

Authentication Settings
/exchange - basic and integrated ONLY
/exchweb - anonymous ONLY
/exadmin - integrated ONLY
/public  - basic and integrated ONLY
/oma - basic ONLY
/Exchange-Server-ActiveSync - basic and integrated only


Application Pools

/exchange - ExchangeApplicationPool*
/exchweb - ExchangeApplicationPool*
/exadmin - ExchangeApplicationPool*
/public  - ExchangeApplicationPool*
/oma - ExchangeMobileBrowseApplicationPool
/Exchange-Server-ActiveSync - ExchangeApplicationPool

* will probably show ExchangeApplicationPool but greyed out.

Also ensure that require SSL is NOT enabled on the /exchange virtual directory.

Simon.
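A read-only way to check a server against that list, as an added example that is not part of Simon's post or of Exchange's own tooling: it reads the IIS 6 metabase through the ADSI provider from PowerShell (assumed: PowerShell 2.0 or later on the server, with the IIS 6 ADSI provider available), decodes each virtual directory's AuthFlags bitmask and application pool, compares them with the settings listed above, and also flags Require SSL on /exchange. The expected values come from the post; the site id W3SVC/1 (the Default Web Site) is an assumption, and the ActiveSync directory is keyed as Microsoft-Server-ActiveSync, its name on a stock install, rather than the Exchange-Server-ActiveSync spelling used in the thread.

```powershell
# Added example (not from the thread): audit the IIS 6 metabase of an
# Exchange 2003 server against the authentication / app-pool settings
# Simon listed. Read-only: it reports drift, it changes nothing.
# Assumptions: PowerShell 2.0+, the IIS 6 ADSI provider, and the Exchange
# virtual directories living under the Default Web Site (W3SVC/1).

# MD_AUTH_* bits as stored in the AuthFlags metabase property
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4   # "Integrated Windows authentication" in IIS Manager
$AccessSSL     = 8   # bit in AccessSSLFlags that means "Require SSL"

# Expected state per virtual directory, taken from the post above.
# The thread writes the last one as /Exchange-Server-ActiveSync; a stock
# install names it Microsoft-Server-ActiveSync. Adjust if yours differs.
$Expected = @{
    'exchange'                    = @{ Auth = $AuthBasic + $AuthNTLM; Pool = 'ExchangeApplicationPool' }
    'exchweb'                     = @{ Auth = $AuthAnonymous;         Pool = 'ExchangeApplicationPool' }
    'exadmin'                     = @{ Auth = $AuthNTLM;              Pool = 'ExchangeApplicationPool' }
    'public'                      = @{ Auth = $AuthBasic + $AuthNTLM; Pool = 'ExchangeApplicationPool' }
    'oma'                         = @{ Auth = $AuthBasic;             Pool = 'ExchangeMobileBrowseApplicationPool' }
    'Microsoft-Server-ActiveSync' = @{ Auth = $AuthBasic + $AuthNTLM; Pool = 'ExchangeApplicationPool' }
}

# Turn an AuthFlags bitmask into the words IIS Manager uses
function Describe-AuthFlags([int]$flags) {
    $names = @()
    if ($flags -band $AuthAnonymous) { $names += 'anonymous' }
    if ($flags -band $AuthBasic)     { $names += 'basic' }
    if ($flags -band $AuthNTLM)      { $names += 'integrated' }
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join '+')
}

# Compare one vdir with its expected state; returns a list of problems (empty = OK)
function Test-ExchangeVdir([string]$name, [hashtable]$want) {
    $vdir = [ADSI]"IIS://localhost/W3SVC/1/ROOT/$name"
    # Properties[] works for every ADSI provider; the IIS provider hands back
    # the effective (inherited) integer bitmasks and the app pool name string
    $auth = [int]$vdir.Properties['AuthFlags'].Value
    $ssl  = [int]$vdir.Properties['AccessSSLFlags'].Value
    $pool = [string]$vdir.Properties['AppPoolId'].Value

    $problems = @()
    if ($auth -ne $want.Auth) {
        $problems += ('auth is {0}, expected {1}' -f (Describe-AuthFlags $auth), (Describe-AuthFlags $want.Auth))
    }
    if ($pool -ne $want.Pool) {
        $problems += ('app pool is "{0}", expected "{1}"' -f $pool, $want.Pool)
    }
    # Simon's extra rule: Require SSL on /exchange is a known HTTP_500 cause
    if ($name -eq 'exchange' -and ($ssl -band $AccessSSL)) {
        $problems += 'Require SSL is enabled on /exchange (expected off)'
    }
    return $problems
}

foreach ($name in $Expected.Keys) {
    try {
        $problems = @(Test-ExchangeVdir $name $Expected[$name])
        if ($problems.Count -eq 0) { "/$name OK" }
        else { $problems | ForEach-Object { "/$name : $_" } }
    } catch {
        "/$name : could not read metabase entry ($($_.Exception.Message))"
    }
}
```

Run it on each front-end and back-end separately, since the thread shows the two servers had drifted independently after the service pack. It only reports; make any corrections in IIS Manager and then restart IIS so the new authentication settings take effect.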
jab56Author Commented:
We have a front-end server that also has OMA on it.  I looked at it, and I have errors in the error log (which I don't have on our back-end server).  I think I have been looking at the wrong server all this time.

The error I am getting is Server ActiveSync event ID 3031.

Should I check the same things on this server?

Jo
jab56Author Commented:
OK. Here are the settings for both our front-end server and back-end server. Both are using Forms Based Authentication using SSL.
Front-End
  /exchange - basic only
  /exchweb - anonymous only
  /exadmin - integrated only
  /public - basic only
  /oma - basic only
  /Exchange-Server-ActiveSync - basic only with a default domain name

Back-End Server
  /exchange - basic only
  /exchweb - anonymous only
  /exadmin - integrated only
  /public - basic only
  /oma - basic only
  /Exchange-Server-ActiveSync - basic only with a default domain name

How did ActiveSync work before, if my settings are wrong?

How do I fix it?

Thanks,
Jo
SembeeCommented:
The service pack will have reset things - the OMA and ActiveSync components were replaced during the service pack to introduce the new push technology. Therefore settings that might have worked before will not work now.

The settings I have posted above are from a live working server. I would suggest that you make the changes on your front-end and see whether it fixes the problem.
You may also want to look in the event log for any authentication issues.

Simon.

jab56Author Commented:
So far I am not seeing any authentication errors in the event log. Just the ActiveSync, MTAtransport error and EXPROX error.

Do both the front-end and back-end servers need to be set for integrated authentication like you had me check above? I read something on the EXPROX error that said to only set integrated authentication on the back-end server.

Jo
SembeeCommented:
Windows Mobile uses Integrated Authentication, so I would be looking at setting it on the frontends to start with.

Simon.
jab56Author Commented:
OK. I am going to change IIS authentication to be set up like you suggested above. I will let you know what happens.

Jo
jab56Author Commented:
I changed the settings in IIS like you said. Now I am getting a new error. It is Error code: HTTP_400.

Now what?

Jo
jab56Author Commented:
Depending on how I set up my smartphone (using SSL or not using SSL), I would either get the HTTP_400 error or the HTTP_500 error.

I decided to try setting the authentication like you said on the back-end server too. I don't know if it is OK to be that way, but I thought I would try.

If you have any other ideas, let me know.

Jo
SembeeCommented:
HTTP_500 is usually caused by the option to REQUIRE SSL set on the /exchange virtual directory. Make sure that is not enabled. I have also seen it occur when you have more than one SMTP email address on the user account. This KB article explains more on that problem: http://support.microsoft.com/default.aspx?kbid=886346

HTTP_400 is usually caused by the authentication settings being wrong. After making the changes, did you do anything to IIS? If not, try an IISRESET (drop in to a command prompt and type iisreset) and see if that makes any difference.

Simon.
jab56Author Commented:
After making the changes to IIS on the back-end server like you said above, ActiveSync started working for the Treo, and I finally got it to work on my Motorola MPX220 by checking SSL, but then running certchk.exe to turn off cert checking.

How can I get the phones to use the SSL?  We had changed our SSL to a purchased one, but I think the one it sees is the old one which it says is invalid.

Also,  we have some Mobile 5.0 users, and certchk does not work for them.  How can I either create a new .cer file, or turn off certchk?

Thanks,
Jo
SembeeCommented:
Who is the certificate from? Some certificates have the root installed, others do not. If you have a certificate from a root that isn't installed in the Pocket PC, then you will have to import it.

I have some information on working with certificates on my web site: http://www.amset.info/pocketpc/certificates.asp

Simon.
jab56Author Commented:
Our certificate is from GeoTrust. I went to GeoTrust, and I was able to download the .crt file that we have from their website. I added those files to the trusted certificates on both front-end and back-end servers. I don't know if there is something else that I need to do on the server?

Now I am trying to figure out how to get the phone to see it.

Jo
SembeeCommented:
The root needs to be installed on the device - not the server.

Simon
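For the question above about producing a .cer file for the devices, here is an added example that is not part of Simon's reply or of his web site: it walks the chain of the server's own SSL certificate up to the root CA and writes that root alone, DER-encoded and without any private key, to a file that can be copied to a Windows Mobile device and imported. Assumptions: PowerShell on the server, the server certificate sitting in the machine's personal store with the public host name in its subject, and a chain that validates on the server itself; the host name and output path are placeholders.

```powershell
# Added example (not from the thread): export the root CA of the web
# server's SSL certificate so it can be installed on a handheld.
# Assumptions: run on the Exchange server with PowerShell, the server
# certificate is in Cert:\LocalMachine\My, and the chain builds there.
param(
    [string]$HostName = 'mail.example.com',         # placeholder: the name the phones connect to
    [string]$OutFile  = 'C:\temp\exchange-root.cer' # placeholder output path
)

# Build the chain from the leaf and return its topmost certificate
function Get-RootOfChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$leaf) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We only need the path to the root; skip revocation lookups
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        # Build returns $false when the server itself does not trust the chain.
        # The elements are still filled in, but a phone will have the same problem.
        $status = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        Write-Warning "Chain does not validate on this server: $status"
    }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

# A root CA certificate is self-signed: subject and issuer are the same name
function Test-IsSelfSigned([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    return ($cert.Subject -eq $cert.Issuer)
}

$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate with CN=$HostName in LocalMachine\My" }

$root = Get-RootOfChain $leaf
if (-not (Test-IsSelfSigned $root)) {
    throw 'Top of the chain is not self-signed: an intermediate CA is missing on the server'
}

# X509ContentType::Cert = DER certificate only, no private key, safe to hand to a device
$bytes = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $bytes)

"Leaf : $($leaf.Subject)"
"Root : $($root.Subject)"
"Thumb: $($root.Thumbprint)"
"Saved: $OutFile"
```

The thumbprint printed at the end is worth comparing against the one the CA publishes before trusting the file on a device, and the self-signed check stops you from shipping an intermediate by mistake when the chain on the server is incomplete, which is the same situation Jo hit with the old certificate still being presented.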
jab56Author Commented:
I finally figured that out after about 3 tries. Everything and everyone is working now.

Do you think I should change the IIS setting on the front-end server to not use Integrated Authentication, or is it OK?

Jo

 
SembeeCommented:
If it is working, don't touch it. Having integrated authentication set on the virtual servers will be fine. If there is a problem with the authentication it is very quickly flagged in the event viewer.

Simon.
jab56Author Commented:
Ok, I will leave well enough alone.

Simon, thank you so much for all your help. I don't think I could have gotten it fixed without your help. You deserve all points and more. Thanks again.



Jo Ann