Exchange OMA Failing

Posted on 2006-05-03
Last Modified: 2013-04-26
I am trying to get a Cingular 8125 device to work with my Exchange server.  I've read many posts and haven't found the answers to my problem.  To begin with, I get an error when putting the HTTP://server.domainname.com/oma into my computer's web browser.  I get an 0x85010014 error on the device.  I'm running Exchange 2003 on a Win 2003 Standard server.  I've already done the change of adding an additional Exchange virtual directory and so many other steps that I almost cannot remember everything I've tried.  I do have a self-made certificate on my Exchange server and that certificate is on the device.

Before I get ahead of myself, I'll start with the OMA / browser problem because it is most likely the root of all evil.  When I attempt to hit the Exchange server OMA from the browser, I get the following application logs:

An unknown error occurred while processing the current request:
Message: The remote server returned an error: (403) Forbidden.
Source: Microsoft.Exchange.OMA.ExchangeDataProvider
Stack trace:
   at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
   at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
   at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)

Message: Exception has been thrown by the target of an invocation.
Source: mscorlib
Stack trace:
   at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Message: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
EventMessage:
UserMessage: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
Source: Microsoft.Exchange.OMA.UserInterface
Stack trace:
   at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
   at System.Web.SessionState.SessionStateModule.RaiseOnStart(EventArgs e)
   at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
   at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
   at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


I've seen many entries with this same error but none of the suggestions have helped.
Question by:griswald65
LVL 18

Expert Comment

by:amaheshwari
ID: 16597300
Please look into this article; it will surely help you:
http://support.microsoft.com/Default.aspx?kbid=817379
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16597309
I think that 403 in the OMA error message means that SSL was required when /OMA tried to open /Exchange (it can't cope with that).  If you created the extra VDir using http://support.microsoft.com/kb/817379/en-us , did you remember to make the registry entry to point OMA/AS at the new VDir?  Also, did you make sure that the new VDir did not have SSL required?
0
 

Author Comment

by:griswald65
ID: 16597358
I followed 817379 to the letter.  I'm fairly sure... I've read back over that article 4 times and do not see anything that I missed or anything.

The registry entry I used was exactly like the article said.  I set ExchangeVDir = /exchange-oma
0

 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16597444
Well, I would reinstate the 817379 settings on the server, and then we'll have to look at your IIS logs to make sure that the /exchange-oma VDir gets accessed when you use OMA, and not the /Exchange VDir.
0
 

Author Comment

by:griswald65
ID: 16598627
I don't know if this helps, but it might show that the exchange-oma is getting hit and that is that when I was first configuring that VDir and while trying to figure out the problem, I had the Enable Anonymous Login box checked.  Well, that would start throwing up different errors in the Application log.  So at least, I would think, that that shows that it was hitting the appropriate VDir.  But, I am open for trying anything at this point.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16598856
The exchange-oma should not have Anonymous enabled.  It should be an exact clone of your Exchange VDir, but you can't create it in the usual way in IIS Manager, because there are hidden properties that aren't exposed to the IIS Manager GUI.  That's why you need to export it to an XML file, then import it.  The only things you should change/check are:

1. You need to change the name (can't have duplicates, obviously).
2. SSL is not required.
3. Integrated Auth is enabled.

You need to check 2 and 3, because if you do the KB817379 procedure ~after~ finding that OMA/AS don't work, then you are just duplicating the /Exchange settings that stopped it working in the first place.
0
 

Author Comment

by:griswald65
ID: 16598900
Ok.  I solved my OMA problem.  I cannot believe that I looked over this a million times and finally I saw the answer.  Weird that there weren't any good error messages to show this.  At any rate the OMA problem was that I had mis-typed the wrong IP address to be granted access to the VDir.  I had reversed 2 numbers.

Now... I can log into the OMA but the phone still has an error, but it has changed.  The error now is:

Your Account in Microsoft Exchange Server does not have permission to synchronize with your current settings.
0x85010004
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16598966
Try checking the points listed in this table:

http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php
0
 
LVL 2

Expert Comment

by:lwoods56
ID: 16599007
Most issues I have faced with connecting to OMA/ActiveSync come back to the certificate, especially when using private certificates.

When you installed the certificate on the device, did you install the web server's certificate or the CA Root Certificate for your domain?  This usually makes a big difference.  You have to do the root certificate to make Windows Mobile 5 work properly.

Once you export the Certificate in .cer format from the CA in your domain:
http://support.microsoft.com/?kbid=915840&SD=tech
0
 
LVL 2

Expert Comment

by:lwoods56
ID: 16599038
Also make sure when accessing OMA via IE to put in the https://

 HTTPS://server.domainname.com/oma
0
 

Author Comment

by:griswald65
ID: 16599078
LeeDerbyshire:  I'm looking into that now.

Certificate is the CA Root Certificate.
0
 
LVL 2

Expert Comment

by:lwoods56
ID: 16599085
Check out the Export Root Certificate Section of the following document: http://www.petri.co.il/adding_root_certificates_to_windows_mobile_2003_ppc.htm

0
 

Author Comment

by:griswald65
ID: 16599256
LeeDerbyshire:  According to that website, it says that my server requires SSL and walks through configuring it.  I already had SSL configured on the computer.  So for kicks, I disabled it and by doing that, I'm back to 85010014.  So, I re-enabled it on the device.  Any other ideas?
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16599303
Where did you disable it at the server end, on the Exchange-Server-Activesync VDir?  That's where your device will try to connect.  Try removing SSL at Exchange-Server-Activesync, and then unchecking it at the device end, to see if it is an SSL problem.  Unless you already tried that?  I'm not sure exactly where you mean when you say that you had SSL configured on the computer.
0
 

Author Comment

by:griswald65
ID: 16599309
Sorry... I meant on the device.  I'm going to try to disable it everywhere.
0
 

Author Comment

by:griswald65
ID: 16599407
Ok.... I removed SSL from all sites, VDir, etc... on my exch server and I get the same error message.  What next?  Should I look closer at the certificate?  Would there be any error messages on the certificate?  Everything with the certificate looks to be right.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16599668
It's time to check the IIS Logs, I think.  When you try to sync, you should see some lines that contain

POST and Exchange-Server-Activesync

followed by some PROPFINDs to /Exchange or /exchange-oma.  All within the space of a second or two.  Can you post the relevant lines?  It may take a minute or two for them to be logged, because IIS caches the entries.
0
 

Author Comment

by:griswald65
ID: 16599828
Also, just as a check... I completely removed the certificate from the server and I'm getting the same error.

So, I'm going to set everything back.  This will take a moment.

Then, I'll clear my log and do a sync and try to capture all of the entries you need.
0
 

Author Comment

by:griswald65
ID: 16600258
Now, OMA is messed up again.  It's saying

No Basic credentials were found in the HTTP request. To fix this problem, verify that Basic authentication is turned on and all other authentication methods are turned off on the Outlook(R) Mobile Access virtual directory.

Basic credentials are checked in all websites.  So is Integrated Windows Authentication
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16600433
That is supposed to mean that the OMA Vdir does not have Basic Auth enabled.  Make sure in IIS Manager that OMA has Basic enabled, and that Anonymous and Integrated are NOT enabled.

The IIS logs we are interested in are the IIS logs in C:\Windows\System32\Logfiles\W3SVC1 on the server, not the device logs.
0
 

Author Comment

by:griswald65
ID: 16600611
Here is a snippet from today for the POST and PROPFIND entries.  I replaced some information.

2006-05-03 02:35:05 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 02:35:05 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.14 MSFT-PPC/4.0 500 0 0
2006-05-03 02:35:12 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 02:35:12 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 500 0 0
2006-05-03 13:51:16 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 13:51:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 500 0 0
2006-05-03 13:51:20 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 13:51:20 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.22 MSFT-PPC/4.0 500 0 0
2006-05-03 14:17:35 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:17:35 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.15 MSFT-PPC/4.0 500 0 0
2006-05-03 14:17:39 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:17:39 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.17 MSFT-PPC/4.0 500 0 0
2006-05-03 14:19:06 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
2006-05-03 14:23:04 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 80 - 66.102.186.22 MSFT-PPC/4.0+UP.Link/6.3.0.0.0 500 0 0
2006-05-03 14:23:06 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 80 - 66.102.186.22 MSFT-PPC/4.0+UP.Link/6.3.0.0.0 500 0 0
2006-05-03 14:25:59 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:25:59 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.12 MSFT-PPC/4.0 500 0 0
2006-05-03 14:26:02 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:26:02 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.17 MSFT-PPC/4.0 500 0 0
2006-05-03 15:09:41 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
2006-05-03 15:14:21 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
22006-05-03 20:22:17 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:22:48 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:23:17 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 500 0 0
2006-05-03 20:23:53 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:24:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.15 MSFT-PPC/4.0 403 0 0
2006-05-03 20:24:16 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 64
2006-05-03 20:24:16 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:24:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 200 0 0
2006-05-03 20:25:17 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S0R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 500 0 0
2006-05-03 20:35:25 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:35:25 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:35:25 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 200 0 0
2006-05-03 20:35:33 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:35:33 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:35:33 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 403 0 0
0
 
LVL 7

Expert Comment

by:vasanthgnb
ID: 16602055
Look at the 403 6 errors on the IIS log entries. It points you towards the same wrong IP address issue again. So change the radio button to Granted Access and see if ActiveSync works. By the way 0x85010004 means http_500.

Regards,
Vasanth.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16603495
Yes, from the earlier entries, it looks like you are blocking the server's IP address on the /exchange-oma VDir.  It looks like this was fixed later (where you get 207, which is okay), but you now get 403 0 on /Microsoft-Server-Activesync .  Check that you are allowing the IP address that you replaced with **ServerIP** on the VDir /exchange-oma .  It's best to allow all IPs to access /Microsoft-Server-Activesync , since you won't know what the client IP address is going to be.

Any time you see a log entry where the 3rd from last number does not begin with a 2 , then you have a problem accessing the VDir.  If it's a 4xx, then it probably means that something in the IIS configuration is blocking it (like IP address restrictions, permissions, SSL).  If it's 500, then something external to IIS (but that OMA or AS rely on) is preventing the application code from running.  401's (an initial auth challenge) are normal, though, as long as they are immediately followed by a 20x.
0
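The log-reading rules from the two comments above (403 6 pointing at an IP restriction, 4xx versus 500, and a 401 being normal only when a 20x follows immediately), as an added example that is not part of the original thread. The sample lines are constructed, the verdict names are made up for this sketch, and the 403.4 and 403.6 hints are the standard IIS meanings of those substatus codes.

```python
"""Triage IIS W3C log lines while troubleshooting OMA / ActiveSync."""
from collections import namedtuple

Entry = namedtuple("Entry", "time method uri user client status substatus")

# Constructed sample lines (not copied from the thread), in the field order of
# the excerpt above: date time s-ip method uri-stem uri-query port username
# client-ip user-agent status substatus win32-status.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-03 14:17:35 192.0.2.10 PROPFIND /exchange-oma/user@example.com/NON_IPM_SUBTREE - 80 - 192.0.2.10 Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:17:35 192.0.2.10 POST /Microsoft-Server-ActiveSync User=user&Cmd=FolderSync 443 EXAMPLE\user 198.51.100.7 MSFT-PPC/4.0 500 0 0
2006-05-03 20:35:25 192.0.2.10 PROPFIND /Exchange-OMA/user@example.com/NON_IPM_SUBTREE - 80 - 192.0.2.10 Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:35:25 192.0.2.10 PROPFIND /Exchange-OMA/user@example.com/NON_IPM_SUBTREE - 80 EXAMPLE\user 192.0.2.10 Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:35:33 192.0.2.10 POST /Microsoft-Server-ActiveSync User=user&Cmd=FolderSync 443 EXAMPLE\user 198.51.100.7 MSFT-PPC/4.0 403 0 0
2006-05-03 20:36:01 192.0.2.10 PROPFIND /Exchange-OMA/user@example.com/NON_IPM_SUBTREE - 80 - 192.0.2.10 Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
"""

# Standard IIS meanings for the two substatus codes relevant to this thread.
SUBSTATUS_HINTS = {
    (403, 4): "SSL is required on this virtual directory",
    (403, 6): "client IP rejected by the directory's IP address restrictions",
}
DEFAULT_HINTS = {
    "auth-failed": "401 with no 2xx retry: check the VDir's authentication methods",
    "iis-config": "check IP restrictions, permissions and SSL on the VDir",
    "backend": "IIS let the request in; something OMA/ActiveSync relies on failed",
    "other": "unexpected status",
}


def parse_line(line):
    """Return an Entry, or None for comments, blanks and malformed lines."""
    parts = line.split()
    if len(parts) < 13 or parts[0].startswith("#"):
        return None
    try:
        # The status is the 3rd from last number, the substatus the 2nd.
        status, substatus = int(parts[-3]), int(parts[-2])
    except ValueError:
        return None
    return Entry(f"{parts[0]} {parts[1]}", parts[3], parts[4],
                 parts[7], parts[8], status, substatus)


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def classify(entries, i):
    """Apply the thread's reading of the status column to entry i."""
    e = entries[i]
    if 200 <= e.status < 300:
        return "ok"
    if e.status == 401:
        # A 401 is only the normal challenge if the very next request to the
        # same resource succeeds.
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        answered = (nxt is not None and nxt.method == e.method
                    and nxt.uri.lower() == e.uri.lower()
                    and 200 <= nxt.status < 300)
        return "auth-challenge" if answered else "auth-failed"
    if 400 <= e.status < 500:
        return "iis-config"
    if e.status >= 500:
        return "backend"
    return "other"


def triage(text):
    """Return (entry, verdict, hint) for every line that needs attention."""
    entries = parse_log(text)
    findings = []
    for i, e in enumerate(entries):
        verdict = classify(entries, i)
        if verdict in ("ok", "auth-challenge"):
            continue
        hint = SUBSTATUS_HINTS.get((e.status, e.substatus), DEFAULT_HINTS[verdict])
        findings.append((e, verdict, hint))
    return findings


if __name__ == "__main__":
    for e, verdict, hint in triage(SAMPLE_LOG):
        print(f"{e.time} {e.method} {e.uri} {e.status}.{e.substatus} [{verdict}] {hint}")
```

On the sample, the 403.6 on /exchange-oma and the 500 on the ActiveSync POST land in the same second, which is the pattern the thread traces back to the IP restriction on the back-end VDir.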
 

Author Comment

by:griswald65
ID: 16614121
Well.  I still haven't figured it out.  I am still getting the 403 entry in my logs.  I've opened up everything in IIS to all IPs on that server and still nothing is happening.

0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16614147
Are both OMA and AS now broken?
0
 

Author Comment

by:griswald65
ID: 16614271
No.  Just AS.  OMA is fine

0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16614396
Have you tried this:
http://support.microsoft.com/kb/883380
It might help to delete the Microsoft-Server-ActiveSync VDir and let the server re-create it using one of the three methods described.  I think the 3rd method is easiest.
0
 

Author Comment

by:griswald65
ID: 16630862
Ok.  I've done all of that but am still getting:

Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings.  Contact your Exchange Server Administrator

0x85010004
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16630922
You definitely have no SSL anywhere?  Here's a similar issue:

http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21834153.html
0
 

Author Comment

by:griswald65
ID: 16631163
I've checked every Directory, site, or other and SSL is not enabled on anything.  What's interesting... is just for giggles, I tried the following from a web browser for that same user:

Http://server.domain.com/oma

and

http://server.domain.com/exchange-oma/mailbox

and both work fine from a browser.

It's almost as if the device itself is struggling.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16631182
There's a few layers between ActiveSync and that /exchange-oma VDir, though.  Have you tried resetting the device?
0
 

Author Comment

by:griswald65
ID: 16661801
Ok.... let me go over my configurations and see if there is anything that you can see wrong.... I am getting very frustrated with this:

I have:

Removed all certificates from my Exchange server and my self-prepared cert from my device.
Created a new VDir named exchange-oma
Removed SSL from all sites and VDir
Allowed all IP addresses to all sites and VDirs
Currently am allowing all IPs through the firewall for all ports
Set Authentication to Basic Authentication for all sites and VDir's
Did/set NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

Is there anything else you can think of to open this sucker wide open for a good starting point.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16662145
For a good starting point, I would not bother with the exchange-oma VDir, and just let it use the normal Exchange VDir, by removing the ExchangeVDir registry key you added at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir

(remember to stop/start the IIS Admin service if you remove the key).  If SSL is not required on the normal Exchange VDir, then it should be okay with that, and using exchange-oma is complicating things.  Would you like to try that?
0
 

Author Comment

by:griswald65
ID: 16662178
I can start with that and then add things on as necessary.  I would like to get this thing to start working and then I can change settings one by one to make sure that they work before continuing.  After as much time as I've spent on this crazy thing... I think it's time to go back to the beginning.
0
 
LVL 31

Accepted Solution

by:
LeeDerbyshire earned 2000 total points
ID: 16662253
Okay, then.  To get back to normal, I think you would need to:

Remove the exchange-oma VDir
Remove the registry key HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir
Make sure FBA is off in ESM
Make sure SSL is not required on /Exchange
Make sure Integrated Auth (and Basic if you want it) is enabled on /Exchange, but nothing else.
stop/start the IIS Admin service (not just the WWW service)
Try OWA, and see if it is working okay.
Check the device settings - make sure it doesn't require SSL
Reset the device
Try Activesync

I think that's it.
0
 

Author Comment

by:griswald65
ID: 16662422
OWA works but OMA does not.
0
 

Author Comment

by:griswald65
ID: 16662497
Sorry... I stand corrected... All is working.

Now, I will start trying to add in security and make sure nothing breaks along the way.  I will make sure to document each and everything that I do to make sure I don't mess it up.  Just as a check:
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16662509
Even Activesync?  If so, then do the /exchange-oma 817379 thing now, before you change anything on Exchange.  Many people export the Exchange VDir after the changes (when they have the problems) - it's too late, then.
0
 

Author Comment

by:griswald65
ID: 16662523
That was my plan.  Everything worked and the phone synced... so that is what I am doing.
0
 

Author Comment

by:griswald65
ID: 16664137
What are your suggestions for adding security?  I've tried going through the steps and it stops working.  I've reversed everything and I'm ready to try something new.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16665343
Did something break it again?  If you are going to use SSL, you need that alternate exchange-oma VDir working before you change anything else.
0
 

Author Comment

by:griswald65
ID: 16667064
Here is where I am at....
I have an internal Certificate installed
I have SSL on /Exchange, OMA... well everything except exchange-oma and active-sync
I have SSL turned off on the device

The phone is working wonderfully but I would like to turn SSL on the device on so that I do not have to use a VPN and I can secure the mail server.  There are so many ramblings on the internet, it's hard to tell what should work and what should not (I think that is where I got messed up before).  The gist that I got from re-reading several articles is that I should:  Turn on SSL on the device and on the firewall, forward anything from port 80 to port 443.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16667287
Okay, to use SSL on the device, you would need to enable it on the Microsoft-Server-Activesync VDir, and activate the checkbox at the device end.  You don't need to redirect port 80 to 443 (I think that's what you were saying) - you just need to allow 443 straight through.

If the cert is self-issued, you will need to persuade the device to accept it.  I'm not sure how to do that yet, but I would rather find out if your cert is self-issued before I go and look for the articles regarding it.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 16667302
Actually, you probably don't need to ~require~ SSL on Microsoft-Server-Activesync - if the checkbox at the device end is selected, then it will just use it, whether it's required or not.
0
 

Author Comment

by:griswald65
ID: 16709468
Thank you for all of your help, LeeDerbyshire.  This issue was a particular pain.
I ended up going back to not requiring SSL and followed all of your direction on making sure that that is working properly.  I then added a VPN Tunnel from the device to my network.  It wasn't the best case scenario for me but it resolves all of my issues temporarily until I can get the SSL to work.  I do not think that the SSL problems were related to the device or the server but to the network that I am using for the device.  By tunnelling through, I resolve all of my issues.
You have been a great deal of help on this issue and I appreciate all of your prompt responses.
0
