griswald65

Exchange OMA Failing

I am trying to get a Cingular 8125 device to work with my exchange server.  I've read many posts and haven't found the answers to my problem.  To begin with, I get an error when putting the HTTP://server.domainname.com/oma into my computer's web browser.  I get an 0x85010014 error on the device.  I'm running Exchange 2003 on a Win 2003 Standard server.  I've already done the change of adding an additional exchange virtual directory and so many other steps that I almost cannot remember everything I've tried.  I do have a self-made certificate on my exchange server and that certificate is on the device.  

Before I get ahead of myself, I'll start with the OMA / browser problem because it is most likely the root of all evil.  When I attempt to hit the exchange server OMA from the browser, I get the following application logs:

An unknown error occurred while processing the current request:
Message: The remote server returned an error: (403) Forbidden.
Source: Microsoft.Exchange.OMA.ExchangeDataProvider
Stack trace:
   at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
   at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
   at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)

Message: Exception has been thrown by the target of an invocation.
Source: mscorlib
Stack trace:
   at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Message: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
EventMessage:
UserMessage: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
Source: Microsoft.Exchange.OMA.UserInterface
Stack trace:
   at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
   at System.Web.SessionState.SessionStateModule.RaiseOnStart(EventArgs e)
   at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
   at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
   at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


I've seen many entries with this same error but none of the suggestions have helped.
amaheshwari

Please look into this article it will surely help you:
http://support.microsoft.com/Default.aspx?kbid=817379
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
LeeDerbyshire
I think that 403 in the OMA error message means that SSL was required when /OMA tried to open /Exchange (it can't cope with that).  If you created the extra VDir using http://support.microsoft.com/kb/817379/en-us , did you remember to make the registry entry to point OMA/AS at the new VDir?  Also, did you make sure that the new VDir did not have SSL required?
griswald65
ASKER

I followed 817379 to the letter.  I'm fairly sure... I've read back over that article 4 times and do not see anything that I missed or anything.

The registry entry I used was exactly like the article said.  I set ExchangeVDir = /exchange-oma
Well, I would reinstate the 817379 settings on the server, and then we'll have to look at your IIS logs to make sure that the /exchange-oma VDir gets accessed when you use OMA, and not the /Exchange VDir.
I don't know if this helps, but it might show that the exchange-oma is getting hit: when I was first configuring that VDir and while trying to figure out the problem, I had the Enable Anonymous Login box checked.  Well, that would start throwing up different errors in the Application log.  So at least, I would think, that shows that it was hitting the appropriate VDir.  But, I am open for trying anything at this point.
The exchange-oma should not have Anonymous enabled.  It should be an exact clone of your Exchange VDir, but you can't create it in the usual way in IIS Manager, because there are hidden properties that aren't exposed to the IIS Manager GUI.  That's why you need to export it to an XML file, then import it.  The only things you should change/check are:

1. You need to change the name (can't have duplicates, obviously).
2. SSL is not required.
3. Integrated Auth is enabled.

You need to check 2 and 3, because if you do the KB817379 procedure ~after finding that OMA/AS don't work, then you are just duplicating the /Exchange settings that stopped it working in the first place.
Ok.  I solved my OMA problem.  I cannot believe that I looked over this a million times and finally I saw the answer.  Weird that there weren't any good error messages to show this.  At any rate the OMA problem was that I had mis-typed the wrong IP address to be granted access to the VDir.  I had reversed 2 numbers.

Now... I can log into the OMA but the phone still has an error, but it has changed.  The error now is:

Your Account in Microsoft Exchange Server does not have permission to synchronize with your current settings.
0x85010004
Most issues I have faced with connecting to OMA/Active Sync come back to the Certificate especially when doing private certificates.

When you installed the certificate on the device, did you install the web servers certificate or the CA Root Certificate for your domain?  This usually makes a big difference.  You have to do the root certificate to make Windows Mobile 5 work properly.

Once you export the Certificate in .cer format from the CA in your domain:
http://support.microsoft.com/?kbid=915840&SD=tech
also make sure when accessing OMA via IE put in the https://

 HTTPS://server.domainname.com/oma
LeeDerbyshire:  I'm looking into that now.

Certificate is the CA Root Certificate.
Check out the Export Root Certificate Section of the following document: http://www.petri.co.il/adding_root_certificates_to_windows_mobile_2003_ppc.htm

LeeDerbyshire:  According to that website, it says that my server requires SSL and walks through configuring it.  I already had SSL configured on the computer.  So for kicks, I disabled it and by doing that, I'm back to 85010014.  So, I re-enabled it on the device.  Any other ideas?
Where did you disable it at the server end, on the Exchange-Server-Activesync VDir?  That's where your device will try to connect.  Try removing SSL at Exchange-Server-Activesync, and then unchecking it at the device end, to see if it is an SSL problem.  Unless you already tried that?  I'm not sure exactly where you mean when you say that you had SSL configured on the computer.
Sorry... I meant on the device.  I'm going to try to disable it everywhere.
Ok.... I removed SSL from all sites, VDir, etc... on my exch server and I get the same error message.  What next?  Should I look closer at the certificate?  Would there be any error messages on the certificate?  Everything with the certificate looks to be right.
It's time to check the IIS Logs, I think.  When you try to sync, you should see some lines that contain

POST and Exchange-Server-Activesync

followed by some PROPFINDs to /Exchange or /exchange-oma.  All within the space of a second or two.  Can you post the relevant lines?  It may take a minute or two for them to be logged, because IIS caches the entries.
Also, just as check... I completely removed the certificate from the server and I'm getting the same error.

So, I'm going to set everything back.  This will take a moment.

Then, I'll clear my log and do a sync and try to capture all of the entries you need.
Now, OMA is messed up again.  It's saying

No Basic credentials were found in the HTTP request. To fix this problem, verify that Basic authentication is turned on and all other authentication methods are turned off on the Outlook(R) Mobile Access virtual directory.

Basic credentials are checked in all websites.  So is Integrated Windows Authentication.
That is supposed to mean that the OMA Vdir does not have Basic Auth enabled.  Make sure in IIS Manager that OMA has Basic enabled, and that Anonymous and Integrated are NOT enabled.

The IIS logs we are interested in are the IIS logs in C:\Windows\System32\Logfiles\W3SVC1 on the server, not the device logs.
Here is a snippet from today for the POST and PROPFIND entries.  I replaced some information.

2006-05-03 02:35:05 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 02:35:05 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.14 MSFT-PPC/4.0 500 0 0
2006-05-03 02:35:12 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 02:35:12 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 500 0 0
2006-05-03 13:51:16 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 13:51:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 500 0 0
2006-05-03 13:51:20 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 13:51:20 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.22 MSFT-PPC/4.0 500 0 0
2006-05-03 14:17:35 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:17:35 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.15 MSFT-PPC/4.0 500 0 0
2006-05-03 14:17:39 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:17:39 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.17 MSFT-PPC/4.0 500 0 0
2006-05-03 14:19:06 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
2006-05-03 14:23:04 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 80 - 66.102.186.22 MSFT-PPC/4.0+UP.Link/6.3.0.0.0 500 0 0
2006-05-03 14:23:06 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 80 - 66.102.186.22 MSFT-PPC/4.0+UP.Link/6.3.0.0.0 500 0 0
2006-05-03 14:25:59 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:25:59 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.12 MSFT-PPC/4.0 500 0 0
2006-05-03 14:26:02 **ServerIP** PROPFIND /exchange-oma/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0
2006-05-03 14:26:02 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S3420R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.17 MSFT-PPC/4.0 500 0 0
2006-05-03 15:09:41 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
2006-05-03 15:14:21 **ServerIP** PROPFIND /exchange-oma/username/ - 80 - **ServerIP** - 403 6 0
2006-05-03 20:22:17 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:22:48 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:23:17 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 500 0 0
2006-05-03 20:23:53 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:24:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.15 MSFT-PPC/4.0 403 0 0
2006-05-03 20:24:16 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 64
2006-05-03 20:24:16 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:24:16 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 200 0 0
2006-05-03 20:25:17 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S0R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.16 MSFT-PPC/4.0 500 0 0
2006-05-03 20:35:25 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:35:25 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:35:25 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=Notify&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 200 0 0
2006-05-03 20:35:33 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 - **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2006-05-03 20:35:33 **ServerIP** PROPFIND /Exchange-OMA/username@domainname.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/**DeviceID** - 80 NetBiosDomainName\username **ServerIP** Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0
2006-05-03 20:35:33 **ServerIP** POST /Microsoft-Server-ActiveSync User=username&DeviceId=**DeviceID**&DeviceType=PocketPC&Cmd=FolderSync&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I481S1148R0S0L0H0P 443 NetBiosDomainName\username 66.102.186.10 MSFT-PPC/4.0 403 0 0
Look at the 403 6 errors on the IIS log entries. It points you towards the same wrong IP address issue again. So change the radio button to Granted Access and see if ActiveSync works. By the way 0x85010004 means http_500.

Regards,
Vasanth.
Yes, from the earlier entries, it looks like you are blocking the server's IP address on the /exchange-oma VDir.  It looks like this was fixed later (where you get 207, which is okay), but you now get 403 0 on /Microsoft-Server-Activesync .  Check that you are allowing the IP address that you replaced with **ServerIP** on the VDir /exchange-oma .  It's best to allow all IPs to access /Microsoft-Server-Activesync , since you won't know what the client IP address is going to be.

Any time you see a log entry where the 3rd from last number does not begin with a 2, then you have a problem accessing the VDir.  If it's a 4xx, then it probably means that something in the IIS configuration is blocking it (like IP address restrictions, permissions, SSL).  If it's 500, then something external to IIS (but that OMA or AS rely on) is preventing the application code from running.  401's (an initial auth challenge) are normal, though, as long as they are immediately followed by a 20x.
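A small log checker that applies the rule above, as an added example that is not part of the thread: a status not starting with 2 is a problem, 4xx is IIS blocking the VDir, 500 is something outside IIS, and a 401 is fine only when a 2xx for the same URI follows. It parses the same W3C field order as the excerpt posted earlier, pairs an ActiveSync 500 with the failed PROPFIND to the backend VDir logged in the same second, and runs on constructed sample lines with placeholder addresses and device ids.

```python
"""Flag IIS 6 W3C log entries that point at an OMA / ActiveSync access problem.
Rules from the thread: a sc-status not starting with 2 is a problem; 4xx means IIS
itself blocks the VDir (IP restrictions, permissions, SSL); 500 means the OMA/AS
code could not run; 401 is a normal challenge only when a 2xx follows at once."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    time: str
    method: str
    uri: str
    port: str
    status: int
    substatus: int


def parse_line(line: str) -> Optional[Entry]:
    """Field order as in the excerpt above: date time s-ip cs-method cs-uri-stem
    cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status."""
    if not line.strip() or line.startswith("#"):
        return None                      # blank line or W3C header
    f = line.split()
    if len(f) < 13:
        return None                      # not a request line in this layout
    return Entry(f[1], f[3], f[4], f[6], int(f[10]), int(f[11]))


def root(uri: str) -> str:
    """'/exchange-oma/user/...' -> '/exchange-oma' (the VDir being hit)."""
    return "/" + uri.split("/")[1]


def ok(status: int) -> bool:
    return 200 <= status < 300


LOOKAHEAD = 3   # neighbouring entries to scan when correlating 401s and 500s


def verdict(entries: List[Entry], i: int) -> Optional[str]:
    """Diagnosis for entries[i], or None when the entry looks healthy."""
    e = entries[i]
    if ok(e.status):
        return None
    if e.status == 401:
        for n in entries[i + 1:i + 1 + LOOKAHEAD]:
            if n.uri == e.uri and n.port == e.port and ok(n.status):
                return None              # challenge answered with credentials: normal
        return "401 not followed by a 2xx: credentials rejected on this VDir"
    if e.status == 403 and e.substatus == 6:
        return "403.6: client IP rejected by the VDir's IP address restrictions"
    if 400 <= e.status < 500:
        return f"{e.status}.{e.substatus}: IIS configuration blocks the VDir (IP restrictions, permissions, SSL)"
    if e.status == 500:
        # AS returns 500 to the device when its own PROPFIND to /Exchange or
        # /exchange-oma (logged in the same second) fails; report that cause.
        for n in entries[max(0, i - LOOKAHEAD):i + 1 + LOOKAHEAD]:
            if n is not e and n.method == "PROPFIND" and n.time == e.time and not ok(n.status):
                return f"500: backend PROPFIND to {root(n.uri)} got {n.status}.{n.substatus}"
        return "500: application code could not run; the cause is outside IIS"
    return f"unexpected status {e.status}"


def find_problems(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(time, method, VDir, diagnosis) for every entry that is not healthy."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return [(e.time, e.method, root(e.uri), v)
            for i, e in enumerate(entries) if (v := verdict(entries, i))]


# Constructed sample in the shape of the thread's excerpt (placeholder IPs and ids).
SAMPLE = [
    r"2006-05-03 02:35:05 10.0.0.5 PROPFIND /exchange-oma/user@example.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/DEV1 - 80 - 10.0.0.5 Microsoft-Server-ActiveSync/6.5.7638.1 403 6 0",
    r"2006-05-03 02:35:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=user&DeviceId=DEV1&DeviceType=PocketPC&Cmd=Notify 443 DOMAIN\user 203.0.113.7 MSFT-PPC/4.0 500 0 0",
    r"2006-05-03 20:35:25 10.0.0.5 PROPFIND /exchange-oma/user@example.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/DEV1 - 80 - 10.0.0.5 Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0",
    r"2006-05-03 20:35:25 10.0.0.5 PROPFIND /exchange-oma/user@example.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/DEV1 - 80 DOMAIN\user 10.0.0.5 Microsoft-Server-ActiveSync/6.5.7638.1 207 0 0",
    r"2006-05-03 20:35:25 10.0.0.5 POST /Microsoft-Server-ActiveSync User=user&DeviceId=DEV1&DeviceType=PocketPC&Cmd=Notify 443 DOMAIN\user 203.0.113.7 MSFT-PPC/4.0 200 0 0",
]
```

Running `find_problems(SAMPLE)` reports the 403.6 on /exchange-oma and the ActiveSync 500 it caused; on a real file, pass `open(path).read().splitlines()` from C:\Windows\System32\Logfiles\W3SVC1.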
Well.  I still haven't figured it out.  I am still getting the 403 entry in my logs.  I've opened up everything in IIS to all IPs on that server and still nothing is happening.

Are both OMA and AS now broken?
No.  Just AS.  OMA is fine.

Have you tried this:
http://support.microsoft.com/kb/883380
It might help to delete the Microsoft-Server-ActiveSync VDir and let the server re-create it using one of the three methods described.  I think the 3rd method is easiest.
Ok.  I've done all of that but am still getting:

Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings.  Contact your Exchange Server Administrator

0x85010004
I've checked every Directory, site, or other and SSL is not enabled on anything.  What's interesting... is just for giggles, I tried the following from a web browser for that same user:

Http://server.domain.com/oma

and

http://server.domain.com/exchange-oma/mailbox

and both work fine from a browser.

It's almost as if the device itself is struggling.
There are a few layers between ActiveSync and that /exchange-oma VDir, though.  Have you tried resetting the device?
Ok.... let me go over my configurations and see if there is anything that you can see wrong.... I am getting very frustrated with this:

I have:

Removed all certificates from my Exchange server and my self-prepared cert from my device.
Created a new VDir named exchange-oma
Removed SSL from all sites and VDir
Allowed all IP addresses to all sites and VDir's
Currently am allowing all IPs through the firewall for all ports
Set Authentication to Basic Authentication for all sites and VDir's
Did/set NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

Is there anything else you can think of to open this sucker wide open for a good starting point?
For a good starting point, I would not bother with the exchange-oma VDir, and just let it use the normal Exchange VDir, by removing the ExchangeVDir registry key you added at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir

(remember to stop/start the IIS Admin service if you remove the key).  If SSL is not required on the normal Exchange VDir, then it should be okay with that, and using exchange-oma is complicating things.  Would you like to try that?
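An added audit script, not from the thread, that checks the layout LeeDerbyshire has described so far: the exchange-oma clone with SSL not required, Integrated on, Anonymous off and the server's own IP granted; /OMA on Basic only; Microsoft-Server-ActiveSync open to all client IPs; and the MasSync ExchangeVDir value, with a switch for the simpler no-exchange-oma baseline suggested just above. The check logic works on plain dictionaries; `read_live()` is an assumed collector using pywin32's ADSI binding to the IIS 6 metabase (`IIS://localhost/W3SVC/1/ROOT/...`) and `winreg`, and only runs on the server.

```python
"""Audit the IIS 6 settings and registry value the thread has the asker check by hand.
Expected layout: the backend VDir (the exchange-oma clone of /Exchange, or /Exchange
itself for the baseline) has SSL not required, Integrated auth on, Anonymous off and
the server's own IP granted; /OMA is Basic only; Microsoft-Server-ActiveSync grants
all client IPs; the MasSync ExchangeVDir value is /exchange-oma, or absent for the baseline."""
from typing import Any, Dict, List


def _granted(vd: dict, ip: str) -> bool:
    """True when `ip` passes the VDir's IP address restrictions."""
    if vd.get("GrantByDefault", True):
        return ip not in vd.get("IPDeny", [])
    return ip in vd.get("IPGrant", [])


def audit(cfg: Dict[str, Any], server_ip: str, use_exchange_oma: bool = True) -> List[str]:
    """Return findings; an empty list means the configuration matches the expected layout."""
    out: List[str] = []
    backend = "exchange-oma" if use_exchange_oma else "Exchange"
    vd = cfg.get(backend)
    if vd is None:
        out.append(f"{backend}: VDir not found (export /Exchange to XML and import it under the new name)")
    else:
        if vd.get("AccessSSL"):
            out.append(f"{backend}: SSL is required, but OMA/AS cannot open it over SSL; clear the requirement")
        if not vd.get("AuthNTLM"):
            out.append(f"{backend}: Integrated Windows authentication is off; enable it")
        if vd.get("AuthAnonymous"):
            out.append(f"{backend}: Anonymous access is on; disable it")
        if not _granted(vd, server_ip):
            out.append(f"{backend}: server address {server_ip} is not granted; expect 403.6 in the IIS log")
    oma = cfg.get("OMA", {})
    if not oma.get("AuthBasic") or oma.get("AuthAnonymous") or oma.get("AuthNTLM"):
        out.append("OMA: needs Basic authentication only, with Anonymous and Integrated off")
    if not cfg.get("Microsoft-Server-ActiveSync", {}).get("GrantByDefault", True):
        out.append("Microsoft-Server-ActiveSync: limited to listed IPs; client addresses vary, grant all")
    key = cfg.get("ExchangeVDir")
    if use_exchange_oma and (key or "").lower() != "/exchange-oma":
        out.append("registry ExchangeVDir must be /exchange-oma (stop/start IIS Admin after changing it)")
    if not use_exchange_oma and key is not None:
        out.append("registry ExchangeVDir is set; remove it so OMA/AS use /Exchange (stop/start IIS Admin)")
    return out


def read_live(site: str = "1") -> Dict[str, Any]:
    """Collect the same settings from a live server. Assumed collector: pywin32's ADSI
    binding to the IIS 6 metabase plus winreg; it only runs on the Exchange box."""
    import winreg
    import win32com.client
    cfg: Dict[str, Any] = {}
    for name in ("Exchange", "exchange-oma", "OMA", "Microsoft-Server-ActiveSync"):
        try:
            vd = win32com.client.GetObject(f"IIS://localhost/W3SVC/{site}/ROOT/{name}")
        except Exception:
            continue                     # VDir does not exist on this site
        sec = vd.IPSecurity
        cfg[name] = {"AccessSSL": bool(vd.AccessSSL), "AuthBasic": bool(vd.AuthBasic),
                     "AuthNTLM": bool(vd.AuthNTLM), "AuthAnonymous": bool(vd.AuthAnonymous),
                     "GrantByDefault": bool(sec.GrantByDefault),
                     "IPGrant": [str(x).split(",")[0].strip() for x in (sec.IPGrant or [])],
                     "IPDeny": [str(x).split(",")[0].strip() for x in (sec.IPDeny or [])]}
    path = r"SYSTEM\CurrentControlSet\Services\MasSync\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
        try:
            cfg["ExchangeVDir"] = winreg.QueryValueEx(k, "ExchangeVDir")[0]
        except FileNotFoundError:
            pass                         # value absent: the no-exchange-oma baseline
    return cfg
```

On the server, `audit(read_live(), "<server IP>")` lists what still differs from the 817379 layout; `use_exchange_oma=False` checks the plain /Exchange baseline instead.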
I can start with that and then add things on as necessary.  I would like to get this thing to start working and then I can change settings one by one to make sure that they work before continuing.  After as much time that I've spent on this crazy thing... I think it's time to go back to the beginning.
ASKER CERTIFIED SOLUTION
LeeDerbyshire
OWA works but OMA does not.
Sorry... I stand corrected... All is working.

Now, I will start trying to add in security and make sure nothing breaks along the way.  I will make sure to document each and everything that I do to make sure I don't mess it up.  Just as a check:
Even Activesync?  If so, then do the /exchange-oma 817379 thing now, before you change anything on Exchange.  Many people export the Exchange VDir after the changes (when they have the problems) - it's too late, then.
That was my plan.  Everything worked and the phone synced... so that is what I am doing.
What are your suggestions for adding security?  I've tried going through the steps and it stops working.  I've reversed everything and I'm ready to try something new.
Did something break it again?  If you are going to use SSL, you need that alternate exchange-oma VDir working before you change anything else.
Here is where I am at....
I have an internal Certificate installed
I have SSL on /Exchange, OMA... well everything except exchange-oma and active-sync
I have SSL turned off on the device

The phone is working wonderfully but I would like to turn SSL on the device on so that I do not have to use a VPN and I can secure the mail server.  There are so many ramblings on the internet, it's hard to tell what should work and what should not (I think that is where I got messed up before).  The gist that I got from re-reading several articles is that I should:  Turn on SSL on the device and on the firewall, forward anything from port 80 to port 443.
Okay, to use SSL on the device, you would need to enable it on the Microsoft-Server-Activesync VDir, and activate the checkbox at the device end.  You don't need to redirect port 80 to 443 (I think that's what you were saying) - you just need to allow 443 straight through.

If the cert is self-issued, you will need to persuade the device to accept it.  I'm not sure how to do that yet, but I would rather find out if your cert is self-issued before I go and look for the articles regarding it.
Actually, you probably don't need to ~require~ SSL on Microsoft-Server-Activesync - if the checkbox at the device end is selected, then it will just use it, whether it's required or not.
Thank you for all of your help, LeeDerbyshire.  This issue was a particular pain.
I ended up going back to not requiring SSL and followed all of your direction on making sure that that is working properly.  I then added a VPN Tunnel from the device to my network.  It wasn't the best case scenario for me but it resolves all of my issues temporarily until I can get the SSL to work.  I do not think that the SSL problems were related to the device or the server but to the network that I am using for the device.  By tunnelling through, I resolve all of my issues.
You have been a great deal of help on this issue and I appreciate all of your prompt responses.