Cell Phones not receiving email from Exchange

As far as I know from the phone we tested it just says something to the effect of cannot find server.

Exchange runs on an existing server that was the only DNS server. The new DC that was added was to replicate AD and DNS which it is doing. I have not seen any activesync errors on the server. The only exchange related error I see in event log is an ldap bind error because its for some reason looking for a server we took off the network. event id 8026 Source: MSExchangeAL. We did take this off the network a few days before we realized that there were phone synching issues. The sync issues seemed to be timed right around the time we ran netdiag.

Adding a new domain controller should have had nothing to do with the phones being able to sync (or not). Phone sync is from outside the network.

Does OMA work? That is the usual test for sync type issues.
http://host.domain.com/oma

Login as domain\username
and then password

Simon.

Not sure what OMA is but I receive an error shown here (running from outside the network):
Server Error in '/OMA' Application.
--------------------------------------------------------------------------------

Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
 

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.


<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>
 

here is the full error running inside the network:

Server Error in '/OMA' Application.
--------------------------------------------------------------------------------

Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\oma\55aaeb43\5ef66257" is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\oma\55aaeb43\5ef66257" is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET write access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace:


[UnauthorizedAccessException: Access to the path "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\oma\55aaeb43\5ef66257" is denied.]
   System.IO.__Error.WinIOError(Int32 errorCode, String str) +393
   System.IO.Directory.InternalCreateDirectory(String fullPath, String path) +632
   System.IO.Directory.CreateDirectory(String path) +195
   System.Web.Compilation.PreservedAssemblyEntry.DoFirstTimeInit(HttpContext context) +85
   System.Web.Compilation.PreservedAssemblyEntry.EnsureFirstTimeInit(HttpContext context) +97
   System.Web.Compilation.PreservedAssemblyEntry.GetPreservedAssemblyEntry(HttpContext context, String virtualPath, Boolean fApplicationFile) +29
   System.Web.UI.TemplateParser.GetParserCacheItemFromPreservedCompilation() +91
   System.Web.UI.TemplateParser.GetParserCacheItemInternal(Boolean fCreateIfNotFound) +178
   System.Web.UI.TemplateParser.GetParserCacheItemWithNewConfigPath() +125
   System.Web.UI.TemplateParser.GetParserCacheItem() +99
   System.Web.UI.ApplicationFileParser.GetCompiledApplicationType(String inputFile, HttpContext context, ApplicationFileParser& parser) +171
   System.Web.HttpApplicationFactory.CompileApplication(HttpContext context) +43
   System.Web.HttpApplicationFactory.Init(HttpContext context) +485
   System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +170
   System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +414

 


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300

When you added this new domain controller to the network, did you do anything to Exchange, such as add/remove domain controller or other roles from it?

You are getting access denied, which usually means authentication is stuffed up.

My standard response for that at the moment is reset virtual directories.
http://support.microsoft.com/default.aspx?kbid=883380

Simon.

You said your Exchange server was the only DNS server.  Does that mean that it is or was also a DC.  Did you happen to demote the Exchange server or change its domain membership from DC to member server?

If that is not the case, make sure you have the ASP account still on the server or in AD if the server is a DC.

The exchange server was a DC and was the only DNS. I had another DC that did not replicated dns, only AD but it was removed from the network 5 days ago. Nothing has changed on the exchange server other then I had to run netdiag /fix on it so that the new DC I added could install Active Directory because it stated DNS was missing a SRV record.

I don't see anything called ASP in the users group of AD.

yes its still a DC and as far as I know is still marked as Master. I believe its been rebooted, but I can do that now as a test.

rebooted and still receive same OMA error.

what is the asp username that is supposed to show up in AD ?

I just went through http://support.microsoft.com/default.aspx?kbid=883380 and still receive an error when I run the OMA test.

On an Exchange Server that is not a DC there will be a local account called ASPNET.  This is a limited account used to launch the asp application.  Using ASP.NET 1 uses the IWAM_Machine account.  2 uses the ASPNET account.  On a DC I beilive it will just use the system account.  Not having that account on a DC is ok, as there are no local accounts.

I also notice that you are using an older version of ASP.NET 1.1.

Add/remove programs shows .Net 2.0 installed and I'm downloading 3.0 now to do the update. Exchange is on a DC.

Well before you do that you should probably look into this problem a little bit more.  Adding software to a broken install isn't always a good idea unless it is goign to fix something specific.  Try resetting the virtual directories before you do this.

okay

I found out that in the temporary files path of the error that oma\55aaeb43\5ef66257 directory didn't exist
so I went to the Microsoft.Net folder, checked permissions and the Everyone group listed as well as Creator Owner didn't have any boxes checked, not even read, so I checked all boxes for both applied it and now the OMA page comes up without error. I'm not sure what the correct permissions are supposed to be for that folder. Now I have to test an email to a phone.

That is what the error message talked about was the permissions not being correct.

OMA is working but cell phones are not receiving emails. Also noticed (not sure if its because of the MS KB I followed above) that the exchange webpage now requires https. the http use to redirect you to the https side which its not doing now, it brings up an NT authentication pop up and loads email up but the inbox window just says "loading" and never shows email. the url stays as http.  Everything works fine if I make the url https

Is this something that you have just recently changed?  If so that very well is going to cause problems if used in conjuction with Forms Based Authentication.  Here is the KB with info on that as well as a workaround.

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

Take a look at that article and see if your enviroment fits that descritpion.  If so you can take a look at the workarounds listed to get ActiveSync working.

Read the article. I did not create the /exchdav they talk about but I checked my exchange IIS site settings to make sure they match and I have Integrated Windows authentication and Basic authentication checked and SSL required is unchecked like the article states.  Port 80 Exchange webmail prompts me for a login now, I don't get forwarded to the https side to get the exchange screen that has a form login anymore. Not sure what happened here. According to the MS article that was linked from Petri I should have errors in my application event log on the server about exchange activesync and I have no errors from Exchange at all in the event log.

On the mobile device what are you putting in for the address?  Should be something similar to host.domain.com.  Also do you have the require ssl set on the phone?  If so does your Exchange server have a commercial SSL cert?  What about trying uncheckign the require ssl on the phone if it is set.

Also, just as a connectivity test make sure you get to the oma page from the phone.

the phone is set to server.domain.com. Exchange generated its own SSL. I'll check the phone SSL settings but what changed since this was once working on the 8 employees who need it and they all stopped at the same time. Like I said it all stopped after I ran netdiag/fix

Cell phone is accessing the OMA page fine

The box for SSL is not checked on the phone. We checked the box just as a test and get an error that the certificate on the server is invalid.

That would be expected as the certificate is home grown.  Since you are having problems using http this could be the problem.  Under the virtual directories do any of them have the box checked for require https?

You can try adding the cert to teh mobile device so that you can use https on the phone and see if it works.

To do this I usually package the cert via a cab file for install on mobile devices.
http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx

I'd rather not use SSL if I don't have to. I see no box under the virtual directory tab for any of the current VD's in IIS manager that says require https. I don't see anything at all that says https on the virtual directory tab.

If you click on the vitual directory, go under directory security, secure communications, the edit.

See if require secure channel is checked.  Do that for your /exchange, /oma, /exadmin directories.

oh, already checked this in an earlier post. Box is not checked for any of them.

Any ideas on what to check for or do I just start over?