Solved

KB817379 looks insanely dangerous to do. Mobile access to Exchange server

Posted on 2007-03-26
Last Modified: 2013-11-13
I am trying to get my mobile device to access the Exchange server, and I get a "85010014" error message. I looked in the event log, and the message below was there. I read the suggested fix (KB817379) for it, and also the fix from a dude on [http://groups.google.com/group/microsoft.public.pocketpc.activesync/browse_frm/thread/96a012d52673c49b/22bdad20f97e9745?lnk=st&q=activesync+3005+http+400&rnum=1]
but that seems insanely difficult and dangerous. Could anyone please help tell me what this is all about?

// Jo

ERROR MESSAGE IN EVENT LOG:
The mailbox server [SERVERNAME] has its [exchange] virtual directory set to require SSL.  Exchange ActiveSync cannot access the server if SSL is set to be required.  For information about how to correctly configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).
0
Question by:somewhereinafrica
16 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 18792120
I have to say that solution on Google Groups is a bit over the top.

What makes you think that 817379 is dangerous? It is a few registry changes and an export/import of a virtual folder. It takes about 15 minutes. I do it three or four times a week, often on remote control.

I do find that 817379 misses some steps that can cause problems so I have my own variation of the article here: http://www.amset.info/exchange/mobile-85010014.asp

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18792220
I have read that one too. Way more organized and easy to overview :-)

Here are my concerns:

Step 1 - When I do this on a live server, what will the implication be? If I disable the formbase, will that not disable the whole darn thing?

Step 2 - Again, if I remove the SSL certificate, what will happen to people that are trying to work on it? (I understand that a few minutes later I will put the thing back, but what happens during that time, I'm just asking...)

Step 3 - Removing 'require SSL' means that people could access via port 80 using http://servername, but that is not a security risk in itself? I mean if someone uses it over port 80, the information might be tapped into. But in itself it is not a security risk (I could close down port 80 on the firewall as you suggest further down to combat that)


My OMA has never worked (as in that the dude before me probably did a bad job). Is having OMA not working going to be solved by this step too, or should I concentrate on getting OMA to work first and then deal with this?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18792282
There will be some disruption to users of OWA while you make the changes. That cannot be helped.
If you disable forms based authentication then users get the standard username/password pop up box if they try to access the server during that time.

If you remove the SSL certificate then anyone accessing the server on SSL will have their connection dropped.

I don't use require SSL on any of my deployments because I don't open port 80 to the world. The simple fact is that require SSL on the directories is not compatible with OMA/EAS because it makes calls on port 80. That is partly what the additional virtual directory is supposed to fix.
As with everything in security, you secure what can be secured without impacting the use of the service too much. I personally prefer to secure the server by not allowing port 80 in than relying on require SSL to force the users on to https.

Simon.
0
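A check for the approach Simon describes above (keeping port 80 closed at the firewall instead of relying on "require SSL"), as an added example that is not part of the original thread: run from outside the firewall, it reports how each virtual directory answers plain HTTP. The host name `mail.example.com`, the function names, and the `/oma` and `/Microsoft-Server-ActiveSync` default paths are assumptions not taken from the thread.

```python
import socket

# Default Exchange 2003 virtual directories for OWA, OMA and ActiveSync.
VDIRS = ("/exchange", "/oma", "/Microsoft-Server-ActiveSync")

def http_status(host, path, port=80, timeout=5.0):
    """Plain-HTTP HEAD request; returns the status code, or None if the
    connection fails or nothing is answered within the timeout."""
    request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            status_line = sock.recv(256).split(b"\r\n", 1)[0].decode("latin-1")
    except OSError:
        return None
    fields = status_line.split()
    return int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0

def classify(status):
    if status is None:
        return "blocked"      # no answer on port 80: the firewall does the work
    if status == 403:
        return "refused"      # IIS answers 403 (403.4) while "Require SSL" is set
    if status in (301, 302, 307, 308):
        return "redirected"   # cleartext request is bounced elsewhere
    if status == 404:
        return "absent"       # port 80 is open, but this directory is not published
    return "exposed"          # 200/401/other: the directory answers over cleartext

def audit(host, probe=http_status):
    """Map each virtual directory to a verdict for plain HTTP on port 80."""
    return {path: classify(probe(host, path)) for path in VDIRS}

def port80_closed(report):
    return all(verdict == "blocked" for verdict in report.values())

if __name__ == "__main__":
    # mail.example.com is a placeholder; run this from OUTSIDE the firewall.
    report = audit("mail.example.com")
    for path, verdict in report.items():
        print(f"{verdict:10} http://mail.example.com{path}")
    print("port 80 closed to this vantage point:", port80_closed(report))
```

An "exposed" verdict with status 401 means the server is prompting for credentials over cleartext, which is the case the firewall rule is meant to prevent once "require SSL" has been removed.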
 

Author Comment

by:somewhereinafrica
ID: 18792294
Simon, I have just sent you a request on your contact address on your site, please contact me a.s.a.p.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18792390
I believe one of my staff has responded to the email.
I also need to draw your attention to this section of the help guide regarding assistance outside of the site.
http://www.experts-exchange.com/help.jsp#hi99

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18792427
OK, sorry about that. I did not mean to get you into trouble.
0
 

Author Comment

by:somewhereinafrica
ID: 18792475
OK, so these steps that you suggest that I make. What will be the impact on people connecting with OWA and the 'real' Outlook client? Do any of these changes affect that?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18792498
The full Outlook clients, as long as they are not using RPC over HTTPS, will not be affected.
Anyone using OWA will be kicked out while you are working on the server. Once the changes are made, OWA will operate as before.

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18792519
Do you think our inability to use OMA is linked with this too?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18792617
OMA and EAS share the same backend. In most cases if OMA doesn't work then EAS will not work either.

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18799474
Simon, what is it in effect that this maneuver does?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18800407
When you access EAS or OMA it makes an internal call to the /exchange virtual directory to read the contents of the mailbox being accessed. The change redirects that call to another folder which has a different configuration which allows the internal process access while maintaining the security of the folders and forms based authentication.

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18800469
And this only affects the OMA/mobile devices access?
Not the rest of the people accessing RPC over HTTPS or the OWA?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18800950
It will affect those people while you do the work, but after that there is no change in the operation of either feature.

Simon.
0
 

Author Comment

by:somewhereinafrica
ID: 18801001
Thanks oodles dude, appreciate it, really do...
0
 

Author Comment

by:somewhereinafrica
ID: 18805911
Simon, dude, it worked, thanks a million...
0
