Solved

KB817379 looks insanely dangerous to do. Mobile access to Exchange server

Posted on 2007-03-26
Last Modified: 2013-11-13
I am trying to get my mobile device to access the Exchange server, and I get a "85010014" error message. I looked in the event log, and the message below was there. I read the suggested fix (KB817379) for it, and also the fix from a dude on http://groups.google.com/group/microsoft.public.pocketpc.activesync/browse_frm/thread/96a012d52673c49b/22bdad20f97e9745?lnk=st&q=activesync+3005+http+400&rnum=1
but that seems insanely difficult and dangerous. Could anyone please help and tell me what this is all about?

// Jo

ERROR MESSAGE IN EVENT LOG:
The mailbox server [SERVERNAME] has its [exchange] virtual directory set to require SSL.  Exchange ActiveSync cannot access the server if SSL is set to be required.  For information about how to correctly configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).
Question by:somewhereinafrica
16 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
I have to say that solution on Google Groups is a bit over the top.

What makes you think that 817379 is dangerous? It is a few registry changes and an export/import of a virtual folder. Takes about 15 minutes. I do it three or four times a week, often on remote control.

I do find that 817379 misses some steps that can cause problems so I have my own variation of the article here: http://www.amset.info/exchange/mobile-85010014.asp

Simon.

Author Comment

by:somewhereinafrica
I have read that one too. Way more organized and easy to overview :-)

Here are my concerns:

Step 1 - When I do this on a live server, what will the implication be? If I disable the formbase, will that not disable the whole darn thing?

Step 2 - Again, if I remove the SSL certificate, what will happen to people that are trying to work on it? (I understand that a few minutes later I will put the thing back, but what happens during that time, I'm just asking...)

Step 3 - Removing 'require SSL' means that people could access via port 80 using http://servername, but that is not a security risk in itself? I mean if someone uses it over port 80, the information might be tapped into. But in itself it is not a security risk (I could close down port 80 on the firewall as you suggest further down to combat that)


My OMA has never worked (as in that the dude before me probably did a bad job), is having OMA not working going to be solved by this step too, or should I concentrate on getting OMA to work first and then deal with this?

LVL 104

Expert Comment

by:Sembee
There will be some disruption to users of OWA while you make the changes. That cannot be helped.
If you disable forms based authentication then users get the standard username/password pop up box if they try to access the server during that time.

If you remove the SSL certificate then anyone accessing the server on SSL will have their connection dropped.

I don't use require SSL on any of my deployments because I don't open port 80 to the world. The simple fact is that require SSL on the directories is not compatible with OMA/EAS because it makes calls on port 80. That is partly what the additional virtual directory is supposed to fix.
As with everything in security, you secure what can be secured without impacting the use of the service too much. I personally prefer to secure the server by not allowing port 80 in than relying on require SSL to force the users on to https.

Simon.
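
Added example, not part of the original thread or of the linked article: one way to confirm from the IIS W3C logs that, with "require SSL" cleared, only the server's own internal call reaches the Exchange virtual directories on port 80. The virtual directory list, the trusted server address and the sample log lines are assumptions constructed for illustration.

```python
"""Audit IIS W3C logs for plain-HTTP hits on Exchange virtual directories."""

# Assumed default Exchange 2003 virtual directory names; adjust to the site.
EXCHANGE_VDIRS = ("/exchange", "/exchweb", "/public", "/oma",
                  "/microsoft-server-activesync")

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def plain_http_exposure(lines, trusted_ips):
    """Return (c-ip, cs-uri-stem) for port-80 requests from untrusted clients."""
    findings = []
    for row in parse_w3c(lines):
        if row.get("s-port") != "80":
            continue  # HTTPS traffic is not the concern here
        stem = row.get("cs-uri-stem", "").lower()
        if not any(stem == v or stem.startswith(v + "/") for v in EXCHANGE_VDIRS):
            continue
        if row.get("c-ip") in trusted_ips:
            continue  # assumed: the internal EAS/OMA call comes from the server itself
        findings.append((row["c-ip"], row["cs-uri-stem"]))
    return findings

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2007-03-26 10:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync 443 CORP\\jo 203.0.113.7 200
2007-03-26 10:00:01 10.0.0.5 PROPFIND /exchange/jo/Inbox 80 CORP\\jo 10.0.0.5 207
2007-03-26 10:05:12 10.0.0.5 GET /exchange/jo/ 80 - 198.51.100.23 401
2007-03-26 10:06:40 10.0.0.5 GET /iisstart.htm 80 - 198.51.100.23 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem in plain_http_exposure(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print(f"plain HTTP from {ip}: {stem}")
```

Any finding means port 80 is reachable from somewhere other than the server itself, which is the case the firewall rule is meant to prevent.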

Author Comment

by:somewhereinafrica
Simon, I have just sent you a request on your contact address on your site, please contact me a.s.a.p.

LVL 104

Expert Comment

by:Sembee
I believe one of my staff has responded to the email.
I also need to draw your attention to this section of the help guide regarding assistance outside of the site.
http://www.experts-exchange.com/help.jsp#hi99

Simon.

Author Comment

by:somewhereinafrica
OK, sorry about that. I did not mean to get you into trouble.

Author Comment

by:somewhereinafrica
OK, so these steps that you suggest that I make. What will be the impact on people connecting with OWA and the 'real' Outlook client? Do any of these changes affect that?

LVL 104

Expert Comment

by:Sembee
The full Outlook clients, as long as they are not using RPC over HTTPS, will not be affected.
Anyone using OWA will be kicked out while you are working on the server. Once the changes are made, OWA will operate as before.

Simon.

Author Comment

by:somewhereinafrica
Do you think our inability to use OMA is linked with this too?

LVL 104

Expert Comment

by:Sembee
OMA and EAS share the same backend. In most cases if OMA doesn't work then EAS will not work either.

Simon.

Author Comment

by:somewhereinafrica
Simon, what is it in effect that this maneuver does?

LVL 104

Expert Comment

by:Sembee
When you access EAS or OMA it makes an internal call to the /exchange virtual directory to read the contents of the mailbox being accessed. The change redirects that call to another folder which has a different configuration which allows the internal process access while maintaining the security of the folders and forms based authentication.

Simon.

Author Comment

by:somewhereinafrica
And this only affects the OMA/mobile devices access?
Not the rest of the people accessing RPC over HTTPS or the OWA?

LVL 104

Expert Comment

by:Sembee
It will affect those people while you do the work, but after that there is no change in the operation of either feature.

Simon.

Author Comment

by:somewhereinafrica
Thanks oodles dude, appreciate it, really do...

Author Comment

by:somewhereinafrica
Simon, dude, it worked, thanks a million...