Solved

your account does not have permission to sync with current settings for some users only

Posted on 2009-05-11
Last Modified: 2012-05-06
Hi All,

I have been struggling for the past one month with this strange problem.

I have an Exchange Server 2003 with about 100+ users.  Of these, about 20-30 users are using mobile phones for push email.  The phones are HTC S710, Nokia E63 and E71.

Until last month, any user I set up on a mobile device was able to sync with my Exchange server from the phone.  Since last month, I can't configure a phone with a new user's email, whether that user ID has been there for a few years or was created in the last month.  In the same month, if I set up my own mail ID, it works.  It means the phone is alright.  In the same way, if I set up the same user's email on my phone, the sync does not work and comes up with the above error
'your account does not have permission to sync with current settings'.

I have tried the following already without luck:

1. checked the active directory properties 'Exchange features' and all are enabled.
2. Unticked 'Secure layer only' & ticked 'Secure layer only' under server certificate option in IIS-MS Activesync Directory security property.
3. ticked/unticked 'Anonymous access' using 'IUSR_Computername' userid.
4. ticked/unticked ' Integrated authentication'
5. ticked/unticked ' basic authentication'.

Restarting IIS services after 2,3,4 & 5 above.  No luck.

I did the above for 'OMA' and 'Mobile' as well. No luck.

The only thing I haven't tried is deleting and recreating the MS-ActiveSync virtual directory. This is because there are about 20 users who are using this and it is working for them.  I'm a bit scared of trying to delete the virtual directory as this may cause problems for them as well.

Please help as I have run out of ideas.

Thank you in advance.

Regards
RK
Question by:ramavenu
12 Comments
 

Author Comment

by:ramavenu
ID: 24357759
Just to add to my question, I have tried the problematic users' email IDs on more than 2/3 phones on which, if I set up my email, it works.
 
LVL 65

Expert Comment

by:Mestha
ID: 24359601
Anything that connects the users? Email addresses for example? Are you running additional email addresses on the server?

Simon.
 
LVL 4

Expert Comment

by:aletjolly
ID: 24363191
Hello,
What kind of certificate do you have? (internal/external or public)
In case you have a public certificate, try testing it with the site www.testexchangeconnectivity.com

Author Comment

by:ramavenu
ID: 24366983
I'm using public certificate issued by Geotrust/equifax.  I will check with the link you sent.

ta
RK
 

Author Comment

by:ramavenu
ID: 24428855
Hi aletjolly,

I tried the link you gave me.  It doesn't help much.  

I'm still having trouble setting up new users for email connectivity in mobile phones.

Please help.

Thanks & Regards
RK
 
LVL 65

Expert Comment

by:Mestha
ID: 24429720
When you ran the test on the Microsoft site, was the test successful, or did it fail?
It provides a lot of troubleshooting information if the test was unsuccessful. If the tests all passed then it is not a setup problem with the server, but has to be related to the user account.

Simon.
 

Author Comment

by:ramavenu
ID: 24440658
Hi Mestha,

When I ran the test with my user ID and password, the test was successful, whereas if I try with any other new user (not necessarily a new user in AD - a new user means one for whom push email was never set up on Windows Mobile devices), the test failed with the following error:

An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>

Is there any limit on the number of users I can configure to use Windows ActiveSync in Exchange 2003 Server?

RK
 
LVL 65

Expert Comment

by:Mestha
ID: 24443517
Forbidden is an annoying error, as there is no single reason for it. There are no limits on the number of ActiveSync clients, and if you were hitting some other kind of error I would expect to have a different error message - access denied rather than forbidden.

I would start by looking at the HTTP logs for when you do the test, and verify the attempt is being made by the correct account as Exchange sees it. I have seen some odd configurations that mean only users with certain permissions can access the directory.

Simon.
 

Author Comment

by:ramavenu
ID: 24450229
When I check the event log (Application) when the connection fails, I get this event ID 3005.

Unexpected Exchange mailbox Server error: Server: [leb-ex001.GBR.lebara] User: [username@domain.com] HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.    


 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24455604
The first thing to check is whether the users generating the error have an email address in the default domain. The default domain matches your Windows domain. It does not have to be the default email address.

For example, if your WINDOWS domain is example.local and your SMTP domain is example.com, then the users need to have an email address in both domains.

Simon.
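
The check described in the accepted answer, as an added PowerShell example that is not part of the original thread: it lists mailbox-enabled users who have no SMTP proxy address in the Windows domain. It assumes the default SMTP domain equals the AD DNS domain name, as the answer states, and that it runs on a domain-joined machine with read access to the directory; the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only LDAP query, changes nothing.
# Assumption: the default SMTP domain is the AD DNS domain name
# (example.local in the answer's wording).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

function Test-HasDomainAddress {
    param([string[]]$ProxyAddresses, [string]$Domain)
    # proxyAddresses entries look like "SMTP:user@example.com" (primary) or
    # "smtp:user@example.local" (secondary). -like is case-insensitive, so
    # either form counts; X400 and other address types never match.
    foreach ($addr in $ProxyAddresses) {
        if ($addr -like "smtp:*@$Domain") { return $true }
    }
    return $false
}

# Mailbox-enabled user objects only (homeMDB is set when a mailbox exists).
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'proxyAddresses'))

foreach ($result in $searcher.FindAll()) {
    $addrs = @($result.Properties['proxyaddresses'] | ForEach-Object { [string]$_ })
    if (-not (Test-HasDomainAddress -ProxyAddresses $addrs -Domain $domain)) {
        New-Object PSObject -Property @{
            User      = [string]$result.Properties['samaccountname'][0]
            Addresses = ($addrs -join '; ')
        }
    }
}
```

Any user it prints is a candidate for the failure described in the question; users who sync correctly should not appear.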
 
LVL 1

Assisted Solution

by:pcguy-za
pcguy-za earned 250 total points
ID: 24930484
I have been dealing with this exact problem and seem to have found the answer.

This link here gives a full list of things to try:

http://davidschrag.com/schlog/245/troubleshooting-0x85010004-for-exchange-2003-and-windows-mobile-5

BUT most people, myself included, seem to have cracked it with 'step 4', see below.

GL - David

Step four:
Please check the following IIS settings:

For Exchange/Exchange-oma virtual directory:
1. Open IIS Manager
2. Open properties of virtual directory Exchange/Exchange-oma
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the authentication settings are as below:
Authentication Methods
Enabled Basic authentication
Enabled Integrated Windows authentication
Disabled anonymous access

For OMA virtual directory and Microsoft-Server-ActiveSync virtual directory:
1. Open IIS Manager
2. Open properties of OMA virtual directory and Microsoft-Server-ActiveSync virtual directory respectively.
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the authentication settings are as below:
Authentication Methods
Uncheck Enable anonymous access
Uncheck Integrated Windows authentication
Check Basic authentication

**-IIS Exchange, enabled integrated windows auth
-Exch-OMA, disabled anonymous access
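
The "step four" settings above, checked in one pass instead of four dialog boxes; this is an added PowerShell example, not part of the original post. It assumes the IIS 6 metabase is reachable through the ADSI `IIS://` provider, that the virtual directories live under the default web site (`W3SVC/1`), and that it runs locally as an administrator; the function and variable names are hypothetical.

```powershell
# Added example (not from the thread). Reads the IIS 6 metabase, changes nothing.
# AuthFlags is a bitmask: 1 = anonymous, 2 = Basic, 4 = Integrated Windows.
$AuthBits = @{ Anonymous = 1; Basic = 2; Integrated = 4 }

# Expected state per virtual directory, taken from "step four" above.
$backEnd  = @{ Anonymous = $false; Basic = $true; Integrated = $true  }
$frontEnd = @{ Anonymous = $false; Basic = $true; Integrated = $false }
$Expected = @{
    'Exchange'                    = $backEnd
    'Exchange-oma'                = $backEnd
    'OMA'                         = $frontEnd
    'Microsoft-Server-ActiveSync' = $frontEnd
}

function Compare-AuthFlags {
    param([int]$AuthFlags, [hashtable]$Want)
    # Returns one message per setting that differs from the expected state.
    $problems = @()
    foreach ($name in 'Anonymous', 'Basic', 'Integrated') {
        $isSet = ($AuthFlags -band $AuthBits[$name]) -ne 0
        if ($isSet -ne $Want[$name]) {
            $now  = if ($isSet) { 'enabled' } else { 'disabled' }
            $goal = if ($Want[$name]) { 'enabled' } else { 'disabled' }
            $problems += "$name is $now, expected $goal"
        }
    }
    return ,$problems
}

foreach ($vdir in ($Expected.Keys | Sort-Object)) {
    # Assumption: default web site, i.e. site ID 1.
    $path = "IIS://localhost/W3SVC/1/ROOT/$vdir"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Output "$vdir : not present under W3SVC/1"
        continue
    }
    $flags    = [int]([ADSI]$path).Properties['AuthFlags'].Value
    $problems = Compare-AuthFlags -AuthFlags $flags -Want $Expected[$vdir]
    if ($problems.Count -eq 0) {
        Write-Output "$vdir : OK (AuthFlags=$flags)"
    } else {
        Write-Output "$vdir : MISMATCH (AuthFlags=$flags): $($problems -join '; ')"
    }
}
```

Basic authentication sends the password only base64-encoded, so the directories that accept it should be reachable by devices over HTTPS only.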