  • Status: Solved
  • Priority: Medium
  • Security: Public

Setup iPhone and Exchange 2003 SP2 ActiveSync (Single Server)

Hey All,

Need help setting up iPhone 3.0 and ActiveSync with Exchange 2003 SP2 single server configuration.  I have started the process with assistance of other references and various MS KBs.  Not sure if I'm heading in the right direction since I've been around the process too many times and still no luck.

Don't assume anything is correct or valid at this point, since some information may have been for specific cases.  So to that end where shall we start?

I can give you  this for now...  The tool at https://www.testexchangeconnectivity.com still errors on FolderSync command test failed.  HTTP 403 forbidden response was received...  also receive an Event 3005 Unexpected Exchange mailbox Server error: Server: ... Status code [409]

Is this a permission error?

The phone appears to be setup correctly but only produces messages.  Cannot Connect to Server or something like that.  (I do not have immediate access to the phone) so I am depending on the MS web tool above (hopefully it works).

Also, have an SSL certificate from GoDaddy.com, still not sure if that is correctly installed/setup...

Again, please ask what you need as I have done/un-done so much that triple checking can't hurt.

Thanks in advance, I know you can do it!

Britt Thompson (Sr. Systems Engineer) commented:
Can you browse to https://mail.yourserver.com/exchange without certificate errors? If you can, view the certificate within the browser and make sure it's the GoDaddy cert. If you can't, you've not imported it into IIS properly.

DoDebug (Author) commented:
renazonse,
I can access https://mail.yourserver.com/exchange and have no errors, but, I am not sure if the certification is there or where to find it.  I checked Internet Explorer, Tools->Internet Options->Content->Certificates but not sure which cert would be the one.  Is there another place to check or confirm if it is there?
Also, if this adds to the problem (I know it does)... On IE 7.0 (XP Pro) I receive a "Choose a digital certificate" dialog, but no certificate is there.  IE 8.0 (Windows Vista) does not show the dialog box.  They both open the OWA email fine beyond that.
Thanks for your assistance it is greatly appreciated!

Britt Thompson (Sr. Systems Engineer) commented:
If you open IE 7 and look to the end of the address bar at the lock icon >> click it >> then click on View Certificate.

Sounds like you're correct in assuming your cert is set up incorrectly. Here are exact instructions on how to do it properly:

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
Picture-7.png

DoDebug (Author) commented:
renazonse,
I do have the lock, and when clicked, it shows the GoDaddy cert with option to install.  Which I have not done yet.
Also, the link you provided for setup of the cert, do you know if this is valid for a Standard Edition?  I do not have SBS.
Thanks.

Britt Thompson (Sr. Systems Engineer) commented:
Same process for Standard and SBS in this case... It's IIS that's the same version.

Funny, you shouldn't have to install the cert since GoDaddy is a trusted CA.

When you browse to your server say: https://mail.mycompany.com/exchange   is  mail.mycompany.com the "issued to" domain on the cert? If not, that's what it needs to be.

Alan Hardisty commented:
Have you discovered / read the following KB article?  Have you got forms based authentication enabled?
http://support.microsoft.com/kb/817379 

evan021702 commented:
First make sure your SSL cert is installed and that your Outlook Web Access is in working order.   Then check the user account in Active Directory to be sure that they have outlook mobile access granted:
http://technet.microsoft.com/en-us/library/aa995874(EXCHG.65).aspx
If both OWA and OMA work without a hitch, then more than likely you have an issue with the actual phone.
On the iPhone you should just have to setup the account under the exchange mail wizard.  
Do you have the same issue with a normal Windows Mobile Phone?

DoDebug (Author) commented:
renazonse,
Ok, I will check that reference regarding the installation of the SSL cert.  I originally followed the document provided by GoDaddy.com which seemed to be clear.  I guess a question here would be, what directory or virtual directory do you apply or enable the SSL under the Default Web Site?  I am only trying to activate the ActiveSync, but leaving OWA accessible is ok.
Regarding the domain on the cert, Yes, it is the correct domain.

DoDebug (Author) commented:
alanhardisty:
No, forms based authentication is not enabled.  KB 817379 checked.
Thanks.

Britt Thompson (Sr. Systems Engineer) commented:
The cert needs to be imported from the Default Web Site.

DoDebug (Author) commented:
evan021702:
First, I know OMA and OWA are different, but how are they accessed to verify if they do work?
OWA, I use https://mail.yourserver.com/exchange.  OMA, never used since it never did anything until recently.  If I open https://mail.yourserver.com/oma I get a runtime error (see attached jpg).
Second, this is a single user (iPhone 3.0).  Never had ActiveSync working.  Previously had a BlackBerry Storm running BlackBerry Server but that was uninstalled and tossed out the window.

OMA-Error.jpg

evan021702 commented:
Yes you should just go to https://mail.yourserver.com/oma to access the OMA site.  It looks like either there is a problem with the web.config file or permission setting in IIS.  
We had this problem when setting it up as well.  Let me ask the other sys admin to find out what we did.

DoDebug (Author) commented:
All,
OMA and OWA are enabled at the User Level and Enterprise Level.  The settings at the Enterprise level are shown in the attached jpgs.

MobileServices1.jpg
DeviceSecurity.jpg

evan021702 commented:
Okay, see this post. There were two things we did:
1. Reregister .NET Framework on the server (we used 2.0 not 1.1).
2. Make sure that the IIS Admin COM server was using the Network Service Account.  This post suggests the LOCAL SYSTEM, but either should work:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_21436386.html  

evan021702 commented:

Also be sure your settings are correct on your virtual directories as far as security goes (Basic, Windows Auth, etc).  See Here:

http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html

DoDebug (Author) commented:
Okay, reinstalled the .NET 2.0 Framework and checked file permissions, all ok - no change.
Also checked the virtual directories and all appear ok, as well.
The last document reference indicates to reset OWA which I have done many times.  What I think I will do, if it sounds ok is remove the SSL and anything related and also reset the OWA and permissions again.  This way I will eliminate the certificate to see if OWA (was working) and OMA (not working) come back.
Also, performed a reboot since I had the window time.
Keep in mind this is a Single Server (no front/back) only Front End or is it Back End (I think that matters too)

Saakar commented:
+ Check and see if you have Anonymous Access on Exchange Virtual Directory in IIS
+ It should be Basic and Windows Integrated on Exchange VDIR
+ Microsoft-Server-ActiveSync should have Basic Authentication
+ If you have SSL or FBA enabled either or, make sure that you follow KB 817379

DoDebug (Author) commented:
Changed the \OMA vdir .net to 1.1.4322 and now when trying to access OMA I get
Unable to connect to your mailbox on server YOURSERVER. Please try again later. If the problem persists contact your administrator.
Looks like the SSL cert.  Any clue with the cert?  I can access https://mail.mycompany.com/exchange okay I guess.  It opens the OWA fine but, the Certificate is never downloaded.  On IE 7.0 from a Windows XP system I get "Choose a digital certificate" dialog every time.  Does IIS not have the cert installed in the correct location or setting?

Saakar commented:
We don't need OMA to work to make Exchange ActiveSync work, OMA is a dead technology and NO longer in use. What is the URL that you are using on the phone, and what are the authentication settings on the various VDIRs in IIS?

I believe the status code 409 indicates some authentication settings that are incorrect...

Also, KB817379 not only applies if FBA is enabled, it's also applicable if you have SSL on the default web site.

DoDebug (Author) commented:
saakar rao,
Thanks, I stopped looking at OMA since it still does not work.
All,
Since I have only a single server config and SSL (FBA disabled) I am following document references for a Back End configuration.  Hopefully that is correct?
Also, can anyone confirm that the https://www.testexchangeconnectivity.com tool does work and return a Successful response if the server is actually configured correctly?
I am using the Exchange ActiveSync option.
Here is what I currently have set for "Default Web Site" and all the Virtual Directories.  If someone can validate this and tell me what is wrong/right I would be a happy person and not have to look at these settings again.  (see attached)

Permissions.jpg

DoDebug (Author) commented:
In case this helps too, the result of the last test at https://testexchangeconnectivity.com

 Attempting to Resolve the host name mobile.smsesq.com in DNS.
 Host successfully Resolved
Additional Details
 IP(s) returned: 75.99.117.154
Testing TCP Port 443 on host mobile.smsesq.com to ensure it is listening/open.
 The port was opened successfully.
Testing SSL Certificate for validity.
 The certificate passed all validation requirements.
Test Steps
 Validating certificate name
 Successfully validated the certificate name
Additional Details
 Found hostname mobile.smsesq.com in Certificate Subject Common name
Validating certificate trust for Windows Mobile Devices
 The test passed with some warnings encountered. Please expand additional details.
Additional Details
 Certificate is only trusted on Windows Mobile 5.0 AKU2 (MSFP) and later. Windows Mobile 5.0 devices will not be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Testing certificate date to ensure validity
 Date Validation passed. The certificate is not expired.
Additional Details
 Certificate is valid: NotBefore = 6/30/2009 8:26:48 AM, NotAfter = 6/30/2010 8:26:48 AM
 
Testing Http Authentication Methods for URL https://mobile.smsesq.com/Microsoft-Server-Activesync/
 The test passed with some warnings encountered. Please expand additional details.
 Tell me more about this issue and how to resolve it
Additional Details
 The following authentication methods are enabled but are not allowed Authentication methods for this service. Methods: Negotiate, NTLM
Attempting an Activesync session with server
 Errors were encountered while testing the ActiveSync session
Test Steps
 Attempting to send OPTIONS command to server
 OPTIONS response was successfully received and is valid
Additional Details
 Headers received: Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7651.19
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Fri, 03 Jul 2009 18:32:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
 
Attempting FolderSync command on ActiveSync session
 FolderSync command test failed
Additional Details
 An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>  
0
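
Added example, not part of the thread or any poster's code: a small Python check that reads captured responses like those in the test output above and flags authentication schemes other than Basic on the Microsoft-Server-ActiveSync virtual directory, along with a FolderSync 403 that follows a valid OPTIONS reply. The response text is constructed from the headers quoted above; the 401 challenge and the realm mail.example.com are assumptions.

```python
from email.parser import Parser

# Constructed sample: headers abridged from the OPTIONS output quoted in the thread.
OPTIONS_RESPONSE = """HTTP/1.1 200 OK
MS-Server-ActiveSync: 6.5.7651.19
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,FolderSync,Provision,Ping
Server: Microsoft-IIS/6.0
"""

# Constructed sample (assumption): a 401 challenge consistent with the tool's
# "Negotiate, NTLM" warning; mail.example.com is a placeholder realm.
CHALLENGE_RESPONSE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mail.example.com"
"""

def parse_response(raw):
    """Split a raw HTTP response head into (status code, header object)."""
    status_line, _, header_block = raw.partition("\n")
    status = int(status_line.split(" ", 2)[1])
    return status, Parser().parsestr(header_block, headersonly=True)

def offered_schemes(headers):
    """Return the scheme token of every WWW-Authenticate challenge, in order."""
    return [v.split(None, 1)[0] for v in headers.get_all("WWW-Authenticate", [])]

def triage(options_raw, challenge_raw, foldersync_status):
    """Compare the probe results with the Basic-only setting advised for the vdir."""
    findings = []
    _, opt = parse_response(options_raw)
    commands = [c.strip() for c in opt.get("MS-ASProtocolCommands", "").split(",")]
    schemes = offered_schemes(parse_response(challenge_raw)[1])
    extra = [s for s in schemes if s.lower() != "basic"]
    if not any(s.lower() == "basic" for s in schemes):
        findings.append("Basic authentication is not offered")
    if extra:
        findings.append("non-Basic schemes offered: " + ", ".join(extra))
    if "FolderSync" not in commands:
        findings.append("server does not advertise FolderSync")
    elif foldersync_status == 403:
        findings.append("FolderSync is advertised but returned 403; "
                        "review the virtual directory settings")
    return findings

if __name__ == "__main__":
    for line in triage(OPTIONS_RESPONSE, CHALLENGE_RESPONSE, 403):
        print("-", line)
```
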
 
DoDebug (Author) commented:
This had to be the most difficult resolve I had to find.  But, the information everyone provided I have visited multiple times prior to using EE.  Sorry no one actually resolved the problem.  I actually found the solution because I never quit and now I'm bald.  The solution was...
saakar_rao:  ActiveSync does appear to require OMA to work, when I fixed OMA, ActiveSync works flawlessly!
1) Change the .NET version from 2.0 to 1.1.4322 on OMA and Microsoft-Server-ActiveSync
2) Followed these instructions. When I got to #17 it was actually working. http://www.amset.info/exchange/mobile-85010014.asp
Thanks all for your help.
Oh yeah, one more thing... https://www.TestExchangeConnectivity.com does actually work!

Success.jpg

Saakar commented:
Good to know that your issue is Resolved at last :-)

Well fixing OMA CANNOT resolve your ActiveSync issue, since they are not related at all...

Enabling .NET version from 2.0 to 1.1.4322 on Microsoft-Server-ActiveSync resolved your issue.

Anyways all is well that ends well

Cheers!!!