Solved

Setup iPhone and Exchange 2003 SP2 ActiveSync (Single Server)

Posted on 2009-07-02
Last Modified: 2012-05-07
Hey All,

Need help setting up iPhone 3.0 and ActiveSync with Exchange 2003 SP2 single server configuration.  I have started the process with the assistance of other references and various MS KBs.  Not sure if I'm heading in the right direction since I've been around the process too many times and still no luck.

Don't assume anything is correct or valid at this point, since some information may have been for specific cases.  So to that end where shall we start?

I can give you  this for now...  The tool at https://www.testexchangeconnectivity.com still errors on FolderSync command test failed.  HTTP 403 forbidden response was received...  also receive an Event 3005 Unexpected Exchange mailbox Server error: Server: ... Status code [409]

Is this a permission error?

The phone appears to be set up correctly but only produces messages.  Cannot Connect to Server or something like that.  (I do not have immediate access to the phone) so I am depending on the MS web tool above (hopefully it works).

Also, I have an SSL certificate from GoDaddy.com; still not sure if that is correctly installed/set up...

Again, please ask what you need as I have done/un-done so much that triple checking can't hurt.

Thanks in advance, I know you can do it!
Question by:DoDebug
23 Comments
 
LVL 30

Expert Comment

by:renazonse
Can you browse to https://mail.yourserver.com/exchange without certificate errors? If you can, view the certificate within the browser and make sure it's the godaddy cert. If you can't, you've not imported it into IIS properly.
 

Author Comment

by:DoDebug
renazonse,
I can access https://mail.yourserver.com/exchange and have no errors, but, I am not sure if the certification is there or where to find it.  I checked Internet Explorer, Tools->Internet Options->Content->Certificates but not sure which cert would be the one.  Is there another place to check or confirm if it is there?
Also, if this adds to the problem (I know it does)... On IE 7.0 (XP Pro) I receive a "Choose a digital certificate" dialog, but no certificate is there.  IE 8.0 (Windows Vista) does not show the dialog box.  They both open the OWA email fine beyond that.
Thanks for your assistance it is greatly appreciated!
 
LVL 30

Expert Comment

by:renazonse
If you open IE 7 and look to the end of the address bar at the lock icon >> click it >> then click on View Certificate.

Sounds like you're correct in assuming your cert is set up incorrectly. Here are exact instructions on how to do it properly:

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
Picture-7.png
 

Author Comment

by:DoDebug
renazonse,
I do have the lock, and when clicked, it shows the GoDaddy cert with option to install.  Which I have not done yet.
Also, the link you provided for setup of the cert, do you know if this is valid for a Standard Edition?  I do not have SBS.
Thanks.
 
LVL 30

Expert Comment

by:renazonse
Same process for Standard and SBS in this case... It's IIS that's the same version.

Funny, you shouldn't have to install the cert since Godaddy is a trusted CA.

When you browse to your server say: https://mail.mycompany.com/exchange   is  mail.mycompany.com the "issued to" domain on the cert? If not, that's what it needs to be.
 
LVL 76

Expert Comment

by:Alan Hardisty
Have you discovered / read the following KB article?  Have you got forms based authentication enabled?
http://support.microsoft.com/kb/817379
 
LVL 6

Assisted Solution

by:evan021702
evan021702 earned 500 total points
First make sure your SSL cert is installed and that your Outlook Web Access is in working order.   Then check the user account in Active Directory to be sure that they have outlook mobile access granted:
http://technet.microsoft.com/en-us/library/aa995874(EXCHG.65).aspx
If both OWA and OMA work without a hitch, then more than likely you have an issue with the actual phone.
On the iPhone you should just have to setup the account under the exchange mail wizard.  
Do you have the same issue with a normal Windows Mobile Phone?
 

Author Comment

by:DoDebug
renazonse,
Ok, I will check that reference regarding the installation of the SSL cert.  I originally followed the document provided by GoDaddy.com which seemed to be clear.  I guess a question here would be, what directory or virtual directory do you apply or enable the SSL under the Default Web Site?  I am only trying to activate the ActiveSync, but leaving OWA accessible is ok.
Regarding the domain on the cert, Yes, it is the correct domain.
 

Author Comment

by:DoDebug
alanhardisty:
No, forms based authentication is not enabled.  KB 817379 checked.
Thanks.
 
LVL 30

Expert Comment

by:renazonse
The cert needs to be imported from the Default Web Site.
 

Author Comment

by:DoDebug
evan021702:
First, I know OMA and OWA are different, but how are they accessed to verify if they do work?  
OWA, I use https://mail.yourserver.com/exchange.  OMA, never used since it never did anything until recently.  If I open https://mail.yourserver.com/oma I get a runtime error (see attached jpg)
Second, this is a single user (iPhone 3.0).  Never had ActiveSync working.  Previously had a BlackBerry Storm running BlackBerry Server but that was uninstalled and tossed out the window.

OMA-Error.jpg
 
LVL 6

Expert Comment

by:evan021702
Yes you should just go to https://mail.yourserver.com/oma to access the OMA site.  It looks like either there is a problem with the web.config file or permission setting in IIS.  
We had this problem when setting it up as well.  Let me ask the other sys admin to find out what we did.
 

Author Comment

by:DoDebug
All,
OMA and OWA are enabled at the User Level and Enterprise Level.  The settings at the Enterprise level are shown in the attached jpgs.

MobileServices1.jpg
DeviceSecurity.jpg
 
LVL 6

Expert Comment

by:evan021702
Okay, see this post; there were two things we did:
1. Reregister .Net framework on the server (we used 2.0 not 1.1).
2. Make sure that the IIS Admin COM server was using the Network Service Account.  This post suggests the LOCAL SYSTEM, but either should work:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_21436386.html  
 
LVL 6

Expert Comment

by:evan021702
Also be sure your settings are correct on your virtual directories as far as security goes (Basic, Windows Auth, etc).  See Here:

http://www.msexchange.org/tutorials/Resetting-OWA-Folder-IIS-security-permissions-Exchange-2003.html
 

Author Comment

by:DoDebug
Okay, reinstalled the .NET 2.0 Framework and checked file permissions, all ok - no change.
Also checked the virtual directories and all appear ok, as well.
The last document reference indicates to reset OWA which I have done many times.  What I think I will do, if it sounds ok is remove the SSL and anything related and also reset the OWA and permissions again.  This way I will eliminate the certificate to see if OWA (was working) and OMA (not working) come back.
Also, performed a reboot since I had the window time.
Keep in mind this is a Single Server (no front/back) only Front End or is it Back End (I think that matters too)
 
LVL 12

Expert Comment

by:Saakar
+ Check and see if you have Anonymous Access on Exchange Virtual Directory in IIS
+ It should be Basic and Windows Integrated on Exchange VDIR
+ Microsoft-Server-ActiveSync should have Basic Authentication
+ If you have SSL or FBA enabled either or, make sure that you follow KB 817379
 

Author Comment

by:DoDebug
Changed the \OMA vdir .net to 1.1.4322 and now when trying to access OMA I get
Unable to connect to your mailbox on server YOURSERVER. Please try again later. If the problem persists contact your administrator.
Looks like the SSL cert.  Any clue with the cert?  I can access https://mail.mycompany.com/exchange okay I guess.  It opens the OWA fine but, the Certificate is never downloaded.  On IE 7.0 from a Windows XP system I get "Choose a digital certificate" dialog every time.  Does IIS not have the cert installed in the correct location or setting?
 
LVL 12

Expert Comment

by:Saakar
We don't need OMA to work to make Exchange ActiveSync work; OMA is a dead technology and NO longer in use. What is the URL that you are using on the phone, and what are the authentication settings on the various VDIRs in IIS?

I believe the status code 409 indicates some authentication settings that are incorrect...

Also, KB817379 not only applies if FBA is enabled, it's also applicable if you have SSL on the default web site
 

Author Comment

by:DoDebug
saakar rao,
Thanks, I stopped looking at OMA since it still does not work.
All,
Since I have only a single server config and SSL (FBA disabled) I am following document references for a Back End configuration.  Hopefully that is correct?
Also, can anyone confirm that the https://www.testexchangeconnectivity.com tool does work and return a Successful response if the server is actually configured correctly?
I am using the Exchange ActiveSync option.
Here is what I currently have set for "Default Web Site" and all the Virtual Directories.  If someone can validate this and tell me what is wrong/right I would be a happy person and not have to look at these settings again.  (see attached)

Permissions.jpg
 

Author Comment

by:DoDebug
In case this helps too, the result of the last test at https://testexchangeconnectivity.com

 Attempting to Resolve the host name mobile.smsesq.com in DNS.
 Host successfully Resolved
Additional Details
 IP(s) returned: 75.99.117.154
Testing TCP Port 443 on host mobile.smsesq.com to ensure it is listening/open.
 The port was opened successfully.
Testing SSL Certificate for validity.
 The certificate passed all validation requirements.
Test Steps
 Validating certificate name
 Successfully validated the certificate name
Additional Details
 Found hostname mobile.smsesq.com in Certificate Subject Common name
Validating certificate trust for Windows Mobile Devices
 The test passed with some warnings encountered. Please expand additional details.
Additional Details
 Certificate is only trusted on Windows Mobile 5.0 AKU2 (MSFP) and later. Windows Mobile 5.0 devices will not be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Testing certificate date to ensure validity
 Date Validation passed. The certificate is not expired.
Additional Details
 Certificate is valid: NotBefore = 6/30/2009 8:26:48 AM, NotAfter = 6/30/2010 8:26:48 AM
 
Testing Http Authentication Methods for URL https://mobile.smsesq.com/Microsoft-Server-Activesync/
 The test passed with some warnings encountered. Please expand additional details.
 Tell me more about this issue and how to resolve it
Additional Details
 The following authentication methods are enabled but are not allowed Authentication methods for this service. Methods: Negotiate, NTLM
Attempting an Activesync session with server
 Errors were encountered while testing the ActiveSync session
Test Steps
 Attempting to send OPTIONS command to server
 OPTIONS response was successfully received and is valid
Additional Details
 Headers received: Pragma: no-cache
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7651.19
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Content-Length: 0
Date: Fri, 03 Jul 2009 18:32:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
 
Attempting FolderSync command on ActiveSync session
 FolderSync command test failed
Additional Details
 An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>  
0
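The authentication-method warning in the tool output above (Negotiate and NTLM enabled on Microsoft-Server-ActiveSync, where the thread recommends Basic) can be checked by hand from two probe responses. This is an added example, not part of any post in the thread; the function names are hypothetical and both raw responses are constructed samples.

```python
# Added example: audit two probe responses from /Microsoft-Server-ActiveSync.
# Both raw responses below are constructed samples, not captures from the thread's server.
ALLOWED_SCHEMES = {"basic"}  # the thread's advice: Basic only on this virtual directory

UNAUTH_SAMPLE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.test"\r\n'
    "Content-Length: 0\r\n\r\n"
)
OPTIONS_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "MS-ASProtocolVersions: 1.0,2.0,2.1,2.5\r\n"
    "MS-ASProtocolCommands: Sync,SendMail,FolderSync,Ping\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased header: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_activesync(unauth_raw, options_raw):
    """Return a list of findings; an empty list means both probes look as expected."""
    findings = []
    status, headers = parse_response(unauth_raw)
    if status != 401:
        findings.append(f"unauthenticated probe returned {status}, expected 401")
    # Assumes one WWW-Authenticate header line per enabled scheme.
    schemes = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    extra = sorted(schemes - ALLOWED_SCHEMES)
    if extra:
        findings.append("enabled but not allowed: " + ", ".join(extra))
    if status == 401 and "basic" not in schemes:
        findings.append("Basic is not offered")
    status, headers = parse_response(options_raw)
    if status != 200:
        findings.append(f"OPTIONS returned {status}, expected 200")
    commands = ",".join(headers.get("ms-asprotocolcommands", [])).split(",")
    if "FolderSync" not in [c.strip() for c in commands]:
        findings.append("FolderSync not advertised in MS-ASProtocolCommands")
    return findings

if __name__ == "__main__":
    for finding in audit_activesync(UNAUTH_SAMPLE, OPTIONS_SAMPLE) or ["no findings"]:
        print(finding)
```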
 

Accepted Solution

by:
DoDebug earned 0 total points
This had to be the most difficult resolve I had to find.  But, the information everyone provided I have visited multiple times prior to using EE.  Sorry no one actually resolved the problem.  I actually found the solution because I never quit and now I'm bald.  The solution was...
saakar_rao:  ActiveSync does appear to require OMA to work, when I fixed OMA, ActiveSync works flawlessly!
1) Change the .NET version from 2.0 to 1.1.4322 on OMA and Microsoft-Server-ActiveSync
2) Followed these instructions. When I got to #17 it was actually working. http://www.amset.info/exchange/mobile-85010014.asp
Thanks all for your help.
Oh yeah, one more thing... https://www.TestExchangeConnectivity.com does actually work!

Success.jpg
 
LVL 12

Expert Comment

by:Saakar
Good to know that your issue is Resolved at last :-)

Well fixing OMA CANNOT resolve your ActiveSync issue, since they are not related at all...

Enabling .NET version from 2.0 to 1.1.4322 on Microsoft-Server-ActiveSync resolved your issue.

Anyways all is well that ends well

Cheers!!!