IPhone on Exchange 2003 (SBS 2003)

Hi Guys

Hope someone is out there. I've been working on this all week now to the early hours with no resolution in sight!

I have followed all of the instructions and suggestions from various people and still have no luck with the Exchange Remote Connectivity Analyser. I've modified my GoDaddy certificate a number of times and finally got to the following impasse:

      Testing Exchange ActiveSync
       Exchange ActiveSync test Failed
      Test Steps
      Attempting to resolve the host name ehl-sbs-01.estiohealthcare.co.uk in DNS.
       Host successfully resolved
      Additional Details
      Testing TCP Port 443 on host ehl-sbs-01.estiohealthcare.co.uk to ensure it is listening and open.
       The port was opened successfully.
      Testing SSL Certificate for validity.
       The certificate passed all validation requirements.
      Test Steps
      Testing Http Authentication Methods for URL https://ehl-sbs-01.estiohealthcare.co.uk/Microsoft-Server-Activesync/
       Http Authentication Methods are correct
      Additional Details
      Attempting an ActiveSync session with server
       Errors were encountered while testing the ActiveSync session
      Test Steps
      Attempting to send OPTIONS command to server
       Testing the OPTIONS command failed. See Additional Details for more info
      Additional Details
        A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

I'm beginning to suspect that the certificate is not configured correctly although I can use RWW and OWA to this server.

My certificate is registered to estiohealthcare.co.uk and I have added two more domains to it:

Do I need to use mail.estiohealthcare.co.uk for ActiveSync?


Alan Hardisty (Co-Owner) Commented:
As per my article, check your IP address restrictions on the Exchange / microsoft-server-activesync virtual directories.
If I try to go to https://ehl-sbs-01.estiohealthcare.co.uk  I get the following:
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Classic case of IP restrictions being set up on your virtual directories.

3D2K (Author) Commented:

I've checked the IP address restrictions as you describe and they look OK but still not passing the tests, however can I ask a couple of questions regards your instructions:

For the Exchange VD do I need to tick "Require 128-bit encryption"?

I'm not sure what to put in the "Default Domain" and "Realm" boxes for the property sheets. The server is called ehl-sbs-01 and the domain is estiohealthcare.local. Also, is ESTIOHEALTHCARE the NetBIOS name? The web site www.estiohealthcare.co.uk is hosted externally by a 3rd party provider.

Alan Hardisty (Co-Owner) Commented:
Yes to 128-bit encryption
Default Domain - estiohealthcare
Realm - estiohealthcare.local

Alan Hardisty (Co-Owner) Commented:
I saw that the website was hosted elsewhere, but going to https://ehl-sbs-01.estiohealthcare.co.uk if that is the URL you are using to access your server, will resolve to your server, so that is why I checked it and the IP settings somewhere are stopping access to the server.
It may be your router not allowing port 443 from all sources.
3D2K (Author) Commented:
Still no joy.

I've set each Default Domain as ESTIOHEALTHCARE
and each Realm to estiohealthcare.local.

Still test returns:

A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

I have previously used the instructions to recreate the virtual directories in the Default Web Site.
3D2K (Author) Commented:
The router is configured to port forward all traffic on 443 to the internal NIC on ehl-sbs-01.
Alan Hardisty (Co-Owner) Commented:
Best bet as this is SBS is to re-run the Connect to the Internet Wizard which should reset all the settings correctly (Start> Server Management> To-Do-List> Connect To The Internet)
When you run the Wizard, change nothing and then complete the wizard.
Once completed, re-test on the test site and see what you get.
3D2K (Author) Commented:
OK rerun ICWW and still no go.

I can use http://ehl-sbs-01.estiohealthcare.co.uk to get to the router remote login page but https://ehl-sbs-01.estiohealthcare.co.uk results in a 403 error so looks like the traffic is being passed through the router but being bounced by the server. I'm in unknown territory now...
3D2K (Author) Commented:
I did some MS updates a couple of days ago and the server is still waiting for a reboot. I'm not sure if that would be causing these types of issues but I may do a reboot after hours just in case.
Alan Hardisty (Co-Owner) Commented:
I would get rebooting if I were you and then try again.  If it is pending a reboot - settings may have changed and not taken effect properly.
3D2K (Author) Commented:
OK, probably get back on the case late evening or tomorrow. As we say in Yorkshire "You don't get owt for nowt" as is proven by a free IPhone upgrade which my customer has availed herself of :-).
Alan Hardisty (Co-Owner) Commented:
Whereabouts in Yorkshire are you from?  My ancestors are from Yorkshire!
Starts from about 4 generations back with my GG Grandfather until about 12 generations back (1577).
Try going to  https://ehl-sbs-01.estiohealthcare.co.uk/exchange. You cannot go to the https root with sbs and will get a 403 error, however adding the /exchange will give you access to Outlook web access.

I tried it on my machine and it worked, so your router is forwarding port 443 correctly.

If I had to guess, it would be the way the certificate is set up.  I've only ever used self issued certs with sbs and iphones.

However you state you have registered the cert with the ehl-sbs-01 prefix so it "should" work with the iphone.

The details you use in the phone would be -

email address - administrator@estiohealthcare.co.uk
domain - [the netbios domain, not the FQDN - so maybe it's estiohealthcare]
username - administrator
password - AD login password for the admin account.

Once you enter these into the phone, it will then prompt for the server address, which will be ehl-sbs-01.estiohealthcare.co.uk (you don't need the /exchange when entering in the phone)

Hope this helps.
Should have added, you don't need to use the administrator details, can be any valid network user, was just using that as an example.
3D2K (Author) Commented:

In answer to your first question - Halifax (West Yorkshire).

Did the reboot last night and still no joy, but I modified my input to the Exchange Remote Connectivity Analyser and got a little bit further. I notice that you also have something to say on this in various support sites. I've attached the output FYI

3D2K (Author) Commented:
Should have said I used .local rather than .co.uk in Domain/Username in screen 1.
Alan Hardisty (Co-Owner) Commented:
When you are testing - drop the .local from the domain name and test again please.
Might get different results, then I can respond accordingly, but if the 500 error persists, then Method 2 of KB883380 should be the next course of action as per my article.
3D2K (Author) Commented:
Pretty much the same response, see attached screen shot.

I'll have a go at KB883380 and report back.
3D2K (Author) Commented:
Done that and went back to a previous error, so I then reset the properties on the Default Web as per your instructions.

Now back to 500 response error.

This sucks....

I haven't got enough days left in my life to be messing about trying to fix this...I want to be enjoying myself on a river somewhere...

Another poster has stated that the IPhone/ActiveSync should work now even though the Analyser is still failing so I may visit the site and have a go.
3D2K (Author) Commented:
One other point is that the Analyser also tells me that my SSL certificate will only allow Mobile V6 devices to authenticate. Presumably that's not an issue at the moment or with the IPhone?
Please confirm that the exchange-oma virtual directory has Basic & Integrated authentication with NO SSL

Also when you test it, create a test user (no special rights) just a mailbox and send it a single message.

Then use the testexchangeconnectivity.com tool to test again against the test user.
Are you using forms based authentication? If so, can you try turning that OFF-->test ActiveSync and then turn it back ON and test again?
Lastly are you seeing any "Server ActiveSync" events in the event log when you do the test?
Alan Hardisty (Co-Owner) Commented:
If you can't get rid of the 500 error, then please follow the other 500 error option in my article and if that does not work, re-run the Connect to the Internet Wizard, change nothing and then complete the wizard.
Check settings and test again.
If that fails, then it is a call to Microsoft I'm afraid.
3D2K (Author) Commented:

The exchange-oma only had Basic authentication enabled. I added Integrated and ran the test again and this time it's worked - hallelujah!

Is life meant to be this hard?

I'll be visiting the end user this afternoon and seeing where I get to with this.
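
A check for the setting that resolved this, added here as an example and not part of the thread or of the linked article: it reads the `WWW-Authenticate` headers of an unauthenticated 401 response to see which IIS authentication methods a virtual directory offers, and recognises the 403.6 IP-restriction page quoted earlier. The sample responses are constructed, the function names are hypothetical, and the mapping of Integrated authentication to the Negotiate/NTLM schemes is general IIS behaviour rather than something stated in the thread.

```python
import re

# IIS authentication checkboxes and the WWW-Authenticate schemes each one advertises.
IIS_AUTH = {"Basic": {"basic"}, "Integrated": {"negotiate", "ntlm"}}
# Expected value from the thread: exchange-oma needs Basic & Integrated.
EXPECTED_AUTH = {"/exchange-oma": {"Basic", "Integrated"}}

def parse_response(raw):
    """Split a raw HTTP response into (status, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (l.partition(":") for l in lines[1:])]
    return status, headers, body

def offered_auth(headers):
    """Map the advertised WWW-Authenticate schemes back to IIS checkbox names."""
    schemes = {v.split()[0].lower() for n, v in headers
               if n == "www-authenticate" and v}
    return {name for name, s in IIS_AUTH.items() if s & schemes}

def diagnose(vdir, raw):
    """Return findings for one unauthenticated probe of a virtual directory."""
    status, headers, body = parse_response(raw)
    if status == 403:
        sub = re.search(r"\b403\.(\d+)\b", body)
        if sub and sub.group(1) == "6":
            return ["403.6: IP address restriction on the virtual directory rejects this client"]
        return ["403" + ("." + sub.group(1) if sub else "") + ": forbidden before authentication"]
    if status != 401:
        return ["unexpected status %d for an unauthenticated probe" % status]
    missing = EXPECTED_AUTH.get(vdir, set()) - offered_auth(headers)
    return ["%s authentication is not enabled on %s" % (m, vdir) for m in sorted(missing)]

# Constructed sample responses (not captured from the server in the thread).
BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
              'WWW-Authenticate: Basic realm="estiohealthcare.local"\r\n\r\n')
FIXED = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
         "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
         'WWW-Authenticate: Basic realm="estiohealthcare.local"\r\n\r\n')
IP_BLOCKED = ("HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
              "HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.")

if __name__ == "__main__":
    for label, raw in [("basic only", BASIC_ONLY), ("fixed", FIXED), ("ip blocked", IP_BLOCKED)]:
        print(label, diagnose("/exchange-oma", raw) or ["matches expected settings"])
```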


You need to update your article, cause you say:
"Exchange-oma Virtual Directory
•      Authentication = Basic"

it should be Basic & Integrated as per the article you even mentioned (http://support.microsoft.com/kb/937635)
3D2K - Glad to hear we are getting somewhere. Did you test with a brand new test user or with a proper (old) account with lots of mail?

Alan Hardisty (Co-Owner) Commented:
@Meganuke - Thanks - changes made (had copied and pasted after re-writing the article).
Sorry for the incorrect info in my recently amended article.  It is now showing correctly.
@Alan - no problem
3D2K (Author) Commented:
alanhardisty instructions have been amended to correct property sheets in IIS.
Alan Hardisty (Co-Owner) Commented:
Sorry about that - previously the SBS was just referencing the KB article and I decided to be helpful by adding the IIS settings from the article!
That'll teach me.
Thankfully it is okay now.
3D2K (Author) Commented:

Thanks for your able assistance.

I used a regular account to check the ActiveSync with lots of email.

Still had fun & games getting the IPhone to sync correctly though. Needed to trial a number of combinations of domain/user names etc before it would work correctly.

Is this a problem with using a .local domain name on the server and .co.uk externally?
Alan Hardisty (Co-Owner) Commented:
No - that's perfectly normal.
iPhone settings should be:
Email Address
Server e.g., www.yourdomain.com
Domain e.g., yourdomain
DOMAIN should always be the NETBIOS name of the AD domain (so basically its internal name)

The external server name should match what's on your certificate.

Thanks for the points
Alan Hardisty (Co-Owner) Commented:
and thanks again to MegaNuke for spotting my deliberate mistake ; )
no problem. I want to tell people to read your article so it is best that it is correct ;-)
Alan Hardisty (Co-Owner) Commented:
Absolutely - couldn't agree more.
Feel free to reference the article anytime you like.  Same goes for anyone else.
Have you done Service Pack 2 for exchange?
3D2K (Author) Commented:

Yes SP2 for Exchange was installed.
