carlsilver asked:

Exchange 2010 ActiveSync Issues

We recently did a clean install of Exchange 2010 onto a new domain, but we are having problems trying to get our iPhones to sync up.

Here is the output from testexchangeconnectivity.com:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   ExRCA is attempting the Autodiscover and Exchange ActiveSync test (if requested).
  Testing of Autodiscover for Exchange ActiveSync failed.
   Test Steps
   ExRCA is attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
   Test Steps
   Attempting to test potential AutoDiscover URL https://xxxxx.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xxx.xxx.xxx.xxx
 
 Testing TCP Port 443 on host xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name xxxxx.com does not match any name found on the server certificate CN=www.xxxxx.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=GT89784362, O=www.xxxxx.com, C=GB  
 
 
 Attempting to test potential AutoDiscover URL https://autodiscover.xxxxx.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xx.xxx.xxx.xxx
 
 Testing TCP Port 443 on host autodiscover.xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name autodiscover.xxxxx.com does not match any name found on the server certificate CN=FS01  
 
 
 ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
   Test Steps
   Attempting to resolve the host name autodiscover.xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xx.xxx.xxx.xxx
 
 Testing TCP Port 80 on host autodiscover.xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 Checking Host autodiscover.xxxxx.com for an HTTP redirect to AutoDiscover
  ExRCA failed to get an HTTP redirect response for Autodiscover.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page.
 
 
 
 ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method.
  Failed to contact AutoDiscover using the DNS SRV redirect method.
   Test Steps
   Attempting to locate SRV record _autodiscover._tcp.xxxxx.com in DNS.
  The Autodiscover SRV record wasn't found in DNS.  
sunnyc7

carlsilver (ASKER)

Tried to follow the steps on that first link, and EMS gives me the following error:
[quote]C:\Windows\system32>Get-clientAccessServer ¦ fl Name,AutoDiscoverServiceInternalUri
A positional parameter cannot be found that accepts argument 'fl'.
    + CategoryInfo          : InvalidArgument: (:) [Get-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Get-ClientAccessServer
[/quote]
The certificate set on the autodiscover virtual directory does not have the "autodiscover.xxxxx.com" domain name added in the Subject Alternate Name on the certificate.
You have two options:
use a different certificate for the autodiscover virtual directory that includes the name autodiscover.xxxxx.com

or use a single certificate that has multiple names, including autodiscover.xxxxx.com

Other URLs might be... mail.yourdomain.com (for OWA or Outlook Anywhere)
For detailed information please refer to http://technet.microsoft.com/en-us/library/bb124251.aspx

Revert if you have questions

Thank you
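An added example, not part of the original thread or of any poster's reply: the certificate name check that ExRCA reports above, written as PowerShell functions and run against constructed name lists. The domain example.com, the labels and every certificate name list are placeholders; the wildcard rule applied is the standard one-label match.

```powershell
# Added example; example.com and every certificate name list are constructed.

function Test-CertNameMatch {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant()
    $c = $CertName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label:
        # *.example.com covers owa.example.com, not example.com or a.b.example.com.
        $suffix = $c.Substring(1)    # ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return (($label.Length -gt 0) -and (-not $label.Contains('.')))
    }
    return ($h -eq $c)
}

function Get-CertCoverage {
    param([string[]]$RequiredHosts, [string[]]$CertNames)
    foreach ($h in $RequiredHosts) {
        $hit = $CertNames |
            Where-Object { Test-CertNameMatch -HostName $h -CertName $_ } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            HostName = $h; Covered = [bool]$hit; MatchedBy = $hit
        } | Select-Object HostName, Covered, MatchedBy
    }
}

# Host names the test in this thread connects to over HTTPS (placeholder domain).
$required = 'example.com', 'autodiscover.example.com', 'owa.example.com'

$certs = @(
    @{ Label = 'CN=www.example.com only'; Names = @('www.example.com') },
    @{ Label = 'self-signed CN=FS01';     Names = @('FS01') },
    @{ Label = 'wildcard';                Names = @('*.example.com') },
    @{ Label = 'multi-name (SAN)';        Names = @('owa.example.com', 'autodiscover.example.com') }
)

foreach ($cert in $certs) {
    Write-Output "`n$($cert.Label)"
    Get-CertCoverage -RequiredHosts $required -CertNames $cert.Names |
        Format-Table -AutoSize
}

# On the Exchange server the real name list comes from:
#   Get-ExchangeCertificate | Format-List Thumbprint,Services,CertificateDomains
```

In the wildcard row the bare domain stays uncovered while autodiscover.example.com and owa.example.com match; the first two rows cover none of the three names.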
If you don't have autodiscover.domain.com on the current certificate you can utilize an SRV record to leverage the standard client access FQDN (e.g. mail.domain.com) for Autodiscover purposes.  Not all Autodiscover-compatible client types and versions support SRV lookup, but depending on what clients you are supporting you may be fine.

Take a look at this article for more details: http://support.microsoft.com/kb/940881
I have set up the SRV record as per the MS KB, but still not working.
Would a wildcard SSL Certificate work?
Can you re-run ExRCA and get a detailed error output please.
Hi
check alan's guide for setting up Activesync correctly.

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Check the part specific to 403 error.
For SRV to work you must have a certificate too, for the autodiscover service.
I am sure you will get the same error as before in ExRCA unless the certificate is taken care of.
Here is the ExRCA Result:
 

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed. 
   Test Steps 
   Attempting to resolve the host name owa.xxxxx.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: xx.xxx.xxx.xxx 
 
 Testing TCP Port 443 on host owa.xxxxx.com to ensure it is listening and open. 
  The specified port is either blocked, not listening, or not producing the expected response. 
   Tell me more about this issue and how to resolve it 
   Additional Details 
  A network error occurred while communicating with remote host
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xxx.xxx.xxx:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()


Is port 443 open for owa.xxx.com?
Yep, port is open and forwarding to the Exchange Box
2 things
a) on exchange box go to
https://localhost/owa
does it work ?
Do you get a login screen

Then your OWA and 443 port is working internally.
then we have to look at firewall etc and try to figure out where things are going wrong.

b) If https://localhost/owa doesn't work:

Then on your exchange box go to
start > run > cmd
type
netstat -ab > c:\netstat.txt

Check for something like this

192.168.1.10:443
abc.exe

where 192.168.1.10 = ip address of exchange
> Let me know what is ABC.exe running on port 443
We are trying to figure out if HTTPSSL is running on 443 - if not what other app is running there.

c) Try restarting HTTP SSL service and see if that makes any difference

Let me know the updates.

thanks
The above is working fine, and i get the OWA login screen when using https://localhost/owa
 
can you restart your firewall.
And give me the screenshot of firewall where you have 443 open and forwarding to Exchange box.

thanks
Firewall is working fine. i can access owa from internal and external using HTTPS
04-07-2010-20-33-47.png
Download this tool and see what error codes come up
https://store.accessmylan.com/main/diagnostic-tools?pos=footer

On your firewall is there a connection timeout set for port 443 / HTTP SSL
Does it reset the connection after X seconds etc.
@sunnyc7, please see attached screenshot
ldjghdlgjd.png
Are you running self signed certificate ?
This was an error in exRCA too earlier

Download Certificate manager from here and use it to install the cert. you purchased.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

It can be a wildcard cert (*.domain.com) or a cert issued to your FQDN - mail.domain.com

I am checking ActiveSync 505
Downloaded the tool, but when i try to run i get the following error
error.png
I am running Exchange 2010 not 2007
I am not at the server's location at the moment, so I can't insert the Exchange disk to install the management tools. I will do this tomorrow morning and update the question.
ok.
I will check out HTTP 505 and let you know
Just out of curiosity -- how did you install your exchange server and the hub transport / edge transport and the connectors without the Management Tools ?

You did that on powershell ?
Installed Exchange, roles etc from the disk
how did you setup exchange to receive emails and send emails.
Using exchange Management console. i have EMS installed too
@sunnyc7. Exchange Management tools are already installed.
@shreedhar: Already checked that link and inherit is already checked
did you install the certificates ?

Download Certificate manager from here and use it to install the cert. you purchased.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html
I have a wildcard SSL cert on order. But i cannot use that tool as it says:
error.png
How are you logged in ?

Was this user used to set up the Exchange server in the first place?
Logged in as admin, always been logged into admin to install software. Already checked that link and it is ticked.
Can you restart the server ?
when was the last time you restarted the server after applying changes ?

I can't think of anything else -- why the installer won't run.

Did you run Windows updates ?
What updates are left.
Restarted server today, all up to date, still getting the same errors on the test exchange connectivity page
Import certificates
from this EE case
https://www.experts-exchange.com/questions/23807994/how-to-install-new-SSL-certificate-to-exchange-2007.html

Copy pasting here for your convenience.

Import the certificate: Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management console

 Import-ExchangeCertificate -Path c:\petenetlive.cer {enter}

Note: At this point Copy the thumbprint number to the clipboard (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C)

Enable the Certificate
 
Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS"

Enter the Thumbprint of your certificate (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C)

Select Yes To Overwrite

========
then configure exchange to use SSL
http://technet.microsoft.com/en-us/library/bb310764(EXCHG.80).aspx

============
After these 2 steps are done
Run ExRCA again @ testexchangeconnectivity.com

i get the following error when trying to use EMS to import the certificate:
[PS] C:\Windows\system32>Import-ExchangeCertificate -Path c:\wildcard.cer
A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [Import-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Import-ExchangeCertificate
Tried to "Complete Pending Certificate Request" via the EMC and get the following error:
 

05-07-2010-20-30-05.png
ASKER CERTIFIED SOLUTION
sunnyc7
I get an error relating to a missing private key when i run the above command
 
I am really sorry I haven't responded. I have guests over. Give me about 3-4 hrs.
Just came in here to leave a quick msg.
Carl, my apologies for the delay in responding.

Let me handle your issues one by one

a) Error in Importing Cert http:#33139435
>> This command was for Exchange 2007. Sorry.
Exchange 2010 - you need to do this

Import-ExchangeCertificate -Path c:\certificates\import.pfx -Password:(Get-Credential).password

Ref:
http://technet.microsoft.com/en-us/library/dd351183.aspx

Please try this and see if it works.

Let me know.
I don't seem to have the cert in .pfx format. It is installed on our webserver and I can see the .crt and the raw key, but I can't seem to get it in .pfx format.
Do i need to combine the key and cert to get the pfx?
Recreated the CSR and re-issued the cert, all sorted now - Thanks :D
ExRCA -- all cleared ? All tests passed for ActiveSync ?

Thanks for the points :-)
Yep, ExRCA showing all green now! :)
Good :-)