
Exchange 2010 ActiveSync Issues

carlsilver
We recently did a clean install of Exchange 2010 onto a new domain, but we are having problems trying to get our iPhones to sync up.

Here is the output from testexchangeconnectivity.com:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   ExRCA is attempting the Autodiscover and Exchange ActiveSync test (if requested).
  Testing of Autodiscover for Exchange ActiveSync failed.
   Test Steps
   ExRCA is attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
   Test Steps
   Attempting to test potential AutoDiscover URL https://xxxxx.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xxx.xxx.xxx.xxx
 
 Testing TCP Port 443 on host xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name xxxxx.com does not match any name found on the server certificate CN=www.xxxxx.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=GT89784362, O=www.xxxxx.com, C=GB  
 
 
 Attempting to test potential AutoDiscover URL https://autodiscover.xxxxx.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xx.xxx.xxx.xxx
 
 Testing TCP Port 443 on host autodiscover.xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name autodiscover.xxxxx.com does not match any name found on the server certificate CN=FS01  
 
 
 ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
   Test Steps
   Attempting to resolve the host name autodiscover.xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xx.xxx.xxx.xxx
 
 Testing TCP Port 80 on host autodiscover.xxxxx.com to ensure it is listening and open.
  The port was opened successfully.
 Checking Host autodiscover.xxxxx.com for an HTTP redirect to AutoDiscover
  ExRCA failed to get an HTTP redirect response for Autodiscover.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page.
 
 
 
 ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method.
  Failed to contact AutoDiscover using the DNS SRV redirect method.
   Test Steps
   Attempting to locate SRV record _autodiscover._tcp.xxxxx.com in DNS.
  The Autodiscover SRV record wasn't found in DNS.  
Top Expert 2010

Commented:

Author

Commented:
Tried to follow the steps on that first link, and EMS gives me the following error:
[quote]C:\Windows\system32>Get-clientAccessServer ¦ fl Name,AutoDiscoverServiceInternalUri
A positional parameter cannot be found that accepts argument 'fl'.
    + CategoryInfo          : InvalidArgument: (:) [Get-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Get-ClientAccessServer
[/quote]
the certificate set on the autodiscover virtual directory does not have the "autodiscover.xxxxx.com"
domain name added in the Subject Alternate Name on the certificate
you have two options
use a different certificate for autodiscover  virtual directory that includes the name autodiscover.xxxxx.com

or to use a single certificate that has multiple names, including autodiscover.xxxxx.com

other urls might be... mail.yourdomain.com (for owa or outlookanywhere )
for detailed information please refer to http://technet.microsoft.com/en-us/library/bb124251.aspx

revert if you have questions

Thank you
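The name check that ExRCA reports as failing above, written out as an added example that is not part of the original thread: each probed host name is compared against the names a certificate carries, with a wildcard standing in for exactly one label. The function name, the example.com host names and the four sample certificates are constructed placeholders.

```powershell
# Added example: host names and certificate names are constructed placeholders.
function Test-CertNameCoversHost {
    param(
        [Parameter(Mandatory = $true)][string]   $HostName,
        [Parameter(Mandatory = $true)][string[]] $CertNames  # subject CN plus every SAN DNS name
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $CertNames) {
        $labels = $name.ToLowerInvariant().TrimEnd('.').Split('.')
        # A wildcard stands in for exactly one label, so the label counts must agree.
        if ($labels.Length -ne $hostLabels.Length) { continue }
        $covered = $true
        for ($i = 0; $i -lt $labels.Length; $i++) {
            $isWildcard = ($i -eq 0 -and $labels[$i] -eq '*')
            if (-not $isWildcard -and $labels[$i] -ne $hostLabels[$i]) {
                $covered = $false
                break
            }
        }
        if ($covered) { return $true }
    }
    return $false
}

# Host names of the kind ExRCA probes: the bare domain, autodiscover.<domain>, the OWA name.
$probed = 'example.com', 'autodiscover.example.com', 'owa.example.com'

# Candidate certificates, described only by the names they carry.
$certs = @{
    'single name (www only)' = @('www.example.com')
    'server short name'      = @('FS01')
    'wildcard'               = @('*.example.com')
    'SAN certificate'        = @('owa.example.com', 'autodiscover.example.com')
}

foreach ($label in $certs.Keys) {
    foreach ($h in $probed) {
        $ok = Test-CertNameCoversHost -HostName $h -CertNames $certs[$label]
        '{0,-24} {1,-26} {2}' -f $label, $h, $(if ($ok) { 'match' } else { 'MISMATCH' })
    }
}
```

The wildcard row matches autodiscover.example.com and owa.example.com but not the bare example.com, because `*` never matches zero labels.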
If you don't have autodiscover.domain.com on the current certificate you can utilize an SRV record to leverage the standard client access FQDN (e.g. mail.domain.com) for Autodiscover purposes.  Not all Autodiscover-compatible client types and versions support SRV lookup, but depending on what clients you are supporting you may be fine.

Take a look at this article for more details: http://support.microsoft.com/kb/940881

Author

Commented:
i have set up the SRV record as per the MS KB, but still not working.
Would a wildcard SSL Certificate work?
Top Expert 2010

Commented:
Can you re-run ExRCA and get a detailed error output please.
Top Expert 2010

Commented:
Hi
check alan's guide for setting up Activesync correctly.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Check the part specific to 403 error.
for SRV to work you must have a certificate too.. for the autodiscover service..
i am sure you will get the same error as before in ExRCA unless certificate is taken care of

Author

Commented:
Here is the ExRCA Result:
 

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed. 
   Test Steps 
   Attempting to resolve the host name owa.xxxxx.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: xx.xxx.xxx.xxx 
 
 Testing TCP Port 443 on host owa.xxxxx.com to ensure it is listening and open. 
  The specified port is either blocked, not listening, or not producing the expected response. 
   Tell me more about this issue and how to resolve it 
   Additional Details 
  A network error occurred while communicating with remote host
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xxx.xxx.xxx:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()


is the port 443 open  for owa.xxx.com ?

Author

Commented:
Yep, port is open and forwarding to the Exchange Box
Top Expert 2010

Commented:
2 things
a) on exchange box go to
https://localhost/owa
does it work ?
Do you get a login screen

Then your OWA and 443 port is working internally.
then we have to look at firewall etc and try to figure out where things are going wrong.

b) If https://localhost/owa - doesn't work.

Then on your exchange box go to
start > run > cmd
type
netstat -ab > c:\netstat.txt

Check for something like this

192.168.1.0:443
abc.exe

where 192.168.1.10 = ip address of exchange
> Let me know what is ABC.exe running on port 443
We are trying to figure out if HTTPSSL is running on 443 - if not what other app is running there.

c) Try restarting HTTP SSL service and see if that makes any difference

Let me know the updates.

thanks

Author

Commented:
The above is working fine, and i get the OWA login screen when using https://localhost/owa
 
Top Expert 2010

Commented:
can you restart your firewall.
And give me the screenshot of firewall where you have 443 open and forwarding to Exchange box.

thanks

Author

Commented:
Firewall is working fine. i can access owa from internal and external using HTTPS
04-07-2010-20-33-47.png
Top Expert 2010

Commented:
Download this tool and see what error codes come up
https://store.accessmylan.com/main/diagnostic-tools?pos=footer

Top Expert 2010

Commented:
On your firewall is there a connection timeout set for port 443 / HTTP SSL
Does it reset the connection after X seconds etc.

Author

Commented:
@sunnyc7, please see attached screenshot
ldjghdlgjd.png
Top Expert 2010

Commented:
Are you running self signed certificate ?
This was an error in exRCA too earlier

Download Certificate manager from here and use it to install the cert. you purchased.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

It can be a wildcard cert (*.domain.com) or a cert issued to your FQDN - mail.domain.com

I am checking activesync 505

Author

Commented:
Downloaded the tool, but when i try to run i get the following error
error.png

Author

Commented:
I am running Exchange 2010 not 2007
Top Expert 2010

Commented:

Author

Commented:
I am not at the servers location at the moment, so i cant insert the exchange disk to install the management tools. I will do this tomorrow morning and update the question.
Top Expert 2010

Commented:
ok.
I will check out HTTP 505 and let you know
Top Expert 2010

Commented:
Just out of curiosity -- how did you install your exchange server and the hub transport / edge transport and the connectors without the Management Tools ?

You did that on powershell ?

Author

Commented:
Installed Exchange, roles etc from the disk
Top Expert 2010

Commented:
how did you setup exchange to receive emails and send emails.

Author

Commented:
Using exchange Management console. i have EMS installed too
Shreedhar Ette, Technical Manager
Top Expert 2010

Commented:

Author

Commented:
@sunnyc7. Exchange Management tools are already installed.
@shreedhar: Already checked that link and inherit is already checked
Top Expert 2010

Commented:
did you install the certificates ?

Download Certificate manager from here and use it to install the cert. you purchased.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

Author

Commented:
I have a wildcard SSL cert on order. But i cannot use that tool as it says:
error.png
Top Expert 2010

Commented:
How are you logged in ?

Was this user used to setup Exchange server in the first place ?
Top Expert 2010

Commented:

Author

Commented:
Logged in as admin, always been logged into admin to install software. Already checked that link and it is ticked.
Top Expert 2010

Commented:
Can you restart the server ?
when was the last time you restarted the server after applying changes ?

I can't think of anything else -- why the installer won't run.

Did you run Windows updates ?
What updates are left.

Author

Commented:
Restarted server today, all up to date, still getting the same errors on the test exchange connectivity page
Top Expert 2010

Commented:
Import certificates
from this EE case
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23807994.html

Copy pasting here for your convenience.

. Import the certificate, Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management console

 Import-ExchangeCertificate -Path c:\petenetlive.cer {enter}

Note: At this point Copy the thumbprint number to the clipboard (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C)

Enable the Certificate
 
Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS"

Enter the Thumbprint of your certificate (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C)

Select Yes To Overwrite

========
then configure exchange to use SSL
http://technet.microsoft.com/en-us/library/bb310764(EXCHG.80).aspx

============
After these 2 steps are done
Run ExRCA again
@
testexchangeconnectivity.com

Author

Commented:
i get the following error when trying to use EMS to import the certificate:
[PS] C:\Windows\system32>Import-ExchangeCertificate -Path c:\wildcard.cer
A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [Import-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Import-ExchangeCertificate

Author

Commented:
Tried to "Complete Pending Certificate Request" via the EMC and get the following error:
 

05-07-2010-20-30-05.png
Top Expert 2010
Commented:
did you try the follow-up steps

Enable the Certificate
 
Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS"

Enter the Thumbprint of your certificate (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C)

Select Yes To Overwrite

========
then configure exchange to use SSL
http://technet.microsoft.com/en-us/library/bb310764(EXCHG.80).aspx

Author

Commented:
I get an error relating to a missing private key when i run the above command
 
Top Expert 2010

Commented:
I am really sorry i havent responded. I have guests over. Give me about 3-4 hrs.
Just came in here to leave a quick msg.
Top Expert 2010

Commented:
Carl My apologies for the delay in responding.

Let me handle your issues one by one

a) Error in Importing Cert http:#33139435
>> This command was for Exchange 2007. Sorry.
Exchange 2010 - you need to do this

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\import.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Ref:
http://technet.microsoft.com/en-us/library/dd351183.aspx

Please try this and see if it works.

Let me know.

Author

Commented:
i don't seem to have the cert in .pfx format. it is installed on our webserver and i can see the .crt and the raw key, but i can't seem to get it in .pfx format.
Do i need to combine the key and cert to get the pfx?

Author

Commented:
Recreated the CSR and re-issued the cert, all sorted now - Thanks :D
Top Expert 2010

Commented:
ExRCA -- all cleared ? All tests passed for ActiveSync ?

Thanks for the points :-)

Author

Commented:
Yep, ExRCA showing all green now! :)
Top Expert 2010

Commented:
Good :-)