brokenwindow asked:

iphone 3gs email with exchange server

I can't seem to get this to work. My iPhone email was working fine, though last week the certificate expired and a new SSL certificate was purchased. Well, now when I put the user information on the iPhone it validates it fine, no error message. Though when I open email it has not synced the folders displayed in Outlook. Only inbox and draft, and it says sync and no error, though I can't see any emails. Also, when I tried to send a test email it created an outbox folder and can't send. Any ideas? People using BlackBerry are not having this problem. I am able to access it via Safari and the Internet, so the setup seems fine.
robbe

Hi,

Can you download the iphone configuration tool?
http://www.apple.com/support/iphone/enterprise/

This tool will provide you with a console log. If you would provide us with the error message stated there it's a lot easier to see what is going wrong.

Regards,
Robin
IPKON_Networks

You should clear out your email certificates. I have found the easiest way to do this is to delete the email account and re-create it to ensure the old certificate is not being used. A bit of a pain but in iOS3 and 4 this is the only way to be sure.

Regards
Barny
Is this SBS 2003 or 2008?

Either way please do the ActiveSync test at https://www.testexchangeconnectivity.com/
- manually specify server settings

Post results please

ASKER

It says failed to the ips port when I try to run the iPhone config tool?


www.testexchangeconnectivity.com

ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.

Test Steps

Attempting to resolve the host name www.mydomain.biz in DNS.
Host successfully resolved

Additional Details
Testing TCP Port 443 on host www.mydomain.biz to ensure it is listening and open.
The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.

Test Steps

The certificate name is being validated.
Successfully validated the certificate name

Additional Details
Validating certificate trust for Windows Mobile Devices
Certificate trust validation failed.
Tell me more about this issue and how to resolve it

Additional Details
Ok - just to be clear - the reason BlackBerry works is that it is a totally different technology.

The certificate failing validation for Windows Mobile devices is because you are using a free certificate. This should not be an issue for the iPhone, as it should just prompt you to accept the cert.

Did you do as IPKON suggested and delete and recreate the account on your iPhone? I inferred from your original post that you had done this, but would like to confirm.

Can you please confirm the OS version of the iPhone? iOS 4.0 had some ActiveSync issues that were resolved in 4.01. The result was very like the one you describe: account validates OK but no contents. This was due to a short ActiveSync timeout in the iOS 4.0 firmware.

There is a tickbox on the www.testexchangeconnectivity.com wizard to "synchronise inbox" and "ignore ssl validity" or similar. Please repeat with that ticked and post results.

Please post results in a file to keep the thread manageable.

Andy
device log
device-log.txt
Every time I delete the account and create a new one on the iphone. I am using version 3.1.3 .

This time the log looks like this:

ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.

Test Steps

Attempting to resolve the host name www.mydomain.biz in DNS.
Host successfully resolved

Additional Details
Testing TCP Port 443 on host www.mydomain.biz to ensure it is listening and open.
The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.

Test Steps

The certificate name is being validated.
Successfully validated the certificate name

Additional Details
Validating certificate trust for Windows Mobile Devices
Certificate trust validation failed.
Tell me more about this issue and how to resolve it

Additional Details
any ideas ? thanks
I was hoping someone else would have a magic idea.
Did you tick the boxes "ignore SSL validation errors" and "synchronise inbox" on the second www.testexchangeconnectivity.com test? It looks like it still failed you at SSL validation....
still no luck
is this dead
Not dead, bud. "Still no luck" is not really an answer. Try to add some more info in your responses if you can.

Can you please confirm that you ticked the box "Ignore trust for SSL" see the attached image of what a successful test looks like with that tickbox ticked. and post the full output. This was with a Self-Signed-Cert

If you are still unsuccessful with the test, remove the paid-for SSL cert, put a self-signed cert in its place and repeat the test.

Do you get any active sync errors in the Application/System log in event viewer on the server

What does it say if you click the link "Tell me more about this issue and how to resolve it?"

Andy

Untitled.jpg
Andy,

I confirm that I ticked the SSL box.
The errors I get are at the end.

      
log.jpg
Excellent. much better.
So we can see that the issue is a "401 - unauthorised". This is contradictory to what you were saying with the iPhone, as you said the iPhone validates OK, but no email. So let's have a look at why they are contradicting each other, and figure out which one is right.

Please confirm that you are entering the username/password into the test page as DOMAIN\user and that you are using a valid username and password.

Did you change anything else when you renewed the certificate

Can you log onto webmail https://www.mydomain.biz/exchange/ with the username and password you used in the exchangeconnectivity tester?

What errors do you get in the event logs on the server?



Sorry, for the Domain\Username (or UPN): am I supposed to put in just my username? Or email address?
the username and password is the same to log in via OWA.

event view there are a few of the following errors:

Event Type:      Error
Event Source:      MRxSmb
Event Category:      None
Event ID:      8003
Date:            8/18/2010
Time:            1:01:41 PM
User:            N/A
Computer:      
Description:
The master browser has received a server announcement from the computer SCANNER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{53C6ED46-28C2-46B0-8. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00   ......N.
0008: 00 00 00 00 43 1f 00 c0   ....C..À
0010: 00 00 00 00 00 00 00 00   ........
0018: 12 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........

-----------------------------------------------------------------------------------------------------------------------

Event Type:      Warning
Event Source:      KDC
Event Category:      None
Event ID:      20
Date:            8/18/2010
Time:            9:20:14 AM
User:            N/A
Computer:      
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 14 00 00 00 13 20 09 80   ..... .?
0008: 00 00 00 00 00 00 00 00   ........
Neither of those errors is relevant to our case with active sync. But thanks for posting them.

the username should be your NETBIOS domain name followed by your username. This may be different from your email address. the password should be your password.

Test it with outlook web access as per the image below, make sure it works, and then put EXACTLY the same thing into ExRCA
Capture.JPG
In that box you just posted I put in my username and password only and it works; I don't put my domain before my username.

In the connectivity tester Domain\Username I put my email address.
Please put your domain in the OWA box. That is the whole point of asking you to test using OWA: it confirms the domain\user\pass combo you are using in ExRCA is 100% correct.
once you have confirmed OWA then try OMA with the same domain\user\pass
https://www.mydomain.biz/oma/
just noticed this in your post
> in the connectivity tester Domain\Username i put my email address  

please use domain\username not your email address and re-post results.

Unfortunately it's getting late here.. but you have plenty to work on.
OK, sorry for the mix-up, please see attached file.

by the way the https://www.mydomain.biz/oma/ does not work with domain name before
only with https://www.mydomain.biz/exchange
ExRCA-is-testing-Exchange-Active.doc
So what happens when you goto https://www.mydomain.biz/oma/
-do you get username and password prompt?
-if you do get prompt does it authenticate?
-if you do authenticate what do you see on the screen

Follow the instructions in method 2 to check all the exchange-oma VDIR.
http://support.microsoft.com/?kbid=817379

Then follow the advice in http://mobile.experts-exchange.com/Q_24880984.html (you might have to manually search for that article, as mobile link posted).

Andy

it prompts me for username and password, with or without domain\ i get Directory Listed Denied.

I want to try method 3 in this article; it seems quite straightforward. Can you advise: after it is restarted, everything should work again? I don't want to mess it up. It says you have to wait 15 min for services to start up again? Thanks
http://support.microsoft.com/kb/883380 
also i am running 2003 business server, is it ok to apply it to this? it is not listed on the page as supported
I have used Method 3 in that article (http://support.microsoft.com/kb/883380) many times. I have sometimes had to reboot the server afterwards, but that might have just been impatience.

On SBS the OMA functionality is altered by default to allow forms based authentication and ActiveSync so if you rebuild the OWA Virtual Directories, please also do method 2 from http://support.microsoft.com/?kbid=817379 afterwards.
To clarify your question:
> also i am running 2003 business server, is it ok to apply it to this? it is not listed on the page as supported

I think I was still typing when your last post came through. But following this will sort out any SBS specific issues.
On SBS the OMA functionality is altered by default to allow forms based authentication and ActiveSync so if you rebuild the OWA Virtual Directories, please also do method 2 from http://support.microsoft.com/?kbid=817379 afterwards.

But before you rebuild everything - did you do anything else when you renewed the cert? replacing a cert on its own would not normally break OMA
not sure if I should attempt this as method 2 can easily go wrong mm

I did not do the certificate, and I was informed he rebuilt everything. The admin guy has given up with this, and for him to spend more time to fix it costs $$$. The fact that the system is running and BlackBerry users are able to access it, though not iPhone, makes people think it is an Apple problem, not Exchange, if you see what I mean.

I'm thinking maybe forward a copy of emails from the Exchange to a Google account or something, though not really practical as I won't be able to send via the same email address.
If you browse to the OMA share with a browser and do not get the image attached: Then the issue is with exchange not the iPhone. Blackberry does not use ActiveSync so this is not a measure of anything.

If you are not the sys admin I might question whether you should be messing with your company's Exchange server anyway?

I think the steps outlined will solve the issue
Method 3 in article http://support.microsoft.com/kb/883380
Then method 2 from http://support.microsoft.com/?kbid=817379

But if you are not confident doing them, then don't and get the IT guy back in. No shame here. You can always point him to the research you have done, or tell him "You broke it, fix it for free"

When you say "as method 2 can easily go wrong", which KB are you referring to? And what makes you think this is any more likely to go wrong than anything else? Anything can go horribly wrong when you start playing with Exchange.

Untitled.jpg
I am referring to method 2 of http://support.microsoft.com/?kbid=817379 .
At the beginning of the article, method 2 says: "Before you follow these steps, disable forms-based authentication in Exchange System Manager. Then restart Internet Information Services (IIS)." Is this steps 1-7?

Also, I have just realised that yesterday I tried to send a test message from the iPhone, which fails and writes at the bottom "1 message unsent". When I deleted the account on the iPhone and tried to set up again, it validates the credentials I enter, though again not syncing with Outlook, but it says "1 message unsent" at the bottom even though I deleted the account. It must be storing this message somewhere?
I don't know what more you want me to tell you....

Yes you have to disable FBA, if you read down you use the non FBA folder to export and import a copy. You then re-enable FBA at the end. I do not see where it says "This can easily go wrong"
Perhaps a silly question, but does your SBS 2003 box have Exchange SP2 installed?

I've had numerous iPhone connectivity problems in the past that were resolved by installing Exchange SP2.
yes it has sp2, im going to run through the steps see if i can do this and then give it a go
ok I did:
Method 3 in article http://support.microsoft.com/kb/883380
Then method 2 from http://support.microsoft.com/?kbid=817379

but in the 2nd article (method 2) point 8. create a new virtual directory,  when i put in exchange-oma in the alias box it just disappears  and you cant press ok.
8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.

There is probably already an exchange-oma directory left over from before. Delete it first.

Still no luck after doing  article http://support.microsoft.com/kb/883380 and  http://support.microsoft.com/?kbid=817379  .

I think maybe its not meant to be.
OK so you got both completed OK in the end?
I take it OWA is working OK but OMA is not?
Have you rebooted the server since completing the two KB articles?
- What happens when you browse to the OMA directory now?
Yes, I finished both to the end. I have not restarted the computer itself. I thought the restarts at the end were enough?

when I browse to OMA and enter credentials with domain\user    i now get:
Your user account has not been enabled for wireless access. Please contact your system administrator for additional assistance.
Excellent! that's a big improvement.

Go to your user in AD Users and Computers, Right Click, Exchange Tasks, Enable Features, Enable mobile access

ALSO - check mobile access is enabled on the exchange organisation.
- Exchange system manager
  - Global  Settings
   - Mobile services, right click properties
    - tick all the boxes
     - device security button - untick enforce password


I cannot find exchange task or exchange organisation in the AD .   is it because I have the following problem: http://support.microsoft.com/kb/834122   or maybe Im looking in wrong place? thanks
you are right clicking on your user aren't you? (screenshot attached)

I have never seen that with EX2003, and both the articles you referenced are for exchange 2000, though the KB article is listed as a fix in Exchange 2003 SP1 http://support.microsoft.com/kb/843363

Please try starting ADUC from:
Start -programs - microsoft exchange - ad users and computers

Please confirm Exchange 2003 SP2 has been applied?

Also Make sure Active Directory Users and Computers view is set to View>Advanced

Untitled.jpg
ok exchange tasks i found, the 2nd part exchange organisation? (sorry for asking)

Yes I confirm sp2 is installed
Start - Programs - Microsoft Exchange - System Manager
  - Global Settings
   - Mobile services, right click properties
    - tick all the boxes
     - device security button - untick enforce password
it is already as you say
Though the two points under Outlook Mobile Access I ticked; is this correct?
please be more descriptive or use screenshots.
Should look like this:
Capture1.JPG
Capture2.JPG
now try to browse to OMA
i just did,
The device type you are using is not supported. Press Ok to continue.
Ok
Ok, and do not warn me again

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

and then in goes to inbox
Excellent. That is what is meant to happen (see screenshot I sent earlier)

Now try your iPhone - delete account and recreate.

make sure you use proper domain name!
I did; same thing happens, syncs for 1 second then nothing. When you say proper domain?
Well everything is OK on the server now. Previously when you were using DOMAIN\username to test logon to OWA etc, make sure you use DOMAIN in the DOMAIN field on the iphone NOT your email domain.

Try delete account, turn off iPhone, turn on iPhone, create new account.

I will try this now, also on the test connection website it gives me following error:
      ExRCA is attempting the FolderSync command on the Exchange ActiveSync session.
       The test of the FolderSync command failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Exchange ActiveSync returned an HTTP 500 response.


The folder sync fail which its referring to, is this not why it is not syncing?
OK, I gotta go to bed......
if you still cannot get it to work please re-run ExRCA, tick both boxes to ignore SSL and sync inbox and post results.

We have made good progress: before, you could not browse to OMA, and that is fixed now, so I think ExRCA should also work.

When connecting via iPhone also check for errors in "event viewer - application/system log" to do with activesync.

if you want to email me some credentials (email addr in my profile) I can test with my iPhone for you.
sorry did not see previous post before my post.... yes fail of folder sync is why it is failing
i just restared, it doesn't sync anything. I dont get any errors creating an account, and when you open the inbox (only folder available)  it says sync at the bottom for a split second then nothing.
ok goodnight! thanks for your help I will try. Hope you not going to dream about syncing and oma owa
Ok - last post before bed. In this article http://support.microsoft.com/?kbid=817379 

13 On the Directory Security tab, under IP address and domain name restrictions, click Edit.
14 Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK twice.

It may seem incorrect but you have to set to DENIED
- add the ip address of the server eg 192.168.1.10
- add the loopback 172.0.0.1

Many people mix the above up. Yes, we want to deny everything except the server itself.
Tried this as well; only thing added was the loopback. Thanks
Do you have another active Sync device you can test with now?
another iPhone? Windows mobile?
ASKER CERTIFIED SOLUTION
Andrew Oakeley
Loopback address should be 127.0.0.1, surely?
Hi, I wanted to try this:
It says remove SSL settings but I can't find this?

• Disable Forms Based Authentication - Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected - hopefully this should work or give the OK result
• If okay - right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as 'EntireRegistry' and save the backup of the registry to the desktop
• In regedit - locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the 'Select a configuration to import' section and click on OK. Select 'Create a new virtual Directory' and name the directory 'exchange-oma' and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse - you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync - should hopefully be working now
yes 127.0.0.1 - typo before..
I will review your other post and get back to you shortly
This is a variation on http://support.microsoft.com/?kbid=817379 which you have done, but if you cannot find "remove ssl settings but I cant find this" then I suspect you missed this step also the first time around.

screenshot attached
Untitled.jpg
Hi, IT'S FIXED!!!! I can't believe it.
From the article you sent me https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html it states to keep the HTTP keep-alive box ticked. I had not checked the Default Web Site / Properties. Once I ticked this it was all go! Syncing! Thanks dude, I couldn't have done it without you. ;-)
Alan Hardisty
Glad you are working and glad my article was instrumental in getting you working.
I will go through this question and tidy up any mention of your domain name as I have seen some instances of it.  We don't want you getting any unwanted attention now do we?
Alan
No worries. That article from Alan is awesome, I really enjoyed working through this with you. It is satisfying to see a good result. I hope you have a much better understanding of how it all works now.

Andy
I was about to give up on this as I was starting to  go over the same points. In the article Enabling HTTP Keep-Alives (IIS 6.0) it states to make sure it is ticked on the website which when i checked it was already ticked. Though later when I checked default website it was not, when this was checked it was working.

This was very knowledgeable for me as now I have a better understanding of how it works.

Thanks Andy / Alan

Alan- yes if you can delete my domain that would be great!
Thanks Alan, I book marked your blog for future guidance
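
The thread's final fix (HTTP Keep-Alives on the Default Web Site) and the 401 and 500 results seen along the way can be told apart from the raw HTTP reply of the virtual directory, for example one saved from a command-line HTTP client. The Python below is an added example, not code from the thread or from Microsoft; the function names, finding labels and sample replies are constructed, and reading `Connection: close` on an Integrated Windows authentication challenge as the keep-alive symptom is an assumption based on that scheme authenticating the connection rather than the single request.

```python
# Added example: classify a raw HTTP reply from the Exchange 2003
# ActiveSync/OMA virtual directory. All sample replies are constructed.

INTEGRATED = {"ntlm", "negotiate"}  # schemes that authenticate the connection

HINTS = {  # follow-up steps, each one taken from the thread above
    "keep-alive-off": "Enable HTTP Keep-Alives on the Default Web Site.",
    "credentials": "Retest with DOMAIN\\username, not the email address.",
    "vdir-access": "Check the virtual directories (KB 883380, then KB 817379).",
    "server-side": "Check the server event log and the exchange-oma setup.",
}


def parse_reply(raw):
    """Split a raw HTTP reply into (version, status, {header: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], int(parts[1]), headers


def triage(raw):
    """Return finding labels for one reply (an empty list means nothing flagged)."""
    version, status, headers = parse_reply(raw)
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    schemes = {v.split()[0].lower()
               for v in headers.get("www-authenticate", []) if v}
    # HTTP/1.0 closes by default; HTTP/1.1 closes only when told to.
    closes = "close" in tokens or (version == "HTTP/1.0"
                                   and "keep-alive" not in tokens)
    if status == 401 and closes and schemes & INTEGRATED:
        return ["keep-alive-off"]  # handshake cannot span a closed connection
    if status == 401:
        return ["credentials"]
    if status == 403:
        return ["vdir-access"]
    if status >= 500:
        return ["server-side"]
    return []


def advise(raw):
    """Map findings to the troubleshooting steps used in the thread."""
    return [HINTS[f] for f in triage(raw)]


# Constructed sample replies (not captured from the asker's server).
KEEPALIVE_OFF = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
                 "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
                 "Connection: close\r\nContent-Length: 0\r\n\r\n")
BAD_LOGIN = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Basic realm=\"mail.example.test\"\r\n\r\n")
FOLDERSYNC_500 = "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"
HEALTHY = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("keep-alive off", KEEPALIVE_OFF), ("bad login", BAD_LOGIN),
                      ("FolderSync 500", FOLDERSYNC_500), ("healthy", HEALTHY)]:
        print(name, "->", advise(raw) or ["nothing flagged"])
```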