iPhone/Exchange "authentication reluctance".

Posted on 2010-08-23
Medium Priority
Last Modified: 2012-05-10
A user who depends heavily on Exchange mail on his iPhone reports that the wi-fi password changed at a relative's home. User changes password to access relative's wi-fi - all is good. User then gets the following message on the iPhone: "Please Enter password for Exchange email". He does, but it would not recognize his password for Exchange email. User leaves relative's home to return to his own wi-fi system at his home. When he tries to authenticate, he gets: "The User name or password for "Exchange" is incorrect" (which may have been true for password). User believes relative's wi-fi somehow caused this blockage. However, the user also saw similar behavior with his iPhone last Thursday while away from the office. User finally reset his iPhone and was able to successfully authenticate. User would like to know why this happened, so any thoughts/speculations welcome.


1) the user had about four different devices (2 laptops, an iPad and an iPhone), accessing the Exchange server at different times last week.

2) I noticed similar problems with my own iPhone last week - briefly - a sort of "authentication reluctance" between the device and the server.

3) At least 18 other users have reported no problems.
Question by:LTWadmin
LVL 12

Accepted Solution

nsx106052 earned 1200 total points
ID: 33500885
More than likely it might have been a connectivity issue. Did you check to see if the user account locked out during the time they couldn't access Exchange? If the user experiences a problem you might just want to advise them to temporarily disable Wi-Fi.

Assisted Solution

mrbrain646 earned 150 total points
ID: 33500960
It might be an outage or maintenance on the AT&T network.
Also upgrade the devices to the latest iOS 4.0.2. It addresses a lot of the Exchange ActiveSync issues.


Expert Comment

ID: 33500981
Check if ActiveSync is working properly.

You can use this URL: https://www.testexchangeconnectivity.com/

Consider using a test account or change the password to test. It's Microsoft but you still don't want to send passwords over the internet :)
LVL 28

Expert Comment

ID: 33501979
User believes relative's wi-fi somehow caused this blockage
>> Not possible.

a) What version of iPhone OS are you running?

b) Answer can be upgrading to iOS 4.0.2 as pointed out by mrbrain646.

c) You can also install mobileAdmin to monitor partnerships with device.


Make sure you install it within Default Website, otherwise this will create another directory called DefaultWebsite and install it there.
That won't work.

Author Comment

ID: 33503367
sunnyc7: before installing mobileAdmin, is this the feature you're suggesting?

"View a list of all devices that are being used by any enterprise user".  

If so, how does the list of devices used yield information pertinent to the issue at hand?  Thanks.
LVL 28

Expert Comment

ID: 33503968
I want to see if a partnership is established between the 2 devices @ through mobileadmin.

you can also check SMTPSVC1 logs at
and use logparser to bring out cs-uri-stem for ExchangeActivesync
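
The per-device breakdown that the log suggestion above is aiming at, as an added example (not code from the thread or from Microsoft): it reads an IIS W3C extended log, keeps only requests whose `cs-uri-stem` is the ActiveSync endpoint, and counts HTTP status codes per user and device so that one device repeatedly sending a stale password stands out from the user's other devices. The field list, user names, device IDs and addresses in the sample are constructed, and the threshold of three 401 responses is an assumption.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-08-19 14:02:11 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV-IPHONE-1&DeviceType=iPhone&Cmd=Ping - 198.51.100.7 401
2010-08-19 14:02:41 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV-IPHONE-1&DeviceType=iPhone&Cmd=Ping - 198.51.100.7 401
2010-08-19 14:03:11 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV-IPHONE-1&DeviceType=iPhone&Cmd=Sync - 198.51.100.7 401
2010-08-19 14:03:20 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV-IPAD-1&DeviceType=iPad&Cmd=Sync jdoe 203.0.113.9 200
2010-08-19 14:03:55 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV-IPAD-1&DeviceType=iPad&Cmd=Ping jdoe 203.0.113.9 200
2010-08-19 14:04:02 GET /owa/ - asmith 192.0.2.44 200
2010-08-19 14:04:30 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=DEV-IPHONE-2&DeviceType=iPhone&Cmd=Sync asmith 192.0.2.44 200
"""

EAS_STEM = "/microsoft-server-activesync"


def activesync_summary(lines):
    """Return {(user, device_id): Counter of sc-status} for ActiveSync requests."""
    fields, stats = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != EAS_STEM:
            continue                       # skip OWA and everything else
        # A 401 row usually has no cs-username, so take the user from the query.
        query = parse_qs(row.get("cs-uri-query", ""))
        key = (query.get("User", ["?"])[0].lower(), query.get("DeviceId", ["?"])[0])
        stats.setdefault(key, Counter())[row.get("sc-status", "?")] += 1
    return stats


def devices_failing_auth(stats, threshold=3):
    """Devices with at least `threshold` 401s and no successful (200) request."""
    return sorted(k for k, c in stats.items()
                  if c["401"] >= threshold and c["200"] == 0)


if __name__ == "__main__":
    summary = activesync_summary(SAMPLE_LOG.splitlines())
    for (user, device), codes in sorted(summary.items()):
        print(user, device, dict(codes))
    print("stale-credential candidates:", devices_failing_auth(summary))
```

A device listed here while the same user's other devices return 200 points at credentials stored on that device, and repeated 401s from it are also what would drive an account lockout.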

Author Comment

ID: 33505020
robbe: The ActiveSync failed with lots of "test itself" failures but did report:

"Testing TCP Port 443 on host mydomain.org to ensure it is listening and open. The specified port is either blocked, not listening, or not producing the expected response."

Is this a port I should open on our firewall?
LVL 28

Expert Comment

ID: 33505037
443 is blocked?
Yes, you should open port 443 in the firewall and port forward it to the Exchange internal IP.


Author Comment

ID: 33505835

So... it asks for a source IP (SonicWall).  What would that be?

Destination is the outside IP
Port is 443

How about the protocol, SRC and DRC interfaces (default is all protocols and all interfaces)?
LVL 28

Expert Comment

ID: 33505876
I will ask the sonicwall expert to drop in on this case :)
LVL 33

Assisted Solution

digitap earned 150 total points
ID: 33506015
@LTWadmin :: sunny asked me to have a look. Are you running the Public Server Wizard to generate the rules? That's the best thing to do. What's the model of SonicWall? Are you running enhanced or standard? You can find this out by logging onto your SonicWall and going to System > Status.

The Public Server Wizard will create all the address objects, firewall access rules and NAT rules. When you originally run the wizard, it will ask you to list a service. I typically pick one of the services like SMTP that will be used. Then, I go back to Firewall > Services. Create a Service Group, then add all the services that will be required... SMTP, HTTPS, etc. Then, go to your firewall rules and NAT rules, changing the service listed to the new Service Group.

Does that make sense?

Author Comment

ID: 33512711
digitap: I just got off the phone with SonicWall regarding this. Port 443 IS open (we use OWA etc) - just didn't know that was associated with that port. The SonicWall tech had me adjust the timeout setting from 5 min to 30 min. for that if that makes any sense. He seemed to understand what I was trying to accomplish.

Regarding your questions:

- we are not using (did not use) the public server wizard.
- We're on a Pro 2040 Standard (the tech asked about standard/enhanced).

I'm sure what you're saying makes sense but I'm a General Practitioner overseeing an O.R. when it comes to Firewalls...

The ActiveSync test still fails but the tech told me that's because the SonicWall doesn't allow port scans...

I personally think NSX or MrBrain was correct in the first place with the proximity theory or AT&T hiccup... I have other iPhones on the network with no reported problems. Just one pesky Droid HTC but that may just be needing a software update... The user has had no further complaints either. Unless anyone has any further thoughts/ideas, I'll close this one out later this afternoon...
LVL 33

Expert Comment

ID: 33512819
Regarding the TCP timeout increase, if the timeout is set too low then it's possible the phone won't connect properly to the server. This is resolved by increasing the TCP timeout within the Firewall Access Rule used for the port 443 connection. Microsoft blurb:

The heartbeat interval is how much time that a mobile device calculates should pass between pings to the server from the mobile device. The session between the server and the mobile device ends if one of the following conditions is true:

    * No e-mail messages arrive in the mailbox to initiate a notification.
    * There is no response from the server before the heartbeat interval elapses.

Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives.

Regarding the Public Server Wizard, I believe this is on the Standard. I haven't been in a standard OS in a while. The Wizard is important to configuring connectivity such as you're using with port 443. It creates all the Firewall Access Rules and NAT rules necessary.

I agree thus far with SonicWall support, except with the port scan comment. The SonicWall does block port scans, but if this is truly what was happening then no device would be able to connect.

Summary: It sounds like the SonicWall is configured properly. You have other devices connecting successfully, which implies the single phone. I agree with your assessment that it's probably a firmware/software update needed on the phone.

Hope that has helped clear things up!

Author Closing Comment

ID: 33513042
I agree with nsx106052 given the fact that other phones are working, and the user was able to authenticate after a reset. mrbrain646 may likely also be correct. Kudos to digitap on the heartbeat info. Thanks to all.
LVL 33

Expert Comment

ID: 33513471
You're welcome and thanks for the points!
