  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 680

iPhone/Exchange "authentication reluctance".

Exchange mail high dependency user's iPhone: user reports wi-fi password changed at relative's home. User changes password to access relative's wi-fi - all is good. User then gets the following message on the iPhone: "Please Enter password for Exchange email". He does but it would not recognize his password for Exchange email. User leaves relative's home to return to his own wi-fi system at his home. When he tries to authenticate, he gets: "The User name or password for "Exchange" is incorrect" (which may have been true for password). User believes relative's wi-fi somehow caused this blockage. However, the user also saw similar behavior with his iPhone last Thursday while away from the office. User finally reset his iPhone and was able to successfully authenticate. User would like to know why this happened so any thoughts/speculations welcome.

Footnotes:

1) the user had about four different devices (2 laptops, an iPad and an iPhone), accessing the Exchange server at different times last week.

2) I noticed similar problems with my own iPhone last week - briefly - a sort of "authentication reluctance" between the device and the server.

3) At least 18 other users have reported no problems.
Asked by: LTWadmin
3 Solutions
 
nsx106052 Commented:
More than likely it might have been a connectivity issue. Did you check to see if the user account locked out during the time they couldn't access Exchange? If the user experiences a problem you might just want to advise them to temporarily disable Wi-Fi.
 
mrbrain646 Commented:
It might be an outage or maintenance on the AT&T network.
Also upgrade the devices to the latest iOS 4.0.2. It addresses a lot of the Exchange ActiveSync issues.



 
robbe Commented:
Check if active sync is working properly.

You can use this url: https://www.testexchangeconnectivity.com/

Consider using a test account or change the password to test. It's Microsoft but you still don't want to send passwords over the internet :)
 
sunnyc7 Commented:
User believes relative's wi-fi somehow caused this blockage
>> Not possible.

a) What version of iPhone OS are you running?

b) Answer can be upgrading to iOS 4.0.2 as pointed out by mrbrain646

c) You can also install mobileAdmin to monitor partnerships with device.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Make sure you install it within Default Website, otherwise this will create another directory called DefaultWebsite and install it there.
That won't work.
 
LTWadmin (Author) Commented:
sunnyc7: before installing mobileAdmin, is this the feature you're suggesting?

"View a list of all devices that are being used by any enterprise user".  

If so, how does the list of devices used yield information pertinent to the issue at hand?  Thanks.
 
sunnyc7 Commented:
I want to see if a partnership is established between the 2 devices @ through mobileadmin.

you can also check SMTPSVC1 logs at
c:\windows\system32\logs\SMTPSVC1\
and use logparser to bring out cs-uri-stem for ExchangeActivesync
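
An added example, not part of the original thread or any poster's code: a Python version of the log check described in the comment above, grouping ActiveSync requests by user and device and flagging devices that repeatedly receive HTTP 401, which is the pattern to look for when one device out of several keeps failing authentication. It assumes a W3C extended log carrying cs-uri-stem, cs-uri-query and sc-status, and ActiveSync's User/DeviceId/DeviceType query parameters; the log lines, user and device IDs are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

EAS_STEM = "/microsoft-server-activesync"

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2010-08-20 14:01:10 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Ping jdoe 203.0.113.7 200
2010-08-20 14:05:42 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Sync - 198.51.100.9 401
2010-08-20 14:05:50 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Sync - 198.51.100.9 401
2010-08-20 14:06:03 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0001&DeviceType=iPhone&Cmd=Sync - 198.51.100.9 401
2010-08-20 14:06:30 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl0002&DeviceType=iPad&Cmd=Ping jdoe 203.0.113.7 200
2010-08-20 14:07:00 GET /exchange/jdoe/Inbox - jdoe 192.0.2.15 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def activesync_auth_summary(text):
    """Count ActiveSync responses per (user, device id, device type, status)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower() != EAS_STEM:
            continue                          # OWA and other traffic is ignored
        q = parse_qs(row.get("cs-uri-query", ""))
        device = tuple(q.get(k, ["?"])[0] for k in ("User", "DeviceId", "DeviceType"))
        counts[device + (row["sc-status"],)] += 1
    return counts

def devices_failing_auth(text, threshold=3):
    """Devices with at least `threshold` 401 responses (threshold is arbitrary)."""
    summary = activesync_auth_summary(text)
    return sorted(k[:3] for k, n in summary.items() if k[3] == "401" and n >= threshold)

if __name__ == "__main__":
    for key, n in sorted(activesync_auth_summary(SAMPLE_LOG).items()):
        print(n, *key)
    print("repeated 401s:", devices_failing_auth(SAMPLE_LOG))
```

Comparing the flagged device against the account's lockout times shows whether one handset or the whole account is the source of the failures.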
 
LTWadmin (Author) Commented:
robbe: The ActiveSync failed with lots of "test itself" failures but did report:

"Testing TCP Port 443 on host mydomain.org to ensure it is listening and open. The specified port is either blocked, not listening, or not producing the expected response."

Is this a port I should open on our firewall?
 
sunnyc7 Commented:
443 is blocked?
Yes, you should open port 443 in the firewall and port forward it to the Exchange internal IP.

thanks
 
LTWadmin (Author) Commented:
sunnyc7:

So... it asks for a source IP (SonicWall).  What would that be?

Destination is the outside IP
Port is 443

How about the protocol, SRC and DRC interfaces (default is all protocols and all interfaces)?
 
sunnyc7 Commented:
I will ask the SonicWall expert to drop in on this case :)
 
digitap Commented:
@LTWadmin :: sunny asked me to have a look.  Are you running the Public Server Wizard to generate the rules?  That's the best thing to do.  What's the model of Sonicwall?  Are you running enhanced or standard?  You can find this out by logging onto your sonicwall and going to System > Status.

The public server wizard will create all the address objects, firewall access rules and NAT rules.  When you originally run the wizard, it will ask you to list a service.  I typically pick one of the services like SMTP that will be used.  Then, I go back to Firewall > Services.  Create a Service Group, then add all the services that will be required...SMTP, HTTPS, etc.  Then, go to your firewall rules and NAT rules changing the service listed to the new Service Group.

Does that make sense?
 
LTWadmin (Author) Commented:
digitap: I just got off the phone with SonicWall regarding this.  Port 443 IS open (we use OWA etc) - just didn't know that was associated with that port.  The SonicWall tech had me adjust the timeout setting from 5 min to 30 min. for that if that makes any sense.  He seemed to understand what I was trying to accomplish.

Regarding your questions:

- we are not using (did not use) the public server wizard.
- We're on a Pro 2040 Standard (the tech asked about standard/enhanced).

I'm sure what you're saying makes sense but I'm a General Practitioner overseeing an O.R. when it comes to Firewalls...

The ActiveSync test still fails but the tech told me that's because the Sonicwall doesn't allow port scans...  

I personally think NSX or MrBrain was correct in the first place with the proximity theory or AT&T hiccup...  I have other iPhones on the network with no reported problems.  Just one pesky Droid HTC but that may just be needing a software update...  The user has had no further complaints either.  Unless anyone has any further thoughts/ideas, I'll close this one out later this afternoon...
 
digitap Commented:
Regarding the TCP timeout increase, if the timeout is set too low then it's possible the phone won't connect properly to the server.  This is resolved by increasing the TCP timeout within the Firewall Access Rule used for the port 443 connection.  Microsoft blurb:

The heartbeat interval is how much time that a mobile device calculates should pass between pings to the server from the mobile device. The session between the server and the mobile device ends if one of the following conditions is true:

    * No e-mail messages arrive in the mailbox to initiate a notification.
    * There is no response from the server before the heartbeat interval elapses.

Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives.


Regarding the Public Server Wizard, I believe this is on the Standard.  I haven't been in a standard OS in a while.  The Wizard is important to configuring connectivity such as you're using with port 443.  It creates all the Firewall Access Rules and NAT rules necessary.


I agree thus far with Sonicwall support, except with the port scan comment.  The sonicwall does block port scans, but if this is truly what was happening then no device would be able to connect.


Summary: It sounds like the sonicwall is configured properly.  You have other devices connecting successfully which implies the single phone.  I agree with your assessment that it's probably a firmware/software update needed on the phone.

Hope that has helped clear things up!
 
LTWadmin (Author) Commented:
I agree with nsx106052 given the fact that other phones are working, and the user was able to authenticate after a reset. mrbrain646 may likely also be correct.  Kudos to digitap on the heartbeat info.  Thanks to all.
 
digitap Commented:
You're welcome and thanks for the points!