iPhone/Exchange "authentication reluctance".

Posted on 2010-08-23
Last Modified: 2012-05-10
A user who depends heavily on Exchange mail on his iPhone reports that the Wi-Fi password changed at a relative's home. User changes password to access relative's Wi-Fi - all is good. User then gets the following message on the iPhone: "Please enter password for Exchange email". He does, but it would not recognize his password for Exchange email. User leaves relative's home to return to his own Wi-Fi system at his home. When he tried to authenticate, he got: "The user name or password for "Exchange" is incorrect" (which may have been true for the password). User believes relative's Wi-Fi somehow caused this blockage. However, the user also saw similar behavior with his iPhone last Thursday while away from the office. User finally reset his iPhone and was able to authenticate successfully. User would like to know why this happened, so any thoughts/speculations are welcome.

Footnotes:

1) the user had about four different devices (2 laptops, an iPad and an iPhone), accessing the Exchange server at different times last week.

2) I noticed similar problems with my own iPhone last week - briefly - a sort of "authentication reluctance" between the device and the server.

3) At least 18 other users have reported no problems.
Question by:LTWadmin

Accepted Solution

by: nsx106052 (earned 400 total points)
ID: 33500885
More than likely it might have been a connectivity issue.  Did you check to see if the user account locked out during the time they couldn't access exchange? If the user experiences a problem you might just want to advise them to temporarily disable Wi-Fi.

Assisted Solution

by: mrbrain646 (earned 50 total points)
ID: 33500960
It might be an outage or maintenance on the AT&T network.
Also, upgrade the devices to the latest iOS 4.0.2. It addresses a lot of the Exchange ActiveSync issues.

Expert Comment

by:robbe
ID: 33500981
Check if active sync is working properly.

You can use this url: https://www.testexchangeconnectivity.com/

Consider using a test account, or change the password to test. It's Microsoft, but you still don't want to send passwords over the internet :)

Expert Comment

by:sunnyc7
ID: 33501979
User believes relative's wi-fi somehow caused this blockage
>> Not possible.

a) what version of iPhone OS are you running ?

b) The answer can be upgrading to iOS 4.0.2, as pointed out by mrbrain646.

c) You can also install mobileAdmin to monitor partnerships with device.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Make sure you install it within the Default Website; otherwise it will create another directory called DefaultWebsite and install it there. That won't work.

Author Comment

by:LTWadmin
ID: 33503367
sunnyc7: before installing mobileAdmin, is this the feature you're suggesting?

"View a list of all devices that are being used by any enterprise user".  

If so, how does the list of devices used yield information pertinent to the issue at hand?  Thanks.

Expert Comment

by:sunnyc7
ID: 33503968
I want to see if a partnership is established between the two devices, through MobileAdmin.

You can also check the SMTPSVC1 logs at
c:\windows\system32\logs\SMTPSVC1\
and use Log Parser to pull out cs-uri-stem for Exchange ActiveSync.
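The log check suggested above, done in script form, as an added example that is not code from this thread or from Log Parser: it reads an IIS W3C-format site log (the log in which IIS records the /Microsoft-Server-ActiveSync requests; the default field set is assumed), keeps only the ActiveSync requests, and groups the 401 responses per user and DeviceId so a device that repeatedly fails authentication, from which client IPs, and whether it later recovered, stands out. The log excerpt, the user names, the DeviceIds and the IP addresses are constructed for the example.

```python
"""Find Exchange ActiveSync authentication-failure bursts in IIS W3C logs.

Added example; not code from the thread. Replace SAMPLE_LOG with the
contents of a real ex*.log file from the IIS site log directory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample (not real traffic). 203.0.113.7 plays the user's home
# network, 198.51.100.23 the relative's Wi-Fi; Appl7XQ1 is a made-up DeviceId.
# IIS logs "-" for cs-username when the request was not authenticated.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-08-19 13:58:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 MYDOMAIN\jsmith 203.0.113.7 Apple-iPhone3C1/801.293 200 0 0
2010-08-19 14:02:11 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 14:02:40 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=FolderSync 443 - 198.51.100.23 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 14:03:00 10.0.0.5 POST /Microsoft-Server-ActiveSync User=mlee&DeviceId=Appl9ZZ2&DeviceType=iPhone&Cmd=Ping 443 MYDOMAIN\mlee 203.0.113.9 Apple-iPhone3C1/801.293 200 0 0
2010-08-19 14:03:15 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 14:04:10 10.0.0.5 GET /owa/ - 443 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2010-08-19 14:05:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 19:41:30 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.7 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 19:42:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.7 Apple-iPhone3C1/801.293 401 2 5
2010-08-19 20:10:48 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=Appl7XQ1&DeviceType=iPhone&Cmd=FolderSync 443 MYDOMAIN\jsmith 203.0.113.7 Apple-iPhone3C1/801.293 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            if fields is None:
                raise ValueError("request line before #Fields header")
            values = line.split()  # IIS writes '+' for spaces inside values
            if len(values) == len(fields):  # skip truncated/malformed lines
                yield dict(zip(fields, values))


def activesync_rows(rows):
    """Keep only ActiveSync requests; take user and device from the query string,
    because cs-username is '-' on a failed (401) request."""
    for row in rows:
        if row["cs-uri-stem"].lower() != "/microsoft-server-activesync":
            continue
        q = parse_qs(row["cs-uri-query"])
        yield {
            "when": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "user": q.get("User", ["?"])[0].lower(),
            "device": q.get("DeviceId", ["?"])[0],
            "client_ip": row["c-ip"],
            "status": int(row["sc-status"]),
        }


def find_auth_failure_bursts(log_text, threshold=3, window=timedelta(minutes=15)):
    """Return {(user, device): summary} for devices that produced at least
    `threshold` 401s inside `window`, noting whether they authenticated again later."""
    by_device = defaultdict(list)
    for r in activesync_rows(parse_w3c(log_text)):
        by_device[(r["user"], r["device"])].append(r)

    findings = {}
    for key, reqs in by_device.items():
        reqs.sort(key=lambda r: r["when"])
        failures = [r for r in reqs if r["status"] == 401]
        # sliding window over the sorted failures: any `threshold` of them within `window`
        burst = any(
            failures[i + threshold - 1]["when"] - failures[i]["when"] <= window
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        last_failure = failures[-1]["when"]
        findings[key] = {
            "failures": len(failures),
            "first_failure": failures[0]["when"],
            "last_failure": last_failure,
            "client_ips": sorted({r["client_ip"] for r in failures}),
            "recovered": any(r["status"] == 200 and r["when"] > last_failure for r in reqs),
        }
    return findings


if __name__ == "__main__":
    for (user, device), summary in find_auth_failure_bursts(SAMPLE_LOG).items():
        print(f"{user} / {device}: {summary}")
```

On the constructed sample the only finding is the iPhone with DeviceId Appl7XQ1: six 401s from two client networks, and a 200 after the last failure, which matches a device retrying a stale password until the user re-entered it. The other iPhone and the OWA requests are not reported. A "recovered": False entry with many failures from one DeviceId is the pattern to look at first, since those retries also count against an account lockout policy.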

Author Comment

by:LTWadmin
ID: 33505020
robbe: The ActiveSync failed with lots of "test itself" failures but did report:

"Testing TCP Port 443 on host mydomain.org to ensure it is listening and open. The specified port is either blocked, not listening, or not producing the expected response."

Is this a port I should open on our firewall?

Expert Comment

by:sunnyc7
ID: 33505037
443 is blocked?
Yes, you should open port 443 on the firewall and port-forward it to the Exchange internal IP.

thanks

Author Comment

by:LTWadmin
ID: 33505835
sunnyc7:

So... it asks for a source IP (SonicWall).  What would that be?

Destination is the outside IP
Port is 443

How about the protocol and the SRC and DST interfaces (default is all protocols and all interfaces)?

Expert Comment

by:sunnyc7
ID: 33505876
I will ask the sonicwall expert to drop in on this case :)

Assisted Solution

by: digitap (earned 50 total points)
ID: 33506015
@LTWadmin :: sunny asked me to have a look.  Are you running the Public Server Wizard to generate the rules?  That's the best thing to do.  What's the model of Sonicwall?  Are you running enhanced or standard?  You can find this out by logging onto your sonicwall and going to System > Status.

The public server wizard will create all the address objects, firewall access rules and NAT rules.  When you originally run the wizard, it will ask you to list a service.  I typically pick one of the services like SMTP that will be used.  Then, I go back to Firewall > Services.  Create a Service Group, then add all the services that will be required...SMTP, HTTPS, etc.  Then, go to your firewall rules and NAT rules changing the service listed to the new Service Group.

Does that make sense?

Author Comment

by:LTWadmin
ID: 33512711
digitap: I just got off the phone with SonicWall regarding this.  Port 443 IS open (we use OWA etc.) - I just didn't know that was associated with that port.  The SonicWall tech had me adjust the timeout setting from 5 min to 30 min for that, if that makes any sense.  He seemed to understand what I was trying to accomplish.

Regarding your questions:

- we are not using (did not use) the public server wizard.
- We're on a Pro 2040 Standard (the tech asked about standard/enhanced).

I'm sure what you're saying makes sense but I'm a General Practitioner overseeing an O.R. when it comes to Firewalls...

The ActiveSync test still fails but the tech told me that's because the Sonicwall doesn't allow port scans...  

I personally think NSX or MrBrain was correct in the first place with the proximity theory or AT&T hiccup...  I have other iPhones on the network with no reported problems.  Just one pesky Droid HTC but that may just be needing a software update...  The user has had no further complaints either.  Unless anyone has any further thoughts/ideas, I'll close this one out later this afternoon...

Expert Comment

by:digitap
ID: 33512819
Regarding the TCP timeout increase, if the timeout is set too low then it's possible the phone won't connect properly to the server.  This is resolved by increasing the TCP timeout within the Firewall Access Rule used for the port 443 connection.  Microsoft blurb:

The heartbeat interval is how much time that a mobile device calculates should pass between pings to the server from the mobile device. The session between the server and the mobile device ends if one of the following conditions is true:

    * No e-mail messages arrive in the mailbox to initiate a notification.
    * There is no response from the server before the heartbeat interval elapses.

Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives.


Regarding the Public Server Wizard, I believe this is on the Standard.  I haven't been in a Standard OS in a while.  The Wizard is important to configuring connectivity such as what you're using with port 443.  It creates all the Firewall Access Rules and NAT rules necessary.


I agree thus far with Sonicwall support, except with the port scan comment.  The sonicwall does block port scans, but if this is truly what was happening then no device would be able to connect.


Summary: It sounds like the SonicWall is configured properly.  You have other devices connecting successfully, which points to the single phone.  I agree with your assessment that it's probably a firmware/software update needed on the phone.

Hope that has helped clear things up!
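The interaction digitap describes between the Direct Push heartbeat and the firewall's TCP timeout, as an added example that is not code from this thread or from Microsoft: the ActiveSync Ping request sits open carrying no bytes until the heartbeat interval elapses or new mail arrives, so a stateful firewall that drops idle TCP sessions sooner than that kills the request under the device. The model below runs the old 5-minute and new 30-minute SonicWall timeouts from this thread against an assumed 15-minute device heartbeat; the back-off rule (halve the interval after each dropped session, give up below a floor) is a simplified assumption, not Apple's or Microsoft's actual algorithm.

```python
"""Model of a firewall TCP idle timeout against Direct Push heartbeats.

Added example, not code from the thread or from Microsoft. The device
behaviour is a simplified assumption chosen to show the interaction.
"""


def ping_survives(heartbeat_s, firewall_idle_timeout_s):
    """True if an idle Ping request outlives the firewall's idle timeout.

    The connection carries no traffic for the whole heartbeat, so the
    firewall sees it idle for `heartbeat_s` seconds; equal counts as dropped.
    """
    return heartbeat_s < firewall_idle_timeout_s


def negotiate_heartbeat(requested_s, firewall_idle_timeout_s, floor_s=60):
    """Return (settled heartbeat in seconds or None, number of dropped sessions).

    Assumed device behaviour: start at `requested_s`, halve the interval
    after every session the firewall drops, give up below `floor_s`.
    """
    heartbeat, drops = requested_s, 0
    while not ping_survives(heartbeat, firewall_idle_timeout_s):
        drops += 1
        heartbeat //= 2
        if heartbeat < floor_s:
            return None, drops  # no heartbeat short enough to keep push alive
    return heartbeat, drops


def compare_timeouts(requested_s, timeouts_s):
    """Settled heartbeat, dropped sessions and reconnects per hour per firewall timeout."""
    rows = {}
    for timeout in timeouts_s:
        settled, drops = negotiate_heartbeat(requested_s, timeout)
        rows[timeout] = {
            "settled_heartbeat_s": settled,
            "dropped_sessions": drops,
            # every settled heartbeat ends with a fresh Ping, i.e. a new TCP session
            "reconnects_per_hour": None if settled is None else 3600 // settled,
        }
    return rows


if __name__ == "__main__":
    # 300 s and 1800 s are the before/after firewall settings from the thread;
    # a 900 s device request is an assumption for the example.
    for timeout, row in compare_timeouts(900, [300, 1800]).items():
        print(f"firewall idle timeout {timeout}s: {row}")
```

With the 5-minute timeout the modelled device loses two sessions before settling at a heartbeat under 4 minutes and then reopens a connection 16 times an hour; with 30 minutes the requested heartbeat survives unchanged. Each dropped session is a place where a device with a stale or mistyped password gets another chance to fail authentication, which is why a short timeout and an "incorrect password" prompt tend to show up together.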

Author Closing Comment

by:LTWadmin
ID: 33513042
I agree with nsx106052 given the fact that other phones are working, and the user was able to authenticate after a reset. mrbrain646 may likely also be correct.  Kudos to digitap on the heartbeat info.  Thanks to all.

Expert Comment

by:digitap
ID: 33513471
you're welcome and thanks for the points!