Solved

iPhone/Exchange "authentication reluctance".

Posted on 2010-08-23
Last Modified: 2012-05-10
An iPhone user with a high dependency on Exchange mail reports the wi-fi password changed at a relative's home. User changes password to access relative's wi-fi - all is good. User then gets the following message on the iPhone: "Please Enter password for Exchange email". He does, but it would not recognize his password for Exchange email. User leaves relative's home to return to his own wi-fi system at his home. When he tries to authenticate, he gets: "The User name or password for "Exchange" is incorrect" (which may have been true for password). User believes relative's wi-fi somehow caused this blockage. However, the user also saw similar behavior with his iPhone last Thursday while away from the office. User finally reset his iPhone and was able to successfully authenticate. User would like to know why this happened, so any thoughts/speculations welcome.

Footnotes:

1) the user had about four different devices (2 laptops, an iPad and an iPhone), accessing the Exchange server at different times last week.

2) I noticed similar problems with my own iPhone last week - briefly - a sort of "authentication reluctance" between the device and the server.

3) At least 18 other users have reported no problems.
Question by:LTWadmin
 
LVL 12

Accepted Solution

by:
nsx106052 earned 400 total points
ID: 33500885
More than likely it might have been a connectivity issue. Did you check to see if the user account was locked out during the time they couldn't access Exchange? If the user experiences a problem you might just want to advise them to temporarily disable Wi-Fi.
0
 
LVL 4

Assisted Solution

by:mrbrain646
mrbrain646 earned 50 total points
ID: 33500960
It might be an outage or maintenance on the AT&T network.
Also upgrade the devices to the latest iOS 4.0.2. It addresses a lot of the Exchange ActiveSync issues.
0
 
LVL 6

Expert Comment

by:robbe
ID: 33500981
Check if ActiveSync is working properly.

You can use this URL: https://www.testexchangeconnectivity.com/

Consider using a test account or change the password to test. It's Microsoft but you still don't want to send passwords over the internet :)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33501979
User believes relative's wi-fi somehow caused this blockage
>> Not possible.

a) What version of iPhone OS are you running?

b) Answer can be upgrading to iOS 4.0.2 as pointed out by mrbrain646

c) You can also install mobileAdmin to monitor partnerships with device.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Make sure you install it within Default Website, otherwise this will create another directory called DefaultWebsite and install it there.
That won't work.
0
 

Author Comment

by:LTWadmin
ID: 33503367
sunnyc7: before installing mobileAdmin, is this the feature you're suggesting?

"View a list of all devices that are being used by any enterprise user".  

If so, how does the list of devices used yield information pertinent to the issue at hand?  Thanks.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33503968
I want to see if a partnership is established between the 2 devices @ through mobileadmin.

You can also check SMTPSVC1 logs at
c:\windows\system32\logs\SMTPSVC1\
and use logparser to bring out cs-uri-stem for ExchangeActivesync
0
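A sketch of the log check suggested in the comment above, added here as an example and not code from the thread: it reads W3C extended log lines, keeps the ActiveSync requests by `cs-uri-stem`, and reports devices whose most recent requests are a run of HTTP 401s, which is what a phone retrying a stale password looks like and what can lock an account when several devices share it. The field list, the `User`/`DeviceId` query parameters, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

EAS_STEM = "/microsoft-server-activesync"

# Constructed sample in W3C extended log format (not data from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-08-19 14:02:11 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Ping 198.51.100.7 200
2010-08-19 14:05:40 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0002&DeviceType=iPad&Cmd=Sync 203.0.113.9 200
2010-08-19 14:20:03 GET /owa/ - 203.0.113.50 401
2010-08-19 18:31:02 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Ping 192.0.2.44 401
2010-08-19 18:31:09 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Sync 192.0.2.44 401
2010-08-19 18:32:15 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Ping 192.0.2.44 401
2010-08-19 18:40:00 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ApplTEST0002&DeviceType=iPad&Cmd=Ping 203.0.113.9 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, values))

def eas_auth_summary(text):
    """Per (user, device id): successes, current 401 streak, last 401 time."""
    summary = defaultdict(lambda: {"ok": 0, "denied_streak": 0, "last_denied": None})
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != EAS_STEM:
            continue  # OWA and other virtual directories are out of scope
        query = parse_qs(row.get("cs-uri-query", ""))
        key = (query.get("User", ["-"])[0].lower(), query.get("DeviceId", ["-"])[0])
        entry = summary[key]
        if row.get("sc-status") == "401":
            entry["denied_streak"] += 1
            entry["last_denied"] = f'{row["date"]} {row["time"]}'
        elif row.get("sc-status") == "200":
            entry["ok"] += 1
            entry["denied_streak"] = 0  # a success ends the failure run
    return dict(summary)

def stale_credential_devices(text, threshold=3):
    """Devices whose latest requests are `threshold` or more 401s in a row."""
    return sorted(key for key, entry in eas_auth_summary(text).items()
                  if entry["denied_streak"] >= threshold)
```

Comparing the flagged device's `last_denied` time with the account lockout events on the domain controller shows whether that device was the one exhausting the bad-password count.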
 

Author Comment

by:LTWadmin
ID: 33505020
robbe: The ActiveSync failed with lots of "test itself" failures but did report:

"Testing TCP Port 443 on host mydomain.org to ensure it is listening and open. The specified port is either blocked, not listening, or not producing the expected response."

Is this a port I should open on our firewall?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33505037
443 is blocked?
Yes you should open port 443 in firewall and port forward it to Exchange internal IP

thanks
0
 

Author Comment

by:LTWadmin
ID: 33505835
sunnyc7:

So... it asks for a source IP (SonicWall).  What would that be?

Destination is the outside IP
Port is 443

How about the protocol, SRC and DRC interfaces (default is all protocols and all interfaces)?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33505876
I will ask the SonicWall expert to drop in on this case :)
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 50 total points
ID: 33506015
@LTWadmin :: sunny asked me to have a look.  Are you running the Public Server Wizard to generate the rules?  That's the best thing to do.  What's the model of Sonicwall?  Are you running enhanced or standard?  You can find this out by logging onto your sonicwall and going to System > Status.

The public server wizard will create all the address objects, firewall access rules and NAT rules.  When you originally run the wizard, it will ask you to list a service.  I typically pick one of the services like SMTP that will be used.  Then, I go back to Firewall > Services.  Create a Service Group, then add all the services that will be required...SMTP, HTTPS, etc.  Then, go to your firewall rules and NAT rules changing the service listed to the new Service Group.

Does that make sense?
0
 

Author Comment

by:LTWadmin
ID: 33512711
digitap: I just got off the phone with SonicWall regarding this.  Port 443 IS open (we use OWA etc) - just didn't know that was associated with that port.  The SonicWall tech had me adjust the timeout setting from 5 min to 30 min. for that if that makes any sense.  He seemed to understand what I was trying to accomplish.

Regarding your questions:

- we are not using (did not use) the public server wizard.
- We're on a Pro 2040 Standard (the tech asked about standard/enhanced).

I'm sure what you're saying makes sense but I'm a General Practitioner overseeing an O.R. when it comes to Firewalls...

The ActiveSync test still fails but the tech told me that's because the Sonicwall doesn't allow port scans...  

I personally think NSX or MrBrain was correct in the first place with the proximity theory or AT&T hiccup...  I have other iPhones on the network with no reported problems.  Just one pesky Droid HTC but that may just be needing a software update...  The user has had no further complaints either.  Unless anyone has any further thoughts/ideas, I'll close this one out later this afternoon...
0
 
LVL 33

Expert Comment

by:digitap
ID: 33512819
Regarding the TCP timeout increase, if the timeout is set too low then it's possible the phone won't connect properly to the server.  This is resolved by increasing the TCP timeout within the Firewall Access Rule used for the port 443 connection.  Microsoft blurb:

The heartbeat interval is how much time that a mobile device calculates should pass between pings to the server from the mobile device. The session between the server and the mobile device ends if one of the following conditions is true:

    * No e-mail messages arrive in the mailbox to initiate a notification.
    * There is no response from the server before the heartbeat interval elapses.

Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives.


Regarding the Public Server Wizard, I believe this is on the Standard.  I haven't been in a standard OS in a while.  The Wizard is important to configuring connectivity such that you're using with port 443.  It creates all the Firewall Access Rules and NAT rules necessary.


I agree thus far with Sonicwall support, except with the port scan comment.  The sonicwall does block port scans, but if this is truly what was happening then no device would be able to connect.


Summary: It sounds like the sonicwall is configured properly.  You have other devices connecting successfully which implies the single phone.  I agree with your assessment that it's probably a firmware/software update needed on the phone.

Hope that has helped clear things up!
0
 

Author Closing Comment

by:LTWadmin
ID: 33513042
I agree with nsx106052 given the fact that other phones are working, and the user was able to authenticate after a reset. mrbrain646 may likely also be correct.  Kudos to digitap on the heartbeat info.  Thanks to all.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33513471
you're welcome and thanks for the points!
0

Question has a verified solution.