Solved

ActiveSync Error when setting up iPhone

Posted on 2010-09-03
Last Modified: 2016-01-25
I'm having a problem setting up ActiveSync on an iPhone in a new Exchange 2010 SP1 environment. This phone has been set up and worked properly once before in a previous failed Exchange 2010 install.

I have made sure that my Active Directory account has the Inherited Permissions box checked; it was working previously in this domain. I had completely re-installed the Windows 2008 R2 server and re-installed Exchange.

In the Application log on the Exchange Server, I get the following Event ID 1008: (I x'd out some of the confidential info)

An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=bxxxxx&DeviceId=Appl87924Y70Y7H&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: Security settings couldn't be applied to the user device container 'CN=ExchangeActiveSyncDevices,CN=Bxxxx Exxxx,OU=Ixxxxx Sxxxx Users,OU=Ixxxxx Sxxxxx,DC=cxxxx,DC=local' in Active Directory. Delete the container if it's empty.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 111
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows below:
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC2.cuzone.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Exception level: 1
Exception stack trace:    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
Inner exception follows below:
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Exception level: 2
Exception stack trace:    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- Exception end ---.

Any help is appreciated

Thanks!
Question by:jr4235
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 750 total points
ID: 33600621
Is this a fresh Exchange install or a migration from a previous version?
Either way - please check your inherited permissions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html 
0
 

Author Comment

by:jr4235
ID: 33600655
Thanks so much for your reply.

Fresh install... second attempt. First install was aborted but iPhone was working properly. Also, I did state that the inherited permission was checked.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33600705
Sorry - lots to read and I only skimmed : (
Has the account got Exchange Activesync enabled in Exchange Management Console> Recipient Configuration> Mailbox> Mailbox Properties> Mailbox Features Tab?
0
 

Author Comment

by:jr4235
ID: 33601444
Not a problem, I appreciate all the answers I can get.

Yes it does. I have a feeling that the account has an attribute hidden somewhere in AD that still contains info from a previous install but I can't seem to find it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 750 total points
ID: 33601488
Have you tried un-checking the inherit permissions, applying the settings, then re-checking the permission and applying the settings?
Have you installed a 3rd party SSL certificate?
What is the result of:
Get-ActiveSyncVirtualDirectory | fl
0
 

Expert Comment

by:ranakular
ID: 33603702
A different angle: try running the following as the user. Does it show up anything?
https://www.testexchangeconnectivity.com/
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33603834
Have you checked this setting:
Go to the Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"



0
 

Author Comment

by:jr4235
ID: 33607716
Thanks again Alan, I do have the cert and running that command returns nothing. When I go to that site it tells me everything is set up correctly. I'm thinking there is some reference to the serial number of my iPhone hidden in AD somewhere, just can't seem to find anything digging around in adsiedit.

I think I'm going to borrow a coworker's iPhone and try to set it up with my Exchange account after the holiday, just to see what happens.

Shreedhar, thank you for your reply but that was addressed in my initial question and in subsequent answers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33607996
If using another phone does not work, I would recommend removing the Activesync virtual directory and re-creating a new one.
You can use the following commands to achieve this:
Remove-ActiveSyncVirtualDirectory domain\Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa996916.aspx
New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL http://www.domain.com/Microsoft-Server-ActiveSync 
Reference : http://technet.microsoft.com/en-us/library/aa997160.aspx 
 
0
 

Expert Comment

by:ranakular
ID: 33613021
I would also recommend looking at the following article:
http://discussions.apple.com/thread.jspa?threadID=1728784
0
 

Author Comment

by:jr4235
ID: 33617828
Ok, finally found the solution. Seemed to be a combination of problems... biggest was something left over from the failed install.

Had to go into the user container inside of ADSIEdit and delete the Activesync device. Here were the exact steps I took.

1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.

I may not have needed to replicate AD, but did anyway for good measure. I re-created the steps a second time just to be sure the solution worked too.

Thank you all for your help.

0
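A read-only way to inspect what the steps above act on, as an added example that is not part of the original thread: it reports whether inheritance is blocked on the user object and on the per-user CN=ExchangeActiveSyncDevices container, and lists the device objects under that container with their creation dates. It assumes the ActiveDirectory PowerShell module is available; the function name and the sample account name are hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing in AD is modified.
# Assumes the ActiveDirectory module (RSAT); Test-EasDeviceContainer and the
# sample account name 'jdoe' are hypothetical names used for illustration.
Import-Module ActiveDirectory

function Test-EasDeviceContainer {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # The user object's security descriptor tells us whether the
    # "Include inheritable permissions" box is effectively unchecked.
    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor

    # Exchange keeps device partnerships in a child container of the user.
    $container = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -Filter "Name -eq 'ExchangeActiveSyncDevices'" `
        -Properties nTSecurityDescriptor, whenCreated

    $devices = @()
    if ($container) {
        $devices = @(Get-ADObject -SearchBase $container.DistinguishedName `
            -SearchScope OneLevel -Filter * -Properties whenCreated)
    }

    # AreAccessRulesProtected = $true means inheritance is blocked on that object.
    $containerBlocked = $null
    $containerCreated = $null
    if ($container) {
        $containerBlocked = $container.nTSecurityDescriptor.AreAccessRulesProtected
        $containerCreated = $container.whenCreated
    }

    New-Object PSObject -Property @{
        User                      = $user.DistinguishedName
        UserInheritanceBlocked    = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ContainerExists           = [bool]$container
        ContainerInheritanceBlock = $containerBlocked
        # A creation date older than the current Exchange install points to a leftover.
        ContainerCreated          = $containerCreated
        Devices                   = $devices | Select-Object Name, whenCreated
    }
}

# Example call:
# Test-EasDeviceContainer -SamAccountName 'jdoe' | Format-List
```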
 

Author Closing Comment

by:jr4235
ID: 33617854
Very helpful
0
 

Expert Comment

by:FontanaIT
ID: 41432747
I had a corrupt device listed in my CN=ExchangeActiveSyncDevices container and followed jr4235's directions for the resolution to the issue:


1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.
0

Question has a verified solution.