Solved

ActiveSync Error when setting up iPhone

Posted on 2010-09-03
Last Modified: 2016-01-25
I'm having a problem setting up ActiveSync on an iPhone in a new Exchange 2010 SP1 environment. This phone has been set up and worked properly once before in a previous failed Exchange 2010 install.

I have made sure that my Active Directory account has the Inherited Permissions box checked; it was working previously in this Domain. I had completely re-installed the Windows 2008R2 server, and re-installed Exchange.

In the Application log on the Exchange Server, I get the following Event ID 1008: (I x'd out some of the confidential info)

An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=bxxxxx&DeviceId=Appl87924Y70Y7H&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: Security settings couldn't be applied to the user device container 'CN=ExchangeActiveSyncDevices,CN=Bxxxx Exxxx,OU=Ixxxxx Sxxxx Users,OU=Ixxxxx Sxxxxx,DC=cxxxx,DC=local' in Active Directory. Delete the container if it's empty.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 111
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows below:
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC2.cuzone.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Exception level: 1
Exception stack trace:    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
Inner exception follows below:
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Exception level: 2
Exception stack trace:    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- Exception end ---.

Any help is appreciated

Thanks!
0
Question by:jr4235
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 33600621
Is this a fresh Exchange install or a migration from a previous version?
Either way - please check your inherited permissions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html
0
 

Author Comment

by:jr4235
ID: 33600655
Thanks so much for your reply.

Fresh install... second attempt. First install was aborted but iPhone was working properly. Also, I did state that the inherited permission was checked.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33600705
Sorry - lots to read and I only skimmed : (
Has the account got Exchange Activesync enabled in Exchange Management Console> Recipient Configuration> Mailbox> Mailbox Properties> Mailbox Features Tab?
0
 

Author Comment

by:jr4235
ID: 33601444
Not a problem, I appreciate all the answers I can get.

Yes it does. I have a feeling that the account has an attribute hidden somewhere in AD that still contains info from a previous install but I can't seem to find it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 33601488
Have you tried un-checking the inherit permissions, applying the settings, then re-checking the permission and applying the settings?
Have you installed a 3rd party SSL certificate?
What is the result of:
get-activesyncvirtualdirectory | fl
0
 

Expert Comment

by:ranakular
ID: 33603702
A different angle. Try running the following as the user; does it show up anything?
https://www.testexchangeconnectivity.com/
0

 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33603834
Have you checked this setting:
Go to the Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"



0
 

Author Comment

by:jr4235
ID: 33607716
Thanks again Alan, I do have the cert and running that command returns nothing. When I go to that site it tells me everything is set up correctly. I'm thinking there is some reference to the serial number of my iPhone hidden in AD somewhere, just can't seem to find anything digging around in adsiedit.

I think I'm going to borrow a coworker's iPhone and try to set it up with my exchange account after the holiday, just to see what happens.


Shreedhar, thank you for your reply but that was addressed in my initial question and in subsequent answers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33607996
If using another phone does not work, I would recommend removing the Activesync virtual directory and re-creating a new one.
You can use the following commands to achieve this:
Remove-ActiveSyncVirtualDirectory domain\Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa996916.aspx
New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL http://www.domain.com/Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa997160.aspx
 
0
 

Expert Comment

by:ranakular
ID: 33613021
I would also recommend looking at the following article:
http://discussions.apple.com/thread.jspa?threadID=1728784
0
 

Author Comment

by:jr4235
ID: 33617828
Ok, finally found the solution. Seemed to be a combination of problems... biggest was something left over from the failed install.

Had to go into the user container inside of ADSIEdit and delete the Activesync device. Here were the exact steps I took.

1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.

I may not have needed to replicate AD, but did anyway for good measure. I re-created the steps a second time just to be sure the solution worked too.

Thank you all for your help.

0
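
Added example, not part of the original thread: a PowerShell sketch of the checks and the container cleanup described in the post above, for the Exchange Management Shell on Exchange 2010 with the ActiveDirectory module loaded. The alias `jdoe` is a placeholder, and the inheritance checkbox (steps 2 and 6) is left to the Security tab as in the post.

```powershell
# Added example (not from the thread). Assumes: Exchange Management Shell,
# ActiveDirectory module available, and a placeholder mailbox alias.
Import-Module ActiveDirectory

$alias = 'jdoe'                                   # placeholder alias (assumption)
$dn    = (Get-ADUser -Identity $alias).DistinguishedName

# Check 1: is permission inheritance blocked on the user object?
# True here means the "Include inheritable permissions" box is unchecked.
$userAcl = Get-Acl -Path "AD:\$dn"
"Inheritance blocked on user object: $($userAcl.AreAccessRulesProtected)"

# Check 2: find the device container directly under the user object.
$container = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
    -LDAPFilter '(cn=ExchangeActiveSyncDevices)'

if ($container) {
    # The event 1008 failure is a security descriptor write on this container,
    # so record its owner and inheritance state before touching anything.
    $cAcl = Get-Acl -Path "AD:\$($container.DistinguishedName)"
    "Container owner: $($cAcl.Owner)"
    "Inheritance blocked on container: $($cAcl.AreAccessRulesProtected)"

    # List the device partnerships stored in AD (leftovers show up here).
    Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel `
        -Filter * -Properties whenCreated | Select-Object Name, whenCreated
} else {
    "No ExchangeActiveSyncDevices container under $dn"
}

# Exchange's own view of the partnerships, for comparison with AD.
Get-ActiveSyncDevice -Mailbox $alias | Select-Object DeviceId, DeviceType

# Step 1: disable ActiveSync on the mailbox.
Set-CASMailbox -Identity $alias -ActiveSyncEnabled $false

# Step 3: delete the stale container; -Confirm prompts before the delete.
if ($container) {
    Remove-ADObject -Identity $container -Recursive -Confirm:$true
}

# Step 4: push replication to all partners so every DC sees the delete.
repadmin /syncall /AdeP

# Step 5: re-enable ActiveSync; Exchange re-creates the container on next sync.
Set-CASMailbox -Identity $alias -ActiveSyncEnabled $true
```

Running only the checks first shows whether the failure comes from blocked inheritance on the user object or from a leftover container with its own owner and ACL.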
 

Author Closing Comment

by:jr4235
ID: 33617854
Very helpful
0
 

Expert Comment

by:FontanaIT
ID: 41432747
I had a corrupt device listed in my CN=ExchangeActiveSyncDevices container and followed jr4235's directions for the resolution to the issue:


1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.
0
