  • Status: Solved

ActiveSync Error when setting up iPhone

I'm having a problem setting up ActiveSync on an iPhone in a new Exchange 2010 SP1 environment. This phone has been set up and worked properly once before in a previous failed Exchange 2010 install.

I have made sure that my Active Directory account has the Inherited Permissions box checked; it was working previously in this domain. I had completely re-installed the Windows 2008 R2 server, and re-installed Exchange.

In the Application log on the Exchange Server, I get the following Event ID 1008: (I x'd out some of the confidential info)

An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=bxxxxx&DeviceId=Appl87924Y70Y7H&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: Security settings couldn't be applied to the user device container 'CN=ExchangeActiveSyncDevices,CN=Bxxxx Exxxx,OU=Ixxxxx Sxxxx Users,OU=Ixxxxx Sxxxxx,DC=cxxxx,DC=local' in Active Directory. Delete the container if it's empty.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 111
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows below:
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC2.cuzone.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Exception level: 1
Exception stack trace:    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
Inner exception follows below:
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Exception level: 2
Exception stack trace:    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- Exception end ---.

Any help is appreciated

Thanks!
0
jr4235
Asked:
jr4235
2 Solutions
 
Alan Hardisty (Co-Owner) Commented:
Is this a fresh Exchange install or a migration from a previous version?
Either way - please check your inherited permissions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html 
0
 
jr4235 (Author) Commented:
Thanks so much for your reply.

Fresh install... second attempt. First install was aborted but iPhone was working properly. Also, I did state that the inherited permission was checked.
0
 
Alan Hardisty (Co-Owner) Commented:
Sorry - lots to read and I only skimmed : (
Has the account got Exchange Activesync enabled in Exchange Management Console> Recipient Configuration> Mailbox> Mailbox Properties> Mailbox Features Tab?
0
 
jr4235 (Author) Commented:
Not a problem, I appreciate all the answers I can get.

Yes it does. I have a feeling that the account has an attribute hidden somewhere in AD that still contains info from a previous install but I can't seem to find it.
0
 
Alan Hardisty (Co-Owner) Commented:
Have you tried un-checking the inherit permissions, applying the settings, then re-checking the permission and applying the settings?
Have you installed a 3rd party SSL certificate?
What is the result of:
get-activesyncvirtualdirectory | fl
0
 
ranakular Commented:
A different angle. Try running the following as the user; does it show up anything?
https://www.testexchangeconnectivity.com/
0
 
Shreedhar Ette Commented:
Have you checked this setting:
Go to the Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"



0
 
jr4235 (Author) Commented:
Thanks again Alan, I do have the cert and running that command returns nothing. When I go to that site it tells me everything is set up correctly. I'm thinking there is some reference to the serial number of my iPhone hidden in AD somewhere, just can't seem to find anything digging around in adsiedit.

I think I'm going to borrow a coworker's iPhone and try to set it up with my Exchange account after the holiday, just to see what happens.


Shreedhar, thank you for your reply but that was addressed in my initial question and in subsequent answers.
0
 
Alan Hardisty (Co-Owner) Commented:
If using another phone does not work, I would recommend removing the Activesync virtual directory and re-creating a new one.
You can use the following commands to achieve this:
Remove-ActiveSyncVirtualDirectory domain\Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa996916.aspx
New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL http://www.domain.com/Microsoft-Server-ActiveSync 
Reference : http://technet.microsoft.com/en-us/library/aa997160.aspx 
 
0
 
ranakular Commented:
I would also recommend looking at the following article:
http://discussions.apple.com/thread.jspa?threadID=1728784
0
 
jr4235 (Author) Commented:
Ok, finally found the solution. Seemed to be a combination of problems... biggest was something left over from the failed install.

Had to go into the user container inside of ADSIEdit and delete the Activesync device. Here were the exact steps I took.

1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.

I may not have needed to replicate AD, but did anyway for good measure. I re-created the steps a second time just to be sure the solution worked too.

Thank you all for your help.

0
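Before deleting the container as in the steps above, its state can be captured with a read-only check. This is an added example, not part of the original thread: it reports whether ACL inheritance is blocked on the user and on CN=ExchangeActiveSyncDevices, who owns the container (the object Exchange failed to write a security descriptor to in the logged exception), and which device objects sit inside it. It assumes the RSAT ActiveDirectory module; `Get-EasContainerState` and the account name `jdoe` are hypothetical.

```powershell
# Added example: read-only, changes nothing in Active Directory.
# Assumes the RSAT ActiveDirectory module; Get-EasContainerState is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-EasContainerState {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # An owner SID left over from a removed install may not resolve to a name;
    # fall back to the raw SID string instead of failing.
    function Resolve-Owner($sd) {
        try   { $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
        catch { $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor

    # The device container is a direct child of the user object.
    $container = Get-ADObject -Filter "Name -eq 'ExchangeActiveSyncDevices'" `
        -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -Properties nTSecurityDescriptor

    $devices = @()
    $containerBlocked = $null
    $containerOwner = $null
    if ($container) {
        $containerBlocked = $container.nTSecurityDescriptor.AreAccessRulesProtected
        $containerOwner = Resolve-Owner $container.nTSecurityDescriptor
        # Device partnerships are stored as child objects of the container.
        $devices = @(Get-ADObject -Filter * -SearchBase $container.DistinguishedName `
            -SearchScope OneLevel -Properties whenCreated |
            Select-Object Name, ObjectClass, whenCreated)
    }

    New-Object PSObject -Property @{
        User                        = $user.DistinguishedName
        # True means "Include inheritable permissions" is unchecked on the object.
        UserInheritanceBlocked      = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ContainerExists             = [bool]$container
        ContainerInheritanceBlocked = $containerBlocked
        ContainerOwner              = $containerOwner
        Devices                     = $devices
    }
}

# Constructed account name; replace with the affected mailbox user.
Get-EasContainerState -SamAccountName 'jdoe' | Format-List
```

Running it before and after the steps gives a record of what was removed and confirms that inheritance is enabled again on both objects.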
 
jr4235 (Author) Commented:
Very helpful
0
 
FontanaIT Commented:
I had a corrupt device listed in my CN=ExchangeActiveSyncDevices container and followed jr4235's directions for the resolution to the issue:


1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.
0
Question has a verified solution.
