Solved

ActiveSync Error when setting up iPhone

Posted on 2010-09-03
13
7,533 Views
Last Modified: 2016-01-25
I'm having a problem setting up ActiveSync on an iPhone in a new Exchange 2010 SP1 environment. This phone has been set up and worked properly once before in a previous failed Exchange 2010 install.

I have made sure that my Active Directory account has the Inherited Permissions box checked; it was working previously in this domain. I had completely re-installed the Windows 2008R2 server, and re-installed Exchange.

In the Application log on the Exchange Server, I get the following Event ID 1008: (I x'd out some of the confidential info)

An exception occurred and was handled by Exchange ActiveSync. This may have been caused by an outdated or corrupted Exchange ActiveSync device partnership. This can occur if a user tries to modify the same item from multiple computers. If this is the case, Exchange ActiveSync will re-create the partnership with the device. Items will be updated at the next synchronization.

URL=/Microsoft-Server-ActiveSync/default.eas?User=bxxxxx&DeviceId=Appl87924Y70Y7H&DeviceType=iPhone&Cmd=FolderSync
--- Exception start ---
Exception type: Microsoft.Exchange.AirSync.AirSyncPermanentException
Exception message: Security settings couldn't be applied to the user device container 'CN=ExchangeActiveSyncDevices,CN=Bxxxx Exxxx,OU=Ixxxxx Sxxxx Users,OU=Ixxxxx Sxxxxx,DC=cxxxx,DC=local' in Active Directory. Delete the container if it's empty.
Exception level: 0
HttpStatusCode: 500
AirSyncStatusCode: 111
XmlResponse:
This request does not contain a WBXML response.
Exception stack trace:    at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
   at Microsoft.Exchange.AirSync.Command.UpdateADDevice(GlobalInfo globalInfo)
   at Microsoft.Exchange.AirSync.Command.CompleteDeviceAccessProcessing()
   at Microsoft.Exchange.AirSync.Command.WorkerThread()
Inner exception follows below:
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on DC2.cuzone.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Exception level: 1
Exception stack trace:    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.AirSync.ADDeviceManager.SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
   at Microsoft.Exchange.AirSync.ADDeviceManager.CreateActiveSyncDevice(GlobalInfo globalInfo, ExDateTime syncStorageCreationTime, Boolean retryIfFailed)
Inner exception follows below:
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.
Exception level: 2
Exception stack trace:    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
--- Exception end ---.

Any help is appreciated

Thanks!
0
Question by:jr4235
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 33600621
Is this a fresh Exchange install or a migration from a previous version?
Either way - please check your inherited permissions:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html 
0
 

Author Comment

by:jr4235
ID: 33600655
Thanks so much for your reply.

Fresh install... second attempt. First install was aborted but iPhone was working properly. Also, I did state that the inherited permission was checked.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33600705
Sorry - lots to read and I only skimmed : (
Has the account got Exchange Activesync enabled in Exchange Management Console> Recipient Configuration> Mailbox> Mailbox Properties> Mailbox Features Tab?
0
 

Author Comment

by:jr4235
ID: 33601444
Not a problem, I appreciate all the answers I can get.

Yes it does. I have a feeling that the account has an attribute hidden somewhere in AD that still contains info from a previous install but I can't seem to find it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 33601488
Have you tried un-checking the inherit permissions, applying the settings, then re-checking the permission and applying the settings?
Have you installed a 3rd party SSL certificate?
What is the result of:
get-activesyncvirtualdirectory | fl
0
 

Expert Comment

by:ranakular
ID: 33603702
A different angle: try running the following as the user. Does it show up anything?
https://www.testexchangeconnectivity.com/
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33603834
Have you checked this setting:
Go to the Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"



0
 

Author Comment

by:jr4235
ID: 33607716
Thanks again Alan, I do have the cert and running that command returns nothing. When I go to that site it tells me everything is set up correctly. I'm thinking there is some reference to the serial number of my iPhone hidden in AD somewhere, just can't seem to find anything digging around in adsiedit.

I think I'm going to borrow a coworker's iPhone and try to set it up with my Exchange account after the holiday, just to see what happens.


Shreedhar, thank you for your reply but that was addressed in my initial question and in subsequent answers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33607996
If using another phone does not work, I would recommend removing the Activesync virtual directory and re-creating a new one.
You can use the following commands to achieve this:
Remove-ActiveSyncVirtualDirectory domain\Microsoft-Server-ActiveSync
Reference : http://technet.microsoft.com/en-us/library/aa996916.aspx
New-ActiveSyncVirtualDirectory -WebSiteName "Default Web Site" -ExternalURL http://www.domain.com/Microsoft-Server-ActiveSync 
Reference : http://technet.microsoft.com/en-us/library/aa997160.aspx 
 
0
 

Expert Comment

by:ranakular
ID: 33613021
I would also recommend looking at the following article:
http://discussions.apple.com/thread.jspa?threadID=1728784
0
 

Author Comment

by:jr4235
ID: 33617828
Ok, finally found the solution. Seemed to be a combination of problems... biggest was something left over from the failed install.

Had to go into the user container inside of ADSIEdit and delete the Activesync device. Here were the exact steps I took.

1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.

I may not have needed to replicate AD, but did anyway for good measure. I re-created the steps a second time just to be sure the solution worked too.

Thank you all for your help.

0
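A read-only check of the objects the steps above touch, added here as an example and not part of the original post: it reports whether inheritance is blocked on the user object and on its CN=ExchangeActiveSyncDevices container, who owns the container, and which device objects sit inside it with their creation dates. It assumes the RSAT ActiveDirectory module is available; the account name `jdoe` and the function name `Test-EasDeviceContainer` are placeholders.

```powershell
# Added example: read-only diagnostic, changes nothing in Active Directory.
# Assumes the ActiveDirectory module (provides the AD: drive used by Get-Acl).
param([string]$SamAccountName = 'jdoe')   # placeholder account name

Import-Module ActiveDirectory

function Test-EasDeviceContainer {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $user    = Get-ADUser -Identity $Identity
    $userAcl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # The container Exchange creates directly under the user object.
    $container = Get-ADObject -SearchBase $user.DistinguishedName `
        -SearchScope OneLevel -Filter 'Name -eq "ExchangeActiveSyncDevices"'

    $containerAcl = $null
    $devices      = @()
    if ($container) {
        $containerAcl = Get-Acl -Path ("AD:\" + $container.DistinguishedName)
        # Device partnerships; whenCreated helps spot leftovers that predate
        # the current Exchange installation.
        $devices = @(Get-ADObject -SearchBase $container.DistinguishedName `
            -SearchScope OneLevel -Filter * -Properties whenCreated |
            Select-Object Name, whenCreated)
    }

    New-Object PSObject -Property @{
        UserDN                      = $user.DistinguishedName
        # True means the "include inheritable permissions" box is unchecked.
        UserInheritanceBlocked      = $userAcl.AreAccessRulesProtected
        ContainerExists             = [bool]$container
        ContainerInheritanceBlocked = if ($containerAcl) { $containerAcl.AreAccessRulesProtected } else { $null }
        ContainerOwner              = if ($containerAcl) { $containerAcl.Owner } else { $null }
        Devices                     = $devices
    }
}

Test-EasDeviceContainer -Identity $SamAccountName | Format-List
```

Running it before step 1 and again after step 8 shows whether the old container and its device objects were actually replaced.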
 

Author Closing Comment

by:jr4235
ID: 33617854
Very helpful
0
 

Expert Comment

by:FontanaIT
ID: 41432747
I had a corrupt device listed in my CN=ExchangeActiveSyncDevices container and followed jr4235's directions for the resolution to the issue:


1. Disable Activesync on the Exchange account.
2. Uncheck inheritable permissions
3. Delete CN=ExchangeActiveSyncDevices from under my user container in ADSIEdit
4. Force AD Replication
5. Enable Activesync on my Exchange account
6. Check Inheritable permissions
7. Force AD Replication
8. Create Exchange profile on my iPhone.
0


Question has a verified solution.
