Solved

Cannot Connect to Exchange 2010 Server using Active Sync

Posted on 2010-09-08
Last Modified: 2012-05-10
I have a new Exchange 2010 server that I am trying to connect to via ActiveSync.  Presently I am still using my old Exchange 2003 server for this without any trouble.  When I go into my firewall and point port 80 to the new Exchange IP address I get a "cannot connect to server" error.  As soon as I switch back to the old server I can connect without any issues.  Outlook Web Access does work when I make the IP switch for port 80 on the new server.

Thoughts?  The error says cannot connect to server.
Question by:stacystyles
20 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33629473
Why are you using port 80 (HTTP - not secure) for ActiveSync? You should be using port 443 (HTTPS - Secure HTTP).
Have you forwarded port 443 too?
0
 
LVL 6

Expert Comment

by:Gunter17
ID: 33629557
Alanhardisty is correct; by default Exchange 2010 will use HTTPS (443) for OWA. You can manually change it in the Client Access portion of Exchange Management Console.
0
 
LVL 3

Expert Comment

by:SangramGohil
ID: 33629566
Test ActiveSync with the following URL and post the logs here:

https://www.testexchangeconnectivity.com/

0
 

Author Comment

by:stacystyles
ID: 33629572
Right now I am testing it this way as we do not have SSL enabled on our old server and just want to get connectivity working.
0
 

Author Comment

by:stacystyles
ID: 33630039
ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
 
Test Steps
        
Attempting to resolve the host name mail.acuotech.com in DNS.
       Host successfully resolved
        
Additional Details

 
Testing TCP Port 443 on host mail.acuotech.com to ensure it is listening and open.
       The port was opened successfully.
 
ExRCA is testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Test Steps
        
The certificate name is being validated.
       Certificate name validation failed.
         Tell me more about this issue and how to resolve it

        
Additional Details
       Host name mail.acuotech.com does not match any name found on the server certificate CN=WMSvc-EXCHANGE





0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33630476
You would be best advised to purchase a 3rd party SSL certificate from somewhere like GoDaddy.com (about the cheapest) and install that on your server to make life easier.

You will need a Multi-Name cert (SAN / UCC) to work properly and will need the following names included:

mail.yourdomain.com
Autodiscover.yourdomain.com
Internalservername.internaldomain.local
Internalservername

An SSL certificate will make life much easier and will mean no certificate errors for any Exchange functions.

The default Exchange 2010 SSL certificate is not ideal.
0
 
LVL 3

Expert Comment

by:SangramGohil
ID: 33631014
That looks like a certificate problem. Try to ignore certificate trust and check again to see if that works.

And alanhardisty is correct on the rest of the part.
0
 

Author Comment

by:stacystyles
ID: 33631741
I did check ignore certs and it still did that.  I have ordered a cert from Go Daddy and will let you know tomorrow, when I get it, how it looks.
0
 

Author Comment

by:stacystyles
ID: 33637956
Ok I purchased a Cert from Go Daddy and this is what I get now.

 ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.acuotech.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 173.11.47.241
 
 Testing TCP Port 443 on host mail.acuotech.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   The certificate name is being validated.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
 
 
 
 
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33638054
Your certificate is issued to acuotech.com and you are trying to access mail.acuotech.com - they need to match and they need to resolve to the IP of your Exchange server.
Did you buy a SAN / UCC (Multi-Name) certificate - minimum 5 names, or a single name certificate as per my previous comment?
Your certificate should be named mail.acuotech.com for things to work properly.  You can either re-key the certificate if it is a SAN / UCC certificate or if only a single name certificate, you bought the wrong certificate.
0
 

Author Comment

by:stacystyles
ID: 33638175
I bought the Multi Name min 5 names cert.  Where do I rekey the cert at?  
0
 
LVL 3

Expert Comment

by:SangramGohil
ID: 33638290
You got subject alternative names as:

DNS Name=acuotech.com
DNS Name=www.acuotech.com


You need to correct the subject alternative names.

You will need to add:

DNS Name=mail.acuotech.com
DNS Name=autodiscover.acuotech.com
DNS Name=<internalservername> (required for internal use: Outlook etc.)
DNS Name=<internalserver FQDN>
0
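Added example (not part of the thread, and not any participant's code): the name check that ExRCA reports as failing above, reproduced offline in Python. It takes a certificate as a dict shaped like the one `ssl.SSLSocket.getpeercert()` returns and lists which required host names no certificate name covers; the three sample certificates are constructed from names quoted in the thread, and the SAN list of the re-keyed one is an assumption.

```python
"""Added example: which required host names does a certificate cover?"""


def cert_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output.

    Falls back to the subject commonName only when the certificate has
    no DNS subjectAltName entries at all.
    """
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def missing_names(cert, required):
    """Required host names that no name on the certificate covers."""
    names = cert_dns_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]


# Constructed sample data, built from names quoted in the thread.
REQUIRED = ["mail.acuotech.com", "autodiscover.acuotech.com"]
DEFAULT_CERT = {"subject": ((("commonName", "WMSvc-EXCHANGE"),),)}
FIRST_ISSUE = {
    "subject": ((("commonName", "acuotech.com"),),),
    "subjectAltName": (("DNS", "acuotech.com"), ("DNS", "www.acuotech.com")),
}
REKEYED = {  # assumed SAN list after the re-key
    "subject": ((("commonName", "mail.acuotech.com"),),),
    "subjectAltName": (("DNS", "mail.acuotech.com"),
                       ("DNS", "autodiscover.acuotech.com")),
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT),
                        ("first issue", FIRST_ISSUE), ("re-keyed", REKEYED)):
        print(label, "missing:", missing_names(cert, REQUIRED) or "none")
```

Running the same check against the internal server name and its FQDN before enabling a certificate shows whether internal Outlook clients will also see a name mismatch.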
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33638317
Thanks SangramGohil - I covered that here (ID: 33630476).
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33638368
Visit https://www.digicert.com/easy-csr/exchange2007.htm
Follow the prompts to put in the correct details.  Copy the output to a file, copy the file to the server, run the output in the Exchange Management Shell and this will generate a new Certificate Signing Request.
Copy the contents of the Certificate Signing Request into GoDaddy's website where you can re-key the certificate, wait for the certificate, import the certificate, repair the private key (it won't have one and won't allow you to enable it), then enable the certificate and then test again.
Take it step by step and I'll offer relevant instructions at each stage.
0
 

Author Comment

by:stacystyles
ID: 33639480
I called Go Daddy and the problem was that none of the names took.  I am awaiting approval for the new one to be downloaded.
0
 

Author Comment

by:stacystyles
ID: 33639656
Summary: 2 item(s). 1 succeeded, 1 failed.
Elapsed time: 00:00:00


Read file
Completed

Exchange Management Shell command completed:
Read binary stream from the file 'C:\Users\administrator.GALAXY\Desktop\certs\acuotech.com.crt'.

Elapsed Time: 00:00:00


acuotech.com.crt
Failed

Error:
Cannot import certificate. A certificate with the thumbprint A0FFF5041BCB4E5012C74AF93FE6D337C4B6CD4E already exists.

Exchange Management Shell command attempted:
Import-ExchangeCertificate -Server 'EXCHANGE' -FileData '<Binary Data>'

Elapsed Time: 00:00:00

0
 

Author Comment

by:stacystyles
ID: 33640630
Talked with GD and now the cert is installed and I am going to test the connection.
0
 

Author Comment

by:stacystyles
ID: 33640670
ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.47.241

Testing TCP Port 443 on host mail.acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname mail.acuotech.com in Certificate Subject Alternative Name entry

Validating certificate trust for Windows Mobile Devices
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 Certificate is only trusted on Windows Mobile 5.0 AKU2 (MSFP) and later. Windows Mobile 5.0 devices will not be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/9/2010 7:31:06 PM, NotAfter = 9/9/2013 2:08:54 PM"



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://mail.acuotech.com/Microsoft-Server-Activesync/
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

An ActiveSync session is being attempted with the server.
 Errors were encountered while testing the ActiveSync session
 Test Steps
 ExRCA is attempting to send the OPTIONS command to the server.
 OPTIONS response was successfully received and is valid
 Additional Details
 Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.0
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Thu, 09 Sep 2010 19:41:08 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET



ExRCA is attempting the FolderSync command on the Exchange ActiveSync session.
 The test of the FolderSync command failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 Exchange ActiveSync returned an HTTP 500 response.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 33640805
Please check your inherited permissions (have a read through my article) and make sure that the Inherited check box is selected then run the test again:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html
0
 

Author Closing Comment

by:stacystyles
ID: 33646039
Thank you very much.  This did the trick.
0
