Solved

Exchange ActiveSync (2010) connectivity test fails with HTTP 401

Posted on 2010-11-29
Last Modified: 2012-06-27
Hello,

We just built a new 2010 CAS server after a problem with our original one and everything is working fine except activesync.  Mobile users cannot connect and using https://www.testexchangeconnectivity.com/, we get the following:

ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting the Autodiscover and Exchange ActiveSync test (if requested).
 Autodiscover was successfully tested for Exchange ActiveSync.
 Test Steps
 Attempting each method of contacting the Autodiscover service.
 The Autodiscover service was tested successfully.
 Test Steps
 Attempting to test potential Autodiscover URL https://mydomaiin.com/AutoDiscover/AutoDiscover.xml
 Testing of this potential Autodiscover URL failed.
 Test Steps
 Attempting to resolve the host name mydomain.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: 64.29.x.x

Testing TCP port 443 on host mydomain.com to ensure it's listening and open.
 The specified port is either blocked, not listening, or not producing the expected response.
  Tell me more about this issue and how to resolve it
 Additional Details
 A network error occurred while communicating with the remote host.
Exception details:
Message: No connection could be made because the target machine actively refused it 64.29.x.x:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

Attempting to test potential Autodiscover URL https://autodiscover.mydomain.com/AutoDiscover/AutoDiscover.xml
 Testing of the Autodiscover URL was successful.
 Test Steps
 Attempting to resolve the host name autodiscover.mydomain.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: 67.111.x.x

Testing TCP port 443 on host autodiscover.mydomain.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name autodiscover.mydomain.com was found in the Certificate Subject Alternative Name entry.

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.

Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 The certificate is valid. NotBefore = 11/29/2010 12:00:00 AM, NotAfter = 8/13/2011 11:59:59 PM

Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates isn't configured.

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
 Test Steps
 ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.mydomain.com/AutoDiscover/AutoDiscover.xml for user user@mydomain.com.
 The Autodiscover XML response was successfully retrieved.
 Additional Details
 Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:us</Culture>
<User>
<DisplayName>User</DisplayName>
<EMailAddress>user@mydomain.com</EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url>https://mail.mydomain.com/Microsoft-Server-ActiveSync</Url>
<Name>https://mail.mydomain.com/Microsoft-Server-ActiveSync</Name>
</Server>
</Settings>
</Action>
</Response>
</Autodiscover>

Validating Exchange ActiveSync settings.
 Exchange ActiveSync URL https://mail.mydomain.com/Microsoft-Server-ActiveSync was validated successfully.
Attempting to resolve the host name mail.mydomain.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: 67.111.x.x

Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name mail.mydomain.com was found in the Certificate Subject Alternative Name entry.

Validating certificate trust for Windows Mobile devices.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The certificate is trusted for Windows Mobile 5.0 and later versions. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Testing the certificate date to confirm the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 The certificate is valid. NotBefore = 11/29/2010 12:00:00 AM, NotAfter = 8/13/2011 11:59:59 PM

Checking the IIS configuration for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates isn't configured.

Testing HTTP Authentication Methods for URL https://mail.mydomain.com/Microsoft-Server-ActiveSync.
 The HTTP authentication methods are correct.
 Additional Details
 ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic

An ActiveSync session is being attempted with the server.
 Errors were encountered while testing the Exchange ActiveSync session.
 Test Steps
 Attempting to send the OPTIONS command to the server.
 Testing of the OPTIONS command failed. For more information, see Additional Details.
 Additional Details
 A Web exception occurred because an HTTP 401 - Unauthorized response was received from IIS7.



Any ideas as to what the culprit is would be greatly appreciated.

Thanks.
0
Question by:partners1998
 
LVL 2

Accepted Solution

by:
cclancy45 earned 500 total points
ID: 34233306
IIS Virtual Directory permissions problem would be my guess.

Is this server just a standalone CAS server (MB / HT on other servers)?
0
 

Author Comment

by:partners1998
ID: 34233624
Hi cclancy45,

This is a CAS/HT server with MB on another server.

Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34234751
If I click on the link to https://mail.yourdomain.com/Microsoft-Server-Activesync I get the following:

Meow! There has been an error.
Microsoft-Server-ActiveSync could not be found.  It also appears to not allow HTTPS to this site.

It looks like you have completely customised the default website (or someone has) and as a result, you may be redirecting items all over the place and causing yourself problems.

Does this sound about right?
0
 

Author Closing Comment

by:partners1998
ID: 34235482
Whoops, sorry but I changed our domain name to "mydomain" in order to disguise it. I had no idea it would lead to a real website. In any case, I figured out that I had conflicting permissions on the activesync virtual directory. So, cclancy45, you get the nod. Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34235497
Good accidental choice of website name - I will disguise it to protect their identity : )

Alan
0
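
The last two steps of the ExRCA report in the question (Basic is the only method offered, yet the OPTIONS command gets HTTP 401) can be re-run by hand after changing the virtual directory. This is an added example, not code from any poster or from ExRCA; the function names and result labels are made up for illustration, and the sample reply is constructed.

```python
import base64
import http.client
import ssl

def offered_schemes(www_authenticate):
    """Scheme names from a list of WWW-Authenticate header values, lowercased.
    Assumes one challenge per header line (a simplification)."""
    return {v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()}

def triage_options(status, headers, sent_basic):
    """Classify the reply to an ActiveSync OPTIONS request.
    headers: list of (name, value) pairs, as HTTPResponse.getheaders() returns."""
    names = {k.lower() for k, _ in headers}
    schemes = offered_schemes([v for k, v in headers if k.lower() == "www-authenticate"])
    if status == 200:
        # An ActiveSync endpoint advertises its protocol versions in this header.
        return "ok" if "ms-asprotocolversions" in names else "not-activesync"
    if status == 401:
        if not sent_basic:
            return "auth-required"      # ordinary challenge, nothing wrong yet
        if "basic" not in schemes:
            return "scheme-mismatch"    # Basic was sent but is not offered
        # The method matched, so the refusal is about the account or about
        # permissions on the virtual directory itself.
        return "rejected-after-basic"
    return "unexpected-%d" % status

def probe(host, user, password, path="/Microsoft-Server-ActiveSync"):
    """Send one OPTIONS request over certificate-verified TLS and triage it."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    conn = http.client.HTTPSConnection(host, 443, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("OPTIONS", path, headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        resp.read()
        return triage_options(resp.status, resp.getheaders(), sent_basic=True)
    finally:
        conn.close()

# Constructed reply matching the report: Basic is offered, OPTIONS still gets 401.
SAMPLE_401 = [("Content-Length", "0"),
              ("WWW-Authenticate", 'Basic realm="mail.mydomain.com"')]
```

Run `probe()` with a test mailbox rather than an administrator account, since Basic authentication sends the password to whatever host answers.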

Question has a verified solution.
