Asked by academynetworks

iPad will not sync for some users


We have an SBS 2003 server with Exchange SP2 that will not sync certain users on iPad and presumably iPhone too. Outlook Anywhere is fine, as is OWA. No newly created users will sync, and neither will users created after a certain date (no idea what that date might be, but the original users all seem fine - users created in the last 6 months to a year seem to be affected).

Have been working on this for several days so have tried lots of things too numerous to list in full (or even remember!). Some of these are below:

Checked over IIS virtual directory permissions, SSL settings, and IP block lists
Tried various accounts inc creating new accounts and copying existing accounts that work to try and ensure permissions are the same
Checked AD security is being inherited (allow inheritable permissions tick box on AD account security)
Used to test: On good accounts, all tests passed. On bad accounts all ok except for this entry:
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
Tried various Google searches based on the above testexch error and event in notes section below.

I am currently suspecting this may be down to the answer in this thread: 

I'm guessing the very last post could be the answer, but I'm blowed if I can work out how to access the NON_IPM_SUBTREE as he managed to do. I tried to access it both via Explorer, using "subst m: \\.\BackOfficeStorage" to temporarily create the M drive, and via HTTP, but via Explorer it seems to be hidden and via HTTP I either get a blank page or I get permission denied.

Whenever the iPad tries to sync I get:
Event ID: 3005 - Unexpected Exchange mailbox Server error: Server: [] User: [] HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.
IIS log:
2010-12-31 17:59:22 W3SVC1 OPTIONS /Microsoft-Server-ActiveSync &Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 443 company\ Apple-iPad1C1/803.148 200 0 0
2010-12-31 17:59:22 W3SVC1 PROPFIND /exchange-oma/ - 80 - Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2010-12-31 17:59:22 W3SVC1 PROPFIND /exchange-oma/ - 80 company\ Microsoft-Server-ActiveSync/6.5.7638.1 409 0 0
2010-12-31 17:59:22 W3SVC1 MKCOL /exchange-oma/ - 80 - Microsoft-Server-ActiveSync/6.5.7638.1 403 0 0
2010-12-31 17:59:22 W3SVC1 POST /Microsoft-Server-ActiveSync 443 company\ Apple-iPad1C1/803.148 403 0 0

Any thoughts gratefully received!

Many thanks

Stephan Torcy
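
Added example (not part of the original post): a small Python reader for the IIS log excerpt above that pairs the device's 403 with the errors the server-side sync component (user agent Microsoft-Server-ActiveSync/6.5.7638.1) received from /exchange-oma/ in the same second. The function names, the same-second join and the treatment of an anonymous 401 as a challenge are assumptions made for this illustration.

```python
from collections import defaultdict

# The five IIS log lines from the post above, with the shortened field set shown there.
SAMPLE_LOG = r"""
2010-12-31 17:59:22 W3SVC1 OPTIONS /Microsoft-Server-ActiveSync &Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 443 company\ Apple-iPad1C1/803.148 200 0 0
2010-12-31 17:59:22 W3SVC1 PROPFIND /exchange-oma/ - 80 - Microsoft-Server-ActiveSync/6.5.7638.1 401 1 0
2010-12-31 17:59:22 W3SVC1 PROPFIND /exchange-oma/ - 80 company\ Microsoft-Server-ActiveSync/6.5.7638.1 409 0 0
2010-12-31 17:59:22 W3SVC1 MKCOL /exchange-oma/ - 80 - Microsoft-Server-ActiveSync/6.5.7638.1 403 0 0
2010-12-31 17:59:22 W3SVC1 POST /Microsoft-Server-ActiveSync 443 company\ Apple-iPad1C1/803.148 403 0 0
"""

FRONT_END = "/microsoft-server-activesync"   # what the device talks to
BACK_END = "/exchange-oma"                   # what the sync component calls in turn


def parse_line(line):
    """Parse one request line; return None for blanks, #directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 10 or not all(p.isdigit() for p in parts[-3:]):
        return None
    # Leading fields are fixed; trailing ones are read from the end because the
    # query-string column is missing on some lines in the post.
    return {"when": f"{parts[0]} {parts[1]}", "method": parts[3], "uri": parts[4].lower(),
            "user": parts[-5], "agent": parts[-4], "status": int(parts[-3])}


def failed_syncs(log_text):
    """Pair each device request answered with 403 with the back-end failures
    logged in the same second (a coarse join: assumes a quiet server)."""
    by_second = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_second[rec["when"]].append(rec)
    findings = []
    for when, recs in sorted(by_second.items()):
        # Assumption: a 401 with no user name is the auth challenge, not a failure.
        backend = [(r["method"], r["status"]) for r in recs
                   if r["uri"].startswith(BACK_END) and r["status"] >= 400
                   and not (r["status"] == 401 and r["user"] == "-")]
        for r in recs:
            if r["uri"].startswith(FRONT_END) and r["status"] == 403:
                findings.append({"when": when, "device": r["agent"], "backend": backend})
    return findings


if __name__ == "__main__":
    for f in failed_syncs(SAMPLE_LOG):
        print(f["when"], f["device"], "403; back-end errors:", f["backend"])
```

On the excerpt this reports one denied sync with PROPFIND 409 and MKCOL 403 behind it, so the refusal seen by the iPad lines up with the server's own requests to /exchange-oma/ failing.
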
Alan Hardisty

Please have a read of my Exchange 2003 / ActiveSync article and check your IIS settings. It sounds like something is not configured correctly and although it works for some, I have seen this happen when the configuration is wrong.

If you get stuck anywhere, please ask.

academynetworks

Ah I was working through your guide earlier from your blog! Just noticed I didn't get to the end though - I got distracted when I ran the tests. I went off trying to find fixes for the errors myself. I will finish working through that tomorrow as I see there is an area that specifically mentions some of the errors I am getting.

Many thanks

The errors you will get (generally) are HTTP 400 / HTTP 401 or HTTP 500.  The 400 errors are usually fixed by KB817379 - the 401 Errors are usually incorrect username / Password or IP Address Restrictions and the HTTP 500 errors are numerous and I have some more to add to my article and Blog as of the end of a telephone conversation with Microsoft which I have about 5 questions / customers holding on for!

My article should hopefully get you resolved unless you have a persistent HTTP 500 error - in which case, the New Year should bring some more assistance.

Shout if you need more help - I am not too far away : )

Best wishes

This may be very simple, but please check that you have allowed access to the Outlook Web Access for the users created where this doesn't work, and also in the Microsoft-ActiveSync web site in IIS, check the access permissions of that site. Are the new users in a group that has access to this site?

I worked through your FAQ again Alan and double checked all the settings are ok. Couple of questions though:

When you list permissions of the IIS virtual folders, you don't mention whether anon access should be enabled / disabled for each one so I have left them as is. Will they not affect anything if they are set wrongly?

Also, you say for the Exchange virtual dir, the realm should be set to "" - is this the local domain or web domain i.e. company.local or (as in the same domain as the HTTPS URL would be set to?) I'm guessing it's the .local address as that's what's on offer if I click the realm select button.

More for my interest than anything, is there a simple reason that the settings for SSL for Exchange & SBS Exchange are exact opposites? (Exchange = require SSL not ticked, SBS Exchange = require SSL is ticked) I didn't think they were that different?

Didn't mention before, but the cert is a proper purchased cert.

I installed activesync tester on my iPad - great tool! It said "Activesync is NOT available. (Activesync detected, but access denied. [HTTP 403: Disabled for this user])"

I ran through the pages to check mobilesync is switched on for the user & domain (although we know it's on for the domain as this only affects certain users) and it's ok for both.

Checked forms based auth which seems to be off - it's all greyed out but only basic seems to be selected.

Also as noted, I do indeed get the
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
errors on the exch tests, but only for the affected users from what I can see.

It's almost as if it shows as having mobile switched on but it's actually off for certain users.

I don't really fancy running isinteg / eseutil if at all possible. I think we might just decide to go with IMAP if it comes to all that! This is one user on an iPad - everyone else is on BES so if it comes to it we might decide it's not worth the work. Would be nice to have it available though.

Many thanks

CSIPComputing: As above, I've checked the users have access and that seems to be ok. When you say check access permissions for the site, do you mean for the dir that the activesync virtual dir links to in Explorer? If so it points to: C:\Program Files\Exchsrvr\OMA\Sync. This dir has permissions for:

admins (full control)
authenticated users (read)
creator owner (special)
server ops (everything except full)
system (full control)

I'm guessing this means they have read access but not write - is this ok?

Hi again,

What I mean is: in the IIS site (which I've now had a chance to check) make sure that you have no IP address restrictions and turn off anonymous access, turn on basic authentication.

Looking closer at your error, check that in ADUC your affected users are allowed access to all protocols and features.

I.e. Properties of the user, then exchange features, then check all are enabled. If some users have no problems, but all others created recently have problems, this is the setting I'd be checking.

If you've checked this already, apologies.

And I am dumb. I checked forms based auth in the wrong place - I mistakenly checked it under Exchange system manager > blah blah > HTTP > exchange virtual server > exchange when I should have checked it just under exchange virtual server. It was ticked on. Ticked it off then reset IIS and it's all ok now.

I also unchecked anon at the same time in IIS for three of the four IIS virtual dirs you mention so it could have been that but I think the above forms auth was the biggest change I made so I'm guessing that was key.

Thanks to both for your suggestions & patience! :)