
Configuring Active Sync on Exchange 2003 for iPhones

Posted on 2011-02-15
Last Modified: 2012-05-11
We are running Exchange 2003 w/ SP2 on a Server 2003 box.  We are currently running FBA, using HTTPS with a Self signed certificate that we host on our server and all clients are able to connect with OWA.  We do not have a company BES server, so all users running Blackberry devices use Blackberry Internet Mail to get and receive emails on their phones.

We have a series of users that would like to begin using iPhones over Blackberrys for email.  We still want to make sure that all OWA connections are using SSL.  I have seen many articles and posts and confirmed my settings for the Exchange Virtual Directory and the ActiveSync Virtual directory.  But because I need to still have users access OWA via SSL, I needed to keep certificates enabled on the Exchange VD.  Is this going to be a problem???

Other than that, everything looks good.  Our internal domain is companyA.local while our public mail is CompanyB.com and our OWA is webmail.companyb.com/exchange.

I have run the Exchange Remote Connectivity Analyzer and it fails each time.  What am I missing?
Question by:itg_admin
36 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Please work your way through my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

OWA and Activesync are not related and both can happily use SSL (same certificate).

What errors are you getting on the test site?  My article covers what to do for the regular 401 / 403 / 500 errors.
 

Author Comment

by:itg_admin
Alanhardisty,

Thanks for the reply.  I reviewed your steps and will list below.  We are using OWA via SSL on a self certificate using SelfSSL.  On the Exchange Virtual Directory > Directory Security > Secure Communication we have "Require SSL and 128-bit checked" in order to use HTTPS.  Your instructions call for unchecking these two for this directory.  How will this work and still force HTTPS?

Steps
1.   Running Exchange V6.5 w/ SP2
2.   Confirmed port 443 is open using tool
3.   Active NIC is at top of binding order
4.   Exchange VD
          Authentication - good
          Default Domain - NETBIOS domain name (Contoso)
          Realm - should this match my certificate name we use for OWA?  (webmail.traders.com)
          IP Restrictions - good
          Security - listed concerns above about this
     Active Sync VD
          Authentication - good
          Default Domain - NETBIOS domain name (Contoso)
          Realm - Contoso
          IP Restrictions - good
          Security - SSL and 128-bit enabled
5.     ASP - v1.1.1322
6.     Keep Alives - good
7.     Not there and no IPV6
8.     Good          
 
LVL 76

Expert Comment

by:Alan Hardisty
If you want HTTPS on the Exchange virtual directory - you need to follow KB817379 (detailed in my article), to create an Exchange-OMA virtual Directory that doesn't use HTTPS.
 
LVL 76

Expert Comment

by:Alan Hardisty
Don't sweat the Realm / Domain - leave them as they are and only change if there is a problem.
 

Author Comment

by:itg_admin
Alanhardisty,

Ok, so I went through KB817379 and created the exchange-oma virtual directory from a copy of the original Exchange Virtual directory.  I disabled SSL and FBA before I copied to file.  I then created the new directory using the file and named it per article.  I then setup as described and went back to original Exchange VD and enabled SSL and 128 bit.  I restarted IIS and WWW services.  I then ran the Remote Connectivity Analyzer and below is what I get:

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name webmail.xxxxxxxx.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host webmail.xxxxxxxx.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Testing HTTP Authentication Methods for URL https://webmail.xxxxxxxx.com/Microsoft-Server-Activesync/.
       The HTTP authentication test failed.
       
      Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from IIS6. Body of the response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
</ul>
<h2>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>About Security</b>, <b>Limiting Access by IP Address</b>, <b>IP Address Access Restrictions</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

 
LVL 76

Expert Comment

by:Alan Hardisty
>> HTTP Error 403.6 - Forbidden: IP address of the client has been rejected <<

Suggests the virtual directories have IP Address restrictions configured on them.
 

Author Comment

by:itg_admin
Exchange VD - No IP Security settings

Exchange-OMA - Granted IP Address of Mail Server - per article

Microsoft -Server-ActiveSync - Granted IP Address of Mail Server - per article

Am I missing something else?
 

Author Comment

by:itg_admin
Just ran the test again and this time I am getting different results.  I chose the following:

Manual Settings
     Server - webmail.xxxxxxxx.com
     User - NETBIOS\username
     Password - confirmed

Sync not checked
Ignore Trust - checked

Results this time:

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name webmail.xxxxxxxx.com in DNS.
       The host name couldn't be resolved.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host webmail.xxxxxxxx.com couldn't be resolved in DNS Exception details:
Message: The requested name is valid, but no data of the requested type was found
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Dns.GetAddrInfo(String name)
at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()
 

Author Comment

by:itg_admin
Ok, I closed the site and relaunched the tool and ran it again and received similar results to the earlier test, with it failing at the ActiveSync Virtual Directory.  I removed the IP Granted permission pointing to the Mail Server and restarted IIS and tried again and it still failed.
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - so what results are you getting now?
 

Author Comment

by:itg_admin
New problem now.....I can't send email via OWA.  I create a message to myself and an outside account and when I click send the message is not delivered and does not appear in the Sent Items box.  I am trying to get someone in the office to see if this problem is happening with the Outlook client as well.  Any ideas on which of the changes that were made would cause this?
 

Author Comment

by:itg_admin
Disregard the mail issue.  I rebooted the server and OWA is now working without issue.  

Thanks again for your help on this Sync issue, but as I mentioned in my earlier post where it failed at ActiveSync, that's where I am stuck now.

Thanks
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - please can you post the full expanded results from the test site.
 

Author Comment

by:itg_admin
Just ran the test and here are the results:

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name webmail.xxxxxxxx.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 207.239.xxx.yy
      Testing TCP port 443 on host webmail.xxxxxxxx.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name webmail.xxxxxxxxx.com was found in the Certificate Subject Common name.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 2/16/2011 12:55:52 AM, NotAfter = 2/15/2014 12:55:52 AM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Testing HTTP Authentication Methods for URL https://webmail.xxxxxxxx.com/Microsoft-Server-Activesync/.
       The HTTP authentication test failed.
       
      Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from IIS6. Body of the response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
</ul>
<h2>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>About Security</b>, <b>Limiting Access by IP Address</b>, <b>IP Address Access Restrictions</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - seems to still be an IP restriction on one of the virtual directories:

"HTTP Error 403.6 - Forbidden: IP address of the client has been rejected"

Please check again and make sure all are unrestricted apart from exchange-oma which should only be the internal server IP and 127.0.0.1
 

Author Comment

by:itg_admin
Exchange VD
     Authentication and Access - Integrated and Basic
     IP Restrictions - Nothing listed
     Required SSL and 128-bit checked

Exchange-OMA VD
     Authentication and Access - Integrated and Basic
     IP Restrictions - 127.0.0.1 and SERVER IP listed as GRANTED
     Required SSL and 128-bit NOT checked

Microsoft-Server-ActiveSync VD
     Authentication and Access - Integrated and Basic
     IP Restrictions - Nothing listed
     Required SSL and 128-bit checked

 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - good, but there is an IP Address restriction somewhere.  Is it on the Default Website or maybe your firewall / router?
 

Author Comment

by:itg_admin
I checked every directory under Web Sites including Default Web Site and nothing but Exchange-OMA has an IP restriction showing.  As far as our firewall goes, we had no issues using OWA in the past on port 443 so what would I be looking at as far as ports required to be open?
 
LVL 76

Expert Comment

by:Alan Hardisty
Sounds like the router / firewall would be fine as Activesync uses port 443 as does OWA.

Do you have any other websites on your server and are they using port 80 / 443?
 

Author Comment

by:itg_admin
This server is a dedicated Exchange Server.  The only other rule I think we have in the firewall is allowing RDP from the outside directly to this server.  
 
LVL 76

Expert Comment

by:Alan Hardisty
Ignore the firewall - what about my other question?
 

Author Comment

by:itg_admin
Sorry, I thought I did when I said the server was a dedicated Exchange Server.  No, I am not running any other websites via IIS on this server.
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - something isn't right.

Can you please run the Connect to the Internet Wizard - change nothing and let the wizard complete.  Then re-test and see what results you get.

Thanks

Alan
 

Author Comment

by:itg_admin
Connect to Internet Wizard?? This is not SBS
 
LVL 76

Expert Comment

by:Alan Hardisty
Oh - sorry.  Working on too many questions!

Can you follow KB883380 then please - also delete exchange-oma virtual directory, restart the Exchange System Attendant service, the directories should re-appear and then follow KB817379 to create the Exchange-oma virtual directory again please.

http://support.microsoft.com/kb/883380

http://support.microsoft.com/kb/817379
 

Author Comment

by:itg_admin
So just to confirm what you want me to do here.  I should go ahead and delete the Exchange-OMA VD that I created.  Should I also go in and delete the registry key that was created?

Which method do you want me to use from KB883380?  Will this cause any issues with my current OWA environment that will require me to fix?
 
LVL 76

Expert Comment

by:Alan Hardisty
Yes - please delete the exchange OMA VDir and the registry key.

I use method 2 over and above any other method.

Worst case - you should be without OWA for 15 minutes whilst the VDir's are regenerated.

Disable FBA, disable SSL on the Exchange VDir, run IISRESET and then export the Exchange VDir to use for creating the exchange-oma VDir.

Then re-create exchange-oma and add the registry key.

Enable FBA and SSL on the Exchange VDir and then check IIS permissions as per my article, then test on the test site again please.

Need to get this wrapped up tonight / tomorrow as I am on holiday for a week from Friday morning and can't guarantee to be online much whilst I am away.
 

Author Comment

by:itg_admin
Ok, I completed all the steps from both articles and OWA was back up in a few minutes.  I am able to send emails without issue.  Below are the results of the test I just performed:

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name webmail.xxxxxxxx.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 207.239.xxx.yy
      Testing TCP port 443 on host webmail.xxxxxxxx.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name webmail.xxxxxxxx.com was found in the Certificate Subject Common name.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 2/16/2011 12:55:52 AM, NotAfter = 2/15/2014 12:55:52 AM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Testing HTTP Authentication Methods for URL https://webmail.xxxxxxxx.com/Microsoft-Server-Activesync/.
       The HTTP authentication methods are correct.
       
      Additional Details
       ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.
 

Author Comment

by:itg_admin
AlanHardisty,

Thanks for all your help so far, but I'm hoping to get this last failure resolved and find out why the OPTIONS command failed, if it's needed and how to resolve it.

Thanks,
 
LVL 76

Expert Comment

by:Alan Hardisty
401 error is usually incorrect username / password or IP address restrictions on one of the virtual directories being used.

Please check the settings and make sure all is configured correctly and you are entering the info in correctly.

FYI - I'm on holiday so replies will be slower than usual.
 

Author Comment

by:itg_admin
I checked the VD's and the permissions look correct.

Default Web Site
Anonymous Access - Enabled
Integrated Windows Authentication - Enabled
Basic Authentication - Not Enabled
No IP Restrictions
No SSL

Exchange VD
Anonymous Access - Not Enabled
Integrated Windows Authentication - Enabled
Basic Authentication - Enabled
No IP Restrictions
SSL - Enabled
128-bit - Enabled

Exchange-oma VD
Anonymous Access - Enabled
Integrated Windows - Enabled
Basic Authentication - Enabled
IP Restrictions set to Exchange Server IP and 127.0.0.1 (GRANTED)
SSL - Not Enabled

ExchWeb VD
Enable Anonymous Access - Enabled
Integrated - Not Enabled
Basic - Not Enabled
No IP Restrictions
No SSL

Microsoft-Server-ActiveSync VD
Anonymous Access - Not Enabled
Integrated Auth - Not Enabled
Basic Authen - Enabled
No IP Restrictions
No SSL

OMA VD
Anonymous Access - Not Enabled
Integrated Auth - Not Enabled
Basic Auth - Enabled
No IP Restrictions
No SSL

Please let me know if these are correct.

One other thing I have noticed is that when I get to my OWA logon screen (we are using FBA), if I enter just the username and then password and select Private I am able to login without issue.  But if I put it in the domain\username or username@domain format with the same password it fails to login.  The domain\username is the same format that the Sync Test application uses.  
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
What you should have set in IIS is as follows:

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany* (no more than 15 characters)
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany* (no more than 15 characters)
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked

Exchange-oma Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•      IP Address Restrictions = Restricted to IP Address of Server
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

As you are using FBA, you need Exchange-oma without SSL enabled and Exchange should have SSL enabled.
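An added example, not code from this thread, from Alan Hardisty's FAQ article or from Microsoft: a small offline checker for the two things the thread keeps returning to. `check_vdirs` compares an IIS 6 virtual-directory configuration against the settings in the accepted solution above, and `diagnose_exrca` maps an ExRCA HTTP result onto the cause the thread associates with it (403.6 = IP address restriction, 401 = credentials or IP restriction). The `VDirSettings` shape, the category names and both sample inputs (the asker's posted configuration and a trimmed copy of the IIS 403.6 error body) are my own constructions for the example.

```python
"""Added example (not from the thread): compliance and diagnosis helpers for
Exchange 2003 ActiveSync virtual directories behind forms-based authentication."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VDirSettings:
    """IIS 6 directory-security settings that matter for ActiveSync with FBA."""
    authentication: frozenset   # subset of {"anonymous", "integrated", "basic"}
    require_ssl: bool           # "Require secure channel (SSL)" ticked
    ip_restriction: str         # "granted" = unrestricted, "server_only" = server IP + 127.0.0.1


# Target configuration, transcribed from the accepted solution in this thread.
EXPECTED = {
    "Exchange": VDirSettings(frozenset({"integrated", "basic"}), True, "granted"),
    "Microsoft-Server-ActiveSync": VDirSettings(frozenset({"basic"}), True, "granted"),
    "Exchange-oma": VDirSettings(frozenset({"integrated", "basic"}), False, "server_only"),
}


def check_vdirs(actual: dict) -> list:
    """Return one finding per setting that deviates from EXPECTED (empty list = compliant)."""
    findings = []
    for name, want in EXPECTED.items():
        have = actual.get(name)
        if have is None:
            findings.append(f"{name}: virtual directory not found")
            continue
        if have.authentication != want.authentication:
            findings.append(f"{name}: authentication is {sorted(have.authentication)}, "
                            f"should be {sorted(want.authentication)}")
        if have.require_ssl != want.require_ssl:
            findings.append(f"{name}: Require SSL should be "
                            f"{'ticked' if want.require_ssl else 'NOT ticked'}")
        if have.ip_restriction != want.ip_restriction:
            findings.append(f"{name}: IP restriction is '{have.ip_restriction}', "
                            f"should be '{want.ip_restriction}'")
    return findings


# IIS 6 error pages carry the substatus in the body ("HTTP Error 403.6 - Forbidden: ...").
_SUBSTATUS = re.compile(r"HTTP Error (\d{3})\.(\d+)")


def diagnose_exrca(status: int, body: str = "") -> tuple:
    """Map an ExRCA HTTP result onto the cause the thread associates with it.

    Returns (category, hint); categories are ok, ip_restriction, credentials_or_ip, other.
    """
    m = _SUBSTATUS.search(body)
    substatus = int(m.group(2)) if m and int(m.group(1)) == status else None
    if status == 200:
        return ("ok", "OPTIONS accepted; the ActiveSync endpoint is reachable")
    if status == 403 and substatus == 6:
        return ("ip_restriction",
                "IIS 403.6: an IP address restriction is rejecting the client. Only "
                "Exchange-oma should be restricted (server IP and 127.0.0.1); check "
                "Exchange, Microsoft-Server-ActiveSync and the Default Web Site")
    if status == 401:
        return ("credentials_or_ip",
                "401: wrong username/password (use NETBIOS\\username) or an IP "
                "restriction on one of the virtual directories in use")
    return ("other", f"HTTP {status}{'.' + str(substatus) if substatus else ''}: "
                     "see the 401/403/500 sections of the FAQ article")


# Constructed sample: the asker's configuration as posted before the accepted solution.
ASKER_CONFIG = {
    "Exchange": VDirSettings(frozenset({"integrated", "basic"}), True, "granted"),
    "Exchange-oma": VDirSettings(frozenset({"anonymous", "integrated", "basic"}), False, "server_only"),
    "Microsoft-Server-ActiveSync": VDirSettings(frozenset({"basic"}), False, "granted"),
}

# Constructed sample: a trimmed copy of the IIS 6 error body ExRCA quoted in the thread.
IIS_403_6_BODY = ("<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD>"
                  "<BODY><h2>HTTP Error 403.6 - Forbidden: IP address of the client has been "
                  "rejected.<br>Internet Information Services (IIS)</h2></BODY></HTML>")

if __name__ == "__main__":
    for line in check_vdirs(ASKER_CONFIG):
        print("finding:", line)
    print(diagnose_exrca(403, IIS_403_6_BODY))
    print(diagnose_exrca(401))
```

Run against the asker's posted settings, the checker flags exactly the two deviations from the accepted solution: anonymous access enabled on Exchange-oma, and Require SSL not ticked on Microsoft-Server-ActiveSync. The substatus parser only trusts the body when its three-digit code agrees with the HTTP status, so a cached or proxied error page for a different status is not misread as an IP restriction.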
 

Author Comment

by:itg_admin
I was checking other references online (articles written about this) and in some they recommended changing some settings.  But I followed your original articles and posted the results earlier prior to making any changes I listed above.  I have gone ahead and changed everything so that it looks exactly like what you have listed above and rebooted the Exchange Server.

I have two questions for you.
1.   My company's internal domain name is xxxx.local.
2.   My company's external domain registered, and what we use for OWA is yyyyy.com.  Or for OWA, is webmail.yyyy.com/exchange

We publish our own SSL certificate, which appears in all the Virtual directories as webmail.yyyy.com.

When you listed above the NETBIOS name for Default Domain and REALM, that would be just xxxx correct?  And when you listed yourcompanyname.com, should that be again my DOMAIN name of xxxx or would that be yyyy.com?  

Also, when I re-ran the Sync Test, I entered xxxx.local\username with the password, instead of just xxxx\username, and this time the results passed the OPTIONS response test but failed with a 403 forbidden response error.
 
LVL 76

Expert Comment

by:Alan Hardisty
The domain and realm are not mission critical, but yes, what you have said is correct.

Are you using ports 80 and 443 on your default website?  Using any other ports will break Activesync.

Have you added the registry key for the exchange-oma virtual directory mentioned in kb817379?
 
LVL 76

Expert Comment

by:Alan Hardisty
FYI - you may read other articles about Activesync but without sounding too big-headed, mine is probably the best resource available on the web and has been plagiarised many times and has been accepted in over 200 questions on EE and is the top visited page on my blog (alanhardisty.wordpress.com).
 

Author Closing Comment

by:itg_admin
Never replied back to finish resolving the errors