Solved

iPhones stopped syncing with Exchange

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a back end Exchange server 2003 and a front end Windows server 2003 that handles my OWA and iPhone stuff. The iPhones were working fine and then yesterday afternoon the iPhones popped up the error: "Cannot Get Mail" The connection to the server has failed. My Outlook web access is working fine. When I logged in to take a look at my front end server I was critically low on C drive space so I'm wondering if something got corrupted?

I am getting the following 3 things in the event log:



Event Type:      Error
Event Source:      EXPROX

Event Category:      None
Event ID:      1001

 Microsoft Exchange Server has detected that Basic Authentication is being attempted between this server and server 'PXXX-YYYYVR'.  This authentication mechanism  is not secure and it is not supported between front-ends and back-ends.  If this condition persists, please verify that server 'PXXX-YYYYVR' is properly  configured to use Integrated Windows Authentication for each virtual directory  used by Exchange.  After applying any changes it may be necessary to restart Internet Information  Services on both the front-end and back-end servers.  



Event Type:      Error
Event Source:      Server ActiveSync

Event Category:      None
Event ID:      3031

Description:
The mailbox server [PXXX-YYYYVR] does not allow "Negotiate" authentication to its [exchange] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).   For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383).   This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

Event Type:      Warning
Event Source:      MSExchangeIS Mailbox Store

Event Category:      MTA Connections
Event ID:      2000

Description:
Verify that the Microsoft Exchange MTA service has started. Consecutive ma-open calls are failing with error 3051.

-------------------------------------------------------------------------------------------------
I had this happen once in the past and the solution was that Integrated Windows Authentication had been unchecked in the Authentication and Access control for my Exchange Virtual Directory. I have checked over my settings for Exchange Virtual directory and Microsoft ActiveSync and they are:

Exchange Virtual Directory
• Authentication = Integrated & Basic

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic

I have completely removed SSL from the picture just to see if I can get them connecting again.

Any help steering me in the right direction would be greatly appreciated. Thanks


Question by:sdreiske

Accepted Solution

by:
Alan Hardisty earned 500 total points
Please compare your IIS settings to my Exchange 2003 / Activesync Article and make sure they are correct:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Once checked - run the test on the test site mentioned and fix any errors from the relevant section and if you get stuck or have any questions, please feel free to ask.

Alan

Expert Comment

by:waleeda
Check if you changed your password and forgot to change it on the iPhone.

Expert Comment

by:MegaNuk3
You will probably find the logfiles are taking all the space under c:\windows\logfiles, particularly the W3SVC folder (IIS logfiles). If you notice extremely large log files for recent days, then this is normally caused by phones trying to synch a corrupt item over and over again...

I recommend installing this hotfix http://support.microsoft.com/kb/957191 and then, if the problem persists, to go through Alan's great article.

0
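
The pattern described in the comment above (one phone repeating the same sync request until the W3SVC logs fill the disk) can be checked in the IIS logs themselves. The following is an added example, not part of the original thread: it tallies ActiveSync requests per user and device from an IIS W3C extended log and lists devices that repeat one command and status. The sample log lines, the 25-request threshold and the function names are assumptions, and it assumes cs-uri-query is logged and carries the User, DeviceId and Cmd parameters.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format; users, device IDs and IPs are made up.
FIELDS = "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus\n"
RETRY = ("2011-03-15 14:05:00 POST /Microsoft-Server-ActiveSync "
         "User=bob&DeviceId=ApplDEVICE0002&DeviceType=iPhone&Cmd=Sync bob 192.0.2.11 500 0\n")
SAMPLE_LOG = FIELDS + (
    "2011-03-15 14:01:02 POST /Microsoft-Server-ActiveSync "
    "User=alice&DeviceId=ApplDEVICE0001&DeviceType=iPhone&Cmd=Sync alice 192.0.2.10 200 0\n"
    "2011-03-15 14:02:10 GET /exchange/alice/Inbox - alice 192.0.2.20 200 0\n"
    "2011-03-15 14:03:30 OPTIONS /Microsoft-Server-ActiveSync - - 192.0.2.12 401 2\n"
) + RETRY * 40

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def activesync_summary(lines):
    """Map (user, device id) -> Counter of (command, 'status.substatus')."""
    summary = defaultdict(Counter)
    for row in parse_w3c(lines):
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        query = parse_qs(row.get("cs-uri-query", ""))
        first = lambda name: query.get(name, ["-"])[0]
        status = f'{row.get("sc-status", "-")}.{row.get("sc-substatus", "0")}'
        summary[(first("User").lower(), first("DeviceId"))][(first("Cmd"), status)] += 1
    return summary

def noisy_devices(summary, threshold=25):
    """Devices that repeated one command/status pair at least `threshold` times."""
    hits = []
    for device, tally in summary.items():
        (cmd, status), count = tally.most_common(1)[0]
        if count >= threshold:
            hits.append((device, cmd, status, count))
    return sorted(hits, key=lambda hit: -hit[3])

if __name__ == "__main__":
    for hit in noisy_devices(activesync_summary(SAMPLE_LOG.splitlines())):
        print(hit)
```

Passing an open log file instead of the sample works the same way, since the parser only iterates over lines; the status tally also shows which devices are collecting 401 responses.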
 

Author Comment

by:sdreiske
Thanks everyone. Alan, I am working my way down your list and so far everything checks out, but when I ran the connection test I got this feedback. Where in IIS do I tell it to Ignore Client Certificates?


Checking the IIS configuration for client certificate authentication.
       Client certificate authentication was detected.
       
      Additional Details
       Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.


      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.pdsi.us in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 72.16.209.50
      Testing TCP port 443 on host mail.pdsi.us to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name mail.pdsi.us was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       The test passed with some warnings encountered. Please expand the additional details.
       
      Additional Details
       The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 8/21/2009 3:22:56 PM, NotAfter = 8/21/2011 3:22:56 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication was detected.
       
      Additional Details
       Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.




Expert Comment

by:Alan Hardisty
IIS Manager > Default Website > Microsoft-exchange-activesync virtual directory > Properties > Directory Security, 3rd Edit button.

Author Comment

by:sdreiske
Thanks Alan, I fixed that and ran the test again and now I am getting this error. Any thoughts?

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.pdsi.us in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 72.16.209.50
      Testing TCP port 443 on host mail.pdsi.us to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name mail.pdsi.us was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       The test passed with some warnings encountered. Please expand the additional details.
       
      Additional Details
       The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 8/21/2009 3:22:56 PM, NotAfter = 8/21/2011 3:22:56 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Testing HTTP Authentication Methods for URL https://mail.pdsi.us/Microsoft-Server-Activesync/.
       The HTTP authentication methods are correct.
       
      Additional Details
       ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.

Expert Comment

by:Alan Hardisty
Okay - the 401 error is usually:

1. Incorrect username / password (might want to force a password change to one you know to make sure you are using the right one)

2. IP Address restrictions set incorrectly on the IIS Virtual Directories.

See my article for the right settings:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Expert Comment

by:ash007
Please check if you have Integrated authentication enabled on the Exchange virtual directory in IIS Manager on the back-end server.

Go to IIS Manager -> Properties of Exchange virtual directory -> Directory Security

Expert Comment

by:MegaNuk3
My money is on the IP address restriction.

Please remove IP address restrictions on the Exchange directories (and the exchange-oma VD if you have them) on FE and BE. Once ActiveSync is working properly you can put them back on again.

Author Closing Comment

by:sdreiske
Had to reset the default virtual directories and check the settings.