sdreiske


iPhones stopped syncing with Exchange

I have a back end Exchange server 2003 and a front end Windows server 2003 that handles my OWA and iPhone stuff. The iPhones were working fine and then yesterday afternoon the iPhones popped up the error: "Cannot Get Mail" The connection to the server has failed. My Outlook web access is working fine. When I logged in to take a look at my front end server I was critically low on C drive space so I'm wondering if something got corrupted?

I am getting the following 3 things in the event log:



Event Type:      Error
Event Source:      EXPROX

Event Category:      None
Event ID:      1001

 Microsoft Exchange Server has detected that Basic Authentication is being attempted between this server and server 'PXXX-YYYYVR'.  This authentication mechanism  is not secure and it is not supported between front-ends and back-ends.  If this condition persists, please verify that server 'PXXX-YYYYVR' is properly  configured to use Integrated Windows Authentication for each virtual directory  used by Exchange.  After applying any changes it may be necessary to restart Internet Information  Services on both the front-end and back-end servers.  



Event Type:      Error
Event Source:      Server ActiveSync

Event Category:      None
Event ID:      3031

Description:
The mailbox server [PXXX-YYYYVR] does not allow "Negotiate" authentication to its [exchange] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).   For information about how to properly configure IIS to support Kerberos and NTLM authentication, see Microsoft Knowledge Base article 215383, "How To Configure IIS to Support Both Kerberos and NTLM Authentication" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=215383).   This issue may occur after installing Windows SharePoint Services on a server running Exchange Server 2003. For information about how to properly configure a server to run both Windows SharePoint Services and Exchange Server 2003, see Microsoft Knowledge Base article 823265, "You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823265).

Event Type:      Warning
Event Source:      MSExchangeIS Mailbox Store

Event Category:      MTA Connections
Event ID:      2000

Description:
Verify that the Microsoft Exchange MTA service has started. Consecutive ma-open calls are failing with error 3051.

-------------------------------------------------------------------------------------------------
I had this happen once in the past and the solution was that Integrated Windows Authentication had been unchecked in the Authentication and Access control for my Exchange Virtual Directory. I have checked over my settings for Exchange Virtual directory and Microsoft ActiveSync and they are:

Exchange Virtual Directory
• Authentication = Integrated & Basic

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic

I have completely removed SSL from the picture just to see if I can get them connecting again.

Any help steering me in the right direction would be greatly appreciated. Thanks


ASKER CERTIFIED SOLUTION
Alan Hardisty
Check if you changed your password and forgot to change it on the iPhone.

You will probably find the log files are taking all the space under c:\windows\logfiles, particularly the W3SVC folder (IIS log files). If you notice extremely large log files for recent days, then this is normally caused by phones trying to sync a corrupt item over and over again...

I recommend installing this hotfix http://support.microsoft.com/kb/957191 and then, if the problem persists, going through Alan's great article.
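To check the IIS log theory above before deleting anything, the W3SVC logs can be summarised per device and per failure code. This is an added example, not part of any post in this thread; the sample log lines, device IDs and the repeat threshold are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2010-03-02 14:01:10 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl111&DeviceType=iPhone&Cmd=Sync alice 192.0.2.10 200 0
2010-03-02 14:01:12 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl111&DeviceType=iPhone&Cmd=Sync alice 192.0.2.10 200 0
2010-03-02 14:01:14 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl111&DeviceType=iPhone&Cmd=Sync alice 192.0.2.10 200 0
2010-03-02 14:01:16 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl111&DeviceType=iPhone&Cmd=Sync alice 192.0.2.10 200 0
2010-03-02 14:02:00 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=Appl222&DeviceType=iPhone&Cmd=Sync bob 192.0.2.11 200 0
2010-03-02 14:02:05 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=Appl222&DeviceType=iPhone&Cmd=Sync - 192.0.2.11 401 1
2010-03-02 14:03:00 OPTIONS /Microsoft-Server-ActiveSync - - 198.51.100.7 401 2
2010-03-02 14:03:01 OPTIONS /Microsoft-Server-ActiveSync - - 198.51.100.7 401 2
2010-03-02 14:04:00 GET /exchange/alice/Inbox - alice 192.0.2.10 200 0
"""

# IIS status.substatus codes relevant to this kind of failure.
SUBSTATUS = {
    "401.1": "logon failed (bad credentials)",
    "401.2": "logon failed due to server configuration",
    "401.3": "denied by ACL on the resource",
    "403.6": "client IP address rejected",
}

def parse_w3c(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def activesync_summary(rows, repeat_threshold=3):
    """Return (devices with many successful Sync calls, failures per device/code)."""
    syncs, failures = Counter(), Counter()
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue  # skip OWA and other virtual directories
        query = parse_qs(r["cs-uri-query"])
        device = query.get("DeviceId", ["?"])[0]
        if r["sc-status"].startswith(("4", "5")):
            failures[(device, f'{r["sc-status"]}.{r["sc-substatus"]}')] += 1
        elif query.get("Cmd", [""])[0] == "Sync":
            syncs[device] += 1
    noisy = {d: n for d, n in syncs.items() if n >= repeat_threshold}
    return noisy, dict(failures)

if __name__ == "__main__":
    noisy, failures = activesync_summary(parse_w3c(SAMPLE_LOG))
    print("repeat syncers:", noisy)
    for (device, code), n in failures.items():
        print(device, code, SUBSTATUS.get(code, "see IIS substatus list"), n)
```

A device that dominates the Sync count points at the retry loop described above, while the substatus on the 401 lines separates a bad password (401.1) from a server-side authentication setting (401.2).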

sdreiske

ASKER

Thanks everyone. Alan, I am working my way down your list and so far everything checks out, but when I ran the connection test I got this feedback. Where in IIS do I tell it to Ignore Client Certificates?


Checking the IIS configuration for client certificate authentication.
       Client certificate authentication was detected.
       
      Additional Details
       Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.


      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.pdsi.us in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 72.16.209.50
      Testing TCP port 443 on host mail.pdsi.us to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name mail.pdsi.us was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       The test passed with some warnings encountered. Please expand the additional details.
       
      Additional Details
       The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 8/21/2009 3:22:56 PM, NotAfter = 8/21/2011 3:22:56 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication was detected.
       
      Additional Details
       Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.



IIS Manager> Default Website> Microsoft-exchange-activesync virtual directory, properties, directory security, 3rd edit button.

Thanks Alan, I fixed that and ran the test again and now I am getting this error. Any thoughts?

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.pdsi.us in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 72.16.209.50
      Testing TCP port 443 on host mail.pdsi.us to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name mail.pdsi.us was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       The test passed with some warnings encountered. Please expand the additional details.
       
      Additional Details
       The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 8/21/2009 3:22:56 PM, NotAfter = 8/21/2011 3:22:56 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Testing HTTP Authentication Methods for URL https://mail.pdsi.us/Microsoft-Server-Activesync/.
       The HTTP authentication methods are correct.
       
      Additional Details
       ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.

Okay - the 401 error is usually:

1. Incorrect username / password (might want to force a password change to one you know to make sure you are using the right one)

2. IP Address restrictions set incorrectly on the IIS Virtual Directories.

See my article for the right settings:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Please check if you have integrated authentication enabled on the Exchange virtual directory in IIS Manager on the back-end server.

Go to IIS Manager -> Properties of Exchange virtual directory -> Directory security

My money is on the IP address restriction.

- please remove IP address restrictions on Exchange directories (and exchange-oma VD if you have them) on FE and BE. Once ActiveSync is working properly you can put them back on again.

Had to reset the default virtual directories and check the settings.
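The settings checked by hand in this thread (Integrated authentication on the Exchange directory, client certificates on the ActiveSync directory, Basic authentication with SSL removed) can also be audited from the IIS 6 metabase `AuthFlags` and `AccessSSLFlags` values, for example as read with `adsutil.vbs`. This is an added example, not code from the thread or from Microsoft; the flag values passed in are constructed, and the finding labels are hypothetical names.

```python
# IIS 6 metabase bit values for the AuthFlags and AccessSSLFlags properties.
AUTH_BITS = {"Anonymous": 0x01, "Basic": 0x02, "Integrated": 0x04, "Digest": 0x10}
SSL_BITS = {"RequireSSL": 0x08, "AcceptClientCert": 0x20, "RequireClientCert": 0x40}

def decode(value, bits):
    """Return the names of the bits set in a metabase flag value."""
    return [name for name, bit in bits.items() if value & bit]

def audit(vdirs):
    """vdirs maps a virtual directory name to (AuthFlags, AccessSSLFlags)."""
    findings = []
    for name, (auth_flags, ssl_flags) in vdirs.items():
        auth = decode(auth_flags, AUTH_BITS)
        ssl = decode(ssl_flags, SSL_BITS)
        # Events 1001 and 3031: ActiveSync needs Integrated auth on Exchange.
        if name.lower() == "exchange" and "Integrated" not in auth:
            findings.append((name, "no-integrated-auth"))
        # ExRCA: Accept/Require client certificates found on the sync directory.
        if name.lower() == "microsoft-server-activesync" and (
                "AcceptClientCert" in ssl or "RequireClientCert" in ssl):
            findings.append((name, "client-cert-enabled"))
        # Basic auth is only base64-encoded; without SSL the password is readable.
        if "Basic" in auth and "RequireSSL" not in ssl:
            findings.append((name, "basic-without-ssl"))
    return findings

# Constructed values: the settings the asker lists, with SSL removed and
# client certificates still accepted on the ActiveSync directory.
AS_POSTED = {"Exchange": (0x06, 0x00), "Microsoft-Server-ActiveSync": (0x02, 0x20)}
# Constructed values: Integrated unchecked on Exchange, SSL required on both.
INTEGRATED_OFF = {"Exchange": (0x02, 0x08), "Microsoft-Server-ActiveSync": (0x02, 0x08)}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("integrated off", INTEGRATED_OFF)):
        print(label, audit(cfg))
```

The `basic-without-ssl` finding is the one to clear before putting the phones back on the internet-facing front end: SSL was removed here only as a troubleshooting step.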