ActiveSync 2010 Errors: "The page cannot be displayed because the http version is not supported."

We are in the middle of a migration from Exchange 2003 to Exchange 2010 configured like this:  2 HUB/Transport servers using NLB.  1 Mailbox server.  No Edge server or ISA or Proxy involved.  Firewall policies are wide open for testing.  

ActiveSync for 2010 has been configured, but iPhones are unable to sync.  If I add the ActiveSync 2010 URL to the config on an iPhone, I get this:  "Exchange Account  Unable to verify account information."  If I try to browse to the URL using IE, I first get prompted for credentials.  After entering my credentials, I get the following error in IE: "The page cannot be displayed because the http version is not supported."  If I disable friendly errors in my browser, I get this error: "HTTP/1.1 501 Not Implemented"

I have checked the following:

The format of the URL is https://domainname.com/Microsoft-Server-ActiveSync.

We've tried an administrative and a non-admin user.

We have selected the option to inherit permissions on the user account in AD

We have turned off the requirement for SSL on the virtual directory

We tried to Enable the Certificate, Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS",
Enter the Thumbprint of your certificate (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C),
Select Yes To Overwrite

We have the same behavior if we test internally on the LAN.  Same behavior if we test running directly on the HUB/Transports servers.  Same behavior when testing from the internet.

OWA 2010 is working as expected.

Exchange 2010 is running with a valid SAN certificate.

I tested using https://www.testexchangeconnectivity.com.  Here are the results.

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name autodiscover.domain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x   --- verified this is the correct IP address
 
 Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
 
 Validating certificate trust for Windows Mobile devices.
  The certificate is trusted and all certificates are present in the chain.
   Additional Details
  The certificate is trusted for Windows Mobile 5.0 and later versions. Root = CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
 
 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  The certificate is valid. NotBefore = 3/18/2011 12:00:00 AM, NotAfter = 3/21/2014 12:00:00 PM
 
 
 
 Checking the IIS configuration for client certificate authentication.
  The test passed with some warnings encountered. Please expand the additional details.
   Additional Details
  Client certificate authentication couldn't be determined because an unexpected failure occurred. WinHttpSendRequest failed with error 12002.
 
 Testing HTTP Authentication Methods for URL https://autodiscover.domain.com/Microsoft-Server-Activesync/.
  The HTTP authentication methods are correct.
   Additional Details
  ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
 
 An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.
   Test Steps
   Attempting to send the OPTIONS command to the server.
  Testing of the OPTIONS command failed. For more information, see Additional Details.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
 
Not sure what this means, but any suggestions would be appreciated.
Asked by: sillz
 
sillz (Author) Commented:
Thanks for the reply.

We had tried to select the checkbox to inherit permissions, but that didn't seem to make a difference.  I didn't think to try a migrated user versus a non-migrated user, so I tried that:

1.  A basic user with no special group membership who has been migrated to Exchange 2010  does work fine.
2.  A basic user with no special membership who has not been migrated does not work when pointing to the URL for ActiveSync 2010.

This is probably by design.  I was under the impression that there was a redirection for non-migrated users like there is for OWA.

I guess this makes sense.  I still don't understand why I can't hit the URL for ActiveSync 2010 with a browser.

MegaNuk3 Commented:
So if you open the URL from the CAS server with a migrated user vs a new user, the results are still different?

Try https://<CAS>/Microsoft-Server-ActiveSync
You should receive a prompt for credentials and then after entering valid credentials a blank page...
 
sillz (Author) Commented:
When I use the URL  https://<CAS>/Microsoft-Server-ActiveSync I am prompted to enter my credentials. I enter my credentials and I get the following message in a browser window:

"The page cannot be displayed because the HTTP version is not supported."

Maybe this is expected behavior?

MegaNuk3 Commented:
Does it do that on both CAS servers?

sillz (Author) Commented:
Yes, I get the same error if I go to either CAS server or if I go to the virtual IP of the CAS array / NLB IP.

MegaNuk3 Commented:
Ignore my earlier comment, that was an E2k7 CAS - on an E2k10 CAS I get the same result as you.

sillz (Author) Commented:
Our configuration was correct from the beginning.  We just weren't testing it correctly.

We had assumed that Exchange 2003 users would be able to use ActiveSync 2010 prior to being migrated to Exchange 2010.  We thought that they would be redirected in a way similar to OWA.

Exchange 2003 users will continue to use ActiveSync 2003.  Exchange 2010 users will use ActiveSync 2010.

We will just need to change the URL on the users' iPhones after they have been migrated to Exchange 2010.

Thanks for your assistance.
Question has a verified solution.
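
A way to test the endpoint with the OPTIONS request that ExRCA sends, rather than with a browser, as an added example that is not part of the original thread. The function names and the sample responses are constructed for illustration; the 501 and 403 readings follow what the participants reported above, and the two MS-AS* headers are the ones the ActiveSync HTTP protocol returns to OPTIONS.

```python
import base64
import http.client

EAS_PATH = "/Microsoft-Server-ActiveSync"
# Headers a working ActiveSync endpoint returns to OPTIONS (per MS-ASHTTP).
EAS_HEADERS = ("ms-asprotocolversions", "ms-asprotocolcommands")

def classify(method, status, headers):
    """Interpret one response from the ActiveSync virtual directory."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "GET" and status == 501:
        # The IE result in the thread, reproduced on a second E2k10 CAS.
        return "expected: a browser GET is not a valid ActiveSync test"
    if method == "OPTIONS" and status == 200:
        if all(name in h for name in EAS_HEADERS):
            return "ok: protocol versions " + h["ms-asprotocolversions"]
        return "suspect: 200 without ActiveSync headers"
    if status == 401:
        return "auth: credentials rejected"
    if status == 403:
        # The ExRCA OPTIONS result in the thread.
        return "forbidden: check which Exchange version hosts the mailbox"
    return "unexpected: HTTP %d" % status

def probe(host, user, password, timeout=10):
    """Send the OPTIONS request over verified TLS (needs network access)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("OPTIONS", EAS_PATH, headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        return classify("OPTIONS", resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed sample responses (not captured from the thread's servers).
SAMPLES = [
    ("GET", 501, {"Server": "Microsoft-IIS/7.5"}),
    ("OPTIONS", 403, {"Server": "Microsoft-IIS/7.5"}),
    ("OPTIONS", 200, {"MS-ASProtocolVersions": "2.5,12.0,12.1,14.0",
                      "MS-ASProtocolCommands": "Sync,FolderSync,Ping"}),
    ("OPTIONS", 200, {"Content-Type": "text/html"}),
]

def run_samples():
    return [classify(m, s, h) for m, s, h in SAMPLES]

if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Running `probe()` once with a migrated mailbox and once with a non-migrated one reproduces the comparison the author made by hand.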
