ActiveSync 2010 Errors: "The page cannot be displayed because the http version is not supported."

We are in the middle of a migration from Exchange 2003 to Exchange 2010 configured like this:  2 HUB/Transport servers using NLB.  1 Mailbox server.  No Edge server or ISA or Proxy involved.  Firewall policies are wide open for testing.  

ActiveSync for 2010 has been configured, but iPhones are unable to sync.  If I add the ActiveSync 2010 URL to the config on an iPhone, I get this:  "Exchange Account  Unable to verify account information."  If I try to browse to the URL using IE, I first get prompted for credentials.  After entering my credentials, I get the following error in IE "The page cannot be displayed because the http version is not supported."   If I disable friendly errors in my browser, I get this error "HTTP/1.1 501 Not Implemented"

I have checked the following:

The format of the URL is

We've tried administrative and non-admin user.

We have selected the option to inherit permissions on the user account in AD

We have turned off the requirement for SSL on the virtual directory

We tried to Enable the Certificate, Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS",
Enter the Thumbprint of your certificate (i.e. 9292D650DFFD7E055145E5CA5A29E08DFC07C53C),
Select Yes To Overwrite

We have the same behavior if we test internally on the LAN.  Same behavior if we test running directly on the HUB/Transports servers.  Same behavior when testing from the internet.

OWA 2010 is working as expected.

Exchange 2010 is running with a valid SAN certificate.

I tested using  Here are the results.

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x   --- verified this is the correct IP address
 Testing TCP port 443 on host to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name was found in the Certificate Subject Alternative Name entry.
 Validating certificate trust for Windows Mobile devices.
  The certificate is trusted and all certificates are present in the chain.
   Additional Details
  The certificate is trusted for Windows Mobile 5.0 and later versions. Root = CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  The certificate is valid. NotBefore = 3/18/2011 12:00:00 AM, NotAfter = 3/21/2014 12:00:00 PM
 Checking the IIS configuration for client certificate authentication.
  The test passed with some warnings encountered. Please expand the additional details.
   Additional Details
  Client certificate authentication couldn't be determined because an unexpected failure occurred. WinHttpSendRequest failed with error 12002.
 Testing HTTP Authentication Methods for URL
  The HTTP authentication methods are correct.
   Additional Details
  ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
 An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.
   Test Steps
   Attempting to send the OPTIONS command to the server.
  Testing of the OPTIONS command failed. For more information, see Additional Details.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
Not sure what this means, but any suggestions would be appreciated.
sillzAuthor Commented:
Thanks for the reply.

We had tried to select the checkbox to inherit permissions, but that didn't seem to make a difference.   I didn't think to try a migrated user versus a non-migrated user, so I tried that:

1.  A basic user with no special group membership who has been migrated to Exchange 2010  does work fine.
2.  A basic user with no special membership who has not been migrated does not work when pointing to the URL for ActiveSync 2010.

This is probably by design.  I was under the impression that there was a redirection for non-migrated users like there is for OWA.

I guess this makes sense.  I still don't understand why I can't hit the URL for ActiveSync 2010 with a browser.
So if you open the URL from the CAS server with a migrated user vs a new user the results are still different?

Try https://<CAS>/Microsoft-Server-ActiveSync
You should receive a prompt for credentials and then after entering valid credentials a blank page...

sillzAuthor Commented:
When I use the URL  https://<CAS>/Microsoft-Server-ActiveSync I am prompted to enter my credentials. I enter my credentials and I get the following message in a browser window:

"The page cannot be displayed because the HTTP version is not supported."

Maybe this is expected behavior?
Does it do that on both CAS servers?
sillzAuthor Commented:
Yes, I get the same error if I go to either CAS server or if I go to the virtual IP of the CAS array / NLB IP.
Ignore my earlier comment; that was an E2k7 CAS. On an E2k10 CAS I get the same result as you.
sillzAuthor Commented:
Our configuration was correct from the beginning.  We just weren't testing it correctly.

We had assumed that Exchange 2003 users would be able to use ActiveSync 2010 prior to being migrated to Exchange 2010.  We thought that they would be redirected in a way similar to OWA.

Exchange 2003 users will continue to use ActiveSync 2003.  Exchange 2010 users will use ActiveSync 2010.

We will just need to change the URL on the users' iPhones after they have been migrated to Exchange 2010.

Thanks for your assistance
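
The outcome of this thread (a browser GET that returns 501 says nothing about ActiveSync health, while the OPTIONS probe that ExRCA sends does) as a small triage helper. This is an added example, not part of the original posts; the raw responses are constructed samples, the verdict labels are hypothetical, and the MS-ASProtocolVersions check is an assumption about what a healthy OPTIONS reply carries.

```python
# Added example: triage of probe results for /Microsoft-Server-ActiveSync.
# The raw responses below are constructed samples, not captures from the thread.

def parse_response(raw):
    """Return (status_code, headers) from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(method, raw):
    """Map one probe to a verdict label (labels are hypothetical)."""
    status, headers = parse_response(raw)
    method = method.upper()
    if method == "GET" and status == 501:
        # What the browser test in this thread produced on a working 2010 CAS.
        return "inconclusive-browser-test"
    if status == 401:
        return "authentication-required"
    if status == 403:
        # What ExRCA's OPTIONS step reported in the question.
        return "authenticated-but-forbidden"
    if method == "OPTIONS" and status == 200:
        # Assumption: a healthy endpoint advertises its protocol versions.
        if "ms-asprotocolversions" in headers:
            return "activesync-responding"
        return "not-an-activesync-endpoint"
    return "unexpected"

BROWSER_GET = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
OPTIONS_OK = (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS,POST\r\n"
              b"MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0\r\n\r\n")
OPTIONS_403 = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
               b"<title>403 - Forbidden: Access is denied.</title>")

if __name__ == "__main__":
    for m, r in (("GET", BROWSER_GET), ("OPTIONS", OPTIONS_OK), ("OPTIONS", OPTIONS_403)):
        print(m, "->", classify(m, r))
```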