Exchange 2003 Activesync nightmares!

Amaze_IT
I'm having a torrid time trying to get users syncing using the iPhones. A couple of months ago we installed a front end server in our DMZ and repointed all traffic through to this instead of the mail server on the inside. Mail still flows through SMTP to the existing server, but ONLY from our 3rd party AV/spam providers (our default MX hits them, not us). Previously, we had one Exchange server doing everything, successfully! We installed the hack to enable RPC over HTTP, change password functions through OWA, FBA etc.

Since adding the front end server we're having some weird and wonderful problems - certain users are unable to sync their iPhones with the server. I myself have a 3GS and I can wipe my account and reset it without any problems. However, seemingly random users are unable to do so - I can enter the details and it verifies them fine, but the moment I attempt to check the email, I get an error "The server cannot be contacted" on the device. This happens on some old users, and now brand new users. I have copied the profile from existing users that work, makes no difference; I have checked I can access them through OWA (fine). I have moved their mailboxes to different stores, makes no difference also.

I have run the Exchange connectivity tester, and it verifies some users (the ones that sync), and for others it reports a "403 Forbidden" error. I have tried the ActiveSync Tester app on my iPhone, and my user works fine, but with a user that doesn't it tells me that ActiveSync is detected, but access denied [HTTP 403: Disabled for this user]. I have checked the permissions on the folder on both front end and back end, and tried changing settings on the IIS folders, but no difference. One peculiar thing is that if I make changes on virtual folders and then do an iisreset, the permissions change back to what they were previously?
We are using SSL to connect to the front end server, and all the rules are in place for the FE to talk to the BE server. Both running latest updates with Exchange 2003 SP3 and Windows 2003 R2.

Can someone please help - I'm totally out of ideas!


Commented:
Is there a specific error on the phones where you experience the error (next to the 403 error)?

Commented:
You can check Exchange ActiveSync at the following location: https://www.testexchangeconnectivity.com/

Commented:
Most of the time a specific account gives you the problem, or the device can't handle SSL.
It could be that the Microsoft-Server-ActiveSync virtual directory on your server is configured to require SSL and your device does not. Try disabling SSL.

Author

Commented:
Thanks for the responses - the iPhones don't give any errors when setting up the accounts, but as soon as you come out of the config on the iPhone and try to go into the mail client, I get the error "Cannot get mail. The connection to the server failed." I get a 3005, error 409 in the logs when this happens; when I use the Exchange connectivity analyser, I get a 403 forbidden message.

Author

Commented:
Anyone any ideas here? None of the usual fixes seem to be working at all. I've created a new user this morning, made sure everything is the same as another user who has working iPhone syncing, and this fails as well. In the logs, I keep seeing a 403 error for that user - it seems to do the first stage of authentication, then fails at the second stage. I've turned logging up on the Exchange server, and it shows the user logging onto the account; Event ID 1016 appears: "Windows 2000 User MX2\IUSR_MX2 logged on to J.Doe@domain.com mailbox, and is not the primary Windows 2000 account on this mailbox" - it certainly is....!?!
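The "first stage passes, second stage fails" pattern the author describes can be confirmed from the front end's IIS logs rather than from the device. The script below is an added example, not from the original thread or from Exchange itself: it parses IIS 6 W3C log lines using the log's own #Fields header, ignores the anonymous 401.2 challenge that precedes every Basic/Integrated logon, and lists the users whose authenticated requests to /Microsoft-Server-ActiveSync were answered with 403. The embedded log excerpt is constructed for the example; usernames, addresses and device IDs are made up.

```python
"""Triage Exchange ActiveSync failures from IIS 6 W3C logs (added example)."""
from collections import defaultdict

EAS_STEM = "/microsoft-server-activesync"

# Constructed log excerpt in the default IIS 6 W3C field order; not taken from
# the original post. Usernames, addresses and device IDs are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-06-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-06-01 08:00:01 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.10 Apple-iPhone/801.293 401 2 2148074254
2010-06-01 08:00:01 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 DOMAIN\\a.user 203.0.113.10 Apple-iPhone/801.293 200 0 0
2010-06-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=a.user&DeviceId=Appl1234&DeviceType=iPhone&Cmd=FolderSync 443 DOMAIN\\a.user 203.0.113.10 Apple-iPhone/801.293 200 0 0
2010-06-01 08:00:10 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.11 Apple-iPhone/801.293 401 2 2148074254
2010-06-01 08:00:10 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 DOMAIN\\j.doe 203.0.113.11 Apple-iPhone/801.293 403 0 0
2010-06-01 08:00:11 10.0.0.5 POST /Microsoft-Server-ActiveSync User=j.doe&DeviceId=Appl5678&DeviceType=iPhone&Cmd=FolderSync 443 DOMAIN\\j.doe 203.0.113.11 Apple-iPhone/801.293 403 0 0
2010-06-01 08:00:12 10.0.0.5 GET /exchange/ - 443 DOMAIN\\j.doe 203.0.113.11 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order comes from the log, not hard-coded
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()  # W3C logs encode spaces inside values as '+'
        if len(parts) != len(fields):
            continue  # truncated or corrupt line
        yield dict(zip(fields, parts))


def activesync_outcomes(text):
    """Map each authenticated user to the set of HTTP statuses they got on the EAS vdir."""
    outcomes = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != EAS_STEM:
            continue
        if rec["cs-username"] == "-":
            # Anonymous 401.2 is just the authentication challenge, not a failure.
            continue
        outcomes[rec["cs-username"]].add(int(rec["sc-status"]))
    return dict(outcomes)


def users_denied(text):
    """Users whose credentials were accepted (a username is logged) but whose EAS requests got 403."""
    return sorted(user for user, codes in activesync_outcomes(text).items()
                  if 403 in codes and 200 not in codes)


if __name__ == "__main__":
    for user, codes in sorted(activesync_outcomes(SAMPLE_LOG).items()):
        print(f"{user}: {sorted(codes)}")
    print("denied:", users_denied(SAMPLE_LOG))
```

On a real front end, read the day's ex*.log from the W3C log directory and pass its contents in place of SAMPLE_LOG; a user who appears only with 403 after a logged username has authenticated successfully and been refused by the ActiveSync virtual directory, which is a different problem from a user who never gets past 401.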

Commented:
Did you try with SSL disabled yet? If you disable SSL and go to an external machine and browse to the http://mail.yourexchange.com/active-sync directory, what happens? You should get a popup for credentials. Fill in domainname\username and password and see if you get a connection error. If you don't, try the iPhone with SSL switched off.

Author

Commented:
Hmmm.....well that's really broken things! I've tried to disable SSL on the front end server completely - but every time I try to disable SSL on the Exchange virtual directory root and do an iisreset, it resets SSL to enabled again! It seems to do this with settings on any virtual folder on the front end, no matter what I do!
Anyway - trying to access http://mail.domain.com prompts for a username and password, then just gives a blank screen; http://mail.domain.com/microsoft-server-activesync does the same.
 
Accessing http://mail.domain.com prompts for username and password (we have FBA enabled on the FE normally) - at which point we get the OWA page, minus anything except the dividing bar and a few red placemarkers in place of images! Navigating to http://mail.domain.com/microsoft-server-activesync gives the same prompt, then gives me an "HTTP 501 not implemented/HTTP 505 Version not supported" error (which would appear correct?). Out of interest, I tried https://mail.domain.com and got the normal OWA GUI, and logged in as normal. If I try https://mail.domain.com/microsoft-server-activesync I get the same result as using http://

Help...?!

Author

Commented:
Correction - the blank screen issue was a remote server problem (Windows updates breaking everything!) - a remote server gives the same response as accessing through the FE for all scenarios....

Commented:
Do you have form-based authentication enabled? You could test with form-based authentication disabled. Also check your redirections; could mail.domain.com be a catch-all pointing to /owa by default?

Author

Commented:
@PenguinN I have tried disabling FBA and it makes no difference. The really frustrating thing is that no matter what I do to the FE box IIS settings (i.e. disabling SSL or changing access permissions on a virtual directory), the moment I do an iisreset, they change back to the previous settings?! I currently have a redirect to the /exchange URL on the root of the VDir, and I tried turning that off last night and reconfiguring the owahttps.asp setup - if I started and stopped the service, then the https redirect worked great (as did the https://mail.domain.com > https://mail.domain.com/exchange), but the moment I performed the iisreset it put the old settings back, and the https redirect stopped working again - and I can't get it to work again? Something doesn't make sense; I can't help wondering if this resetting permissions issue has something to do with the problem - has anyone seen this before? I've even started the IS on the FE box and mounted the stores (no user mailboxes on them) to see if that helped - and lifted the restriction on the ports from FE to BE servers (this allowed System Manager to start on the FE without failing with an "RPC Server unavailable" error).

Commented:
Are your front end and back end configured correctly for ActiveSync?
You get the popup for authentication (that works).
Then you connect to ActiveSync and you get a 403, which basically states a problem using SSL. OWA is working fine. Can you check the settings on both servers somehow?

Author

Commented:
I think part of the problem lies in this configuration resetting all the time - I can't get the front end to stay configured properly! I think I'm going to attempt to reset the VDirs on the FE tonight - maybe followed by the BE.

OWA works fine - OMA works fine. The strange thing is I use an iPhone and I can sync fine, and there are multiple other users that can all sync with Androids/iPhones/iPads just fine, so I would have thought that means ActiveSync is working great?

I tried using the accessmyLAN ActiveSync tester for multiple accounts - all the ones that have this problem report the same:

checking connection - OK
checking certificate - OK
checking application - OK
checking version (6.5.7638.1) - OK
checking protocols (1.0, 2.0, 2.1, 2.5) - OK
Checking user - OK
ActiveSync IS NOT available. (ActiveSync detected, but access denied. [HTTP 403: Disabled for this user])

I have checked and double-checked - EVERY user and the Organisation are enabled for all mobile devices!
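The checks the tester prints above (application, version, protocols, user) all come from one OPTIONS request to the ActiveSync virtual directory, so they can be reproduced without the app. The script below is an added example, not from the thread or from accessmyLAN: it parses a raw HTTP response, reads the MS-Server-ActiveSync and MS-ASProtocolVersions headers that Exchange returns to OPTIONS, and derives the same verdict from the status code. The two embedded responses are constructed for the example (the 403 body text is made up); only `probe()` talks to a real server, and its host, username and password arguments are placeholders.

```python
"""Reproduce an ActiveSync OPTIONS check from a raw response (added example)."""
import base64
import http.client
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"

# Constructed responses, modelled on what the thread reports for a working and a
# refused user; not captured from the original poster's servers.
OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Server-ActiveSync: 6.5.7638.1\r\n"
    b"MS-ASProtocolVersions: 1.0,2.0,2.1,2.5\r\n"
    b"MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,FolderSync,Ping\r\n"
    b"Content-Length: 0\r\n\r\n"
)
DENIED_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 14\r\n\r\n"
    b"Access denied."
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, reason, lower-cased header dict)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), reason, headers


def check_options(status, headers):
    """Derive the tester-style checks and a verdict from an OPTIONS response."""
    server = headers.get("ms-server-activesync")
    versions = [v.strip() for v in headers.get("ms-asprotocolversions", "").split(",") if v.strip()]
    if status == 200 and versions:
        verdict = "available"
    elif status == 401:
        verdict = "credentials rejected"
    elif status == 403:
        # Authentication succeeded but the EAS handler refused the user.
        verdict = "access denied for this user"
    elif status in (501, 505):
        verdict = "request not handled as ActiveSync (wrong method or path)"
    else:
        verdict = f"unexpected HTTP {status}"
    checks = [
        ("application", server is not None),
        ("version", server or "not reported"),
        ("protocols", versions),
        ("user", verdict),
    ]
    return verdict, checks


def probe(host, username, password, timeout=10, verify_tls=True):
    """Send the OPTIONS request a device sends; returns (status, headers). Needs a live server."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only, e.g. a self-signed front end certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    conn.request("OPTIONS", EAS_PATH, headers={"Authorization": "Basic " + token,
                                               "User-Agent": "eas-probe/0.1"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


if __name__ == "__main__":
    for raw in (OK_RESPONSE, DENIED_RESPONSE):
        status, _reason, hdrs = parse_response(raw)
        verdict, checks = check_options(status, hdrs)
        for name, result in checks:
            print(f"checking {name} - {result}")
        print("ActiveSync:", verdict)
```

To run it against a front end, call `probe("mail.domain.com", r"DOMAIN\j.doe", "password")` and pass the result to `check_options`; a 200 with MS-ASProtocolVersions for one account and a 403 for another from the same client rules out the device, the certificate and the front end's SSL setting, and leaves the per-user state on the server.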

Commented:
Try going into AD and showing advanced settings. Here you can select Security. Check the "Inherit permissions from parent" checkbox and see what happens.

Commented:
You do this setting for the user in question :-)

Author

Commented:
Nope....already checked!

Commented:
Have you updated masssync.dll? Let me know if not and I will tell you how to do it.

Author

Commented:
Ok, well, just an update really - due to the fact we were having these issues repeatedly, and due to the fact we had a lot of new Mac users who couldn't use Exchange 2003, we decided to push forward the Exchange 2010 migration...which solved this problem but added a few more!

Author

Commented:
Due to continuing issues with the old solution we pushed forward our Exchange upgrades, which resolved the issues.