Amaze_IT (United Kingdom) asked:
Exchange 2003 Activesync nightmares!

I'm having a torrid time trying to get users syncing using their iPhones. A couple of months ago we installed a front end server in our DMZ, and repointed all traffic through to this instead of the mailserver on the inside. Mail still flows through SMTP to the existing server, but ONLY from our 3rd party AV/Spam providers (our default MX hits them, not us). Previously, we had one Exchange server doing everything, successfully! We installed the hack to enable RPC over HTTP, change password functions through OWA, FBA etc.

Since adding the front end server we're having some weird and wonderful problems - certain users are unable to sync their iPhones with the server. I myself have a 3GS and I can wipe my account and reset it without any problems. However, seemingly random users are unable to do so - I can enter the details and it verifies them fine, but the moment I attempt to check the email, I get an error "The server cannot be contacted" on the device. This happens on some old users, and now brand new users. I have copied the profile from existing users that work; makes no difference. I have checked I can access them through OWA (fine). I have moved their mailboxes to different stores; makes no difference also. I have run the Exchange connectivity tester, and it verifies some users (the ones that sync), and for others it reports a "403 Forbidden" error. I have tried the ActiveSync Tester app on my iPhone, and my user works fine, but with a user that doesn't it tells me that "ActiveSync is detected, but access denied [HTTP 403: Disabled for this user]". I have checked the permissions on the folder on both front end and back end, and tried changing settings on the IIS folders, but no difference. One peculiar thing is that if I make changes on virtual folders, and then do an iisreset, the permissions change back to what they were previously?

We are using SSL to connect to the front end server, and all the rules are in place for the FE to talk to the BE server. Both running latest updates with Exchange 2003 SP3 and Windows 2003 R2.

Can someone please help - I'm totally out of ideas!

PenguinN replied:

Is there a specific error on the phones where you experience the error (next to the 403 error)?
You can check if Exchange ActiveSync at the following location
Most of the time a specific account gives you the problem or the device can't handle SSL.
Could be that Microsoft-Server-ActiveSync virtual directory on your server is configured to require SSL and your device does not. Try to disable SSL.
Amaze_IT replied:

Thanks for the responses - the iPhones don't give any errors when setting up the accounts, but as soon as you come out of the config on the iPhone and try to go into the mail client, I get the error "Cannot get mail. The connection to the server failed." I get a 3005, error 409 in the logs when this happens; when I use the Exchange connectivity analyser, I get a 403 forbidden message.
Anyone any ideas here? None of the usual fixes seem to be working at all. I've created a new user this morning, made sure everything is the same as another user who has working iPhone syncing, and this fails as well. In the logs, I keep seeing a 403 error for that user - it seems to do the first stage of authentication, then fails at the second stage. I've turned logging up on the Exchange server, and it shows the user logging onto the account; Event ID 1016 appears "Windows 2000 User MX2\IUSR_MX2 logged on to mailbox, and is not the primary Windows 2000 account on this mailbox" - it certainly is....!?!
PenguinN replied:
Did you try with SSL disabled yet? If you disable SSL and go to an external machine and browse for directory, what happens? You should get a popup for credentials. Fill in domainname\username and password and see if you get a connection error. If you don't, try the iPhone with SSL switched off.

Amaze_IT replied:
Hmmm.....well that's really broken things! I've tried to disable SSL on the front end server completely - but every time I try to disable SSL on the Exchange virtual directory root and do an iisreset, it resets SSL to enabled again! It seems to do this with settings on any virtual folder on the front end, no matter what I do!
Anyway - trying to access prompts for a username and password, then just gives a blank screen; does the same.
Accessing prompts for username and password (we have FBA enabled on the FE normally) - at which point we get the OWA page, minus anything except the dividing bar and a few red placemarkers in place of images! Navigating to gives the same prompt, then gives me an "HTTP 501 not implemented/HTTP 505 Version not supported" error (which would appear correct?). Out of interest, I tried and got the normal OWA GUI, and logged in as normal. If I try I get the same result as using http://

Correction - the blank screen issue was a remote server problem (Windows updates breaking everything!) - a remote server gives the same response as accessing through the FE for all scenarios....

PenguinN replied:
Do you have form based authentication enabled? You could test with form based authentication disabled. Also check your redirections; it could be a catch-all pointing to /owa by default.

Amaze_IT replied:
@PenguinN I have tried disabling FBA and it makes no difference. The really frustrating thing is that no matter what I do to the FE box IIS settings (i.e. disabling SSL or changing access permissions on a virtual directory), the moment I do an iisreset, they change back to the previous settings?! I currently have a redirect to the /exchange URL on the root of the VDir, and I tried turning that off last night and reconfiguring the owahttps.asp setup - if I started and stopped the service, then the https redirect worked great (as did the >, but the moment I performed the iisreset it put the old settings back, and the https redirect stopped working again - and I can't get it to work again? Something doesn't make sense; I can't help wondering if this resetting permissions issue has something to do with the problem - has anyone seen this before? I've even started the IS on the FE box and mounted the stores (no user mailboxes on them) to see if that helped - and lifted the restriction on the ports from FE to BE servers (this allowed System Manager to start on the FE without failing with an "RPC Server unavailable" error).

PenguinN replied:
Are your frontend and backend configured correctly for ActiveSync?
You get the popup for authentication (that works).
Then you connect to ActiveSync and you get 403, which basically states a problem using SSL. OWA is working fine. Can you check the settings on both servers somehow?

Amaze_IT replied:
I think part of the problem lies in this configuration resetting all the time - I can't get the front end to stay configured properly! I think I'm going to attempt to reset the VDirs on the FE tonight - maybe followed by the BE.

OWA works fine - OMA works fine. The strange thing is I use an iPhone and I can sync fine, and there are multiple other users that can all sync with Androids/iPhones/iPads just fine, so I would have thought that means ActiveSync is working great?

I tried using the accessmyLAN ActiveSync tester for multiple accounts - all the ones that have this problem report the same:

checking connection - OK
checking certificate - OK
checking application - OK
checking version (6.5.7638.1) - OK
checking protocols (1.0, 2.0, 2.1, 2.5) - OK
Checking user - OK
ActiveSync IS NOT available. (ActiveSync detected, but access denied. [HTTP 403: Disabled for this user])

I have checked and double checked - EVERY user and the Organisation are enabled for all mobile devices!

PenguinN replied:
Try to go into AD and show advanced settings. Here you can select Security. Check the "inherit permissions from parent" checkbox and see what happens.
You do this setting for the user in question :-)

Amaze_IT replied:
Nope....already checked!

Another participant replied:
Have you updated masssync.dll? Let me know if not; I will let you know how to do it.
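As an added illustration (not part of the thread, and not the accessmyLAN tool's or Exchange's own code): a small Python script that reads IIS W3C log lines from the front-end server and summarises, per user, whether ActiveSync requests got through or were refused after authentication, i.e. the "first stage passes, second stage gets 403" pattern the poster describes. The log lines, the field layout, the server address and the account names are all constructed for this example; point it at a real ex*.log from the front end's IIS log directory to get the same per-user breakdown.

```python
"""Per-user summary of Exchange ActiveSync outcomes from IIS W3C log lines.

Added example, not code from the thread. Each device request to
/Microsoft-Server-ActiveSync normally appears twice in the IIS log: an
anonymous request answered with 401 (the first authentication stage) and an
authenticated retry. Grouping the retries by account shows which users get
200 and which are refused with 403 after their credentials were accepted.
"""
from collections import defaultdict
from urllib.parse import parse_qs

EAS_PATH = "/microsoft-server-activesync"

# Constructed sample log (hypothetical server 10.0.0.5, accounts alice/bob/carol).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus
2010-05-10 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone - 192.0.2.10 Apple-iPhone3C1/801.306 401 2
2010-05-10 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone CORP\\alice 192.0.2.10 Apple-iPhone3C1/801.306 200 0
2010-05-10 08:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=bob&DeviceId=DEF456&DeviceType=iPhone - 192.0.2.11 Apple-iPhone3C1/801.306 401 2
2010-05-10 08:00:06 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=bob&DeviceId=DEF456&DeviceType=iPhone CORP\\bob 192.0.2.11 Apple-iPhone3C1/801.306 403 0
2010-05-10 08:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=carol&DeviceId=GHI789&DeviceType=iPhone - 192.0.2.12 Apple-iPhone3C1/801.306 401 2
2010-05-10 08:01:00 10.0.0.5 GET /exchange/ - CORP\\bob 192.0.2.11 Mozilla/4.0 200 0
"""


def _parse_w3c(log_text):
    """Yield one dict per request line, taking column names from the #Fields: header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data before any #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def _user_of(entry):
    """Account for a request: the authenticated name if IIS logged one, else the User= query value."""
    name = entry.get("cs-username", "-")
    if name == "-":
        name = parse_qs(entry.get("cs-uri-query", "")).get("User", ["-"])[0]
    return name.split("\\")[-1].lower()  # drop DOMAIN\ prefix, normalise case


def summarise_activesync(log_text):
    """Return {user: {"statuses": [...], "verdict": str}} for ActiveSync requests only."""
    per_user = defaultdict(list)
    for entry in _parse_w3c(log_text):
        if not entry.get("cs-uri-stem", "").lower().startswith(EAS_PATH):
            continue  # OWA, OMA and other paths are not part of this check
        status = int(entry["sc-status"])
        authenticated = entry.get("cs-username", "-") != "-"
        per_user[_user_of(entry)].append((status, authenticated))

    report = {}
    for user, hits in per_user.items():
        statuses = [status for status, _ in hits]
        if any(status == 200 for status in statuses):
            verdict = "ok"
        elif any(status == 403 and auth for status, auth in hits):
            verdict = "denied after authentication"  # credentials accepted, access refused
        elif all(status == 401 for status in statuses):
            verdict = "never authenticated"  # only the challenge was seen
        else:
            verdict = "other failure"
        report[user] = {"statuses": statuses, "verdict": verdict}
    return report


if __name__ == "__main__":
    for user, info in sorted(summarise_activesync(SAMPLE_LOG).items()):
        print(f"{user:10} {info['verdict']:28} statuses={info['statuses']}")
```

A user listed as "denied after authentication" is the case worth chasing on the mailbox/account side, since IIS already accepted the credentials; a user who is "never authenticated" points instead at the device, SSL or the virtual directory's authentication settings.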
Amaze_IT (solution):
Due to continuing issues with the old solution we pushed forward our Exchange upgrades, which resolved the issues.