?
Solved

Exchange 2010 Active Sync issues (coexist with 2003)

Posted on 2011-09-22
1
Medium Priority
?
1,152 Views
Last Modified: 2012-08-13
I have an Exchange 2003 org that I have added an Exchange 2010 CAS to.
I have configured an external DNS record for activesync.domain.com and port 443 is allowed through the firewall to the CAS server. I am trying to test AS connectivity via the testoutlookconnectivity.com tool.

I am getting this error:

An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.

Test Steps

Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.

Additional Details
An HTTP 401 Unauthorized response was received from the remote IIS7 server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).

Any ideas?
0
Comment
Question by:ncfbins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 1

Accepted Solution

by:
ncfbins earned 0 total points
ID: 36582382
Solved it myself.


What are the configuration changes I must make on the Exchange 2003 Front-End servers to support ActiveSync?

In order to introduce Exchange 2010 into your "Internet Facing AD Site" and support your Exchange 2003 mailboxes, you will move the primary EAS namespace that is associated with the Exchange 2003 Front-End servers and associate it with the Exchange 2010 CAS array.  For more information on the detailed steps required to support coexistence process see my first blog article in the series, TechNet, or within the Deployment Assistant.

What are the configuration changes I must make on the Exchange 2003 mailbox servers?

Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

   1. Install http://support.microsoft.com/?kbid=937031 and then use the Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory.
   2. Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server.  An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.

Note: It is important that you do not use IIS Manager to change the authentication setting on the ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

What scenarios involve proxying and what scenarios involve redirection for Exchange ActiveSync (Exchange 2003)?

Hopefully the Exchange 2003 coexistence diagram is self-explanatory, but if it is not, the key thing here is that regardless of the location of the Exchange 2003 mailbox (remember Exchange 2003 is not site aware), CAS2010 will always proxy the request to the Exchange 2003 mailbox server.  Also, since Exchange 2003 does not support Autodiscover, the device version does not matter.

   1. User's device is already configured to use the namespace mail.contoso.com.
   2. User's device attempts to synchronize.
   3. CAS2010 will authenticate the user, determine the mailbox version is Exchange 2003 by performing a service discovery lookup in Active Directory, and retrieve the Exchange 2003 mailbox server FQDN.
   4. CAS2010 will proxy the connection to the Exchange 2003 mailbox server's Microsoft-Server-ActiveSync virtual directory.  In the IIS logs, you will see a response similar to:

          POST /Microsoft-Server-ActiveSync/default.eas User=user5&DeviceId=foo&DeviceType=PocketPC&Cmd=FolderSync&Log=PrxTo:mail.contoso.com_LdapC2_ 443 contoso\user5 10.20.100.117 MSFT-PPC/5.1.2301 200 0 0 189

   5. The mailbox server will authenticate the user and retrieve and render the mailbox data and will provide the rendered data back to the CAS2010 server.
   6. CAS2010 will expose the data to the end user.

You need to install the hotfix on ALL exchange 2003 servers, and check the intergrated authentication setting on each Active Sync Virtual Directory
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
This video discusses moving either the default database or any database to a new volume.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question