smyers051972
asked on
Exchange 2010 Active Sync Issue
Hello,
I am migrating my Exchange 2007 server to 2010. I have all my users mailboxes moved with exception of _services and discovery mailbox.
My firewall is a sonicwall tz210 and I have the following ports Nat routed:
25 (SMTP)
443 (HTTPS)
990 (RAPI)
999 (Status)
5721 (DTPT)
5678 (Legacy Replication)
5679 (Handshake & Legacy Replication)
26675 (Airsync)
I am requiring SSL and have a valid cert (shows proper thumbprint on console when I ussue the get ssl command).
My issue is, on andriod devices the device can authenticate but after you get through the services to sync screen it takes a long time then fails. On apply devices I try to sync and it hangs for a long time then fails as well.
I am unsure what I am missing here and any help would be appreciated.
Thanks
I am migrating my Exchange 2007 server to 2010. I have all my users mailboxes moved with exception of _services and discovery mailbox.
My firewall is a sonicwall tz210 and I have the following ports Nat routed:
25 (SMTP)
443 (HTTPS)
990 (RAPI)
999 (Status)
5721 (DTPT)
5678 (Legacy Replication)
5679 (Handshake & Legacy Replication)
26675 (Airsync)
I am requiring SSL and have a valid cert (shows proper thumbprint on console when I ussue the get ssl command).
My issue is, on andriod devices the device can authenticate but after you get through the services to sync screen it takes a long time then fails. On apply devices I try to sync and it hangs for a long time then fails as well.
I am unsure what I am missing here and any help would be appreciated.
Thanks
You probably have to enable a device password on the phone. This s a known issue with android 2x and lower
I just went through a Exchange 2003 to Exchagne 2010 migration with a domain migration myself. I ran into issues with ActivSync and the Microsofot Remote Connectivity Analyzer was a great resource in my troubleshooting efforts. My situation ended up being related to permissions propogation in IIS, for whatever reason the proper permissions did not propogate down to the necessary folders. Not to mention we were first testing our ActiveSync with an ADMIN account, something that is blocked by default in Exchange 2010, so when you run the tests be sure to use a normal user account and not an account whom is a member of any protected group like Domain Admins. Also if you setup an OWA redirect, be sure and turn off the redirect for all the virtual directories except OWA.
The apple devices fail as well?
Please run the Active Sync tests and post the repones if possible.
I am leaning towards this possibly being a Firewall issue, there are occasions in which firewall ttl settings can cause active sync connections to fail because it drops the connection premature. I have experienced this first hand with Watchguard, and ASA's, but not with my clients using sonicwall devices. Something to consider!
Microsoft Remote Connectivity Analyzer
The apple devices fail as well?
Please run the Active Sync tests and post the repones if possible.
I am leaning towards this possibly being a Firewall issue, there are occasions in which firewall ttl settings can cause active sync connections to fail because it drops the connection premature. I have experienced this first hand with Watchguard, and ASA's, but not with my clients using sonicwall devices. Something to consider!
Microsoft Remote Connectivity Analyzer
ASKER
It's all devices, apple and android, ipad, ipad2, ipod etc all fail but whats strange is OWA is fine. Dont they use OWA for mail?
Well yes and no, OWA can be working fine but ActiveSync NOT. Please run the Microsoft Remote Connectivity Analyzer, it will aid in narrowing down the problem. There are a lot of variables and running the test will point us in the right direction.
Did Active Sync ever work? Are your SSL certs and the like all in place and correctly configured? Do you have OWA redirects in place?
Did Active Sync ever work? Are your SSL certs and the like all in place and correctly configured? Do you have OWA redirects in place?
ASKER
This is strange, I ran it and here is what it said:
ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
Attempting to resolve the host name mail. in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 24.120
Testing TCP port 443 on host mail. to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
HOWEVER, when I load OWA from an external location it doesnt complain about the SSL cert at all and even showes the info from digicert.
Im stumped.
ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
Attempting to resolve the host name mail. in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 24.120
Testing TCP port 443 on host mail. to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
HOWEVER, when I load OWA from an external location it doesnt complain about the SSL cert at all and even showes the info from digicert.
Im stumped.
hmmm, well lets talk about your certificate. Is it a multi-domain cert, wild card cert or is just single domain?
Can you expand the response to see what validation checks the cert failed?
Can you expand the response to see what validation checks the cert failed?
ASKER
Single domain, one thing I remember yesterday tho setting it back up, I didnt revoke the old cert, I added this machine as a SAN onto it. Could this be an issue? The external domain it is answering to mail. for example is the same.
ASKER
Looks like I didnt expand everything, here is the rest of the error:
ExRCA is attempting to obtain the SSL certificate from remote server mail. on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail. was found in the Certificate Subject Common name.
Validating certificate trust for Windows Mobile devices.
Certificate trust validation failed.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
Analyzing the certificate chains for compatability problems with Windows Phone devices.
Potential compatibility problems were identified with some versions of Windows Phone.
Tell me more about this issue and how to resolve it
Additional Details
The certificate is not trusted on any version of Windows Phone device. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
ExRCA is attempting to obtain the SSL certificate from remote server mail. on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail. was found in the Certificate Subject Common name.
Validating certificate trust for Windows Mobile devices.
Certificate trust validation failed.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
Analyzing the certificate chains for compatability problems with Windows Phone devices.
Potential compatibility problems were identified with some versions of Windows Phone.
Tell me more about this issue and how to resolve it
Additional Details
The certificate is not trusted on any version of Windows Phone device. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
ASKER
This is losing me here, whats wierd is I can point to the exchange 2007 server and Activesync is fine I dont think that error its reporting is true.
What do you mean that you can point to it and it's fine?
The error above states that there is not a poblem with connecting, but that the problem is with the cert, more specifically the certs compatability with ActiveSync.
A quick test would be to remove the SSL requirements from the ActiveSync Virrtual Directory in IIS, restart iis, and test your devices without the Require SSL checked, and see if they work. Better yet, use the Microsoft Tool to perform this test without the SSL checks and see if it works.
It looks like you need a new cert, one that is Exchange friendly. For Exchange 2007 you really need a multi-domain cert to get full use of Autodiscover and Outlook Anywhere, it can be done with a single domain but requires mroe configurations.
GoDaddy has a multi-domain cert up to 5 domains for ONLY $89/yr, it's a great deal and is Unified Communications friendly, which means its root cert will be trusted by ActiveSync.
GoDaddy
The error above states that there is not a poblem with connecting, but that the problem is with the cert, more specifically the certs compatability with ActiveSync.
A quick test would be to remove the SSL requirements from the ActiveSync Virrtual Directory in IIS, restart iis, and test your devices without the Require SSL checked, and see if they work. Better yet, use the Microsoft Tool to perform this test without the SSL checks and see if it works.
It looks like you need a new cert, one that is Exchange friendly. For Exchange 2007 you really need a multi-domain cert to get full use of Autodiscover and Outlook Anywhere, it can be done with a single domain but requires mroe configurations.
GoDaddy has a multi-domain cert up to 5 domains for ONLY $89/yr, it's a great deal and is Unified Communications friendly, which means its root cert will be trusted by ActiveSync.
GoDaddy
I forgot to mention that you if do the above test from outside your org, then you will need to temporarily open port 80.
ASKER
I got the cert issue sorted out with digicert (forgot to enable the thumb print yes stupid of me lol).
Now here is the error:
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0 ,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward ,SmartRepl y,GetAttac hment,GetH ierarchy,C reateColle ction,Dele teCollecti on,MoveCol lection,Fo lderSync,F olderCreat e,FolderDe lete,Folde rUpdate,Mo veItems,Ge tItemEstim ate,Meetin gResponse, Search,Set tings,Ping ,ItemOpera tions,Prov ision,Reso lveRecipie nts,Valida teCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Fri, 07 Oct 2011 21:32:09 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response.
Now here is the error:
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0
MS-ASProtocolCommands: Sync,SendMail,SmartForward
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Fri, 07 Oct 2011 21:32:09 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Tell me more about this issue and how to resolve it
Additional Details
Exchange ActiveSync returned an HTTP 500 response.
ASKER
I checked the hub transport under server config and integrated windows authentication is check marked.... *sad face* lol
i have received error 500 with active sync when my symantec mail security was acting up.
i removed the mail security and it worked.
i reistalled, and it continued to work.
i removed the mail security and it worked.
i reistalled, and it continued to work.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Found out the issue, it was the inheritance issue on ADUC.
Thanks for the help any ways though.
Thanks for the help any ways though.
ASKER
This was the issue.
Thanks
Awarded points because you posted it before me :)
Thanks
Awarded points because you posted it before me :)
No problem I am glad you got it resolved!
2010 has some builtin policies that have caused issues with android with older revisions, what version are these running?