Solved

Exchange 2010 Active Sync Issue

Posted on 2011-10-07
Last Modified: 2012-05-12
Hello,

I am migrating my Exchange 2007 server to 2010. I have all my users' mailboxes moved with the exception of _services and the discovery mailbox.

My firewall is a SonicWall TZ210 and I have the following ports NAT routed:

  25 (SMTP)
  443 (HTTPS)
  990 (RAPI)
  999 (Status)
  5721 (DTPT)
  5678 (Legacy Replication)
  5679 (Handshake & Legacy Replication)
  26675 (Airsync)

I am requiring SSL and have a valid cert (shows the proper thumbprint on the console when I issue the get ssl command).

My issue is, on Android devices the device can authenticate, but after you get through the services-to-sync screen it takes a long time and then fails. On Apple devices I try to sync and it hangs for a long time and then fails as well.

I am unsure what I am missing here and any help would be appreciated.

Thanks
Question by:smyers051972
19 Comments
 
LVL 6

Expert Comment

by:linraf
ID: 36932808
Are there events in your server logs?

2010 has some built-in policies that have caused issues with Android with older revisions. What version are these running?
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36932930
You probably have to enable a device password on the phone. This is a known issue with Android 2.x and lower.
 
LVL 3

Expert Comment

by:jodiddy
ID: 36933248
I just went through an Exchange 2003 to Exchange 2010 migration with a domain migration myself. I ran into issues with ActiveSync and the Microsoft Remote Connectivity Analyzer was a great resource in my troubleshooting efforts. My situation ended up being related to permissions propagation in IIS; for whatever reason the proper permissions did not propagate down to the necessary folders. Not to mention we were first testing our ActiveSync with an ADMIN account, something that is blocked by default in Exchange 2010, so when you run the tests be sure to use a normal user account and not an account who is a member of any protected group like Domain Admins. Also, if you set up an OWA redirect, be sure to turn off the redirect for all the virtual directories except OWA.

The apple devices fail as well?

Please run the ActiveSync tests and post the responses if possible.

I am leaning towards this possibly being a firewall issue; there are occasions in which firewall TTL settings can cause ActiveSync connections to fail because it drops the connection prematurely. I have experienced this first hand with WatchGuard and ASAs, but not with my clients using SonicWall devices. Something to consider!

Microsoft Remote Connectivity Analyzer
 
LVL 1

Author Comment

by:smyers051972
ID: 36933478
It's all devices: Apple and Android, iPad, iPad 2, iPod etc. all fail, but what's strange is OWA is fine. Don't they use OWA for mail?
 
LVL 3

Expert Comment

by:jodiddy
ID: 36933557
Well, yes and no; OWA can be working fine but ActiveSync NOT. Please run the Microsoft Remote Connectivity Analyzer, it will aid in narrowing down the problem. There are a lot of variables and running the test will point us in the right direction.

Did ActiveSync ever work? Are your SSL certs and the like all in place and correctly configured? Do you have OWA redirects in place?
 
LVL 1

Author Comment

by:smyers051972
ID: 36933631
This is strange, I ran it and here is what it said:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail. in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 24.120
 
 Testing TCP port 443 on host mail. to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
 
HOWEVER, when I load OWA from an external location it doesn't complain about the SSL cert at all and even shows the info from DigiCert.

I'm stumped.
 
LVL 3

Expert Comment

by:jodiddy
ID: 36933693
Hmmm, well, let's talk about your certificate. Is it a multi-domain cert, wildcard cert or just single domain?

Can you expand the response to see what validation checks the cert failed?

 
LVL 1

Author Comment

by:smyers051972
ID: 36933721
Single domain. One thing I remember from yesterday though, setting it back up: I didn't revoke the old cert, I added this machine as a SAN onto it. Could this be an issue? The external domain it is answering to, mail. for example, is the same.
 
LVL 1

Author Comment

by:smyers051972
ID: 36933736
Looks like I didn't expand everything; here is the rest of the error:

   ExRCA is attempting to obtain the SSL certificate from remote server mail. on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
 
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail. was found in the Certificate Subject Common name.
 
 Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US.
  One or more certificate chains were constructed successfully.
   Additional Details
  A total of 1 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
 
 Analyzing the certificate chains for compatability problems with Windows Phone devices.
  Potential compatibility problems were identified with some versions of Windows Phone.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate is not trusted on any version of Windows Phone device. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
 
LVL 1

Author Comment

by:smyers051972
ID: 36933759
This is losing me here. What's weird is I can point to the Exchange 2007 server and ActiveSync is fine. I don't think that error it's reporting is true.
 
LVL 3

Expert Comment

by:jodiddy
ID: 36933815
What do you mean that you can point to it and it's fine?

The error above states that there is not a problem with connecting, but that the problem is with the cert, more specifically the cert's compatibility with ActiveSync.

A quick test would be to remove the SSL requirement from the ActiveSync Virtual Directory in IIS, restart IIS, and test your devices without Require SSL checked, and see if they work. Better yet, use the Microsoft tool to perform this test without the SSL checks and see if it works.

It looks like you need a new cert, one that is Exchange friendly. For Exchange 2007 you really need a multi-domain cert to get full use of Autodiscover and Outlook Anywhere; it can be done with a single domain but requires more configuration.

GoDaddy has a multi-domain cert for up to 5 domains for ONLY $89/yr. It's a great deal and is Unified Communications friendly, which means its root cert will be trusted by ActiveSync.

GoDaddy
 
LVL 3

Expert Comment

by:jodiddy
ID: 36933961
I forgot to mention that if you do the above test from outside your org, then you will need to temporarily open port 80.
 
LVL 1

Author Comment

by:smyers051972
ID: 36934001
I got the cert issue sorted out with DigiCert (forgot to enable the thumbprint, yes, stupid of me lol).

Now here is the error:

An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.
   Test Steps
   Attempting to send the OPTIONS command to the server.
  The OPTIONS response was successfully received and is valid.
   Additional Details
  Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Fri, 07 Oct 2011 21:32:09 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

 Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Exchange ActiveSync returned an HTTP 500 response.
 
LVL 1

Author Comment

by:smyers051972
ID: 36934020
I checked the Hub Transport under Server Configuration and Integrated Windows Authentication is checked.... *sad face* lol
 
LVL 6

Expert Comment

by:linraf
ID: 36934032
I have received error 500 with ActiveSync when my Symantec Mail Security was acting up.
I removed the mail security and it worked.
I reinstalled, and it continued to work.
 
LVL 3

Accepted Solution

by:
jodiddy earned 2000 total points
ID: 36934065
Hmmm, are you using an account to test that is a member of a protected group? Make sure you are using a normal user account. Here are the steps necessary to allow an account that is a member of a protected group to test:

In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.

To check whether inheritance is disabled on the user:

  1. Open Active Directory Users and Computers.
  2. On the menu at the top of the console, click View > Advanced Features.
  3. Locate and right-click the mailbox account in the console, and then click Properties.
  4. Click the Security tab.
  5. Click Advanced.
  6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.

If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.

Pasted from <http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx>
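The ADUC click-through above checks one account at a time. The following PowerShell is an added example, not code from the thread or from Microsoft, that reports every mailbox-enabled user in an OU whose ACL inheritance is blocked or whose ACL carries no entry for the Exchange Servers group, the two conditions the accepted answer describes. It assumes the RSAT ActiveDirectory module is installed; the OU path is a constructed placeholder.

```powershell
# Added example: find mailbox accounts that will hit the ActiveSync HTTP 500
# described above because ACL inheritance is broken on their AD object.
# Requires the ActiveDirectory module (RSAT) and read access to the users.
Import-Module ActiveDirectory

function Get-BrokenInheritanceReport {
    param(
        # Constructed placeholder: the OU that holds your mailbox users
        [string]$SearchBase = 'OU=Users,DC=example,DC=com'
    )

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties adminCount, nTSecurityDescriptor, msExchMailboxGuid

    foreach ($u in $users) {
        # Only mailbox-enabled users are relevant to ActiveSync
        if (-not $u.msExchMailboxGuid) { continue }

        $acl = $u.nTSecurityDescriptor

        # Any ACE (inherited or explicit) granted to the Exchange Servers group?
        $exchAce = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\Exchange Servers'
        }

        $report = [pscustomobject]@{
            SamAccountName            = $u.SamAccountName
            # True when "Include inheritable permissions..." is unchecked
            InheritanceDisabled       = $acl.AreAccessRulesProtected
            # adminCount=1 means SDProp has stamped this object from
            # AdminSDHolder, i.e. it is (or was) in a protected group
            ProtectedGroupMember      = ($u.adminCount -eq 1)
            ExchangeServersAcePresent = [bool]$exchAce
        }

        # Report only accounts that exhibit the problem
        if ($report.InheritanceDisabled -or -not $report.ExchangeServersAcePresent) {
            $report
        }
    }
}

# Usage: list the accounts to fix (re-enable inheritance, or move the test
# user out of protected groups as the accepted answer advises)
Get-BrokenInheritanceReport | Format-Table -AutoSize
```

Accounts flagged with ProtectedGroupMember set to True are expected to show InheritanceDisabled, which is why the answer recommends testing ActiveSync with a normal user instead.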
 
LVL 1

Author Comment

by:smyers051972
ID: 36934236
Found out the issue, it was the inheritance issue in ADUC.

Thanks for the help anyway though.
 
LVL 1

Author Closing Comment

by:smyers051972
ID: 36934238
This was the issue.
Thanks

Awarded points because you posted it before me :)
 
LVL 3

Expert Comment

by:jodiddy
ID: 36934240
No problem I am glad you got it resolved!