smyers051972 asked:
Exchange 2010 Active Sync Issue

Hello,

I am migrating my Exchange 2007 server to 2010. I have all my users' mailboxes moved, with the exception of the _services and discovery mailboxes.

My firewall is a SonicWall TZ210 and I have the following ports NAT routed:

  25    (SMTP)
  443   (HTTPS)
  990   (RAPI)
  999   (Status)
  5721  (DTPT)
  5678  (Legacy Replication)
  5679  (Handshake & Legacy Replication)
  26675 (Airsync)

I am requiring SSL and have a valid cert (it shows the proper thumbprint on the console when I issue the get ssl command).

My issue is: on Android devices the device can authenticate, but after you get through the "services to sync" screen it takes a long time and then fails. On Apple devices I try to sync and it hangs for a long time and then fails as well.

I am unsure what I am missing here and any help would be appreciated.

Thanks
linraf:

Are there events in your server logs?

2010 has some built-in policies that have caused issues with Android on older revisions; what version are these running?

You probably have to enable a device password on the phone. This is a known issue with Android 2.x and lower.

I just went through an Exchange 2003 to Exchange 2010 migration with a domain migration myself. I ran into issues with ActiveSync, and the Microsoft Remote Connectivity Analyzer was a great resource in my troubleshooting efforts. My situation ended up being related to permissions propagation in IIS; for whatever reason the proper permissions did not propagate down to the necessary folders. Not to mention we were first testing our ActiveSync with an ADMIN account, something that is blocked by default in Exchange 2010, so when you run the tests be sure to use a normal user account and not an account who is a member of any protected group like Domain Admins. Also, if you set up an OWA redirect, be sure to turn off the redirect for all the virtual directories except OWA.

The apple devices fail as well?

Please run the ActiveSync tests and post the responses if possible.

I am leaning towards this possibly being a firewall issue; there are occasions in which firewall TTL settings can cause ActiveSync connections to fail because it drops the connection prematurely. I have experienced this first hand with WatchGuard and ASAs, but not with my clients using SonicWall devices. Something to consider!

Microsoft Remote Connectivity Analyzer
smyers051972 (asker):
It's all devices: Apple and Android, iPad, iPad 2, iPod etc. all fail, but what's strange is OWA is fine. Don't they use OWA for mail?

Well, yes and no; OWA can be working fine but ActiveSync NOT. Please run the Microsoft Remote Connectivity Analyzer, it will aid in narrowing down the problem. There are a lot of variables and running the test will point us in the right direction.

Did ActiveSync ever work? Are your SSL certs and the like all in place and correctly configured? Do you have OWA redirects in place?

This is strange, I ran it and here is what it said:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail. in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 24.120
 
 Testing TCP port 443 on host mail. to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
 
HOWEVER, when I load OWA from an external location it doesn't complain about the SSL cert at all and even shows the info from DigiCert.

I'm stumped.

Hmmm, well let's talk about your certificate. Is it a multi-domain cert, a wildcard cert, or is it just single domain?

Can you expand the response to see what validation checks the cert failed?

Single domain. One thing I remember from yesterday though, setting it back up: I didn't revoke the old cert, I added this machine as a SAN onto it. Could this be an issue? The external domain it is answering to, mail. for example, is the same.

Looks like I didn't expand everything, here is the rest of the error:

   ExRCA is attempting to obtain the SSL certificate from remote server mail. on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
 
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail. was found in the Certificate Subject Common name.
 
 Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=mail., O="Community Association, Inc.", L=Las Vegas, S=Nevada, C=US.
  One or more certificate chains were constructed successfully.
   Additional Details
  A total of 1 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
 
 Analyzing the certificate chains for compatability problems with Windows Phone devices.
  Potential compatibility problems were identified with some versions of Windows Phone.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate is not trusted on any version of Windows Phone device. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
This is losing me here. What's weird is I can point to the Exchange 2007 server and ActiveSync is fine; I don't think the error it's reporting is true.

What do you mean that you can point to it and it's fine?

The error above states that there is not a problem with connecting, but that the problem is with the cert, more specifically the cert's compatibility with ActiveSync.

A quick test would be to remove the SSL requirement from the ActiveSync virtual directory in IIS, restart IIS, and test your devices without Require SSL checked, and see if they work. Better yet, use the Microsoft tool to perform this test without the SSL checks and see if it works.

It looks like you need a new cert, one that is Exchange friendly. For Exchange 2007 you really need a multi-domain cert to get full use of Autodiscover and Outlook Anywhere; it can be done with a single-domain cert but requires more configuration.

GoDaddy has a multi-domain cert for up to 5 domains for ONLY $89/yr; it's a great deal and is Unified Communications friendly, which means its root cert will be trusted by ActiveSync.

GoDaddy
I forgot to mention that if you do the above test from outside your org, then you will need to temporarily open port 80.

I got the cert issue sorted out with DigiCert (forgot to enable the thumbprint, yes, stupid of me lol).

Now here is the error:

An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.
   Test Steps
   Attempting to send the OPTIONS command to the server.
  The OPTIONS response was successfully received and is valid.
   Additional Details
  Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Fri, 07 Oct 2011 21:32:09 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

 Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Exchange ActiveSync returned an HTTP 500 response.
I checked the Hub Transport under Server Configuration and Integrated Windows Authentication is checkmarked.... *sad face* lol

I have received error 500 with ActiveSync when my Symantec Mail Security was acting up.
I removed the Mail Security and it worked.
I reinstalled it, and it continued to work.

ASKER CERTIFIED SOLUTION by jodiddy
(The solution text is only available to Experts Exchange members.)
Found out the issue; it was the inheritance issue in ADUC.

Thanks for the help anyway though.
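As an added example (not posted by anyone in this thread), here is a PowerShell report for the condition the asker found and jodiddy hinted at earlier: user objects whose ADUC "Include inheritable permissions from this object's parent" box is unticked, which Exchange 2010 ActiveSync answers with an HTTP 500. It assumes the RSAT ActiveDirectory module and a domain-joined admin session; the search base and the helper names are my own.

```powershell
# Added example, not from the thread. Lists AD users whose security descriptor
# blocks inheritance (the ADUC checkbox the asker found unticked) and offers a
# one-account fix. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUsers {
    param(
        # Assumed default: search the whole domain; pass an OU DN to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # adminCount=1 marks accounts that the AdminSDHolder process has protected
    # (current or former members of protected groups such as Domain Admins).
    # nTSecurityDescriptor exposes the inheritance flag directly.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(objectCategory=person)' `
               -Properties adminCount, nTSecurityDescriptor, mail |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName    = $_.SamAccountName
                Mail              = $_.mail
                AdminCount        = $_.adminCount
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Restore-UserInheritance {
    # Re-enable inheritance on one account. Accounts still in a protected group
    # are re-protected by AdminSDHolder (SDProp, hourly by default), so for
    # those the lasting fix is a separate non-privileged mailbox account.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # $false: stop protecting (inherit again); $true: keep existing explicit ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Report only; nothing changes unless Restore-UserInheritance is called explicitly.
Get-InheritanceBlockedUsers | Format-Table SamAccountName, Mail, AdminCount -AutoSize
```

Any account listed with AdminCount 1 belongs, or once belonged, to a protected group; re-checking the box on such an account is undone within the hour, which is why the earlier advice to test with a plain user account matters.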
This was the issue.
Thanks

Awarded points because you posted it before me :)
No problem I am glad you got it resolved!