Droid Phones Not Working with Exchange 2010 SP2

Hello.  

I installed a new Exchange 2010 server running SP2 in an environment which had Exchange 2003.  All of the users who had iPhones and Windows Phones are working fine after the upgrade.  I did not change the virtual server names of the IIS server or the DNS names of the EAS server.  From the end users' perspective there were no changes other than the look and feel of OWA.

However, several users with Droid phones cannot use Activesync anymore.  They had been successfully using EAS with Exchange 2003.

When I look at the phone settings in OWA for each user having problems, I see this:

Device name:    Not Available
Device model:       htcheroc
Phone number:       Not Available
Mobile network:       Not Available
Device type:       htcheroc
Device ID:       HTCAndc165a94c
Device IMEI:       Not Available

Device OS:  Not Available
Device language:       Not Available
User agent:       Android-EAS/0.1

Access state:       Access Denied
Access set by:       Security Policy Application

Policy applied:    Default - Applied in full
Policy updated:       12/31/2011 1:23 PM
ActiveSync version:       12.1

Before I start making changes to EAS policies, is anyone aware of any quick fixes?  Could there be an issue that Google (Android) needs to address?  This is happening with several different Android devices.

Any help is greatly appreciated.

Thank you.
tedwill Asked:

Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Please disable form based authentication in OWA using IIS -> Default Web Site -> Authentication -> disable form based authentication. Do the same for the OWA virtual directory.

good luck
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Don't forget to restart IIS after applying. Try again and update me.
0
tedwill (Author) Commented:
I just checked it and they're already disabled.  
0

Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
OK, can you please run this command in PowerShell and post the results here:

Get-ActiveSyncVirtualDirectory |fl

Also, I need you to go to:

https://www.testexchangeconnectivity.com/

Then select the ActiveSync and ActiveSync Autodiscover tests, and post the results here.

This will make things clear.
0
giltjr Commented:
Are they trying to access from the Internet?

If so, did you define a SRV record or host name autodiscover.yourdomain.tld?

We just did a migration on Thursday and everything is working fine.
0
tedwill (Author) Commented:
Here are the results of the Get-ActiveSyncVirtualDirectory |fl command:

RunspaceId                                 : ef44f662-6368-4d6a-a3dd-a75558cca658
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : http://smtp.pslz.com/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://PSLZEXCH.pslzcpa.local/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : False
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : False
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
Path                                       :
ExtendedProtectionTokenChecking            : None
ExtendedProtectionFlags                    : {}
ExtendedProtectionSPNList                  : {}
Server                                     : PSLZEXCH
InternalUrl                                : http://pslzexch.pslzcpa.local/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : http://smtp.pslz.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (14.0.100.0)
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                             PSLZEXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                             Administrative Groups,CN=PSLZCPA,CN=Microsoft Exchange,CN=Services,CN=Conf
                                             iguration,DC=pslzcpa,DC=local
Identity                                   : PSLZEXCH\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : faf8fc14-e815-41b3-a50d-248512d12df8
ObjectCategory                             : pslzcpa.local/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 12/31/2011 2:28:21 AM
WhenCreated                                : 12/29/2011 3:29:33 PM
WhenChangedUTC                             : 12/31/2011 7:28:21 AM
WhenCreatedUTC                             : 12/29/2011 8:29:33 PM
OrganizationId                             :
OriginatingServer                          : DC2.pslzcpa.local
IsValid                                    : True

----------------------------------------------------------------------------------

Here are the results of the connectivity test.  It doesn't look good, and yet the Windows and iPhones are able to work with EAS just fine.

As background - this company has a hosted web site, an onsite Exchange environment and they use Postini for offsite email hygiene.  All phones including the Droids worked with Exchange 2003 and these same settings.  They also don't use certs at this point.  The domain.com points to their hosted web site.  Their smtp.domain.com points to their Exchange server on site.  Their DNS is hosted by AT&T offsite.  They have two DCs running DNS onsite.

Connectivity Test -



Attempting the Autodiscover and Exchange ActiveSync test (if requested).

Testing of Autodiscover for Exchange ActiveSync failed.

Test Steps

Attempting each method of contacting the Autodiscover service.

The Autodiscover service couldn't be contacted successfully by any method.

Test Steps
Attempting to test potential Autodiscover URL https://pslz.com/AutoDiscover/AutoDiscover.xml
 

Testing of this potential Autodiscover URL failed.


Test Steps

Attempting to resolve the host name pslz.com in DNS.
 

The host name resolved successfully.

Additional Details
 

IP addresses returned: 140.174.83.121


Testing TCP port 443 on host pslz.com to ensure it's listening and open.
 

The port was opened successfully.


Testing the SSL certificate to make sure it's valid.
 

The SSL certificate failed one or more certificate validation checks.


Test Steps


ExRCA is attempting to obtain the SSL certificate from remote server pslz.com on port 443.


ExRCA successfully obtained the remote SSL certificate.


Additional Details
Validating the certificate name.
Certificate name validation failed.



Additional Details


Attempting to test potential Autodiscover URL https://autodiscover.pslz.com/AutoDiscover/AutoDiscover.xml


Testing of this potential Autodiscover URL failed.

Test Steps

Attempting to resolve the host name autodiscover.pslz.com in DNS.

The host name couldn't be resolved.



Additional Details

Host autodiscover.pslz.com couldn't be resolved in DNS InfoDomainNonexistent.

Attempting to contact the Autodiscover service using the HTTP redirect method.

The attempt to contact Autodiscover using the HTTP Redirect method failed.

Test Steps

Attempting to resolve the host name autodiscover.pslz.com in DNS.

The host name couldn't be resolved.
Additional Details
Host autodiscover.pslz.com couldn't be resolved in DNS InfoDomainNonexistent.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.

ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps

Attempting to locate SRV record _autodiscover._tcp.pslz.com in DNS.
 

The Autodiscover SRV record wasn't found in DNS.



0
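
The `Get-ActiveSyncVirtualDirectory` output above shows `BasicAuthEnabled : True` together with `WebSiteSSLEnabled : False` and `http://` URLs, so device credentials would travel without transport encryption. The check below is an added example, not part of the original posts; the function name `Test-EasTransport` is hypothetical and the sample object is constructed from the values posted above.

```powershell
# Added example (not from the thread): flag ActiveSync virtual directories
# that accept Basic authentication without SSL. Property names are the ones
# shown in the Get-ActiveSyncVirtualDirectory | fl output posted above.
function Test-EasTransport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VirtualDirectory
    )
    process {
        $findings = @()
        $basic = [bool]$VirtualDirectory.BasicAuthEnabled
        $ssl   = [bool]$VirtualDirectory.WebSiteSSLEnabled

        # Basic auth is only base64-encoded; without SSL it is readable on the wire.
        if ($basic -and -not $ssl) {
            $findings += 'Basic auth enabled while WebSiteSSLEnabled is False'
        }
        # Devices follow the published URLs, so these must be https as well.
        foreach ($name in 'InternalUrl', 'ExternalUrl') {
            $url = [string]$VirtualDirectory.$name
            if ($url -and $url -notmatch '^https://') {
                $findings += "$name is not https ($url)"
            }
        }
        New-Object PSObject -Property @{
            Identity  = [string]$VirtualDirectory.Identity
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample mirroring the values in the posted output.
$sample = New-Object PSObject -Property @{
    Identity          = 'PSLZEXCH\Microsoft-Server-ActiveSync (Default Web Site)'
    BasicAuthEnabled  = $true
    WebSiteSSLEnabled = $false
    InternalUrl       = 'http://pslzexch.pslzcpa.local/Microsoft-Server-ActiveSync'
    ExternalUrl       = 'http://smtp.pslz.com/Microsoft-Server-ActiveSync'
}
$sample | Test-EasTransport | Format-List Identity, Compliant, Findings

# On the Exchange server, from the Exchange Management Shell:
#   Get-ActiveSyncVirtualDirectory | Test-EasTransport | Format-List
```

For the sample it reports `Compliant : False` with three findings: the Basic-auth-without-SSL condition and both non-https URLs.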
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
@giltjr:
This will be clear after posting the testexchangeconnectivity results.
0
giltjr Commented:
What timing.

Yes, you need to define a host autodiscover.pslz.com or setup a SRV record.  You can read more here:

      http://technet.microsoft.com/en-us/library/bb124251.aspx

It also looks like your SSL cert may have issues.


0
tedwill (Author) Commented:
@giltjr - all other phones using EAS - iPhones and Windows phones - are all connecting from outside the office and syncing mail, contacts and calendars.  It's just the Droids that are getting the "Access State:  Access Denied" when they try to connect to the CAS.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
It's clear from the test that autodiscover.pslz.com is not available, so what you need to do is go to your domain pslz.com management -> DNS -> add new record, type SRV -> name: autodiscover.pslz.com,
pointing to the static IP address of your Exchange server. As additional settings, please run these commands to make sure that the Autodiscover configuration is working fine for external and internal:

Set-AutodiscoverVirtualDirectory -Identity "Autodiscover (Default Web Site)" -InternalUrl https://ExchangeServerName.LocalDomain.local/autodiscover/autodiscover.xml -ExternalUrl https://autodiscover.pslz.com/autodiscover/autodiscover.xml

Set-ClientAccessServer -Identity "ExchangeServerName" -AutoDiscoverServiceInternalUri https://serverName.LocalDomain.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -InternalUrl https://ServerName.LocalDomain.local/EWS/Exchange.asmx -ExternalUrl https://mail.doma.com/ews/exchange.asmx


Note that: ServerName.Localdomain.local = yourExchangeServerName.YourlocalDOmain.local
Example: exch01.domain.local
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Ahaaaaaaaaa, it's different then, the problem is with Android only... I will be back for you.
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
I am just wondering, did you install the latest service pack of Exchange 2010??
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Please download and install Exchange 2010 SP2, it will work:

http://www.microsoft.com/download/en/details.aspx?id=28190

good luck
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
I am sorry, I did not notice that it's SP2, maybe because the time is late, 3:21 AM. I will continue to figure it out.
0
giltjr Commented:
Exchange 2010 changed how it did things when compared to 2003 when it comes to certain things.

I don't know all of the details.  I am not involved in the Exchange side of things.  I had to set up a Big-IP F5 LTM load balancer to load balance between two CAS servers running OWA.  I was given the above link and got some doc from Big-IP and set up the F5 and went on my way.

We had to add the DNS entry autodiscover.ourname.com in order to get it to work and we had to have a Subject Alternative Names (SAN) cert that covered the host names involved.

I have no clue why the iPhones or Windows phones are working.  I personally would be doing packet captures to see what was going on.

I have not read through the whole chain, but I did find:

      http://code.google.com/p/android/issues/detail?id=11177#c142

This is supposedly a fix for "a problem" with the same symptoms you are having.
0

Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
Oh, I feel sleeeepy... please read here, it's the same one:


http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/bcc50ce4-0c97-4851-987d-1f5080d7942b

Hope this will help.

good luck and good night
0
tedwill (Author) Commented:
@giltjr: I just tried the permissions issue.  I had to do that for a number of people prior to moving their mailboxes from Exchange 2003 to 2010, otherwise the move mailbox command failed.  Odd how that security issue plays such a huge role.  Thanks for your help.  I'll let you know if this worked.

@jordannet: I read that entire saga before posting my message because I thought since the problem was over a year and a half old that it had been resolved.  I reread it in greater detail and it looks like there's a lot of potential solutions including the "include inheritable permissions".  I'll keep looking into this.

Thanks to both of you for all your help.  I'll let you know in the morning if it worked.  Happy New Year!
0
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
OK, I wish you good luck, man. Happy New Year too.
0
tedwill (Author) Commented:
So, it was a combination of the "Set Inheritable Permissions" and getting rid of the default EAS policy - Remove-ActiveSyncMailboxPolicy -id <Default>

Though it's not a perfect solution, all devices are working.  Thanks for pointing me in the right direction.
0
giltjr Commented:
Thanks for the points.

What is really weird is that when I returned to work today, I found out that iPhones and iPads were not working after we did our migration, only Androids and Windows phones were.

I was told that by removing the settings on the iPhone/iPad and re-defining it that everything worked.  Something about the fact that we changed our SSL Cert and the iPhone/iPad got upset.  Again, this is what I was told.  Sometimes the group in charge of our distributed servers don't tell me the whole story though.
0
TTAF4 Commented:
Hi Ted

I am having the exact same problem. Just a question: the last part of your solution, Remove-ActiveSyncMailboxPolicy, does it remove the default EAS policy from Exchange? I thought there has to be at least one policy active??
0
tedwill (Author) Commented:
I set up several policies after removing this one.  The devices are all working fine.  It might also have to do with having a service pack upgrade to Exchange since then as well.  Hopefully you get your devices working.  All but one switched to the iPhone, which is a way better client of EAS than Android.
0
TTAF4 Commented:
ok thanks bud. I am still struggling....
0