iPad/iPhone email sync Problem

I have a client who just got 2 iPads, and I tried to sync their email to them. They have never used any mobile devices to connect to their Exchange server, so it may be something on their server I have overlooked, but I cannot get them to connect. I also have my iPhone and cannot connect it to their email system, though I can connect my phone to my email.

The MX record is correct and resolves to the right IP address
The appropriate ports on the firewall are open
I have tried the test Exchange ActiveSync Microsoft website and everything checks out in green
I downloaded the Active Sync tester and ran it on the server and it says it's fine

On the iPad I add the account and it gets the check marks next to contacts, calendar, etc., but when I open the mail on it and my iPhone it says
'Cannot get mail
The connection to the server failed.'
Asked by: Axis52401 (Security Analyst)
 
Alan Hardisty (Co-Owner) commented:
@kdubendorf - The question states "I have tried the test Exchange ActiveSync Microsoft website and everything checks out in green" - so that should tell you the SSL certificate is fine.

Can you please check your IIS settings against my article and make sure all is as per my settings:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
0
 
Alan Hardisty (Co-Owner) commented:
Please check your inherited permissions for the accounts as per my article (ignore the Exchange version of the article - it is relevant to 2003 as well):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

If that doesn't work - please let me know.

Alan
0
 
kdubendorf commented:
Can you pull up an OWA login screen from Internet Explorer from both inside and outside of your firewall?

If not, check your SSA certificate.
0

 
Alan Hardisty (Co-Owner) commented:
OWA has nothing to do with Activesync, so your test isn't going to prove / disprove an awful lot.
0
 
kdubendorf commented:
It will validate if your SSA is working properly.
0
 
Axis52401 (Security Analyst, Author) commented:
Alan, that box is checked, and the OWA does work.
0
 
Axis52401 (Security Analyst, Author) commented:
Yes, the IIS settings all match those on that page. I had already found that link in my troubleshooting.
0
 
Alan Hardisty (Co-Owner) commented:
Do you have any other iDevices you can test the accounts on?

Can you test other accounts on the iPads too please?
0
 
Axis52401 (Security Analyst, Author) commented:
Yes, I have my iPhone and was unable to connect to their server, to their account or a test account I created. But I can connect to my company's Exchange server. I was also able to connect to my Exchange account from their iPads, so I believe it is some sort of server problem on their side, just not sure what.
0
 
Alan Hardisty (Co-Owner) commented:
Okay - so it looks like their server.  Can you uncheck the Inherited permissions, apply, then re-check them and apply again and then test again please.
0
 
Axis52401 (Security Analyst, Author) commented:
Unchecked, applied, rechecked, reapplied.

Now with the Active Sync test program on the server itself I am getting
Testing 192.168.10.10 (SSL, On LAN):

Communications:
      Doing DNS lookup on 192.168.10.10 ........ OK (server.domain.local)
      Testing TCP to 192.168.10.10 port 443 .... FAIL

Result:
      Failed to connect to the server. [Connection Refused]
0
 
Axis52401 (Security Analyst, Author) commented:
Never mind the last, restarted IIS and now we're back to where I started

'Cannot get mail
The connection to the server failed.' on the iPad, but the Active Sync test program shows

Testing 192.168.10.10 (, On LAN):

Communications:
      Doing DNS lookup on 192.168.10.10 ........ OK (server.domain.local)
      Testing TCP to 192.168.10.10 port 80 ..... OK
ActiveSync:
      Checking for application ................. OK
      Checking version ......................... OK (2.0.3274.0)
      Checking protocols ....................... OK (1.0,2.0)
User Permissions:
      Checking "mlh/test" ...................... OK

Result:
      ActiveSync IS available.
0
 
Alan Hardisty (Co-Owner) commented:
Can you please use the test site https://testexchangeconnectivity.com and run the Exchange Activesync Test (without Autodiscover anything) and post those results.

Thanks

Alan
0
 
Axis52401 (Security Analyst, Author) commented:
Here is what I get. I'm not an SSL expert and realize it says Certificate name validation failed but I ran the same test on my account on my mail server and get the exact results yet mine works.


ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name imail.domainname.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host imail.domainname.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server imail.domainname.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local, Issuer: CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name imail.domainname.com doesn't match any name found on the server certificate CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
0
 
Alan Hardisty (Co-Owner) commented:
Your certificate is named mlh.local - thus it is never going to work because .local domain names are for internal use only and are not internet routable.

You need to rename the certificate imail.domainname.com to match the FQDN you are using to access the server via when configuring activesync.

So - not sure how you managed to get all Green Ticks in the test previously as you mentioned in your question.
0
 
Axis52401 (Security Analyst, Author) commented:
Do you know how I would rename that?
0
 
Axis52401 (Security Analyst, Author) commented:
Or maybe even set it to not require ssl
0
 
Alan Hardisty (Co-Owner) commented:
Christ no - Not requiring SSL will send your username / password in clear text across the network and thus you can get hacked nice and easily.

Is this an SBS server or Windows 2003 / Exchange 2003 server?
0
 
Axis52401 (Security Analyst, Author) commented:
SBS 2003
0
 
Alan Hardisty (Co-Owner) commented:
Then just re-run the Connect to the Internet Wizard, change nothing until you get to the Certificate part and then generate a new SSL cert using imail.domainname.com and then complete the wizard.

Then re-test and all should be well.
0
 
Axis52401 (Security Analyst, Author) commented:
I re-ran it and created a new SSL cert, but may have done something wrong because it still shows this

      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name imail.domainname.com doesn't match any name found on the server certificate CN=imail.domainname.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
0
 
Alan Hardisty (Co-Owner) commented:
Your cert shows imail.mullenlaverty.com yet your domain is imail.mullinlaverty.com.

Please re-run the wizard and change the cert name to the correct spelling.
0
 
Axis52401 (Security Analyst, Author) commented:
Well, I think we're making progress; at least now I have a different error on the Exchange site test



Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name imail.mullinlaverty.com was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       Certificate trust validation failed.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
       A certificate chain couldn't be constructed for the certificate.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local
0
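The three certificate failures worked through in this thread (a certificate named for mlh.local, the one-letter misspelling of the host name, and a chain that ends at the certificate itself) can be told apart from the ExRCA detail lines alone. The sketch below is an added example, not code from the thread or from ExRCA; the function names and finding labels are made up for illustration, and the misspelled subject string is constructed from the comment above.

```python
import difflib
import re

def split_exrca_line(line):
    """Split ExRCA's 'Remote Certificate Subject: ..., Issuer: ...' detail line."""
    m = re.search(r"Subject:\s*(.+?),\s*Issuer:\s*(.+?)\.?\s*$", line)
    if not m:
        raise ValueError("not an ExRCA certificate detail line")
    return m.group(1), m.group(2)

def parse_cns(dn):
    """Every CN value in a DN string, lower-cased (DNS names are case-insensitive)."""
    return [v.strip().lower() for v in re.findall(r"CN=([^,]+)", dn)]

def diagnose(host, subject, issuer):
    """Return the certificate problems a sync client would hit for this host."""
    host = host.lower().rstrip(".")
    names = parse_cns(subject)
    findings = []
    if host not in names:
        # A near-identical name points to a typing error, not a wrong certificate.
        near = difflib.get_close_matches(host, names, n=1, cutoff=0.9)
        findings.append(f"name-typo:{near[0]}" if near else "name-mismatch")
    # Primary name is internal-only (.local or a bare host name).
    if names and (names[0].endswith(".local") or "." not in names[0]):
        findings.append(f"internal-primary-name:{names[0]}")
    # Subject equals Issuer: the chain ends at the certificate itself, which a
    # device trusts only if that certificate has been installed on it.
    if names == parse_cns(issuer):
        findings.append("self-issued")
    return findings

# Detail line as posted in the thread (first ExRCA run).
FIRST_RUN = ("Remote Certificate Subject: CN=mlh.local, CN=companyweb, CN=mlh2k3fs, "
             "CN=localhost, CN=mlh2k3fs.MLH.local, Issuer: CN=mlh.local, CN=companyweb, "
             "CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.")
TAIL = ", CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local"
# Constructed from the misspelling pointed out in the thread (second run).
MISSPELLED = "CN=imail.mullenlaverty.com" + TAIL
# Subject and root as posted for the third run.
CORRECTED = "CN=imail.mullinlaverty.com" + TAIL

if __name__ == "__main__":
    subj, iss = split_exrca_line(FIRST_RUN)
    print(diagnose("imail.domainname.com", subj, iss))
    print(diagnose("imail.mullinlaverty.com", MISSPELLED, MISSPELLED))
    print(diagnose("imail.mullinlaverty.com", CORRECTED, CORRECTED))
```

Current clients match the host name against subjectAltName entries rather than CN values; the same comparison applies to those names.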
 
Alan Hardisty (Co-Owner) commented:
Please download and install the following patch:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6149
0
 
Axis52401 (Security Analyst, Author) commented:
I'm not sure that did anything; it just gave the hourglass for a sec and went away.
0
 
Alan Hardisty (Co-Owner) commented:
Have you re-run the test on the test site?
0
 
Axis52401 (Security Analyst, Author) commented:
Yes, and if I hit Ignore Trust for SSL it works, but if not I get the below and the phone and iPad still won't connect


Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name imail.mullinlaverty.com was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       Certificate trust validation failed.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
       A certificate chain couldn't be constructed for the certificate.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local
0
 
Alan Hardisty (Co-Owner) commented:
Not sure if that is a deal-breaker.  Can you please try the iPads now.

When it comes to the cert pop-up, just click on Continue to accept the certificate.
0
 
Axis52401 (Security Analyst, Author) commented:
Still getting 'Cannot get mail
The connection to the server failed.' on the iPads
0
 
Alan Hardisty (Co-Owner) commented:
Did you get a certificate prompt?
0
 
Axis52401 (Security Analyst, Author) commented:
No, I've seen that prompt you're talking about before on other systems, but for this one it doesn't come up. I put in the settings and it seems to take them like it's going to work, but then when I go to the mail screen and hit the mail icon it gives the error.
0
 
Axis52401 (Security Analyst, Author) commented:
Is there any way of not requiring the SSL cert even temporarily to see if that is indeed the problem?
0
 
Alan Hardisty (Co-Owner) commented:
You can do that - but that requires you to change the SSL requirements on various IIS virtual directories.

It also isn't safe.

$30 would solve the problem if you buy a 3rd party SSL certificate which is guaranteed to work.
0
 
Axis52401 (Security Analyst, Author) commented:
Yea, but I'd hate to make them spend the money and that turn out not to be the problem.
0
 
Alan Hardisty (Co-Owner) commented:
I know more about Activesync than any other Expert on this site.

The $30 is also refundable if it doesn't work, so there is no risk to take financially.
0
 
Alan Hardisty (Co-Owner) commented:
Have you deleted and re-created the Exchange account on the iPad, or did you just re-try the existing account?

If the latter - please delete and re-create the account and make sure you get the Certificate Prompt.
0
 
Axis52401 (Security Analyst, Author) commented:
Yes, I've been deleting and re-adding it every time. What's weird is it says account added and then doesn't work. Usually if it gets to account added it works.
0
 
Alan Hardisty (Co-Owner) commented:
Have you re-checked the IIS settings using my article since re-running the Wizard?  Sometimes the settings can get reset to the wrong settings!
0
 
Axis52401 (Security Analyst, Author) commented:
Yes, and they are still the same as you have in that link.
0
 
Alan Hardisty (Co-Owner) commented:
Okay - can you set me up a test account on your server and email me the details to alan @ it-eye.co.uk please.

I need to know:

email address
internal domain name
username
password

I can then setup an account on my iPhone / iPad and see if that works for me.

One other Q - have you got Wi-Fi enabled on the iPads?  If you have - please disable it and try setting up the account again.
0
 
Alan Hardisty (Co-Owner) commented:
Thanks - getting the same issue!

Test site gives me all green ticks and no cert errors.

Don't suppose you have some software called "Hide Folders 2009" installed on your server?
0
 
Alan Hardisty (Co-Owner) commented:
What Authentication is Enabled on the Exchange / Exchange-OMA / Microsoft-Server-Activesync virtual Directories in IIS?
0
 
Axis52401 (Security Analyst, Author) commented:
I only get the all green when I hit ignore trust for SSL.

I've never heard of Hide Folders 2009 and don't see it installed. How would that help?
0
 
Alan Hardisty (Co-Owner) commented:
You need to tick that - it isn't a trusted SSL certificate.

The Hide Folders software doesn't help - it breaks Activesync.
0
 
Axis52401 (Security Analyst, Author) commented:
Right, then I get all green too, but the iPad doesn't have that option. Can you tell me how to disable requiring SSL just to see if it'll work? If it is, I can get them to buy the trusted cert.
0
 
Alan Hardisty (Co-Owner) commented:
Check my article and where it says have SSL required - set it to SSL not required.

Then run IIS reset and test without SSL on the iPad.  You can't use the test site to test without SSL, so don't waste your time trying.  You can use the Test App mentioned in my article though.
0
 
Axis52401 (Security Analyst, Author) commented:
I tried unchecking it on Microsoft-Server-Activesync and turning the SSL check off on the iPad and still get

'Cannot get mail
The connection to the server failed.'
0
 
Alan Hardisty (Co-Owner) commented:
SSL shouldn't be enabled on Microsoft-Server-Activesync unless you are running Exchange 2003 Native.  You have SBS, so you need to follow the IIS Settings for the SBS section.

Please check those and make sure they are ALL correct, then run iisreset and test on the test site to make sure that is happy, then try the iPad.
0
 
Axis52401 (Security Analyst, Author) commented:
On that document under Exchange 2003 (Part of Small Business Server):
There are 4 virtual directories. I have the require SSL unchecked on all 4

Exchange Virtual Directory
Microsoft-Server-Activesync Virtual Directory
Exchange-oma Virtual Directory
OMA Virtual Directory
0
 
Alan Hardisty (Co-Owner) commented:
Okay - so now run iisreset (if you changed anything) and then test the iPad without SSL enabled.
0
 
Axis52401 (Security Analyst, Author) commented:
On the iPad, when I slide off the SSL it gives a popup that says
Exchange Account
Unable to verify Account information
0
 
Alan Hardisty (Co-Owner) commented:
Yep - I got that too.

Can you put the IIS settings back to how they were (as per the SBS section of my article), then run iisreset.

Once done - please right-click the exchange virtual directory in IIS Manager and click Browse.  You should see the Administrator webmail account.

Do the same for the exchange-oma virtual directory.  What happens?
0
 
Alan Hardisty (Co-Owner) commented:
Is your Sonicwall doing any HTTPS inspection on the inbound traffic?
0
 
Alan Hardisty (Co-Owner) commented:
Port 80 for your network goes straight to your Sonicwall, so you won't be able to use Activesync without SSL until you change the management port of the Sonicwall.
0
 
Axis52401 (Security Analyst, Author) commented:
It looks like the same on both, a mini webmail window for the administrator account.
0
 
Alan Hardisty (Co-Owner) commented:
Do you have to login on the Exchange-oma virtual directory?
0
 
Axis52401 (Security Analyst, Author) commented:
I just changed the Sonicwall management port to 8080
Still can't connect
0
 
Axis52401 (Security Analyst, Author) commented:
Do you mean when I hit Browse? No, it just opened up.
0
 
Alan Hardisty (Co-Owner) commented:
Then your settings are not as per my article.

Please run through them very carefully and make sure that all settings are correct.

I am heading to bed shortly - nearly 2:00am for me and I will pick up again tomorrow.
0
 
Axis52401 (Security Analyst, Author) commented:
I'll run through them again, but I've gone line by line and am pretty sure. But I was pretty sure I had the SSL cert with the right spelling, so it could be there.

I appreciate all your help.
0
 
Alan Hardisty (Co-Owner) commented:
If you can double-check the authentication and SSL settings etc, that would be great.

I'll be around tomorrow to see if you have made any progress.

Good luck until then.

Alan
0
 
Axis52401 (Security Analyst, Author) commented:
I went through them line by line and they match exactly what you have in that link.
0
 
Axis52401 (Security Analyst, Author) commented:
I was wondering if anyone was still monitoring this post. Does anyone have any ideas?
0
 
Alan Hardisty (Co-Owner) commented:
Still here but missed your last but one comment.  Sorry.

So all settings are as per my article?  If so - please re-test the device and setup the account.  Is it working?
0
 
Axis52401 (Security Analyst, Author) commented:
I went through it line by line and it looks the same. And yea, I haven't made any progress. I was out of the office last week and am just getting back to it.

You said since I hit Browse on that virtual directory and it opened up, something is not set up right, but I can't find what.
0
 
Alan Hardisty (Co-Owner) commented:
This is looking very weird.  I'll review the question and see if I have any other ideas.
0
 
Axis52401 (Security Analyst, Author) commented:
No problems.  Will wait to hear from you.
0
 
Axis52401 (Security Analyst, Author) commented:
Solution was right on point, thanks for all your help
0
Question has a verified solution.
