Solved

Ipad/Iphone email sync Problem

Posted on 2012-03-26
68
612 Views
Last Modified: 2012-04-05
I have a client who just got 2 Ipads, and I tried to sync their email to them. They have never used any mobile devices to connect to their Exchange server, so it may be something on their server I have overlooked, but I cannot get them to connect. I also have my Iphone and cannot connect it to their email system, though I can connect my phone to my email.

The MX record is correct and resolves to the right Ip address
The appropriate ports on the firewall are open
I have tried the text exchange activesync Microsoft website and everything checks out in green
I downloaded the Active Sync tester and ran it on the server and it says it's fine

On the Ipad I add the account and it gets the check marks next to contacts, calendar, etc., but when I open the mail on it and my iphone it says
'Cannot get mail
The connection to the server failed.'
0
Comment
Question by:Axis52401
68 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768160
Please check your inherited permissions for the accounts as per my article (ignore the Exchange version of the article - it is relevant to 2003 as well):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

If that doesn't work - please let me know.

Alan
0
 
LVL 4

Expert Comment

by:kdubendorf
ID: 37768198
Can you pull up an OWA login screen from Internet Explorer from both inside and outside of your firewall?

If not check your SSA certificate.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768213
OWA has nothing to do with Activesync, so your test isn't going to prove / disprove an awful lot.
0
 
LVL 4

Expert Comment

by:kdubendorf
ID: 37768253
It will validate if your SSA is working properly.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768254
Alan, that box is checked, and the OWA does work.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37768287
@kdubendorf - The question states "I have tried the text exchange activesync Microsoft website and everything checks out in green" - so that should tell you the SSL certificate is fine.

Can you please check your IIS settings against my article and make sure all is as per my settings:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768332
Yes the IIS setting all match those on that page. I had already found that link in my troubleshooting.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768380
Do you have any other iDevices you can test the accounts on?

Can you test other accounts on the iPads too please?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768455
Yes, I have my Iphone and was unable to connect to their server to their account or a test account I created. But I can connect to my company's exchange server. I was also able to connect to my Exchange account from their Ipads, so I believe it is some sort of server problem on their side, just not sure what.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768551
Okay - so it looks like their server.  Can you uncheck the Inherited permissions, apply, then re-check them and apply again and then test again please.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768613
Unchecked, applied, rechecked, reapplied.

Now with the Active Sync test program on the server itself I am getting
Testing 192.168.10.10 (SSL, On LAN):

Communications:
      Doing DNS lookup on 192.168.10.10 ........ OK (server.domain.local)
      Testing TCP to 192.168.10.10 port 443 .... FAIL

Result:
      Failed to connect to the server. [Connection Refused]
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768652
Never mind the last, restarted IIS and now we're back to where I started

'Cannot get mail
The connection to the server failed.' on the ipad but the Active sync test program shows

Testing 192.168.10.10 (, On LAN):

Communications:
      Doing DNS lookup on 192.168.10.10 ........ OK (server.domain.local)
      Testing TCP to 192.168.10.10 port 80 ..... OK
ActiveSync:
      Checking for application ................. OK
      Checking version ......................... OK (2.0.3274.0)
      Checking protocols ....................... OK (1.0,2.0)
User Permissions:
      Checking "mlh/test" ...................... OK

Result:
      ActiveSync IS available.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768715
Can you please use the test site https://testexchangeconnectivity.com and run the Exchange Activesync Test (without Autodiscover anything) and post those results.

Thanks

Alan
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768744
Here is what I get. I'm not an SSL expert and realize it says Certificate name validation failed, but I ran the same test on my account on my mail server and get the exact results, yet mine works.


ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name imail.domainname.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host imail.domainname.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server imail.domainname.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local, Issuer: CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name imail.domainname.com doesn't match any name found on the server certificate CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768829
Your certificate is named mlh.local - thus it is never going to work because .local domain names are for internal use only and are not internet routable.

You need to rename the certificate to imail.domainname.com to match the FQDN you are using to access the server when configuring activesync.

So - not sure how you managed to get all Green Ticks in the test previously as you mentioned in your question.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768849
Do you know how I would rename that?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768852
Or maybe even set it to not require ssl
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768875
Christ no - Not requiring SSL will send your username / password in clear text across the network and thus you can get hacked nice and easily.

Is this an SBS server or Windows 2003 / Exchange 2003 server?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768877
SBS 2003
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768886
Then just re-run the Connect to the Internet Wizard, change nothing until you get to the Certificate part and then generate a new SSL cert using imail.domainname.com and then complete the wizard.

Then re-test and all should be well.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37768946
I re-ran it and created a new SSL cert but may have done something wrong because it still shows this

      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name imail.domainname.com doesn't match any name found on the server certificate CN=imail.domainname.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37768962
Your cert shows imail.mullenlaverty.com yet your domain is imail.mullinlaverty.com.

Please re-run the wizard and change the cert name to the correct spelling.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769000
Well, I think we're making progress; at least now I have a different error on the Exchange site test



Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name imail.mullinlaverty.com was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       Certificate trust validation failed.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
       A certificate chain couldn't be constructed for the certificate.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local
0
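The two failures the test site reported in this thread (a host name that is not on the certificate, then a chain whose root is the certificate itself), as an added example that is not part of the original posts. `check_certificate` and its helpers are hypothetical names; the code only compares the CN strings as they appear in the test output, does not verify signatures, and the CA name in the last sample is constructed.

```python
import re

def parse_cns(dn):
    """Return every CN value from a distinguished name as printed by the test site."""
    return [cn.strip() for cn in re.findall(r"CN=([^,]+)", dn)]

def edit_distance(a, b):
    """Levenshtein distance, used only to spot misspelled (near-miss) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_matches(host, cn):
    """Case-insensitive match; a leading '*.' covers exactly one left-most label."""
    host, cn = host.lower(), cn.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return host == cn

def check_certificate(host, subject, issuer):
    """Report the name check and whether the certificate names itself as issuer."""
    cns = parse_cns(subject)
    name_ok = any(name_matches(host, cn) for cn in cns)
    # Names within two edits of the host are almost certainly typos in the cert.
    near = [] if name_ok else [
        cn for cn in cns if edit_distance(host.lower(), cn.lower()) <= 2
    ]
    # Subject == issuer means self-issued: no public root will be found, so
    # devices that cannot be told to ignore trust will refuse the connection.
    self_issued = [c.lower() for c in cns] == [c.lower() for c in parse_cns(issuer)]
    return {"name_ok": name_ok, "near_misses": near, "self_issued": self_issued}

# Subjects taken from the test output and comments in this thread.
ORIGINAL = "CN=mlh.local, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local"
MISSPELLED = "CN=imail.mullenlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost"
CORRECTED = "CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost"
PUBLIC_CA = "CN=Example Public CA"  # constructed issuer, for contrast only

if __name__ == "__main__":
    cases = [
        ("imail.domainname.com", ORIGINAL, ORIGINAL),
        ("imail.mullinlaverty.com", MISSPELLED, MISSPELLED),
        ("imail.mullinlaverty.com", CORRECTED, CORRECTED),
        ("imail.mullinlaverty.com", CORRECTED, PUBLIC_CA),
    ]
    for host, subject, issuer in cases:
        print(host, check_certificate(host, subject, issuer))
```
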
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769016
Please download and install the following patch:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6149
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769061
I'm not sure that did anything; it just gave the hourglass for a sec and went away.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769085
Have you re-run the test on the test site?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769101
Yes, and if I hit Ignore Trust for SSL it works, but if not I get the below and the phone and Ipad still won't connect


Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name imail.mullinlaverty.com was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       Certificate trust validation failed.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local.
       A certificate chain couldn't be constructed for the certificate.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=imail.mullinlaverty.com, CN=companyweb, CN=mlh2k3fs, CN=localhost, CN=mlh2k3fs.MLH.local
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769118
Not sure if that is a deal-breaker.  Can you please try the iPads now.

When it comes to the cert pop-up, just click on Continue to accept the certificate.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769134
Still getting 'Cannot get mail
The connection to the server failed.' on the Ipads
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769164
Did you get a certificate prompt?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769172
No, I've seen that prompt you're talking about before on other systems, but for this one it doesn't come up. I put in the settings and it seems to take them like it's going to work, but then when I go to the mail screen and hit the mail icon it gives the error.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769174
Is there any way of not requiring the SSL cert even temporarily to see if that is indeed the problem?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769178
You can do that - but that requires you to change the SSL requirements on various IIS virtual directories.

It also isn't safe.

$30 would solve the problem if you buy a 3rd party SSL certificate which is guaranteed to work.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769189
Yea, but I'd hate to make them spend the money and that turn out not to be the problem.
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769192
I know more about Activesync than any other Expert on this site.

The $30 is also refundable if it doesn't work, so there is no risk to take financially.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769199
Have you deleted and re-created the Exchange account on the iPad, or did you just re-try the existing account?

If the latter - please delete and re-create the account and make sure you get the Certificate Prompt.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769204
Yes, I've been deleting and re-adding it every time. What's weird is it says account added and then doesn't work. Usually if it gets to account added it works.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769206
Have you re-checked the IIS settings using my article since re-running the Wizard?  Sometimes the settings can get reset to the wrong settings!
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769217
Yes and they are still the same as you have in that link
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769226
Okay - can you set me up a test account on your server and email me the details to alan @ it-eye.co.uk please.

I need to know:

email address
internal domain name
username
password

I can then setup an account on my iPhone / iPad and see if that works for me.

One other Q - have you got Wi-Fi enabled on the iPads?  If you have - please disable it and try setting up the account again.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769254
Thanks - getting the same issue!

Test site gives me all green ticks and no cert errors.

Don't suppose you have some software called "Hide Folders 2009" installed on your server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769268
What Authentication is Enabled on the Exchange / Exchange-OMA / Microsoft-Server-Activesync virtual Directories in IIS?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769270
I only get the all green when I hit ignore trust for ssl

I've never heard of Hide Folders 2009 and don't see it installed. How would that help?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769275
You need to tick that - it isn't a trusted SSL certificate.

The Hide Folders software doesn't help - it breaks Activesync.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769281
Right, then I get all green too, but the Ipad doesn't have that option. Can you tell me how to disable requiring SSL just to see if it'll work? If it is, I can get them to buy the trusted cert.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769286
Check my article and where it says have SSL required - set it to SSL not required.

Then run IIS reset and test without SSL on the iPad.  You can't use the test site to test without SSL, so don't waste your time trying.  You can use the Test App mentioned in my article though.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769299
I tried unchecking it on Microsoft-Server-Activesync and turning the ssl check off on the ipad and still get

'Cannot get mail
The connection to the server failed.'
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769302
SSL shouldn't be enabled on Microsoft-Server-Activesync unless you are running Exchange 2003 Native.  You have SBS, so you need to follow the IIS Settings for the SBS section.

Please check those and make sure they are ALL correct, then run iisreset and test on the test site to make sure that is happy, then try the iPad.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769311
On that document under Exchange 2003 (Part of Small Business Server):
There are 4 Virtual directories. I have the require ssl unchecked on all 4

Exchange Virtual Directory
Microsoft-Server-Activesync Virtual Directory
Exchange-oma Virtual Directory
OMA Virtual Directory
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769317
Okay - so now run iisreset (if you changed anything) and then test the iPad without SSL enabled.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769320
On the Ipad when I slide off the SSL it gives a popup that says
Exchange Account
Unable to verify Account information
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769327
Yep - I got that too.

Can you put the IIS settings back to how they were (as per the SBS section of my article), then run iisreset.

Once done - please right-click the exchange virtual directory in IIS Manager and click Browse.  You should see the Administrator webmail account.

Do the same for the exchange-oma virtual directory.  What happens?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769331
Is your Sonicwall doing any HTTPS inspection on the inbound traffic?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769334
Port 80 for your network goes straight to your Sonicwall, so you won't be able to use Activesync without SSL until you change the management port of the sonicwall.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769340
It looks like the same on both: a mini webmail window for the administrator account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769347
Do you have to login on the Exchange-oma virtual directory?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769351
I just changed the sonicwall management port to 8080
Still can't connect
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769354
Do you mean when I hit Browse? No, it just opened up.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769359
Then your settings are not as per my article.

Please run through them very carefully and make sure that all settings are correct.

I am heading to bed shortly - nearly 2:00am for me and I will pick up again tomorrow.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37769370
I'll run through them again, but I've gone line by line and am pretty sure. But I was pretty sure I had the SSL cert with the right spelling, so it could be there.

I appreciate all your help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37769384
If you can double-check the authentication and SSL settings etc, that would be great.

I'll be around tomorrow to see if you have made any progress.

Good luck until then.

Alan
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37771370
I went through them line by line and they match exactly what you have in that link.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37808372
I was wondering if anyone was still monitoring this post. Does anyone have any ideas?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37808439
Still here but missed your last but one comment.  Sorry.

So all settings are as per my article?  If so - please re-test the device and setup the account.  Is it working?
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37808484
I went through it line by line and it looks the same. And yea, I haven't made any progress. I was out of the office last week and am just getting back to it.

You said since I hit Browse on that virtual directory and it opened up, something is not set up right, but I can't find what.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37808510
This is looking very weird.  I'll review the question and see if I have any other ideas.
0
 
LVL 2

Author Comment

by:Axis52401
ID: 37808565
No problems.  Will wait to hear from you.
0
 
LVL 2

Author Closing Comment

by:Axis52401
ID: 37814638
Solution was right on point, thanks for all your help
0
