Avatar of Plancom
Plancom

asked on

Setting up activesync/exchange 2010 on iphone

Hi

I'm pretty new to Exchange but I've got everything set up and it seems to be working fine, but I'm unable to get Exchange working on users' iPhones.

I have gone to Organization Config > Client Access > Exchange ActiveSync Policies and created a new one and then assigned it to the users.

When I enter the settings on the iPhones it displays the error "unable to verify account information".

The email address is xxxx@domain.co.uk and I'm entering mail.domain.co.uk in the server field.

What else do I need to do?

Thanks
Avatar of Alan Hardisty
Alan Hardisty

Have you tested your OWA.  Outlook web access.  Let me know if this works
Also worth running the Exchange Activesync test on https://testexchangeconnectivity.com and posting the results if it fails (obscuring your domain name / IP Address etc).

Alan
Avatar of Plancom

ASKER

"Please check your inherited permissions / group membership as per my article:"

I have just checked the tick box but still get the same error message when setting up on the iPhone.

"Have you tested your OWA.  Outlook web access.  Let me know if this works"

My OWA works on the internal URL; where do I find the external URL?
Avatar of Plancom

ASKER

These are the results from https://testexchangeconnectivity.com 


ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
       Test Steps
             Attempting the Autodiscover and Exchange ActiveSync test (if requested).
      Testing of Autodiscover for Exchange ActiveSync failed.
             Test Steps
             Attempting each method of contacting the Autodiscover service.
      The Autodiscover service couldn't be contacted successfully by any method.
             Test Steps
             Attempting to test potential Autodiscover URL https://domain.co.uk/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
             Test Steps
             Attempting to resolve the host name domain.co.uk in DNS.
      The host name resolved successfully.
             Additional Details
      IP addresses returned: 217.194.XXX.X

       Testing TCP port 443 on host domain.co.uk to ensure it's listening and open.
      The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
             Test Steps
             ExRCA is attempting to obtain the SSL certificate from remote server domain.co.uk on port 443.
      ExRCA wasn't able to obtain the remote SSL certificate.
             Additional Details
      The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.





       Attempting to test potential Autodiscover URL https://autodiscover.domain.co.uk/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
             Test Steps
             Attempting to resolve the host name autodiscover.domain.co.uk in DNS.
      The host name couldn't be resolved.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host autodiscover.domain.co.uk couldn't be resolved in DNS InfoDomainNonexistent.



       Attempting to contact the Autodiscover service using the HTTP redirect method.
      The attempt to contact Autodiscover using the HTTP Redirect method failed.
             Test Steps
             Attempting to resolve the host name autodiscover.domain.co.uk in DNS.
      The host name couldn't be resolved.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host autodiscover.domain.co.uk couldn't be resolved in DNS InfoDomainNonexistent.



       Attempting to contact the Autodiscover service using the DNS SRV redirect method.
      ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
             Test Steps
             Attempting to locate SRV record _autodiscover._tcp.domain.co.uk in DNS.
      The Autodiscover SRV record wasn't found in DNS.
       Tell me more about this issue and how to resolve it
That may be your issue then.  You need to set up an external DNS record.  Is your main URL hosted by you?  Do you have an external IP address for your Exchange server to use?  Is your firewall router set to re-route your external IP address to your internal Exchange IP address?

If you do have these things, run the utility Alan talked about.
Please just retry the test without using any of the Autodiscover options.

You should ideally set up an Autodiscover A record, but this requires you to have an SSL certificate with autodiscover.domain.com included in the certificate names.
The external URL for OWA in Exchange 2010 will be the URL you use to access the server externally (mail.domain.co.uk) with /owa appended to the end. You will need to make the connection over a secure (HTTPS) line, so make sure you begin the URL with https://.

I just made a connection to https://mail.domain.co.uk, and there appear to be a couple of issues:
the SSL certificate configured on there is a self-signed certificate, so it is not automatically trusted by most devices
the /owa extension on the URL does not work, and the page served up at the root of that URL appears to be the "Under Construction" message associated with IIS in Windows 2003.


Thus, the URL does not appear to point at an Exchange 2010 server, which could be the source of your difficulties.

Has there been some sort of co-existence or migration scenario taking place? If so, you might want to check inbound firewall publishing rules to ensure port 443 traffic is being directed to the new server.

-Matt
Avatar of Plancom

ASKER

Main URL is hosted by a 3rd party
We have an external IP address for exchange to use.
The router is set to re-route to the internal exchange IP address.

In regards to setting up the external DNS > I have an A record set against mail.domain.co.uk to my external static IP address.

I have done an nslookup against mail.domain.co.uk and it points to my static IP address. Is this the correct way to do it?
Avatar of Plancom

ASKER

"Has there been some sort of co-existence or migration scenario taking place?"

No, this is a new install.
Is your firewall pointing to the right internal server on port 443?

If you visit www.canyouseeme.org - does the IP that is shown match 87.xxx.xxx.231 ?
Avatar of Plancom

ASKER

Yes, the IP matches 82.xxx.xxx.231 on canyouseeme.org.

I need to check if the firewall is pointing to the server on port 443.
Okay - then please re-run the test without using Autodiscover anything, then specify manual server settings as mail.domain.co.uk and tick the box for "Ignore Trust for SSL" and see how that behaves.
Avatar of Plancom

ASKER

Here's the result without Autodiscover. I noticed it displayed another domain name in a couple of places.

       ExRCA is testing Exchange ActiveSync.
      The Exchange ActiveSync test failed.
             Test Steps
             Attempting to resolve the host name mail.domain.co.uk in DNS.
      The host name resolved successfully.
             Additional Details
      IP addresses returned: 82.71.xx.xxx

       Testing TCP port 443 on host mail.domain.co.uk to ensure it's listening and open.
      The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
             Test Steps
             ExRCA is attempting to obtain the SSL certificate from remote server mail.domain.co.uk on port 443.
      ExRCA successfully obtained the remote SSL certificate.
             Additional Details
      Remote Certificate Subject: CN=mail. THIS_DISPLAYED_ANOTHER_DOMAIN_NAME.co.uk, Issuer: CN=mdcdc001, DC=MDC, DC=o2.

       Validating the certificate name.
      Certificate name validation failed.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host name mail.domain.co.uk doesn't match any name found on the server certificate CN=mail.THIS_DISPLAYED_ANOTHER_DOMAIN_NAME.co.uk.
Your certificate shows mail.thedomain.co.uk, not mail.domain.co.uk.

Please try testing using mail.thedomain.co.uk instead (without Autodiscover).
Avatar of Plancom

ASKER

Mail.thedomain.co.uk is another domain we use, I think during the set up I entered this domain.

Is there any way to change it?
It's not massively important which domain name you use - but to change it you need to reconfigure Exchange and re-issue the certificate.
Avatar of Plancom

ASKER

How do I go about reconfiguring Exchange and re-issuing the certificate?
Avatar of Plancom

ASKER

I have just been reading into this further. Do I need a new certificate or can I use the default ones?
Avatar of Plancom

ASKER

Is there anything else I could try, as it's still not working?
Sorry - was out all day yesterday.

I always buy a 3rd party SSL certificate from my GoDaddy Reseller site and get a SAN / UCC SSL Certificate for 3 years which costs $180.  As soon as I install the certificate, Exchange works 100% and Activesync is totally happy.

I have never used a self-issued certificate because I prefer to keep my servers configured in the easiest way and a way that is known to work and is supported by Microsoft, so if you want my advice, I would be buying a certificate.
Avatar of Plancom

ASKER

Hi

Just a quick question before I purchase the certificate.

I'm currently testing Exchange using domain.co.uk, but once I'm happy with everything I will be swapping everything to thedomain.co.uk.

So I wanted to ask: if I bought the certificate for domain.co.uk, will it still work for thedomain.co.uk?
You can happily re-key the certificate or include both names in the certificate to start with.

You will need the following names:

mail.domain.co.uk
mail.thedomain.co.uk
autodiscover.domain.co.uk or autodiscover.thedomain.co.uk
servername.internaldomainname.local
servername

To get Autodiscover to work for both domains, set up an A record called Autodiscover pointing to the Public IP address of your Exchange server for the domain that you add autodiscover.domain.co.uk to the certificate and for the other domain, just add an SRV record pointing to mail.theotherdomain.co.uk.

http://support.microsoft.com/kb/940881

Hope that makes sense!
Avatar of Plancom

ASKER

Yep, that's great, Alan.

Thanks.
Avatar of Plancom

ASKER

Hi

I have finally got round to buying a certificate; I have bought a UCC SSL certificate from Go Daddy.

I'm going to set it up on the Go Daddy website and it's asking for the following info. What do I enter and where do I find it?

Certificate Signing Request (CSR)
New Subject Alt Name
You need to generate the CSR on Exchange first.

Go to the Exchange Management Console> Server Configuration> New Exchange Certificate (which is in the right-hand column).

Run the wizard and make sure all the names I mentioned before are added to the relevant sections and once you click next, review the names, make sure they are all present and the primary name is highlighted in bold, then complete the request.

Then open the CSR file generated in Notepad and copy / paste the entire contents to the GoDaddy CSR screen and click next.  This will then read and translate the encrypted CSR contents into the relevant names and then you complete the request and wait for the approval process.

The Admin contact for your domain name will receive an email asking for approval, so make sure you have access to that email account and get the request approved.  Once the request is approved, the certificate will be issued.  Download the certificate and import it into the Exchange Management Shell using the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\SSL_Certificate_Name.cer -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

Change the "c:\SSL_Certificate_Name.cer" part in Bold above to match the location and exact file name that you have downloaded and extracted from the .ZIP file you will have downloaded.  I usually copy the .CRT file to the root of the C: drive because it makes life easier with importing the certificate.  You can always move it elsewhere later to be tidy!
Avatar of Plancom

ASKER

Thanks for the detailed walkthrough, Alan.

I'll give that a go tomorrow, home time now!!
Avatar of Plancom

ASKER

I have copied the contents from the file into Go Daddy and on the import page I'm getting the following:

mail.domain.co.uk
mail.thedomain.co.uk
autodicover.internaldomain.local
autodiscover.domain.co.uk

Is it OK to proceed with these or is anything else required?
You don't need autodiscover.internaldomain.local and you are missing server.internaldomain.local and server

What is your server configured for primarily?

mail.domain.co.uk or mail.thedomain.co.uk?
Avatar of Plancom

ASKER

At the moment it's configured for mail.domain.co.uk but this is just for testing; once everything is working as expected I will be using mail.thedomain.co.uk.

How do I get server.internaldomain.local and server added to the list?
Okay - so I would make sure your certificate request includes the following names:

mail.thedomain.co.uk
autodiscover.thedomain.co.uk
internalservername.internaldomain.local
internalservername

To get the right names, run the wizard in the EMC> Server Configuration and fill in the relevant sections.

Then for the mail.domain.co.uk domain, add an SRV record that points to mail.thedomain.co.uk which will make Autodiscover work happily.
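
The certificate request described above can also be generated from the Exchange Management Shell instead of the EMC wizard, and the installed certificate can then be checked against the same name list. This is an added example, not part of the original thread: the host names are the thread's placeholders, while the subject fields (c=, o=) and the request file path are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Host names are the thread's placeholders; subject fields and file path are assumptions.
$names = @(
    'mail.thedomain.co.uk',
    'autodiscover.thedomain.co.uk',
    'internalservername.internaldomain.local',
    'internalservername'
)

# 1. Generate the CSR. The private key is created and kept on this server;
#    only the request text is pasted into the CA's web form.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=GB, o=Example Ltd, cn=mail.thedomain.co.uk' `
    -DomainName $names `
    -PrivateKeyExportable $false   # set $true only if the key must move to another server
Set-Content -Path 'C:\mail_thedomain.req' -Value $csr

# 2. Once the issued certificate has been imported and enabled for IIS,
#    confirm that the certificate bound to IIS carries every required name.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
$have = @($iisCerts |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# -notcontains compares strings case-insensitively, which suits DNS names.
$missing = @($names | Where-Object { $have -notcontains $_ })

$iisCerts | Format-List Subject, Issuer, NotAfter, IsSelfSigned, Status, Thumbprint
if ($missing.Count -gt 0) {
    Write-Warning ("Names missing from the IIS certificate: " + ($missing -join ', '))
} else {
    Write-Host 'All required names are present on the IIS certificate.'
}
```

A name reported as missing here is the same mismatch ExRCA flagged earlier as "Host name ... doesn't match any name found on the server certificate".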
Avatar of Plancom

ASKER

I can't seem to find the option to run the wizard.

I have gone to EMC>Server Configuration.

Sorry to be such a pain
ASKER CERTIFIED SOLUTION
Avatar of Alan Hardisty
Alan Hardisty