Setting up activesync/exchange 2010 on iphone

Plancom
Hi

I'm pretty new to Exchange, but I've got everything set up and it seems to be working fine, but I'm unable to get Exchange working on users' iPhones.

I have gone to Organization Config > Client Access > Exchange ActiveSync Policies and created a new one and then assigned it to the users.

When I enter the settings on the iPhones it displays the error "unable to verify account information".

The email address is xxxx@domain.co.uk and I'm entering mail.domain.co.uk in the server field.

What else do I need to do?

Thanks
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
rtay, IT Director

Commented:
Have you tested your OWA (Outlook Web Access)? Let me know if this works.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Also worth running the Exchange Activesync test on https://testexchangeconnectivity.com and posting the results if it fails (obscuring your domain name / IP Address etc).

Alan

Author

Commented:
"Please check your inherited permissions / group membership as per my article:"

I have just checked the tick box but still get the same error message when setting up on the iPhone.

"Have you tested your OWA.  Outlook web access.  Let me know if this works"

My OWA works on the internal URL. Where do I find the external URL?

Author

Commented:
These are the results from https://testexchangeconnectivity.com 


ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
       Test Steps
             Attempting the Autodiscover and Exchange ActiveSync test (if requested).
      Testing of Autodiscover for Exchange ActiveSync failed.
             Test Steps
             Attempting each method of contacting the Autodiscover service.
      The Autodiscover service couldn't be contacted successfully by any method.
             Test Steps
             Attempting to test potential Autodiscover URL https://domain.co.uk/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
             Test Steps
             Attempting to resolve the host name domain.co.uk in DNS.
      The host name resolved successfully.
             Additional Details
      IP addresses returned: 217.194.XXX.X

       Testing TCP port 443 on host domain.co.uk to ensure it's listening and open.
      The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
             Test Steps
             ExRCA is attempting to obtain the SSL certificate from remote server domain.co.uk on port 443.
      ExRCA wasn't able to obtain the remote SSL certificate.
             Additional Details
      The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.





       Attempting to test potential Autodiscover URL https://autodiscover.domain.co.uk/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
             Test Steps
             Attempting to resolve the host name autodiscover.domain.co.uk in DNS.
      The host name couldn't be resolved.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host autodiscover.domain.co.uk couldn't be resolved in DNS InfoDomainNonexistent.



       Attempting to contact the Autodiscover service using the HTTP redirect method.
      The attempt to contact Autodiscover using the HTTP Redirect method failed.
             Test Steps
             Attempting to resolve the host name autodiscover.domain.co.uk in DNS.
      The host name couldn't be resolved.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host autodiscover.domain.co.uk couldn't be resolved in DNS InfoDomainNonexistent.



       Attempting to contact the Autodiscover service using the DNS SRV redirect method.
      ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
             Test Steps
             Attempting to locate SRV record _autodiscover._tcp.domain.co.uk in DNS.
      The Autodiscover SRV record wasn't found in DNS.
       Tell me more about this issue and how to resolve it
rtay, IT Director

Commented:
That may be your issue then.  You need to set up an external DNS record.  Is your main URL hosted by you?  Do you have an external IP address for your Exchange server to use?  Is your firewall router set to re-route your external IP address to your internal Exchange IP address?

If you do have these things, run the utility Alan talked about.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Please just retry the test without using any of the Autodiscover options.

You should ideally set up an Autodiscover A record, but this requires you to have an SSL certificate with autodiscover.domain.com included in the certificate names.
tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

Commented:
The external URL for OWA in Exchange 2010 will be the URL you use to access the server externally (mail.domain.co.uk) with /owa appended to the end. You will need to make the connection over a secure (HTTPS) line, so make sure you begin the URL with https://.

I just made a connection to https://mail.domain.co.uk, and there appears to be a couple of issues:
the SSL certificate configured on there is a self-signed certificate, so it is not automatically trusted by most devices
the /owa extension on the URL does not work, and the page served up at the root of that URL appears to be the "Under Construction" message associated with IIS in Windows 2003.


Thus, the URL does not appear to point at an Exchange 2010 server, which could be the source of your difficulties.

Has there been some sort of co-existence or migration scenario taking place? If so, you might want to check inbound firewall publishing rules to ensure port 443 traffic is being directed to the new server.

-Matt

Author

Commented:
Main URL is hosted by a 3rd party
We have an external IP address for exchange to use.
The router is set to re-route to the internal exchange IP address.

In regards to setting up the external DNS: I have an A record set against mail.domain.co.uk pointing to my external static IP address.

I have done an nslookup against mail.domain.co.uk and it points to my static IP address. Is this the correct way to do it?

Author

Commented:
"Has there been some sort of co-existence or migration scenario taking place?"

No this is a new install
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Is your firewall pointing to the right internal server on port 443?

If you visit www.canyouseeme.org - does the IP that is shown match 87.xxx.xxx.231 ?

Author

Commented:
Yes, the IP matches 82.xxx.xxx.231 on canyouseeme.org.

I need to check if the firewall is pointing to the server on port 443.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - then please re-run the test without using Autodiscover anything, then specify manual server settings as mail.domain.co.uk and tick the box for "Ignore Trust for SSL" and see how that behaves.

Author

Commented:
Here's the result without Autodiscover. I noticed it displayed another domain name in a couple of places.

       ExRCA is testing Exchange ActiveSync.
      The Exchange ActiveSync test failed.
             Test Steps
             Attempting to resolve the host name mail.domain.co.uk in DNS.
      The host name resolved successfully.
             Additional Details
      IP addresses returned: 82.71.xx.xxx

       Testing TCP port 443 on host mail.domain.co.uk to ensure it's listening and open.
      The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
             Test Steps
             ExRCA is attempting to obtain the SSL certificate from remote server mail.domain.co.uk on port 443.
      ExRCA successfully obtained the remote SSL certificate.
             Additional Details
      Remote Certificate Subject: CN=mail. THIS_DISPLAYED_ANOTHER_DOMAIN_NAME.co.uk, Issuer: CN=mdcdc001, DC=MDC, DC=o2.

       Validating the certificate name.
      Certificate name validation failed.
       Tell me more about this issue and how to resolve it

             Additional Details
      Host name mail.domain.co.uk doesn't match any name found on the server certificate CN=mail.THIS_DISPLAYED_ANOTHER_DOMAIN_NAME.co.uk.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Your certificate shows mail.thedomain.co.uk, not mail.domain.co.uk.

Please try testing using mail.thedomain.co.uk instead (without Autodiscover).

Author

Commented:
Mail.thedomain.co.uk is another domain we use. I think during the setup I entered this domain.

Is there any way to change it?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
It's not massively important which domain name you use - but to change it you need to reconfigure Exchange and re-issue the certificate.

Author

Commented:
How do I go about reconfiguring Exchange and re-issuing the certificate?

Author

Commented:
I have just been reading into this further, do I need a new certificate or can I use the default ones ??

Author

Commented:
Is there anything else I could try, as it's still not working?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Sorry - was out all day yesterday.

I always buy a 3rd party SSL certificate from my GoDaddy Reseller site and get a SAN / UCC SSL Certificate for 3 years which costs $180.  As soon as I install the certificate, Exchange works 100% and Activesync is totally happy.

I have never used a self-issued certificate because I prefer to keep my servers configured in the easiest way and a way that is known to work and is supported by Microsoft, so if you want my advice, I would be buying a certificate.

Author

Commented:
Hi

Just a quick question before I purchase the certificate.

I'm currently testing Exchange using domain.co.uk, but once I'm happy with everything I will be swapping everything to thedomain.co.uk.

So I wanted to ask: if I bought the certificate for domain.co.uk, will it still work for thedomain.co.uk?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You can happily re-key the certificate or include both names in the certificate to start with.

You will need the following names:

mail.domain.co.uk
mail.thedomain.co.uk
autodiscover.domain.co.uk or autodiscover.thedomain.co.uk
servername.internaldomainname.local
servername

To get Autodiscover to work for both domains, set up an A record called Autodiscover pointing to the Public IP address of your Exchange server for the domain that you add autodiscover.domain.co.uk to the certificate and for the other domain, just add an SRV record pointing to mail.theotherdomain.co.uk.

http://support.microsoft.com/kb/940881

Hope that makes sense!
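
A way to confirm from a Windows machine outside the network which certificate names the server presents and whether the Autodiscover records exist, mirroring the ExRCA checks earlier in the thread. This is an added example, not part of the original posts; `Get-ServedCertificate` is a hypothetical helper, and the host names are the thread's placeholders, with the A record on domain.co.uk and the SRV record on thedomain.co.uk taken as one of the two options described above.

```powershell
# Added example. Host names are the thread's placeholders; replace them with your own.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the aim is to inspect the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17). The "DNS Name=" label is
        # what English-language Windows prints; other locales use a different label.
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names = $san.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
            }
        }
        # Include the subject CN, which is all a default self-issued certificate may carry.
        if ($cert.Subject -match 'CN=([^,]+)') { $names = @($names) + $Matches[1].Trim() }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            Names      = @($names | Select-Object -Unique)
        }
    } finally { $tcp.Close() }
}

$target = 'mail.domain.co.uk'
$served = Get-ServedCertificate $target
$served | Format-List Subject, Issuer, SelfSigned, NotAfter, Names
if ($served.Names -notcontains $target) {
    Write-Warning "$target is not among the certificate names, so name validation will fail as in the ExRCA output."
}

# DNS side: the A record for the domain whose autodiscover name is on the
# certificate, and the SRV record for the other domain.
nslookup -type=A   autodiscover.domain.co.uk
nslookup -type=SRV _autodiscover._tcp.thedomain.co.uk
```

A certificate whose issuer is an internal CA, like the one in the ExRCA output above, will still fail the trust check on devices even when the names match.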

Author

Commented:
Yep, that's great Alan.

thanks.

Author

Commented:
Hi

I have finally got round to buying a certificate. I have bought a UCC SSL certificate from Go Daddy.

I'm going to set it up on the Go Daddy website and it's asking for the following info. What do I enter and where do I find it?

Certificate Signing Request (CSR)
New Subject Alt Name
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You need to generate the CSR on Exchange first.

Go to the Exchange Management Console> Server Configuration> New Exchange Certificate (which is in the right-hand column).

Run the wizard and make sure all the names I mentioned before are added to the relevant sections and once you click next, review the names, make sure they are all present and the primary name is highlighted in bold, then complete the request.

Then open the CSR file generated in Notepad and copy / paste the entire contents to the GoDaddy CSR screen and click next.  This will then read and translate the encrypted CSR contents into the relevant names and then you complete the request and wait for the approval process.

The Admin contact for your domain name will receive an email asking for approval, so make sure you have access to that email account and get the request approved.  Once the request is approved, the certificate will be issued.  Download the certificate and import it into the Exchange Management Shell using the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\SSL_Certificate_Name.cer -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP,IMAP,SMTP

Change the "c:\SSL_Certificate_Name.cer" part in Bold above to match the location and exact file name that you have downloaded and extracted from the .ZIP file you will have downloaded.  I usually copy the .CRT file to the root of the C: drive because it makes life easier with importing the certificate.  You can always move it elsewhere later to be tidy!
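
The same request can be generated from the Exchange Management Shell instead of the wizard, and the names checked before the CSR is pasted into the CA's form. This is an added example, not part of the original post; the host names are the placeholders listed earlier in the thread, and the organisation fields and request file path are assumptions.

```powershell
# Added example, run in the Exchange Management Shell on the Exchange 2010 server.
# Names are the thread's placeholders; O=, C= and the file path are assumptions.
$names = 'mail.domain.co.uk',                    # first entry is used as the subject CN
         'mail.thedomain.co.uk',
         'autodiscover.domain.co.uk',
         'servername.internaldomainname.local',
         'servername'
$reqFile = 'C:\exchange_ucc.req'                 # hypothetical path

# 1. Build the request. Exchange 2010 returns the Base64 request as a string,
#    and the private key stays on this server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=$($names[0])" `
    -DomainName $names -KeySize 2048
Set-Content -Path $reqFile -Value $csr

# 2. Decode the request locally and confirm every name is present
#    before submitting it. ("DNS Name=" is the English-language label.)
$inCsr = certutil -dump $reqFile | ForEach-Object {
    if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
}
$missing = $names | Where-Object { $inCsr -notcontains $_ }
if ($missing) { Write-Warning "Not in the request: $($missing -join ', ')" }

# 3. After importing and enabling the issued certificate, confirm which
#    certificate is bound to which services and which names it covers.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, NotAfter
```

The certificate must be imported on the same server that generated the request, because that is where the matching private key is stored.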

Author

Commented:
Thanks for the detailed walk through, Alan.

I'll give that a go tomorrow, home time now !!

Author

Commented:
I have copied the contents from the file into Go Daddy and on the import page I'm getting the following:

mail.domain.co.uk
mail.thedomain.co.uk
autodicover.internaldomain.local
autodiscover.domain.co.uk

Is it OK to proceed with these, or is anything else required?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You don't need autodiscover.internaldomain.local and you are missing server.internaldomain.local and server

What is your server configured for primarily?

mail.domain.co.uk or mail.thedomain.co.uk?

Author

Commented:
At the moment it's configured for mail.domain.co.uk, but this is just for testing. Once everything is working as expected I will be using mail.thedomain.co.uk.

How do I get server.internaldomain.local and server added to the list?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - so I would make sure your certificate request includes the following names:

mail.thedomain.co.uk
autodiscover.thedomain.co.uk
internalservername.internaldomain.local
internalservername

To get the right names, run the wizard in the EMC> Server Configuration and fill in the relevant sections.

Then for the mail.domain.co.uk domain, add an SRV record that points to mail.thedomain.co.uk which will make Autodiscover work happily.

Author

Commented:
I can't seem to find the option to run the wizard.

I have gone to EMC > Server Configuration.

Sorry to be such a pain
Co-Owner
Top Expert 2011
Commented:
They say a picture paints a thousand words, but hopefully it wouldn't take me a thousand words to explain the location!
Exchange-Wizard.png
