Exchange 2010 ActiveSync Problems

Posted on 2012-08-13
Last Modified: 2012-09-26
Hello Experts!

I am in the coexistence phase of a migration from Exchange 2003 to Exchange 2010 and I am having problems with autodiscover and ActiveSync that are making it impossible to get email to iPhones. In my company this is a very big deal.

Our environment consists of one server running Exchange 2003 and two servers running Exchange 2010. The 2010 servers sit behind a Kemp LoadMaster 2200 that load balances incoming web and smtp traffic.

When I run tests of Autodiscover and ActiveSync from I get the following relevant information:

 Attempting to test potential Autodiscover URL
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x
 Testing TCP port 443 on host to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject:, OU=MIS, O="companyname", L=Seattle, S=Washington, C=US, Issuer: CN=DigiCert High Assurance CA-3,, O=DigiCert Inc, C=US.
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name was found in the Certificate Subject Alternative Name entry.
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate, OU=MIS, O="companyname", L=Seattle, S=Washington, C=US.
  One or more certificate chains were constructed successfully.
   Additional Details
  A total of 4 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA,, O=DigiCert Inc, C=US.
 Analyzing the certificate chains for compatibility problems with versions of Windows.
  No Windows compatibility problems were identified.
   Additional Details
  The certificate chain has been validated up to a trusted root. Root = Secure Server Certification Authority, OU=(c) 1999 Limited, incorp. by ref. (limits liab.),, C=US.
 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  The certificate is valid. NotBefore = 4/26/2012 12:00:00 AM, NotAfter = 7/3/2013 12:00:00 PM
 Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates isn't configured.
 Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   ExRCA is attempting to retrieve an XML Autodiscover response from URL for user
  ExRCA failed to obtain an Autodiscover XML response.
   Additional Details
  The Response element in the payload was null.
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="" xmlns:xsi="" xmlns="" />
 Please assist if you are able.
Question by:PMIMIS
    LVL 33

    Expert Comment

    Let us start with basics

    ==> Do you have SRV Record for pointing to your firewall?
    ==> Which URL does Autodiscover URL point to? is this what you find in EMC?
    ==> Open the link in IE internally and externally.
    ==> Which URL does Activesync URL point to?

    **** was found in the Certificate Subject Alternative Name entry****
    ==> This is good.


    Author Comment

    Thank you for responding to my question.

    I do not have an SRV record for autodiscover pointing to my firewall. I had planned to rely on the dns A record for

    The autodiscover virtual directory has both internalUrl and ExternalUrl set to

    On both client access servers the AutoDiscoverServiceInternalUri is set to

    If I open the link internally in IE I get a forms authentication box prepopulated with my username. When I enter my password it takes me to a page that says

      <?xml version="1.0" encoding="utf-8" ?>
    - <Autodiscover xmlns="">
    - <Response>
    - <Error Time="22:33:51.0956606" Id="2239513966">
      <Message>Invalid Request</Message>
      <DebugData />

    If I go to that page externally I get almost the same thing except the authentication prompt does not have my username prepopulated. (Just the domain.) Then the following comes up.

      <?xml version="1.0" encoding="utf-8" ?>
    - <Autodiscover xmlns="">
    - <Response>
    - <Error Time="22:37:22.1216382" Id="2239513966">
      <Message>Invalid Request</Message>
      <DebugData />

    When I run get-ActiveSyncVirtualDirectory | fl

    I get the following information

    RunspaceId                                 : f8ead0c3-c54f-42e5-8e26-c1bf5f33af37
    MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
    MobileClientCertificateProvisioningEnabled : False
    BadItemReportingEnabled                    : True
    SendWatsonReport                           : True
    MobileClientCertificateAuthorityURL        :
    MobileClientCertTemplateName               :
    ActiveSyncServer                           : https://webmail.companyname/Microsoft-Server-ActiveSync
    RemoteDocumentsActionForUnknownServers     : Allow
    RemoteDocumentsAllowedServers              : {}
    RemoteDocumentsBlockedServers              : {}
    RemoteDocumentsInternalDomainSuffixList    : {}
    MetabasePath                               : IIS://EX01.companyname.corp/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
    BasicAuthEnabled                           : True
    WindowsAuthEnabled                         : False
    CompressionEnabled                         : True
    ClientCertAuth                             : Ignore
    WebsiteName                                : Default Web Site
    WebSiteSSLEnabled                          : False
    VirtualDirectoryName                       : Microsoft-Server-ActiveSync
    Path                                       :
    ExtendedProtectionTokenChecking            : None
    ExtendedProtectionFlags                    : {}
    ExtendedProtectionSPNList                  : {}
    Server                                     : EX01
    InternalUrl                                :
    InternalAuthenticationMethods              : {}
    ExternalUrl                                :
    ExternalAuthenticationMethods              : {}
    AdminDisplayName                           :
    ExchangeVersion                            : 0.10 (
    Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
    DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                                 EX01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                                 Administrative Groups,CN=companyname,CN=Microsoft Exchang
    Identity                                   : EX01\Microsoft-Server-ActiveSync (Default Web Site)
    Guid                                       : 96207981-fe7a-405e-b724-316a410ce1c6
    ObjectCategory                             : companyname.corp/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
    ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
    WhenChanged                                : 7/31/2012 10:58:06 AM
    WhenCreated                                : 7/30/2012 3:56:56 PM
    WhenChangedUTC                             : 7/31/2012 5:58:06 PM
    WhenCreatedUTC                             : 7/30/2012 10:56:56 PM
    OrganizationId                             :
    OriginatingServer                          : DC1.companyname.corp
    IsValid                                    : True is the common name on the Subject Alternative Name certificate that we purchased.
    LVL 33

    Expert Comment

    => Does your SAN have your CAS server name hosted on them with NETBIOS and their FQDN?
    => If you run test-outlookwebservices - does it error out?
    => What happens when you create a new profile using OL2k7 / OL2k10 and rely on autodiscover and not completing the profile details manually? Any errors?


    Author Comment

    The SAN certificate only has three names assinged: for web services such as OWA, EWS, and ECP for autodiscover services for redirects to OWA on the 2003 server.

    test-outlookwebservices fails because I have not installed the mailbox role on the servers yet. Specifically it says Failed to find the mailbox. Mailbox = 'extest_e88af0663a854@companyname.corp'.

    If I use the Outlook tool, Test E-Mail AutoConfiguration, it says Autoconfiguration was unable to determine your settings. The log shows the following:
    Autodiscover to starting
    GetLastError=0; httpStatus=200.
    Autodiscover to failed (0x800C8203)
    LVL 33

    Expert Comment

    My bad i should have corrected you at the first instance

    You mentioned

    The autodiscover virtual directory has both internalUrl and ExternalUrl set to

    On both client access servers the AutoDiscoverServiceInternalUri is set to

    This should be pointed to

    Get me the output

    Get-ClientAccessServer | FT -AutodiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory | FT InternalUrl,ExternalURL
    Get-OABVirtualDirectory | FT InternalURL,ExternalURL
    Get-ActiveSyncVirtualDirectory | FT InternalURL,ExternalURL
    Set-OutlookAnywhere -identity "CAS Server Name\RPC (Default Web Site) | FT ExternalHostname


    Author Comment

    I am not sure I agree with you  about the requirement for the autodiscover Uri so point to

    According to "Microsoft Exchange Server 2010 Best Practices" pages 163-164, clients attempt to search well-known URLs based on the user's email address, going through the following in order:
    1. https://<smtp-address-domain>/autodiscover/autodiscover.xml
    2. https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml
    3. A local XML file if one has been configured
    4. SRV record.

    I appear to be properly configured for method 2.

    I will get you the information that you asked for above soon.

    Accepted Solution

    This turned out to be an issue with IIS on the Windows 2003 server running Exchange 2003.

    We followed the below steps for resolving our issue:
    •      Stopped Secondary website;
    •      Kept All unassigned for IP in DWS;
    •      Unchecked SSL in Exchange and MSAS;
    •      Checked Basic and Integrated in Exchange/MSAS.
    •      Created New Exchange-oma VD.

    Author Closing Comment

    This completely resolved the issue.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Join & Write a Comment

    Easy CSR creation in Exchange 2007,2010 and 2013
    Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
    In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
    This video discusses moving either the default database or any database to a new volume.

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now