Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1499
  • Last Modified:

Exchange 2010 ActiveSync Problems

Hello Experts!

I am in the coexistence phase of a migration from Exchange 2003 to Exchange 2010 and I am having problems with autodiscover and ActiveSync that are making it impossible to get email to iPhones. In my company this is a very big deal.

Our environment consists of one server running Exchange 2003 and two servers running Exchange 2010. The 2010 servers sit behind a Kemp LoadMaster 2200 that load balances incoming web and smtp traffic.

When I run tests of Autodiscover and ActiveSync from www.testexchangeconnectivity.com I get the following relevant information:

 Attempting to test potential Autodiscover URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.companyname.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x
 Testing TCP port 443 on host autodiscover.companyname.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.companyname.com on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=webmail.companyname.com, OU=MIS, O="companyname", L=Seattle, S=Washington, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name autodiscover.companyname.com was found in the Certificate Subject Alternative Name entry.
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=webmail.companyname.com, OU=MIS, O="companyname", L=Seattle, S=Washington, C=US.
  One or more certificate chains were constructed successfully.
   Additional Details
  A total of 4 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
 Analyzing the certificate chains for compatibility problems with versions of Windows.
  No Windows compatibility problems were identified.
   Additional Details
  The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.
 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  The certificate is valid. NotBefore = 4/26/2012 12:00:00 AM, NotAfter = 7/3/2013 12:00:00 PM
 Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates isn't configured.
 Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml for user testuser@companyname.com.
  ExRCA failed to obtain an Autodiscover XML response.
   Additional Details
  The Response element in the payload was null.
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006" />
 Please assist if you are able.
  • 5
  • 3
1 Solution
Let us start with basics

==> Do you have SRV Record for _autodiscover._tcp.domain.com pointing to your firewall?
==> Which URL does Autodiscover URL point to?
https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml is this what you find in EMC?
==> Open the link https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml in IE internally and externally.
==> Which URL does Activesync URL point to?

****autodiscover.companyname.com was found in the Certificate Subject Alternative Name entry****
==> This is good.

PMIMISAuthor Commented:
Thank you for responding to my question.

I do not have an SRV record for autodiscover pointing to my firewall. I had planned to rely on the dns A record for autodiscover.companyname.com.

The autodiscover virtual directory has both internalUrl and ExternalUrl set to https://autodiscover.companyname.com/autodiscover/autodiscover.xml.

On both client access servers the AutoDiscoverServiceInternalUri is set to https://autodiscover.companyname.com/AutoDiscover/Autodiscover.xml.

If I open the link internally in IE I get a forms authentication box prepopulated with my username. When I enter my password it takes me to a page that says

  <?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:33:51.0956606" Id="2239513966">
  <Message>Invalid Request</Message>
  <DebugData />

If I go to that page externally I get almost the same thing except the authentication prompt does not have my username prepopulated. (Just the domain.) Then the following comes up.

  <?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:37:22.1216382" Id="2239513966">
  <Message>Invalid Request</Message>
  <DebugData />

When I run get-ActiveSyncVirtualDirectory | fl

I get the following information

RunspaceId                                 : f8ead0c3-c54f-42e5-8e26-c1bf5f33af37
MobileClientFlags                          : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificateProvisioningEnabled : False
BadItemReportingEnabled                    : True
SendWatsonReport                           : True
MobileClientCertificateAuthorityURL        :
MobileClientCertTemplateName               :
ActiveSyncServer                           : https://webmail.companyname/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUnknownServers     : Allow
RemoteDocumentsAllowedServers              : {}
RemoteDocumentsBlockedServers              : {}
RemoteDocumentsInternalDomainSuffixList    : {}
MetabasePath                               : IIS://EX01.companyname.corp/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
BasicAuthEnabled                           : True
WindowsAuthEnabled                         : False
CompressionEnabled                         : True
ClientCertAuth                             : Ignore
WebsiteName                                : Default Web Site
WebSiteSSLEnabled                          : False
VirtualDirectoryName                       : Microsoft-Server-ActiveSync
Path                                       :
ExtendedProtectionTokenChecking            : None
ExtendedProtectionFlags                    : {}
ExtendedProtectionSPNList                  : {}
Server                                     : EX01
InternalUrl                                : https://webmail.companyname.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods              : {}
ExternalUrl                                : https://webmail.companyname.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMethods              : {}
AdminDisplayName                           :
ExchangeVersion                            : 0.10 (
Name                                       : Microsoft-Server-ActiveSync (Default Web Site)
DistinguishedName                          : CN=Microsoft-Server-ActiveSync (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                             EX01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=
                                             Administrative Groups,CN=companyname,CN=Microsoft Exchang
Identity                                   : EX01\Microsoft-Server-ActiveSync (Default Web Site)
Guid                                       : 96207981-fe7a-405e-b724-316a410ce1c6
ObjectCategory                             : companyname.corp/Configuration/Schema/ms-Exch-Mobile-Virtual-Directory
ObjectClass                                : {top, msExchVirtualDirectory, msExchMobileVirtualDirectory}
WhenChanged                                : 7/31/2012 10:58:06 AM
WhenCreated                                : 7/30/2012 3:56:56 PM
WhenChangedUTC                             : 7/31/2012 5:58:06 PM
WhenCreatedUTC                             : 7/30/2012 10:56:56 PM
OrganizationId                             :
OriginatingServer                          : DC1.companyname.corp
IsValid                                    : True

Webmail.companyname.com is the common name on the Subject Alternative Name certificate that we purchased.
=> Does your SAN have your CAS server name hosted on them with NETBIOS and their FQDN?
=> If you run test-outlookwebservices - does it error out?
=> What happens when you create a new profile using OL2k7 / OL2k10 and rely on autodiscover and not completing the profile details manually? Any errors?

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

PMIMISAuthor Commented:
The SAN certificate only has three names assinged:
webmail.companyname.com for web services such as OWA, EWS, and ECP
autodiscover.companyname.com for autodiscover services
legacy.companyname.com for redirects to OWA on the 2003 server.

test-outlookwebservices fails because I have not installed the mailbox role on the servers yet. Specifically it says Failed to find the mailbox. Mailbox = 'extest_e88af0663a854@companyname.corp'.

If I use the Outlook tool, Test E-Mail AutoConfiguration, it says Autoconfiguration was unable to determine your settings. The log shows the following:
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=200.
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml failed (0x800C8203)
My bad i should have corrected you at the first instance

You mentioned

The autodiscover virtual directory has both internalUrl and ExternalUrl set to https://autodiscover.companyname.com/autodiscover/autodiscover.xml.

On both client access servers the AutoDiscoverServiceInternalUri is set to https://autodiscover.companyname.com/AutoDiscover/Autodiscover.xml.

This should be pointed to

Get me the output

Get-ClientAccessServer | FT -AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | FT InternalUrl,ExternalURL
Get-OABVirtualDirectory | FT InternalURL,ExternalURL
Get-ActiveSyncVirtualDirectory | FT InternalURL,ExternalURL
Set-OutlookAnywhere -identity "CAS Server Name\RPC (Default Web Site) | FT ExternalHostname

PMIMISAuthor Commented:
I am not sure I agree with you  about the requirement for the autodiscover Uri so point to https://webmail.companyname.com/AutoDiscover/Autodiscover.xml.

According to "Microsoft Exchange Server 2010 Best Practices" pages 163-164, clients attempt to search well-known URLs based on the user's email address, going through the following in order:
1. https://<smtp-address-domain>/autodiscover/autodiscover.xml
2. https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml
3. A local XML file if one has been configured
4. SRV record.

I appear to be properly configured for method 2.

I will get you the information that you asked for above soon.
PMIMISAuthor Commented:
This turned out to be an issue with IIS on the Windows 2003 server running Exchange 2003.

We followed the below steps for resolving our issue:
•      Stopped Secondary website;
•      Kept All unassigned for IP in DWS;
•      Unchecked SSL in Exchange and MSAS;
•      Checked Basic and Integrated in Exchange/MSAS.
•      Created New Exchange-oma VD.
PMIMISAuthor Commented:
This completely resolved the issue.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now