• Status: Solved

Active-Sync issue after migrating from 2003 to 2010

Hi,

Can anybody help me troubleshoot a phone ActiveSync connectivity issue with my Exchange server? All the steps passed except the last, where I am getting the message:

Testing HTTP Authentication Methods for URL https://webmail.syscon.net/Microsoft-Server-ActiveSync.
 	The HTTP authentication test failed.
 	
	Additional Details
 	An HTTP 500 response was returned from IIS7.

Below is my full report from testexchangeconnectivity.com:

	Attempting to test potential Autodiscover URL https://autocon.net/AutoDiscover/AutoDiscover.xml
 	Testing of the Autodiscover URL was successful.
 	
	Test Steps
 	
	Attempting to resolve the host name autodisn.net in DNS.
 	The host name resolved successfully.
 	
	Additional Details
 	IP addresses returned: 66.119.176.2
	Testing TCP port 443 on host autodiscover.syscon.net to ensure it's listening and open.
 	The port was opened successfully.
	Testing the SSL certificate to make sure it's valid.
 	The certificate passed all validation requirements.
 	
	Test Steps
 	
	ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.syscon.net on port 443.
 	ExRCA successfully obtained the remote SSL certificate.
 	
	Additional Details
 	Remote Certificate Subject: CN=*.syscon.net, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT15993031, O=*.synet, C=CA, SERIALNMBER=WTK4TszUL--HLsKS7A6NBtPLQf9cCB, Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US.
	Validating the certificate name.
 	The certificate name was validated successfully.
 	
	Additional Details
 	The host name that was found, autodiscover.syscon.net, is a wildcard certificate match for common name *.syscon.net.
	Certificate trust is being validated.
 	The certificate is trusted and all certificates are present in the chain.
 	
	Test Steps
 	
	ExRCA is attempting to build certificate chains for certificate CN=*.on.net, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT15993031, O=*.syscon.net, C=CA, SERIALNUMBER=WTzUL--HLssPKS7A6NBtPLQf9cCB.
 	One or more certificate chains were constructed successfully.
 	
	Additional Details
 	A total of 1 chains were built. The highest quality chain ends in root certificate CN=GeoTrust Global CA, O=GeoTrust Inc., C=US.
	Analyzing the certificate chains for compatibility problems with versions of Windows.
 	Potential compatibility problems were identified with some versions of Windows.
 	
	Additional Details
 	ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
	Testing the certificate date to confirm the certificate is valid.
 	Date validation passed. The certificate hasn't expired.
 	
	Additional Details
 	The certificate is valid. NotBefore = 2/20/2011 8:00:55 AM, NotAfter = 3/24/2014 11:02:06 AM
	Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication wasn't detected.
 	
	Additional Details
 	Accept/Require Client Certificates isn't configured.
	Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 	ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
 	
	Test Steps
 	
	ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.syet/AutoDiscover/AutoDiscover.xml for user jma.net.
 	The Autodiscover XML response was successfully retrieved.
 	
	Additional Details
 	Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Culture>en:us</Culture>
<User>
<DisplayName>Janes</DisplayName>
<EMailAddress>JMaon.net</EMailAddress>
</User>
<Action>
<Settings>
<Server>
<Type>MobileSync</Type>
<Url>https://webon.net/Microsoft-Server-ActiveSync</Url>
<Name>https://webn.net/Microsoft-Server-ActiveSync</Name>
</Server>
</Settings>
</Action>
</Response>
</Autodiscover>
	Validating Exchange ActiveSync settings.
 	Exchange ActiveSync URL https://webet/Microsoft-Server-ActiveSync was validated successfully.
	Attempting to resolve the host name webet in DNS.
 	The host name resolved successfully.
 	
	Additional Details
 	IP addresses returned: 66.119.176
	Testing TCP port 443 on host weet to ensure it's listening and open.
 	The port was opened successfully.
	Testing the SSL certificate to make sure it's valid.
 	The certificate passed all validation requirements.
 	
	Test Steps
 	
	ExRCA is attempting to obtain the SSL certificate from remote server webn.net on port 443.
 	ExRCA successfully obtained the remote SSL certificate.
 	
	Additional Details
 	Remote Certificate Subject: CN=*.syet, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT15993031, O=*.syscon.net, C=CA, SERIALNUMBER=WTK4TUL--HLssPKS7NBtPLQf9cCB, Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US.
	Validating the certificate name.
 	The certificate name was validated successfully.
 	
	Additional Details
 	The host name that was found, t, is a wildcard certificate match for common name *.
	Validating certificate trust for Windows Mobile devices.
 	The certificate is trusted and all certificates are present in the chain.
 	
	Test Steps
 	
	ExRCA is attempting to build certificate chains for certificate CN=*.syscon.net, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT15993031, O=*t, C=CA, SERIALNUMBER=WTK4TszUL--HLssPKS7A6NBtPL.
 	One or more certificate chains were constructed successfully.
 	
	Additional Details
 	A total of 1 chains were built. The highest quality chain ends in root certificate CN=GeoTrust Global CA, O=GeoTrust Inc., C=US.
	Analyzing the certificate chains for compatibility problems with Windows Phone devices.
 	Potential compatibility problems were identified with some versions of Windows Phone.
 	
	Additional Details
 	The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = CN=GeoTrust Global CA, O=GeoTrust Inc., C=US.
	ExRCA is analyzing intermediate certificates that were sent down by the remote server.
 	All intermediate certificates are present and valid.
 	
	Additional Details
 	All intermediate certificates were present and valid.
	Testing the certificate date to confirm the certificate is valid.
 	Date validation passed. The certificate hasn't expired.
 	
	Additional Details
 	The certificate is valid. NotBefore = 2/20/2011 8:00:55 AM, NotAfter = 3/24/2014 11:02:06 AM
	Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication wasn't detected.
 	
	Additional Details
 	Accept/Require Client Certificates isn't configured.
	Testing HTTP Authentication Methods for URL https://webmail.syscon.net/Microsoft-Server-ActiveSync.
 	The HTTP authentication test failed.
 	
	Additional Details
 	An HTTP 500 response was returned from IIS7.
 	

Asked by: jmanes
 
Netflo Commented:
Hi,

This is perfectly normal. As the warning states: "The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync."

I can tell you that if you're operating any other type of ActiveSync device (Android, iOS, Win Mobile 6.0+, etc.) you will be fine. If you have any Win Mobile 5.0 devices, which are fairly old, then yes, you will have a problem where they won't be able to sync.

Safe to ignore, unless you have legacy devices in your organisation.
0
 
jmanes (Author) Commented:
I am trying it from a Galaxy 3 and an iPhone 4 :(
0
 
Netflo Commented:
Both should and do work against Exchange 2010. I can assure you this notification is not your issue.

Are you trying this via the mobile / wifi network remotely or over wifi on the corporate LAN?

I had a look at your OWA link and can see you've changed the default username prompt to email address, via the authentication settings via EMC.
0

 
jmanes (Author) Commented:
I am trying via mobile over the Rogers network, and I tried on a different cellphone; no success :(. Yeah, on OWA it says e-mail address, and if I enter user@sys...net it will not take the credentials. But if I enter domain/user then the user will have access to OWA.
This is an easy fix though, but I don't care about it now.

Everything else is working fine, like OWA access, POP3/IMAP and the Outlook client, except ActiveSync.
0
 
jmanes (Author) Commented:
Let me know if you need any other information or any results from the get command and the Exchange connectivity test.
0
 
Netflo Commented:
To eliminate the mobile network and DNS, try to visit your OWA address via the web browser on the phone. Does the OWA page load? If yes, then the mobile has no trouble looking at the correct location for email services.

Then you need to look at the settings you're putting in on the phone during the email setup.

Just to confirm, the server address is webmail.domain.net, no slash OWA.

And everything is set up as per the following link: http://www.talkandroid.com/guides/droid/motorola-droid-exchange-email-calendar-contact-setup/
0
 
jmanes (Author) Commented:
Yes, the OWA page loads on the phone and I can log in to it.
The manual settings that I am putting on the Galaxy S3 are:
domain\user
password
webmail.domain.net/owa
tick SSL

The error that I am getting on the phone (and believe me, the username and password are correct):

the server responded with an error,please check your username and password and try again

FYI: If I enter the Exchange server as webmail.domain.net in the browser, it displays the IIS page; that's why I am using webmail.domain.net/owa for now. Again, this is a minor fix, but I am not concerned with this now.
0
 
Netflo Commented:
On the S3, put the server address as webmail.domain.net, NO owa; the phone will be okay.

Just to confirm that the user accounts you're trying to configure via ActiveSync are not domain admins, right? As these are protected accounts and you will not be able to get them on the mobiles - easily.

Further reading: http://aztech.net.au/node/137
0
 
jmanes (Author) Commented:
Nope, still getting the same message... I am using the account that I created for test purposes, and it is only a member of domain users. This user can access everything like OWA, POP3 and IMAP, and it is not only this user: all other accounts can't use ActiveSync either.
I even meet http://aztech.net.au/node/137 :(

Is there anything we can double check on the front end server?
0
 
Netflo Commented:
Have a look in your AD for inheritable permissions, see the following link and read the bit for 2010 onwards:

http://technet.microsoft.com/en-us/library/dd439375(v=exchg.80).aspx
0
 
jmanes (Author) Commented:
Yes, the same thing is also mentioned in http://aztech.net.au/node/137 and I already configured it at the beginning.
0
 
Netflo Commented:
This is your problem: https://webmail.syscon.net/Microsoft-Server-ActiveSync. You should normally receive an authentication prompt at this stage; on your box you don't at all.

I'm assuming you have two servers? CAS / HUB and MBX?

Just also to confirm that your Exchange 2010 servers are on at least SP2, or fully patched?
0
 
Netflo Commented:
Can you also confirm that your Exchange CAS setup is as follows:

1. In the console tree, navigate to Server Configuration > Client Access.
2. In the result pane, click the Exchange ActiveSync tab.
3. Select the Microsoft-Server-ActiveSync virtual directory.
4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.
5. Click the Authentication tab.
6. Select the Basic authentication (password is sent in clear text) check box.
7. Click Apply to save your changes or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.

Reference: http://technet.microsoft.com/en-us/library/bb232190.aspx
0
 
jmanes (Author) Commented:
Well, right now I am in the coexistence stage between 2003 and 2010, and for 2010 I have one front-end CAS/HUB server with two back-end servers. We are running two smart host mbx servers  on open source via .
Can you please guide me on what I should do so that the link above prompts for the credentials?
0
 
jmanes (Author) Commented:
Sorry, I forgot to tell you that all 2010 Exchange servers are running on 2008 R2 SP1.
0
 
jmanes (Author) Commented:
It is already set to the Basic authentication (password is sent in clear text) check box, with ignore client certificate :(
0
 
Netflo Commented:
Just to confirm, for the migration you're performing and in the middle of, are you following the MS documentation for this process?

With respect to the test account, is that mailbox on the new Exch 2010 server?

Can you please explain in more detail what you mean by this: "We are running two smart host mbx servers  on open source via ."

Thanks.
0
 
jmanes (Author) Commented:
Yes, and now I have about 20 mailboxes residing on Exch 2010 and many more to go.
Yes, the test account is on Exch 2010, and I am trying from different accounts that are on Exch 2010 but getting the same result.
Well, we have two MTAs (which are themselves Postfix) in front that are checking for viruses, spam and so on. The OS is OpenBSD 4.9 - 5.0. These are relay transports to our 2003 Exch server.
For 2010, I have configured the connector between 2003 and 2010.
0
 
jmanes (Author) Commented:
Are you still there?
0
 
jmanes (Author) Commented:
Hey,
I just figured it out.

Making basic authentication enabled and all others disabled in IIS under the Microsoft-Server-ActiveSync authentication settings makes ActiveSync work.
0
 
Netflo Commented:
I'm still here, working during the day and had evening meetings.

From looking at one of our test machines, that should be the default setting: Basic Authentication | Enabled | HTTP 401 Challenge.

Are the phones syncing now successfully or TestExchangeConnectivity giving you positive results?
0
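The check discussed in the comments above (an unauthenticated request to the ActiveSync virtual directory should come back as an HTTP 401 Basic challenge, not an HTTP 500) can be scripted. This is an added example, not part of the original thread and not ExRCA's own logic; the verdict names, the use of an OPTIONS request and the host webmail.example.net are assumptions of the example.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_TOKEN = re.compile(r'([A-Za-z][\w-]*)(\s*=)?')


def challenge_schemes(header_values):
    """Return the auth schemes offered across all WWW-Authenticate header values."""
    schemes = []
    for value in header_values:
        # Blank out quoted strings so commas and '=' inside realm="..." are ignored.
        bare = _QUOTED.sub('""', value)
        for part in bare.split(','):
            m = _TOKEN.match(part.strip())
            # "token=" is a parameter of the previous challenge, not a new scheme.
            if m and not m.group(2):
                schemes.append(m.group(1).lower())
    return schemes


def classify_probe(url, status, www_authenticate):
    """Classify an unauthenticated response from the ActiveSync virtual directory."""
    if urlsplit(url).scheme != 'https':
        return 'insecure-transport'   # Basic would send the password in clear text
    offered = set(challenge_schemes(www_authenticate))
    if status == 401 and offered == {'basic'}:
        return 'basic-only'           # the configuration the thread ended up with
    if status == 401 and 'basic' in offered:
        return 'basic-plus-other-schemes'
    if status == 401:
        return 'no-basic-challenge'
    if 500 <= status <= 599:
        return 'server-error-before-challenge'   # the symptom reported in the thread
    if 200 <= status <= 299:
        return 'no-authentication-required'
    return 'unexpected-status'


def probe(url, timeout=10):
    """Send one OPTIONS request without credentials to a server you administer."""
    req = urllib.request.Request(url, method='OPTIONS')
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all('WWW-Authenticate') or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all('WWW-Authenticate') or []


# Constructed sample responses (not captured from the server in the thread).
EAS = 'https://webmail.example.net/Microsoft-Server-ActiveSync'
SAMPLES = [
    (EAS, 401, ['Basic realm="webmail.example.net"']),
    (EAS, 500, []),
    (EAS, 401, ['Negotiate', 'NTLM']),
    (EAS, 401, ['Negotiate, NTLM, Basic realm="webmail.example.net"']),
    (EAS.replace('https://', 'http://'), 401, ['Basic realm="webmail.example.net"']),
]


def classify_samples():
    """Run the classifier over the constructed samples."""
    return [classify_probe(url, status, hdrs) for url, status, hdrs in SAMPLES]


if __name__ == '__main__':
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(sample[1], sample[2], '->', verdict)
```

To check a live server, pass the result of `probe(url)` to `classify_probe(url, *probe(url))`.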
 
anuragshankar Commented:
After migrating the MBX from E2K3 to E2K10, check whether the Allow Inheritable Permissions for the migrated user from E2K3 to E2K10 is enabled or is disabled.

Open ADUC (dsa.msc) / Users / Migrated User / Properties / Security / Advanced /
Ensure that the Allow Inheritable permissions to propagate to this object and all child objects is enabled or disabled.

If this issue is for all the users, then follow the steps as per the article: http://support.microsoft.com/kb/817433
You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note: If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:
1. Right-click the container, and then click Properties.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box.
5. Click OK, and then click Close.
The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
0
 
Netflo Commented:
@anuragshankar, this has already been suggested and verified as not the cause. Read the posts, especially http:#a38348366
0
 
jmanes (Author) Commented:
From looking at one of our test machines, that should be the default setting: Basic Authentication | Enabled | HTTP 401 Challenge.

Are the phones syncing now successfully or TestExchangeConnectivity giving you positive results?  yessssssssssssssssssssssssssssss :)

By the way, you guys are great. Nice to get the upgrade account.
Thanks Netflo
0
 
Netflo Commented:
You're welcome, glad to hear all is working as expected, we finally got there in the end :)
0
 
Netflo Commented:
If you were happy with my solution, could you please accept the comment which best described the solution and close the question down.

I believe it was this one: http:#a38348385

For more info on how to do this, see here: http://support.experts-exchange.com/customer/portal/articles/608621-how-do-i-accept-a-comment-as-my-solution-
0
