iPhone 4S cannot verify Exchange 2010 account

I'm about to pull my hair out on this one. :)

A user changed their Active Directory password, which is no big deal usually. Her iPhone asked for the new password when she tried to sync; she entered the new password and it did not work. We reset the AD password to something simple for testing purposes, and it still did not work. We also tried on her device:

Remove and re-add the Exchange account
Restart the phone
Cleared network settings
Tried other accounts and they are able to be set up

The user is able to log into OWA. This is the only user this is happening for, all other iPhone users are working fine. On my own iPhone I've tried to add her account with no success, but I was able to remove and re-add my own account and add a test account just fine.

Inheritable permissions are enabled on her AD user object. Account is not locked or disabled.

I've tried recycling the app pools on both CAS servers, which are set up in a CAS array. The problem occurs when trying to set up the account over any connection. I'm at a loss as to what to check next as it appears to be her user account. She is middle management and I don't want to delete and recreate the mailbox or user account when everything else is working perfectly fine for her.

Environment is Exchange 2010, latest service packs, AD forest and domain levels are 2008 R2. Exchange RCA reports no problems, SSL is enabled, and I have a trusted 3rd party cert installed (Network Solutions) which is not expired or revoked.

EDIT: Message is the very specific "unable to verify account information" message.
EDIT: User is not in any kind of administrative or protected group outside of local workstation admin.
cmackles Asked:

cmackles (Author) Commented:
The only iOS device that has the account would be hers. I've even removed the partnerships in the Exchange Management Console so that there are no mobile phone partnerships at all on her mailbox.

There are 2 domain controllers in the same AD site on the same LAN though on different subnets. They communicate just fine. Tried to force a replication sync and still not able to add the account.

In the interim between when I typed the first two parts of this comment and just now, the user called me back. I verified that the password I was typing into my iPhone is exactly how she had changed it. I go onto one of my DCs, reset the password on her AD account to *exactly* what she just told me the password was, and like magic everything worked. Funny thing is I was able to log in to everything with that password, except ActiveSync on iThings.

Good thing I have a terrible memory because I forgot her password already. If my memory was any worse I could plan my own surprise parties. :)
0
 
Dan Arseneau Commented:
From an Apple forum:

remove existing account
start new account
when get 'unable to verify' pop up hit 'OK' and then SAVE and save it anyway.

return and open the account
TURN OFF "use SSL"
hit DONE
if you get check marks next to each field then you're done!
0
 
cmackles (Author) Commented:
Having the user try that since she changed her password from the temporary one already and I don't have it (as I shouldn't).
0
 
pwnbasketz Commented:
Any messages in the event logs on the exchange server indicating failed authentication for the user's account?
0
 
cmackles (Author) Commented:
Interesting. On one CAS server (cas1) there's a lot of audit successes for her account, but on the other (cas2) there's a ton of audit failures for unknown username or password. Thing is, she's able to log into OWA just fine with that same username and password but is unable to set up account information on her iPhone with those same credentials.
0
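
Added example, not part of the thread or any participant's post: one way to compare the audit successes and failures discussed above across both CAS servers and read the failure sub-status behind "unknown username or password". It assumes PowerShell 3.0 or later and read access to the Security log on cas1 and cas2; the function names and the sample records are constructed for illustration.

```powershell
# Added example; sample records are constructed. 4624/4625 = Windows logon success/failure.
$SubStatusText = @{            # NTSTATUS sub-codes carried by event 4625
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'user name correct, wrong password'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000234' = 'account locked out'
}

function Get-LogonAuditRecord {
    # Live collection: flatten 4624/4625 events for one account from each server.
    param([string[]]$ComputerName, [string]$User, [int]$Hours = 24)
    foreach ($c in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4624, 4625
                     StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                if ($d.TargetUserName -eq $User) {
                    [pscustomobject]@{ Computer = $c; Id = $_.Id; SubStatus = $d.SubStatus }
                }
            }
    }
}

function Get-LogonAuditSummary {
    # Count results per server and translate the failure sub-status.
    param([Parameter(ValueFromPipeline = $true)]$Record)
    begin { $all = @() }
    process { $all += $Record }
    end {
        $all | Group-Object Computer, Id, SubStatus | ForEach-Object {
            $r = $_.Group[0]
            [pscustomobject]@{
                Computer = $r.Computer
                Result   = if ($r.Id -eq 4624) { 'success' } else { 'failure' }
                Reason   = if ($r.SubStatus) { $SubStatusText[$r.SubStatus] } else { '' }
                Count    = $_.Count
            }
        }
    }
}

# Constructed records shaped like the thread: cas1 succeeds, cas2 rejects the password.
@( @{ Computer = 'cas1'; Id = 4624; SubStatus = $null },
   @{ Computer = 'cas2'; Id = 4625; SubStatus = '0xc000006a' },
   @{ Computer = 'cas2'; Id = 4625; SubStatus = '0xc000006a' } ) |
    ForEach-Object { [pscustomobject]$_ } | Get-LogonAuditSummary | Format-Table -AutoSize
```

For live data, pipe `Get-LogonAuditRecord -ComputerName cas1, cas2 -User <account>` into `Get-LogonAuditSummary`. A "wrong password" reason on one server next to successes on the other points at the credential being submitted rather than at the mailbox or its permissions.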
 
Dan Arseneau Commented:
Are the certificates set up correctly on cas2?
0
 
pwnbasketz Commented:
The reason I asked was because I had an issue very similar to this where somebody thought it was a great idea to add my domain users group to a protected group, which was overwriting their AD permissions with the adminSDholder default permissions, thus rendering the users' accounts incapable of adding new devices (although I'm not sure how a password change would kick that series of events into motion), but I was hoping for more of a permissions issue that gave more details on what was failing.
0
 
cmackles (Author) Commented:
As far as I can tell, yes. The 3rd party cert is configured for IIS, IMAP, and POP, the subject matches the external (and internal for that matter) address. The certificates are identically configured on both CAS servers.
0
 
cmackles (Author) Commented:
Just manually deleted all mobile phone partnerships on her Exchange mailbox (one from an old iPhone, one for the new one that's currently having problems) and instructed her to try adding it again. Let's see if that changes anything.
0
 
Alan Hardisty (Co-Owner) Commented:
What exactly did you do to remove and re-add the Exchange account?
0
 
cmackles (Author) Commented:
In Mail, Contacts, Calendars, tap the Exchange account, scroll down and hit the big, red "Delete Account" button.
0
 
Alan Hardisty (Co-Owner) Commented:
Okay - did you re-add the same mailbox or create a new mailbox?

Have you checked the inherited permissions / group membership as per my article?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html
0
 
cmackles (Author) Commented:
As stated in my original post above, I've checked inherited permissions and group memberships on the AD object. Inherited permissions is enabled and the user is not a member of any protected groups. The only group the user is a member of that has any kind of elevated permissions is local admins group on her PC.

Added the same mailbox, using 3 different passwords (2 resets by us, 1 change by her). Tried adding the mailbox to my iPhone without success. Added other accounts (mine and a "test user") successfully.
0
 
Alan Hardisty (Co-Owner) Commented:
Okay - make sure ALL iDevices don't have the account added then reset the password.

How many DCs do you have?

If more than one - sync them:

repadmin /syncall /AePd

Then make sure the Mail App is closed on the user's iPhone and then reboot it.

Once rebooted - disable Wi-Fi and then 3G.

Enable 3G and then try to set up the account again.

Any better?
0
 
Alan Hardisty (Co-Owner) Commented:
We have users that can't remember their passwords on a daily basis and call us when they lock out their accounts, only for us to get them to type the password in again with us watching and hey presto - it works.

One for the PEBCAK file:

Problem
Exists
Between
Chair
And
Keyboard

Glad it is working.  Gotta love users!
0
 
cmackles (Author) Commented:
Apparently it was some kind of password issue, but it's odd that the problem persisted when we reset it to a temp password and it still did not work. Best guess is the user changed it right after we reset the password. At any rate, got it working.
0
Question has a verified solution.
