Solved

iPhone 4S cannot verify Exchange 2010 account

Posted on 2012-09-07
Last Modified: 2012-09-16
I'm about to pull my hair out on this one. :)

A user changed their Active Directory password, which is no big deal usually. Her iPhone asked for the new password when she tried to sync; she entered the new password and it did not work. We reset the AD password to something simple for testing purposes, and it still did not work. We also tried on her device:

Remove and re-add the Exchange account
Restart the phone
Cleared network settings
Tried other accounts and they are able to be set up

The user is able to log into OWA. This is the only user this is happening for, all other iPhone users are working fine. On my own iPhone I've tried to add her account with no success, but I was able to remove and re-add my own account and add a test account just fine.

Inheritable permissions are enabled on her AD user object. Account is not locked or disabled.

I've tried recycling the app pools on both CAS servers, which are set up in a CAS array. The problem occurs when trying to set up the account over any connection. I'm at a loss as to what to check next as it appears to be her user account. She is middle management and I don't want to delete and recreate the mailbox or user account when everything else is working perfectly fine for her.

Environment is Exchange 2010, latest service packs, AD forest and domain levels are 2008 R2. Exchange RCA reports no problems, SSL is enabled, and I have a trusted 3rd party cert installed (Network Solutions) which is not expired or revoked.

EDIT: Message is the very specific "unable to verify account information" message.
EDIT: User is not in any kind of administrative or protected group outside of local workstation admin.
0
Question by:cmackles
16 Comments
 
LVL 9

Expert Comment

by:Dan Arseneau
ID: 38377336
From an Apple forum:

remove existing account
start new account
when get 'unable to verify' pop up hit 'OK' and then SAVE and save it anyway.

return and open the account
TURN OFF "use SSL"
hit DONE
if you get check marks next to each field then you're done!
0
 

Author Comment

by:cmackles
ID: 38377381
Having the user try that since she changed her password from the temporary one already and I don't have it (as I shouldn't).
0
 
LVL 4

Expert Comment

by:pwnbasketz
ID: 38377410
Any messages in the event logs on the Exchange server indicating failed authentication for the user's account?
0
 

Author Comment

by:cmackles
ID: 38377449
Interesting. On one CAS server (cas1) there are a lot of audit successes for her account, but on the other (cas2) there are a ton of audit failures for unknown username or password. Thing is, she's able to log into OWA just fine with that same username and password but is unable to set up account information on her iPhone with those same credentials.
0
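An added example, not part of the original thread: one way to compare audit failures for a single account across both CAS servers and read the failure sub-status, which separates a wrong password from an unknown user name. `cas1` and `cas2` are the server names used above; the account name `jdoe` is a placeholder, and the script assumes remote read access to the Security log on both servers.

```powershell
# Added example: summarise failed logons (Security event 4625) for one account
# on each CAS server, grouped by failure sub-status and source address.
$Servers = 'cas1', 'cas2'           # server names as used in the thread
$Account = 'jdoe'                   # placeholder sAMAccountName
$Since   = (Get-Date).AddHours(-24)

# NTSTATUS sub-status values commonly seen in event 4625
$SubStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Correct user name, wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000071' = 'Password expired'
}

function Get-LogonFailureSummary {
    param([string[]] $ComputerName, [string] $UserName, [datetime] $StartTime)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    foreach ($server in $ComputerName) {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read named fields from the event XML rather than by position
                $data = @{}
                ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
                # Matches the bare account name; a device that sends a UPN logs the UPN here
                if ($data['TargetUserName'] -ieq $UserName) {
                    [pscustomobject]@{ Server = $server; SubStatus = "$($data['SubStatus'])".ToLower(); SourceIp = $data['IpAddress'] }
                }
            } |
            Group-Object Server, SubStatus, SourceIp |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    Server    = $first.Server
                    Failures  = $_.Count
                    SubStatus = $first.SubStatus
                    Reason    = $SubStatusText[$first.SubStatus]   # empty if not in the table
                    SourceIp  = $first.SourceIp
                }
            }
    }
}

Get-LogonFailureSummary -ComputerName $Servers -UserName $Account -StartTime $Since | Format-Table -AutoSize
```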
 
LVL 9

Expert Comment

by:Dan Arseneau
ID: 38377458
Are the certificates set up correctly on cas2?
0
 
LVL 4

Expert Comment

by:pwnbasketz
ID: 38377461
The reason I asked was because I had an issue very similar to this where somebody thought it was a great idea to add my domain users group to a protected group, which was overwriting their AD permissions with the AdminSDHolder default permissions, thus rendering the users' accounts incapable of adding new devices (although I'm not sure how a password change would kick that series of events into motion), but I was hoping for more of a permissions issue that gave more details on what was failing.
0
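An added example, not part of the original thread: a check for the AdminSDHolder condition described in the comment above, covering the case where membership in a protected group is nested or arrives through the primary group (such as Domain Users). It assumes the ActiveDirectory PowerShell module is available; the function name and the account name `jdoe` are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-AdminSDHolderImpact {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, nTSecurityDescriptor, PrimaryGroup

    # Membership through the primary group (normally Domain Users) is stored in
    # primaryGroupID, not in any group's 'member' attribute, so test both DNs.
    $startingPoints = @($user.DistinguishedName, $user.PrimaryGroup)

    $protected = @(foreach ($dn in $startingPoints) {
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
        # Assumes the DN contains no characters that need LDAP filter escaping.
        Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    })

    # The primary group itself may carry adminCount=1
    $protected += @(Get-ADGroup -Identity $user.PrimaryGroup -Properties adminCount |
        Where-Object { $_.adminCount -eq 1 })

    [pscustomobject]@{
        User               = $user.SamAccountName
        # adminCount = 1 means the object was stamped at some point; the value is
        # not cleared automatically when the membership is later removed.
        AdminCount         = $user.adminCount
        # True means ACL inheritance is disabled on the user object
        InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups    = ($protected | Select-Object -ExpandProperty Name -Unique) -join '; '
    }
}

Test-AdminSDHolderImpact -SamAccountName 'jdoe'   # placeholder account name
```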
 

Author Comment

by:cmackles
ID: 38377473
As far as I can tell, yes. The 3rd party cert is configured for IIS, IMAP, and POP, the subject matches the external (and internal for that matter) address. The certificates are identically configured on both CAS servers.
0
 

Author Comment

by:cmackles
ID: 38377502
Just manually deleted all mobile phone partnerships on her Exchange mailbox (one from an old iPhone, one for the new one that's currently having problems) and instructed her to try adding it again. Let's see if that changes anything.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38377618
What exactly did you do to remove and re-add the Exchange account?
0
 

Author Comment

by:cmackles
ID: 38377659
In Mail, Contacts, Calendars, tap the Exchange account, scroll down and hit the big, red "Delete Account" button.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38377679
Okay - did you re-add the same mailbox or create a new mailbox?

Have you checked the inherited permissions / group membership as per my article?

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html
0
 

Author Comment

by:cmackles
ID: 38377708
As stated in my original post above, I've checked inherited permissions and group memberships on the AD object. Inherited permissions are enabled and the user is not a member of any protected groups. The only group the user is a member of that has any kind of elevated permissions is the local admins group on her PC.

Added the same mailbox, using 3 different passwords (2 resets by us, 1 change by her). Tried adding the mailbox to my iPhone without success. Added other accounts (mine and a "test user") successfully.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38377726
Okay - make sure ALL iDevices don't have the account added then reset the password.

How many DCs do you have?

If more than one - sync them:

repadmin /syncall /AePd

Then make sure the Mail App is closed on the user's iPhone and then reboot it.

Once rebooted - disable Wi-Fi and then 3G.

Enable 3G and then try to set up the Account again.

Any better?
0
 

Accepted Solution

by:cmackles
ID: 38377820
The only iOS device that has the account would be hers. I've even removed the partnerships in the Exchange Management Console so that there are no mobile phone partnerships at all on her mailbox.

There are 2 domain controllers in the same AD site on the same LAN though on different subnets. They communicate just fine. Tried to force a replication sync and still not able to add the account.

In the interim between when I typed the first two parts of this comment and just now, the user called me back. I verified that the password I was typing into my iPhone is exactly how she had changed it. I go onto one of my DCs, reset the password on her AD account to *exactly* what she just told me the password was, and like magic everything worked. Funny thing is I was able to log in to everything with that password, except ActiveSync on iThings.

Good thing I have a terrible memory because I forgot her password already. If my memory was any worse I could plan my own surprise parties. :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38377840
We have users that can't remember their passwords on a daily basis and call us when they lock out their accounts, only for us to get them to type the password in again with us watching and hey presto - it works.

One for the PEBCAK file:

Problem
Exists
Between
Chair
And
Keyboard

Glad it is working.  Gotta love users!
0
 

Author Closing Comment

by:cmackles
ID: 38402913
Apparently it was some kind of password issue, but it's odd that the problem persisted when we reset it to a temp password and it still did not work. Best guess is the user changed it right after we reset the password. At any rate, got it working.
0
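An added example, not part of the original thread: the closing guess above (a password changed again right after the reset) and the earlier replication question can both be checked by reading the account's password metadata from each domain controller. It assumes the ActiveDirectory PowerShell module is available; the function name and the account name `jdoe` are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordStatePerDC {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop `
                -Properties pwdLastSet, badPwdCount, badPasswordTime, LockedOut

            # pwdLastSet = 0 means the account is flagged to change its password at next logon
            $pwdSet = if ($u.pwdLastSet -eq 0) { 'Must change at next logon' }
                      else { [datetime]::FromFileTime($u.pwdLastSet) }

            [pscustomobject]@{
                DC              = $dc.HostName
                # pwdLastSet replicates: different values across DCs mean the
                # latest change has not reached every DC yet
                PasswordLastSet = $pwdSet
                # badPwdCount and badPasswordTime are kept per DC and do not replicate,
                # so they show which DC is receiving the failed attempts
                BadPwdCount     = $u.badPwdCount
                LastBadPassword = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) }
                LockedOut       = $u.LockedOut
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
}

Get-PasswordStatePerDC -SamAccountName 'jdoe' | Format-Table -AutoSize   # placeholder account name
```

A `PasswordLastSet` later than the time of the helpdesk reset shows that the password was changed again after the reset.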
