meteorman

cannot add email account to smart phone

I am running a 2003 Small Business Server. I cannot add my Exchange account to my smart phone. Web mail works. On my Droid it keeps telling me username or password is incorrect but it is.
ASKER CERTIFIED SOLUTION
Alan Hardisty
victornegri

You can run the Microsoft Remote Connectivity Analyzer to see if you get any clues:
https://www.testexchangeconnectivity.com/
Make sure you use an account you can delete after running it so you don't compromise your network security.

Also check out this article and follow the steps to configure RPC over HTTP on SBS 2003:
http://technet.microsoft.com/en-us/library/bb123622%28v=exchg.65%29.aspx

Did you purchase a 3rd party SSL certificate? I know that iPhones require it, not too sure about Android devices. iPhones don't like the self-signed cert that Exchange creates.
@victornegri - What has RPC over HTTPS got to do with setting up a mobile phone?

Also, a 3rd party SSL certificate is NOT a requirement to make Activesync work.  They work happily with self-issued certificates, if the certificate is correctly named.
ASKER

It looks like there is an SSL security from GoDaddy that has expired. If I call GoDaddy to renew it, does it automatically renew on the server? Alanhardisty, can you tell me what you mean by relevant virtual directory in IIS?
An SSL expiring won't help - you need to use IIS manager to generate a renewal request, then go to GoDaddy, copy/paste the contents of the renewal request file generated from IIS into the website in the CSR box, request a renewal and once renewed, download the certificate and use IIS to install the certificate.

By relevant, I am referring to the ones listed in my article, just below where it mentions the relevant virtual directory and the image of the virtual directories.
In that case, can I buy the SSL certificate from NO-IP, who is hosting the domain? Do you have any suggestions? This server has been around.
Either way you will need to generate a request, either a renewal one, or you need to remove the existing certificate using IIS then generate a new request, so I would go for the renewal as it should be easier and quicker.
Alanhardisty, can you please guide me on how to generate a request?
Sure - open up IIS Manager, expand the tree so that you can see the Default Website, then right-click the Default Website and choose Properties.  Click onto the Directory Security Tab and then on there, click on the Server Certificate Button, click Next, select Renew the Certificate and complete the Wizard.  That should write a Certificate Request file somewhere of your choice.  Open that file up in Notepad and copy the entire contents and paste that into the GoDaddy site where you will request a renewal for the certificate.
Thank you kindly.
What do I do once it is renewed?
Once the cert is renewed, download the new cert, copy it to the server, return to IIS and go back to the Default Website Properties> Directory Security Tab> Server Certificate button and install the certificate.

Point the wizard to the new certificate (you may need to change the file type to make it happy), then finish the wizard and job done.
I will try. Your article is very impressive.
Thank you - shout if you get stuck anywhere.
When I tried to generate the cert it came back with:

The requested common name, nyserver01, is not a fully-qualified common name. You must use a fully-qualified common name.

What should I use?

I took a snapshot of the certificate I deleted. It says issued to mail.dwq-arch.com. Is that what I should use?
Yes - the name must resolve externally in DNS back to the IP Address of your server.  The nyserver01 is your server name and will only resolve internally, which means your phones will only be able to resolve the name when connected to your WiFi (assuming you have WiFi) inside your company.

Using mail.dwq-arch.com will resolve happily (as long as it is configured to point to the right IP) and will work happily.

Alan
The Cert installed. Does it take time on the internet to see if it had any effect?
No - should work straight away.
Visit https://testexchangeconnectivity.com and run the Activesync test (no Autodiscover anything) and see what results you get.
Should I run outside the network?
No - it's fine anywhere.  The test checks externally, so it makes no difference.
Connectivity test failed

Host name domain.com doesn't match any name found on the server certificate CN=mail.domain.com, OU=Domain Control Validated, O=mail.domain.com.
ExRCA successfully obtained the remote SSL certificate.

Additional Detail

Remote Certificate Subject: CN=mail.domain.com, OU=Domain Control Validated, O=mail.domain.com, Issuer: SERIALNUMBER=XXXXXXXX, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Make sure you specify mail.domain.com not domain.com - you have to use the same FQDN as specified in the certificate name.
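Added example (not part of the original thread or of any poster's reply): the three certificate problems seen so far in this thread, an expired certificate, a common name that is not fully qualified, and a host name that does not match the certificate, checked in Python against a constructed certificate in the dict shape returned by `ssl.SSLSocket.getpeercert()`. The function names, result labels and sample dates are assumptions made for this illustration.

```python
import calendar
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the name is the placeholder used in the thread, the dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"),),
    "notBefore": "Dec 13 00:00:00 2012 GMT",
    "notAfter": "Dec 13 00:00:00 2013 GMT",
}

def cert_names(cert):
    """DNS names clients compare against: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact label-by-label match; a leading '*' covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now):
    """Return which of the problems seen in the thread apply to `host` and `cert`."""
    problems = []
    if "." not in host.rstrip("."):
        # A bare machine name only resolves inside the LAN and a CA will refuse it.
        problems.append("not-fqdn")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

if __name__ == "__main__":
    now = calendar.timegm((2013, 1, 1, 0, 0, 0))
    for host in ("mail.domain.com", "domain.com", "nyserver01"):
        print(host, check_cert(SAMPLE_CERT, host, now) or "ok")
    later = calendar.timegm((2014, 1, 1, 0, 0, 0))
    print("after expiry:", check_cert(SAMPLE_CERT, "mail.domain.com", later))
```
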
Client certificate authentication wasn't detected.

Additional Details

Testing HTTP Authentication Methods for URL https://mail.domain.com/Microsoft-Server-ActiveSync/.

The HTTP authentication test failed.

Additional Details

An HTTP 403 forbidden response was received. The response appears to have come from IIS6. Body of the response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
 BODY { font: 8pt/12pt verdana }
 H1 { font: 13pt/15pt verdana }
 H2 { font: 8pt/12pt verdana }
 A:link { color: red }
 A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
</ul>
<h2>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
 and search for topics titled <b>About Security</b>, <b>Limiting Access by IP Address</b>, <b>IP Address Access Restrictions</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
Okay - please refer to my article and check the IIS Virtual Directory settings and make sure the IP Address Restrictions are as per my article.

You have currently got access restricted to internal IP's only on either the microsoft-server-activesync or Exchange virtual directories.
Domain is registered with register.com
Hosted by NO-IP
SSL from GoDaddy

Do you think this could generate the IP restrictions?
No - the restrictions are set in the IIS settings on the virtual directories> Directory Security Tab.

It is all explained in my article.
I'm trying to follow your steps but I think I might be making changes to the wrong subfolders.
Here is a list:

exchange
exchange-oma
exchweb
Microsoft server activsync

Which one is which?
Okay - you need to look at the following virtual directories:

Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany*
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•     IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•      IP Address Restrictions = Restricted to IP Address of Server
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany*
•      Realm = NETBIOS name
•     IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Most likely the Microsoft-Server-Activesync virtual Directory is the one with the restricted IPs configured.
Is virtual directory part of the title?
Exchange next to a globe means Exchange virtual directory next to a globe icon?

I noticed that the website properties have no IP address selected. Is this a problem?
The Virtual Directory is a directory under the Default Website and most of them have a Globe showing as per the image in my article below the section showing this:

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’ then right-click on the relevant Virtual Directory (see below) and choose properties, then click on the Directory Security Tab):

Right-click the Microsoft-Server-Activesync Virtual Directory and choose Properties, then click on the Directory Security Tab, then on the middle Edit Button and that is where the IP Restrictions are set.
Netbios name for the realm is the machine name?
Don't worry about that part please - just follow what I am asking you to do and nothing else.

Just focus on the IP Restrictions.  Once you have changed that, run iisreset and re-run the test.

Based on the results of the test, we can either celebrate or adjust more settings.
An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
Okay - as this is SBS, please just run the Connect To The Internet Wizard, change nothing, let the wizard complete and then re-run the test on the test site.

The Wizard is found by clicking Start> Server Management> To Do List> Connect To The Internet
An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.

Again.

For the domain, when I run the test I'm using domain.com\username
Your domain name won't be domain.com - you need to use your internal NETBIOS domain name which can be obtained from a command prompt by typing SET and pressing enter - look for USERDOMAIN.

It may be domain\username

See what the internal netbios name is and then re-run the test please.
I tried my email address. It gives me that option.

Still get: An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
Please just use domain\username
I keep getting the same error
Okay - what is your USERDOMAIN when you type SET in a command prompt?
domain\username
Okay - please check the 4 virtual directories (as per comment http:#a38685866) and make sure you have the IP Restrictions set correctly.

If you change anything, run iisreset from a command prompt and then re-test please.
No luck. I noticed another virtual folder called exchweb.
Okay - please just run through my article, check each and every stage, make sure your IIS settings match my article (don't worry too much about the realm\domain settings) and then test.  If you get errors, look for the error in the article and follow the suggestions.

If you are still stuck, then please let me know and I'll see what else I can suggest.

Are you sure you are on Exchange 2003 SP2?
Will you be available tomorrow?
Yes - I'm not usually too far away from Experts-Exchange.

Have to install a new PC for a customer but other than that, I'm fairly clear.

Alan
Now I'm getting
      Exchange ActiveSync returned an HTTP 500 response.
There can be many reasons for that, but the first way to try and fix is to follow method 2 of KB883380

Try that and then re-test please.

Alan
New development: no outgoing mail from within. I haven't done KB883380. Is it related?
your message did not reach some or all of the intended recipients.

      Subject:      RE: Your SSL Certificate Has Been Issued
      Sent:      12/13/2012 9:27 AM

The following recipient(s) cannot be reached:

      Boris Fant on 12/13/2012 9:27 AM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <domain.com #5.7.1 smtp;530 5.7.1 Authentication required>
When you ran the Connect To The Internet Connection Wizard, did you change anything?

Your SMTP Connector may need settings for authentication to be put back if you did change something and you use a Smarthost not DNS to send out emails.
How do I check?
I'm re-running the Connect To The Internet Wizard and when it comes to the web server certificate I guess I need to add the new cert at that point?
I think when it asked me to configure email and internet connection the default was enable internet e-mail when I should have selected do not change internet e-mail configuration.

Does this mess me up?
Connection type: broadband connection using  a local router device with an IP address
Router connection information:
      Local IP address of the router: 10.10.21.254
      Preferred DNS server: 167.206.112.138
      Alternate DNS server: 167.206.7.4

The firewall on your computer running Small Business Server could not be configured. You must configure a firewall to secure your local network from the Internet. For more information about configuring firewall settings for your Small Business Server network, see Help and Support.
Web services on your server's default Web site to be available through the firewall to users on the Internet:
      Outlook Web Access
      Remote Web Workplace
      Outlook Mobile Access
      Outlook via the Internet
      Business Web site (wwwroot)

Do not change current Web server certificate
Email: Enable Exchange for Internet e-mail with the following settings:
E-mail delivery:
Route e-mail to the Internet via the following e-mail server at your ISP: smtp-auth.no-ip.com.
E-mail retrieval:
Use Exchange to retrieve SMTP e-mail.
Email retrieval method:
Route e-mail from the Internet directly to Exchange.
Registered Internet e-mail domain name: domain.com.
Mail delivery schedule: Deliver mail for Exchange mailboxes by using the defined schedule.
E-mail attachments: Remove e-mail attachments from Internet e-mail as specified in the wizard.

For more detailed information about the configurations performed by this wizard, click the link at the bottom of this page to open Icwdetails.htm in C:\Program Files\Microsoft Windows Small Business Server\Networking\Icw.
Note: each time the Configure E-mail and Internet Connection Wizard is run, a new .htm file is automatically generated to preserve the previous settings. For example, Icwdetails1.htm, Icwdetails2.htm, and so on.
It is using a smarthost but I didn't change that.
Alanhardisty, can you help me? My company email is down and I don't know what to do next.
Sorry - I'm back.  Been onsite and home now.

What is down?  Inbound and/or outbound email or both?
Both. Able to log in to webmail but cannot send. Thanks for being there.
Okay - Your inbound mail comes via a 3rd party I believe.  Does your outbound mail also get sent via the same 3rd party?

You are welcome.
Not sure. How would I find that out?
There is a mail reflector configured on NO-IP.
Well - I was hoping that it would be something you would have known.

You are presumably on a Dynamic IP address.  Is that correct?
Static. The SMTP connector is set to forward to smtp-auth.no-ip.com. Should I change it to use DNS?
If you are on a Static IP, then there should not be any problems using DNS to send out emails, but you will need to make sure you have Reverse DNS configured (if not done already you need to get it sorted asap otherwise some will reject your emails).

Is inbound mail working properly?
I changed it to DNS and there is a reverse lookup pointed to the server IP address. Should I reboot?
No need to reboot.  It should work straight away.  Are your outbound queues reducing?
Shows 0 throughout.
Sounds good.  So is inbound mail working happily?
Incoming is working but outgoing is still queuing up but not sending.

Plus I ran Remote Connectivity Analyzer and am still getting:
An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
Okay - please make sure you don't have any credentials configured on your Default SMTP Virtual Server properties> Delivery Tab> Outbound Security Button> Select Anonymous Access.

Also check your Smallbusiness SMTP Connector Properties> Advanced Tab> Outbound Security Button> Select Anonymous Access.

Then restart your Simple Mail Transfer Protocol Service.
Should enable anonymous user be checked on each of the four virtual directories?
That has nothing to do with inbound or outbound emails.
Where is that SMTP Virtual Server properties>

This one I found:
Smallbusiness SMTP Connector Properties and is set to Anonymous Access
It is under Exchange System Manager> Servers> Servername> Protocols> SMTP> Default SMTP Virtual Server
It is set to Anonymous access.

The other settings in that window are checked as well.
Basic authentication is sent in clear text. Does that matter?
You can only select one method, so if Basic is selected, then you need to select anonymous and click OK, then restart the SMTP Service.
You do that by right clicking on the Default SMTP Virtual Server stopping and then restarting it
You can do or just open up the services (Start> Run [type] services.msc [press enter]).

Then restart the Simple Mail Transfer Protocol Service
Oh ya I was looking msexchange services.

The SMTP virtual server \ delivery \ outbound security and checked anonymous. In the advanced delivery tab under smart host points to smtp-auth.no-ip.com and perform reverse DNS lookup is disabled.
Okay - if you want to use DNS, remove the SmartHost then restart the service.
An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.

still getting this fffffffffffff
Okay - but is your mail leaving the server now?
Email is still in the queues, not going out.
When I use MX Toolbox it's still pointing to NO-IP.
You will need to change your MX records to point the mail directly to your server if that is what you want to do.
There is no MX record set for the Exchange server on NO-IP.
This is what I see for your domain's MX records:

Two or more different MX records exist within the zone. This is good and ensures consistent and fail-safe mail deliverability. The MX records are:

preference = 10 mail2.noip.com. [69.65.5.110]
preference = 5 mail1.noip.com. [8.23.224.50]
What should I do? Should I use DNS to do the work or should I re-configure the server to NO-IP settings? I have a static IP and port 25 is open and I have a PowerEdge 2900 server.

It's still not sending mail out.
It should be if you are using DNS and Anonymous Authentication.
I got the instructions from NO-IP, My going item by item. Yes and yes
It's working. I can send.
SMTP outbound connections were set to 3325 instead of 25.
Okay - excellent.

So where are we at with the original question now?
Mobile phone will not connect. Still with the fffffffffffffauthentication problems
Re-checked the settings and rebooted the server and it all started to work.
Thank you, Alanhardisty. You're a genius wizard.