Active Sync

OK, have issues with a single Android (Tab 2) device not connecting to ActiveSync.
It's a managed device via Maas360.

All my other devices (playbook, and Galaxy S3) work fine.

Running test on exchange remote test analyser shows the following:

Attempting each method of contacting the Autodiscover service.
       The Autodiscover service was tested successfully.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://domain.co.uk/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name domain.co.uk in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host domain.co.uk to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server church-house.co.uk on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       
      Additional Details
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name domain.co.uk doesn't match any name found on the server certificate E=info@parallels.com, CN=Parallels Panel, OU=Parallels Panel, O=Parallels, L=Herndon, S=Virginia, C=US.

Also getting:

An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

Headers received:
Content-Length: 1233
Cache-Control: private
Content-Type: text/html
Date: Tue, 27 Aug 2013 15:20:57 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

Running Get-ActiveSyncDevice shows my connected devices.

We have split DNS internally (when we set up the certs) as we have a .local domain.
Active sync tool I have works fine.

Ideas why the Samsung device is failing to connect?
CHI-LTD Asked:

CHI-LTD (Author) Commented:
Forgot to mention I had this last week:

Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
Information about your mobile phone:
Device model:      Android
Device type:      Android
Device ID:      mdmxxandroidc920955460
Device OS:      
Device user agent:      Android/4.0.3-EAS-1.3
Device IMEI:      
Exchange ActiveSync version:      14.1
Device access state:      Blocked
Device access state reason:      Individual


But there were no rules set!!!

leakim971 (Pluritechnician) Commented:

MAS (MVE) (EE Solution Guide - Technical Dept Head) Commented:
What is the error on your mobile?
Do you have HTTP redirect configured?
Is this problem only for Android phones?

CHI-LTD (Author) Commented:
Not rooted.

HTTP redirect (in IIS?), if so no.

Happening on my Samsung Tab 2 (just won't accept user and password; also same with other user accounts).

My wifi iPad seems to have connected last night but didn't sync. It's listed as a device in OWA/EMC.

leakim971 (Pluritechnician) Commented:
It looks like there's a policy somewhere blocking your device by its device ID, not by the account (try another account, it should fail too).

http://www.idroidspace.com/root-samsung-galaxy-tab-2-101-p5100/
CHI-LTD (Author) Commented:
So I need to root the device??

leakim971 (Pluritechnician) Commented:
I saw you tried to:
- clear the ActiveSync allowed device ID using PowerShell and it failed
- enable the ActiveSync allowed device ID using PowerShell and it failed

Changing the ID temporarily is a good test.

Did you check your default ActiveSync "policy": Get-ActiveSyncOrganizationSettings
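
Added example, not part of the original thread: one way to walk through the checks discussed above in the Exchange Management Shell (Exchange 2010 SP1 or later). The mailbox address is a placeholder and the device ID is the one from the block notification quoted earlier; a state reason of Individual means the state comes from that mailbox's own allow/block lists rather than from an organization-wide rule.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1+). Not code from the thread.
$Mailbox  = 'user@domain.co.uk'        # placeholder: the affected user's mailbox
$DeviceId = 'mdmxxandroidc920955460'   # Device ID quoted in the block notification

# 1. Organization default for devices that match no rule (Allow, Block or Quarantine).
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel

# 2. Organization-wide device access rules (by device type, model, OS or user agent).
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# 3. What Exchange has recorded for this device partnership.
$device = Get-ActiveSyncDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId }
if (-not $device) {
    Write-Warning "No partnership found for $DeviceId on $Mailbox."
    return
}
$device | Format-List DeviceId, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason

# 4. Per-mailbox allow/block lists. A reason of 'Individual' points here.
$cas = Get-CASMailbox -Identity $Mailbox
$cas | Format-List ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 5. If the ID sits in the block list, move it to the allow list.
if ($cas.ActiveSyncBlockedDeviceIDs -contains $DeviceId) {
    Set-CASMailbox -Identity $Mailbox `
        -ActiveSyncBlockedDeviceIDs @{ Remove = $DeviceId } `
        -ActiveSyncAllowedDeviceIDs @{ Add = $DeviceId } `
        -WhatIf   # dry run; remove -WhatIf to apply the change
}
elseif ($device.DeviceAccessState -eq 'Blocked') {
    Write-Warning "Blocked, reason $($device.DeviceAccessStateReason): review the rules from step 2."
}

# 6. After applying the change, confirm the resulting state.
Get-ActiveSyncDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId } |
    Format-List DeviceId, DeviceAccessState, DeviceAccessStateReason
```

If an external management tool also writes to these lists, re-run step 4 after its next sync to see whether the block entry returns.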

CHI-LTD (Author) Commented:
default access level allow.

CHI-LTD (Author) Commented:
OK, now that the device is being shown as blocked and in the EMC as a device, I have managed to allow the device...

CHI-LTD (Author) Commented:
But unable to sync/connect...
Noticed & managed to get the Maas360 device status set to approve.
I suspect Maas360 isn't synchronising correctly with Exchange...

BlueCompute Commented:
Hi CHI-LTD, those Exchange Remote Connectivity Analyser results are useless to you. It's using the autodiscover URL method and picking up the wildcard domain name DNS record and redirecting to your website host, hence all the Parallels Plesk certificates.

What happens if you go through the EXRCA and enter the server details manually?

Also you may wish to consider fixing your DNS configuration for Activesync Autodiscover to work properly.

CHI-LTD (Author) Commented:
I am getting:

:-(
something went wrong
Sorry, we had a problem servicing your request. Please try again later. If the problem continues, let us know.

We have 'autodiscover' and 'mail' in our split dns.

CHI-LTD (Author) Commented:
Ok the exchange test website is working.   Now.  Getting:

An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

Headers received:
Content-Length: 1233
Cache-Control: private
Content-Type: text/html
Date: Wed, 28 Aug 2013 14:25:32 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

BlueCompute Commented:
Hi CHI-LTD,  apologies, I was misled by the result you posted.  The first error, "The SSL certificate failed one or more certificate validation checks." is not a problem, as the autodiscover process then finds and uses the correct autodiscover.domain.co.uk address.

This article discusses a few ways you can diagnose and fix devices being blocked by activesync policies: http://exchangeserverpro.com/activesync-policies-cause-test-activesyncconnectivity-to-fail/

What version of Exchange?

CHI-LTD (Author) Commented:
2010 v14.2

BlueCompute Commented:
Ummm, you can try ticking the box in ADUC > User > Security > Advanced > Include inheritable permissions from this object's parent  as per AlanHardisty's article: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html

CHI-LTD (Author) Commented:
Right, I have got the Android Tab 2 working (finally), as it was before. I think a combination of things.

The Maas app at some point along the line must have set the device to blocked. Managed to manually set it to allowed.
Got the device hooked up with Exchange and then re-deployed Maas and set up ActiveSync...

CHI-LTD (Author) Commented:
Very odd, but resolved. Still believe our Exchange issues, caused by snapshot, resulting in awful performance & other problems...