Avatar of CHI-LTD

Exchange ActiveSync (OK on Android, not on iOS)

Ideas?

Native AS client working fine on my Samsung Tab 2.  Encrypted and PW policy applied.

iOS - iPad 1 and iPad mini (iOS 6 and iOS 7.2 respectively) failing.  One over Wi-Fi and the other 3G.
Used a free app to verify and it fails on the username section.

Ideas?

thanks
ASKER CERTIFIED SOLUTION
Sean
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
This solution is only available to members.
Avatar of CHI-LTD

ASKER

policies look fine
Avatar of CHI-LTD

ASKER

one warning on AS test....

Please post the test results
SOLUTION
This solution is only available to members.
Avatar of CHI-LTD

ASKER

2010 (not latest SP)
Yes, I have 2x Androids which work fine.
It's my account (admin), but it fails on any account for iOS.

Odd, it's now failing:

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Additional Details
Elapsed Time: 22448 ms.
Test Steps
Attempting to resolve the host name mail.church-house.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: external1 ip, external2 ip
Elapsed Time: 575 ms.
Testing TCP port 443 on host mail.domain.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 310 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 489 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.domain.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.domain.co.uk, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 429 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.church-house.co.uk was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Validating certificate trust for Windows Mobile devices.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.domain.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 26 ms.
Analyzing the certificate chains for compatibility problems with Windows Phone devices.
Potential compatibility problems were identified with some versions of Windows Phone.
Tell me more about this issue and how to resolve it
Additional Details
The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 3 ms.
The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
All intermediate certificates are present and valid.
Additional Details
All intermediate certificates were present and valid.
Elapsed Time: 0 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 5/2/2013 2:29:34 PM, NotAfter = 5/1/2016 8:37:28 AM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 542 ms.
Testing HTTP Authentication Methods for URL https://mail.domain.co.uk/Microsoft-Server-ActiveSync/.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
Elapsed Time: 316 ms.
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Additional Details
Elapsed Time: 20214 ms.
Test Steps
Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

Headers received:
Content-Length: 1233
Cache-Control: private
Content-Type: text/html
Date: Thu, 31 Oct 2013 09:11:55 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 20214 ms.

If you are an Admin, it will fail.

MS recommend having an Admin account for Admin purposes and a user account for regular stuff, including emails.

Permissions will be reset hourly for anyone with an Admin account and those permissions will stop ActiveSync working.

There is a workaround discussed in my blog (link to) if you are interested:

http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/

Alan
SOLUTION
This solution is only available to members.
Those groups are listed in my article :)
Avatar of CHI-LTD

ASKER

I have tried on a normal user account and that fails too!!

Have you checked the inherited permissions as per my article?

Alan
Avatar of CHI-LTD

ASKER

yes, ticked the inherit option, still not working.
SOLUTION
This solution is only available to members.
Sorry - using a 3rd party SSL cert - ignore that part of the question above.

Alan
Avatar of CHI-LTD

ASKER

Yes, it has worked before on my iPad.
Old install of Exchange, cert not changed either...
SOLUTION
This solution is only available to members.
Avatar of CHI-LTD

ASKER

It's on 3G at the moment, but have also tried Wi-Fi on another Wi-Fi connection...
Avatar of CHI-LTD

ASKER

mainly 3g
SOLUTION
This solution is only available to members.
Avatar of CHI-LTD

ASKER

Standard domain user (without inherited permissions):

is now working...


The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
Exchange ActiveSync was tested successfully.
Additional Details
Elapsed Time: 8528 ms.
Test Steps
Attempting to resolve the host name mail.-.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned:
Elapsed Time: 118 ms.
Testing TCP port 443 on host mail.-.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 301 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 663 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.-.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.-.co.uk, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 617 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.-.co.uk was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Validating certificate trust for Windows Mobile devices.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.-.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 20 ms.
Analyzing the certificate chains for compatibility problems with Windows Phone devices.
Potential compatibility problems were identified with some versions of Windows Phone.
Tell me more about this issue and how to resolve it
Additional Details
The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 2 ms.
The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
All intermediate certificates are present and valid.
Additional Details
All intermediate certificates were present and valid.
Elapsed Time: 0 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 5/2/2013 2:29:34 PM, NotAfter = 5/1/2016 8:37:28 AM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 725 ms.
Testing HTTP Authentication Methods for URL https://mail.-.co.uk/Microsoft-Server-ActiveSync/.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
Elapsed Time: 426 ms.
An ActiveSync session is being attempted with the server.
Testing of an Exchange ActiveSync session completed successfully.
Additional Details
Elapsed Time: 6293 ms.
Test Steps
Attempting to send the OPTIONS command to the server.
The OPTIONS response was successfully received and is valid.
Additional Details
Headers received:
Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.2
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Fri, 01 Nov 2013 15:29:18 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 340 ms.
Attempting the FolderSync command on the Exchange ActiveSync session.
The FolderSync command completed successfully.
Additional Details
Number of folders: 35 Diagnostics:
Elapsed Time: 1369 ms.
Attempting the initial sync to the Inbox folder. This initial sync won't return any data.
The Sync command completed successfully.
Additional Details
Status: 1 Diagnostics:
Elapsed Time: 1032 ms.
Attempting to test the GetItemEstimate command for the Inbox folder.
The Microsoft Connectivity Analyzer successfully received the GetItemEstimate response from the server.
Additional Details
Estimate: 3092 messages Diagnostics:
Elapsed Time: 1100 ms.
Attempting to test synchronization of the Inbox folder.
The Sync command completed successfully.
Additional Details
Number of items synchronized: 100 Diagnostics:
Elapsed Time: 2449 ms.

And on their phone?
Avatar of CHI-LTD

ASKER

ipad mini 'unable to verify account information'.

using the activesync test app - AS Test:

fails on valid user...
Avatar of CHI-LTD

ASKER

should TCP port 5223 be open?
SOLUTION
This solution is only available to members.
Avatar of CHI-LTD

ASKER

I see that Rollup 7 for SP2 is ready...

Not to mention SP3 Rollup 2 as well!  You are a bit behind and would be good to get up to date.
Avatar of CHI-LTD

ASKER

we will upgrade, but shouldn't cause EAS issues?

It can only help - as the updates fix bugs.
Avatar of CHI-LTD

ASKER

true.
Avatar of CHI-LTD

ASKER

Applied rollup and rebooted.
The Samsung device hasn't synced since Sunday.  I now can't set up EAS on the device.

I recall I had to manually run a command in PowerShell to automatically approve devices when testing with MaaS360.  I assume this command is similar to allowing allow/block lists in the GUI through OWA?

Is it worth adding an allow rule through OWA for all devices?

Are you now saying you have MAAS360 installed and configured on your server?
Avatar of CHI-LTD

ASKER

We did have.  It's now not being used.

We are using native EAS client on the devices so bypassing MaaS..

Is it still installed though?
Avatar of CHI-LTD

ASKER

not on the device, no.

I have just noticed that one of our other Exchange servers at a remote site (no mailboxes) is coming up with warnings.  I'm assuming this is the problem...

Event id 1044.

The Client Access server doesn't have the InternalURL value set for the Microsoft-Server-ActiveSync virtual directory. This prevents Exchange ServiceDiscovery from finding the MobileSyncService information for user CHI-EXCH.domain.local. At least one Client Access server in the user's mailbox Active Directory site must have the InternalURL value set. The format for the InternalURL value is https://hostname/Microsoft-Server-ActiveSync 

Remind me how the clients will know which server to access and how to force our main server to accept the connections..?

Thanks
Avatar of CHI-LTD

ASKER

DNS was set up to point to two servers at different sites..
Removed 2nd box, all ok
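
The thread ends with DNS pointing the mail name at two servers at different sites, so a test run through the name only exercises whichever address happens to be picked. The following is an added example, not code from the thread or from the Connectivity Analyzer: it sends the analyzer's OPTIONS step to each resolved address separately and flags addresses that disagree. The function names, `mail` host parameters and sample addresses are assumptions, and the sample responses are constructed from the headers shown in the two reports.

```python
import base64
import socket
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"

def parse_head(raw: bytes):
    """Return (status, headers) from a raw HTTP response; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def probe(hostname, ip, user, password, timeout=10):
    """Send the EAS OPTIONS request to one address, keeping SNI and Host set to the name."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = (f"OPTIONS {EAS_PATH} HTTP/1.1\r\nHost: {hostname}\r\n"
               f"Authorization: Basic {token}\r\nConnection: close\r\n\r\n")
    ctx = ssl.create_default_context()  # certificate chain and host name are verified
    raw = b""
    with socket.create_connection((ip, 443), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=hostname) as tls:
            tls.sendall(request.encode("ascii"))
            while b"\r\n\r\n" not in raw:  # only the status line and headers are needed
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return parse_head(raw)

def probe_all(hostname, user, password):
    """Probe every IPv4 address the name resolves to (live use; needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {ip: probe(hostname, ip, user, password) for ip in sorted({i[4][0] for i in infos})}

def diagnose(results):
    """results maps ip -> (status, headers). Returns (verdict, healthy_ips, failing_ips)."""
    healthy = sorted(ip for ip, (status, headers) in results.items()
                     if status == 200 and "ms-asprotocolversions" in headers)
    failing = sorted(set(results) - set(healthy))
    if healthy and failing:
        return "inconsistent", healthy, failing
    return ("all-ok" if healthy else "all-failing"), healthy, failing

# Constructed sample responses, modelled on the headers in the two reports above.
# The addresses are documentation-range placeholders, not the asker's servers.
SAMPLE = {
    "203.0.113.10": parse_head(
        b"HTTP/1.1 200 OK\r\nAllow: OPTIONS,POST\r\nMS-Server-ActiveSync: 14.2\r\n"
        b"MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1\r\n"
        b"Server: Microsoft-IIS/7.5\r\nContent-Length: 0\r\n\r\n"),
    "198.51.100.20": parse_head(
        b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
        b"Server: Microsoft-IIS/7.5\r\nContent-Length: 1233\r\n\r\n<html>...</html>"),
}

if __name__ == "__main__":
    verdict, healthy, failing = diagnose(SAMPLE)
    print(verdict, "| healthy:", healthy, "| failing:", failing)
```

For a live check, pass the output of `probe_all(...)` with a test mailbox's credentials to `diagnose`; an "inconsistent" verdict means the published name reaches servers that answer ActiveSync differently.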