ActiveSync stopped working

ckleavitt2
We have an SBS 2003 server running Exchange 2003 and a few days ago users stopped being able to get email on their phones through ActiveSync. They are getting messages like network unavailable, or security certificate errors. Even when trying to re-setup the account or add new phones we get server unavailable on some androids, and on others "There are problems with the security certificate for this site" followed by "Unable to open connection to server, Security error occurred". I have taken many steps to try and resolve the issue including:

1. Checking 443 is open and pointed at the exchange server
2. Turning off our GFI Mail Essentials and testing
3. Using Server Manager wizard to re-create the certificate
4. Ran the Microsoft Exchange ActiveSync Connectivity Tests on their analyzer, and the failures that were produced per below:
5. Going through all these steps: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

None of this has been successful, and I would greatly appreciate any help you can provide. All phones are affected, and PCs work normally.

testconnectivity.microsoft.com results:

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Additional Details
       
Elapsed Time: 795 ms.
       
      Test Steps
       
      Attempting to resolve the host name mail.xxxxx.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: xxx.xxx.xxx.xxx
Elapsed Time: 306 ms.
      Testing TCP port 443 on host mail.xxxxx.com to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 253 ms.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Additional Details
       
Elapsed Time: 235 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.xxxxx.com on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
       
      Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 182 ms.
I Qasmi, Technical Lead

Commented:
Check the certificate hasn't expired.

Type in PowerShell:

Get-ExchangeCertificate | fl

Check the certificates for your FQDN: mail.contoso.com etc.

Also check for events 12014, 12015, 12016, 12017, 12018 in the Event Viewer.
Most Valuable Expert 2014

Commented:
The self signed SSL certificate created by SBS 2003 wizard is not supported for use with ActiveSync.
You should switch to a trusted SSL certificate. A standard single name certificate will be fine - something like GoDaddy or one of their resellers will be the cheapest option.
If you have recreated the self signed certificate, for the ActiveSync clients to trust it, it will have to be installed on to each device - simply not worth the headache - switch to a trusted certificate instead.

Although SBS 2003 is very old, I would suggest an upgrade in the very near future. You will find some ActiveSync devices simply do not work properly with a server of that age.


@ Irfan Ahmed - read the question. SBS 2003 is Exchange 2003. No PowerShell/EMS.

Simon.

Author

Commented:
Simon, this has been working up until a few days ago using a self signed certificate with no problems. And the certificate had not expired and was using the correct fqdn, even before creating a new one.  However, I will definitely look into the trusted SSL right away, but I would like to figure out why it just stopped working with our current setup. Upgrades are already in the approval process, but that is 30-60 days out. Do you think this would be acceptable: https://www.ssl2buy.com/comodo-multi-domain-ssl.php

What are the chances the Trusted SSL doesn't solve the issue? Although I imagine this is the option I will want regardless.
Thank you for your help.
I Qasmi, Technical Lead

Commented:
Thank you Simon,

ckleavitt2

Please check the configuration settings for SBS and standard server for Exchange 2003 ActiveSync configuration and what needs to be rectified. Here is an amazing article by Alan:

http://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/

Author

Commented:
I Qasmi,

Please see my original question. I already went through the steps that Alan Hardisty put together.  You have simply provided a link to the same information. I appreciate your willingness to respond, but I am afraid your lack of comprehension or unwillingness to read is an impediment to the process.
Most Valuable Expert 2014

Commented:
Without a valid certificate the testing site at Microsoft is going to fail, due to the lack of trust. Therefore if a trusted certificate fails then at least it will allow the tools to work for diagnosis.

Previous behaviour is not an indication that it was configured correctly or will continue to work.

If it was working, what changed? Things don't usually stop working on their own.

The Comodo certificates will work, but they are usually more expensive than other providers.
As this is Exchange 2003 you need a standard certificate, nothing more. If the upgrade is taking place in the near future, get the cheapest trusted certificate you can find. In many cases you get a certificate from GoDaddy with coupons for US$10/year. You would only need one year. Then get a new certificate for the new deployment.

Simon.

Author

Commented:
So the ignore trust for SSL option on the testing site does not do what I thought then. I will purchase a standard SSL and re-test. Thank you.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You don't need to buy a 3rd party SSL to get this working.  It will work happily with a self-issued SSL cert and you can choose the Ignore Trust for SSL check box on the test site and it will work happily.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
As this is SBS - just re-run the Connect To The Internet Wizard and generate a new SSL certificate using the Public FQDN you are currently using and then re-test.  Steps are outlined in my article that you have referenced.

Alan

Author

Commented:
Alan, I was hoping you would chime in at some point.
I followed your article and did the Internet Wizard to generate the new cert, making sure the fqdn was correct. I did this before posting my question. However, this did not resolve my issue :(. The test results above were post following your article. Oddly, when I set things up for the first time a few years back I referenced your article and everything worked great from that point up until a couple days ago. Any other suggestions?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Sorry - busy weekend!

What Antivirus software is on the server?

What changed recently (or did nothing change)?

The certificate should be fine if you just reissued it.  What router do you have and is it on the latest firmware?

Author

Commented:
AVG CloudCare is the AV, and we use a WatchGuard XTM router. I will update that software while I am at it as I think there is a newer software version available. And there have been no changes to the server software or hardware since well before the problem occurred.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Hmm!  Odd.  Might be worth trying a 3rd party certificate to rule out the self-issued one, but it shouldn't be necessary.  Should cost about $30 - link in my article if you want to use that one.
hecgomrec, Network Administrator

Commented:
Is the ActiveSync working inside the organization? Did you run IISRESET and restart Information Store?

Make sure all your databases are in good health. Check your DNS server(s) are working properly; if the external request is mapping to the wrong server it will never find the SSL.

Author

Commented:
I ran a tool called AccessMyLan activesync tester, and did the tests for inside and outside the firewall. They both failed with the same SSL negotiation error.

Testing 10.10.200.20 (SSL, On LAN):

Communications:
      Doing DNS lookup on 10.10.200.20 ......... OK (xxxxxxxxxxxx-SBS.xxxxxxxxxxx.local)
      Testing TCP to 10.10.200.20 port 443 ..... OK
SSL Certificate:
      Receiving ................................ FAIL

Result:
      Failed to negotiate SSL with the server.

I ran through Alan's article once more. I made sure to do IISRESET when instructed.
Also, I installed a 3rd party cert and made sure the FQDN matched what the phones connected to.
In addition I have checked DNS is working fine.

As far as making sure the databases are in good health, I can use  ISINTEG and run particular tests. Do I need to run all tests, or just run a particular test for this issue?
Most Valuable Expert 2014

Commented:
I don't think this has anything to do with the databases.
The problem is around SSL.

It could be that you have a corrupt SSL certificate (does happen unfortunately). Could also be something interfering with the SSL transport.

If you browse to https://host.example.com/exchange - do you get SSL prompts? It should give you the OWA login screen.

Simon.
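The distinction this thread keeps circling, a failed SSL negotiation versus a certificate that is merely untrusted, as an added example (not code from any poster; `probe` and its stage names are made up for this sketch). It walks DNS, TCP, a handshake with trust checks switched off, then a fully validated handshake, and reports the first stage that fails.

```python
import socket
import ssl
import sys


def probe(host, port=443, timeout=5.0, server_name=None):
    """Return (stage, detail) for the first failing stage, or ("ok", tls_version)."""
    sni = server_name or host
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)

    # Pass 1: trust and hostname checks off. A failure here is a negotiation
    # problem (nothing speaking TLS on the port, broken binding, protocol
    # mismatch), not a self-signed or untrusted certificate.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with sock, lax.wrap_socket(sock, server_hostname=sni) as tls:
            version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tls_handshake", str(exc)

    # Pass 2: full validation against the local trust store. Only now does
    # self-signed vs. CA-issued matter.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection(addr, timeout=timeout) as raw, \
                strict.wrap_socket(raw, server_hostname=sni):
            pass
    except ssl.SSLCertVerificationError as exc:
        return "cert_trust", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_handshake", str(exc)
    return "ok", version


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    target = sys.argv[1]
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A `tls_handshake` result with TCP open matches the "Failed to negotiate SSL" output above: swapping certificates cannot fix it, because the client never gets as far as seeing one. Run from a current workstation, the default context also refuses SSL 3.0 and TLS 1.0, which is all a Windows Server 2003 host can offer, so against a server of that age this stage can fail on protocol version alone.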

Author

Commented:
I started out with a self signed cert, re-issued it, and then moved to a 3rd party cert. The same issue remains. When I browse to exchange I get page cannot be displayed.

Author

Commented:
The test results:

You have selected First Storage Group / Mailbox Store (xxxxxxx-SBS).
Continue?(Y/N)y
Test Search Folder Links result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:2s
Test Global result: 0 error(s); 0 warning(s); 0 fix(es); 1 row(s); time: 0h:0m:0s
Test Delivered To result: 0 error(s); 0 warning(s); 0 fix(es); 23 row(s); time: 0h:0m:0s
Test Repl Schedule result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Timed Events result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference table construction result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:3m:28s
Test Folder result: 0 error(s); 17 warning(s); 0 fix(es); 1510 row(s); time: 0h:2m:21s
Test Deleted Messages result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message result: 0 error(s); 0 warning(s); 0 fix(es); 96420 row(s); time: 0h:0m:39s
Test Attachment result: 0 error(s); 0 warning(s); 0 fix(es); 91613 row(s); time: 0h:0m:3s
Test Mailbox result: 0 error(s); 0 warning(s); 0 fix(es); 27 row(s); time: 0h:0m:0s
Test Sites result: 0 error(s); 0 warning(s); 0 fix(es); 106 row(s); time: 0h:0m:0s
Test Categories result: 0 error(s); 0 warning(s); 0 fix(es); 252 row(s); time: 0h:0m:0s
Test Per-User Read result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test special folders result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 253 row(s); time: 0h:0m:0s
Test Folder Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference count verification result: 0 error(s); 8 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:3s
Now in test  19(Row Count/Dumpster Count) of total  19 tests; 100% complete.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Can you follow Method 2 in KB883380 to reset the Exchange Virtual Directories and then re-test to see if that improves anything.  Can't hurt and if the problem is SSL, then you would have thought a 3rd party one would have fixed it.

Alan

Author

Commented:
Alan,

I did a certificate test from another site SSLChecker and it resolves the domain, but says there were no SSL certs found. Also, I went back through the Internet Wizard to re-install the 3rd party cert, and I get  "The specified certificate file is not properly formatted....." error. I recall installing the certificate under IIS when this happened the first time, however the cert shows up properly under View Certificate in the IIS folders. I certainly do not want to get side tracked, as the issue has persisted a week now, and we are eager to get it up, but do I need to be concerned with this format error prior to KB883380? Thank you!!
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
As per Simon's last comment, can you browse the site he mentioned internally?

I'm wondering if port 443 isn't configured on the default website or is being grabbed by another service.

Alan

Author

Commented:
No, the page cannot be displayed when I try and browse to it from inside the network.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - in that case can you please post a screen-shot of the websites under IIS Manager (select the level on the left above the sites) showing the sites on the right with the relevant ports they are assigned.

Thanks

Alan

Author

Commented:
IIS Ports
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - that looks normal port-wise.

The Mailessentials directories aren't normal.

Is there any redirection going on on the default website?

Author

Commented:
The Mailessentials directories were installed with GFI antispam gateway, but they have a way to completely disable the system for troubleshooting, which I did. I got the same result whether enabled or disabled. As far as redirection, the Default Web Site has  "A directory located on this computer" selected for the Home Directory. Path C:\Inetpub\Wwwroot
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Can you right-click the Default Website and Browse to it using IIS?

Author

Commented:
No. "This program cannot display the webpage".
Co-Owner
Top Expert 2011
Commented:
Can you run the SBS Best Practices Analyzer and see what errors that throws up please:

http://www.microsoft.com/en-gb/download/details.aspx?id=5334

Alan
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
What was the problem (or were the problems)?

Alan

Author

Commented:
I don't know exactly Alan, but there were several issues caught by running the best practices. After resolving those issues, the problem was corrected. I wish that I could be more specific at this point. I really appreciate all the help though.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Oh well - a fix is a fix, even if you don't know what it was, but I'm glad it is resolved and glad I could help.

Long may it stay fixed too :)

Alan
