Solved

ActiveSync stopped working

Posted on 2014-08-02
Last Modified: 2014-10-28
We have an SBS 2003 server running Exchange 2003 and a few days ago users stopped being able to get email on their phones through ActiveSync. They are getting messages like network unavailable, or security certificate errors. Even when trying to re-setup the account or add new phones we get server unavailable on some androids, and on others "There are problems with the security certificate for this site" followed by "Unable to open connection to server, Security error occurred". I have taken many steps to try and resolve the issue including:

1. Checking 443 is open and pointed at the exchange server
2. Turning off our GFI Mail Essentials and testing
3. Using Server Manager wizard to re-create the certificate
4. Ran the Microsoft Exchange ActiveSync Connectivity Tests on their analyzer, and the failures that were produced are per below:
5. Going through all these steps: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

None of this has been successful, and I would greatly appreciate any help you can provide. All phones are affected, and PCs work normally.

testconnectivity.microsoft.com results:

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Additional Details
       
Elapsed Time: 795 ms.
       
      Test Steps
       
      Attempting to resolve the host name mail.xxxxx.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: xxx.xxx.xxx.xxx
Elapsed Time: 306 ms.
      Testing TCP port 443 on host mail.xxxxx.com to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 253 ms.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Additional Details
       
Elapsed Time: 235 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.xxxxx.com on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
       
      Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 182 ms.
Question by:ckleavitt2
32 Comments
 
LVL 8

Expert Comment

by:I Qasmi
ID: 40237342
Check the certificate hasn't expired.

Type in PowerShell:

Get-ExchangeCertificate | fl

Check the certificates for your FQDN: mail.contoso.com etc.

Also check for events 12014, 12015, 12016, 12017, 12018 in the Event Viewer.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40237480
The self signed SSL certificate created by SBS 2003 wizard is not supported for use with ActiveSync.
You should switch to a trusted SSL certificate. A standard single name certificate will be fine - something like GoDaddy or one of their resellers will be the cheapest option.
If you have recreated the self signed certificate, for the ActiveSync clients to trust it, it will have to be installed on to each device - simply not worth the headache - switch to a trusted certificate instead.

Although SBS 2003 is very old, I would suggest an upgrade in the very near future. You will find some ActiveSync devices simply do not work properly with a server of that age.


@ Irfan Ahmed - read the question. SBS 2003 is Exchange 2003. No PowerShell/EMS.

Simon.
0
 

Author Comment

by:ckleavitt2
ID: 40237530
Simon, this has been working up until a few days ago using a self signed certificate with no problems. And the certificate had not expired and was using the correct fqdn, even before creating a new one.  However, I will definitely look into the trusted SSL right away, but I would like to figure out why it just stopped working with our current setup. Upgrades are already in the approval process, but that is 30-60 days out. Do you think this would be acceptable: https://www.ssl2buy.com/comodo-multi-domain-ssl.php

What are the chances the Trusted SSL doesn't solve the issue? Although I imagine this is the option I will want regardless.
Thank you for your help.
0
 
LVL 8

Expert Comment

by:I Qasmi
ID: 40237544
Thank you Simon,

ckleavitt2

Please check the configuration settings for SBS and standard server for Exchange 2003 ActiveSync configuration and what needs to be rectified. Here is an amazing article by Alan:

http://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/
0
 

Author Comment

by:ckleavitt2
ID: 40237560
I Qasmi,

Please see my original question. I already went through the steps that Alan Hardisty put together.  You have simply provided a link to the same information. I appreciate your willingness to respond, but I am afraid your lack of comprehension or unwillingness to read is an impediment to the process.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40237573
Without a valid certificate the testing site at Microsoft is going to fail, due to the lack of trust. Therefore if a trusted certificate fails then at least it will allow the tools to work for diagnosis.

Previous behaviour is not an indication that it was configured correctly or will continue to work.

If it was working, what changed? Things don't usually stop working on their own.

The Comodo certificates will work, but they are usually more expensive than other providers.
As this is Exchange 2003 you need a standard certificate, nothing more. If the upgrade is taking place in the near future, get the cheapest trusted certificate you can find. In many cases you get a certificate from GoDaddy with coupons for US$10/year. You would only need one year. Then get a new certificate for the new deployment.

Simon.
0
 

Author Comment

by:ckleavitt2
ID: 40237600
So the ignore trust for SSL option on the testing site does not do what I thought then. I will purchase a standard SSL and re-test. Thank you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40237796
You don't need to buy a 3rd party SSL to get this working.  It will work happily with a self-issued SSL cert and you can choose the Ignore Trust for SSL check box on the test site and it will work happily.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40237799
As this is SBS - just re-run the Connect To The Internet Wizard and generate a new SSL certificate using the Public FQDN you are currently using and then re-test.  Steps are outlined in my article that you have referenced.

Alan
0
 

Author Comment

by:ckleavitt2
ID: 40237828
Alan, I was hoping you would chime in at some point.
I followed your article and did the Internet Wizard to generate the new cert, making sure the fqdn was correct. I did this before posting my question. However, this did not resolve my issue :(. The test results above were post following your article. Oddly, when I set things up for the first time a few years back I referenced your article and everything worked great from that point up until a couple days ago. Any other suggestions?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40237832
Sorry - busy weekend!

What Antivirus software is on the server?

What changed recently (or did nothing change)?

The certificate should be fine if you just reissued it.  What router do you have and is it on the latest firmware?
0
 

Author Comment

by:ckleavitt2
ID: 40237840
AVG CloudCare is the AV, and we use a WatchGuard XTM router. I will update that software while I am at it as I think there is a newer software version available. And there have been no changes to the server software or hardware since well before the problem occurred.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40237879
Hmm!  Odd.  Might be worth trying a 3rd party certificate to rule out the self-issued one, but it shouldn't be necessary.  Should cost about $30 - link in my article if you want to use that one.
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40238951
Is the ActiveSync working inside the organization? Did you run IISRESET and restart Information Store?

Make sure all your databases are in good health. Check your DNS server(s) are working properly; if the external request is mapping to the wrong server it will never find the SSL.
0
 

Author Comment

by:ckleavitt2
ID: 40249012
I ran a tool called AccessMyLan activesync tester, and did the tests for inside and outside the firewall. They both failed with the same SSL negotiation error.

Testing 10.10.200.20 (SSL, On LAN):

Communications:
      Doing DNS lookup on 10.10.200.20 ......... OK (xxxxxxxxxxxx-SBS.xxxxxxxxxxx.local)
      Testing TCP to 10.10.200.20 port 443 ..... OK
SSL Certificate:
      Receiving ................................ FAIL

Result:
      Failed to negotiate SSL with the server.

I ran through Alan's article once more. I made sure to do IISRESET when instructed.
Also, I installed a 3rd party cert and made sure the FQDN matched what the phones connected to.
In addition I have checked DNS is working fine.

As far as making sure the databases are in good health, I can use  ISINTEG and run particular tests. Do I need to run all tests, or just run a particular test for this issue?
0
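The stages the connectivity tests in this thread walk through (DNS, TCP 443, SSL negotiation, certificate validation), as an added example that is not part of any post: a Python probe that reports the first failing stage and, by handshaking once with verification disabled, separates "no certificate could be obtained" from "certificate obtained but not trusted". `probe_tls` and `start_hangup_listener` are hypothetical names, and the listener is a constructed loopback stand-in for a port that opens but never completes negotiation.

```python
import socket
import ssl
import threading

def probe_tls(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first failing stage, or ("ok", ...)."""
    try:  # Stage 1: DNS
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:  # Stage 2: TCP connect (all that "port 443 is open" proves)
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"{addr}:{port} {exc}"
    # Stage 3: handshake with verification off, so trust cannot be the cause.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with sock, lax.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError) as exc:
        return "handshake", f"no certificate received: {exc}"
    # Stage 4: same handshake with normal chain and host name verification.
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            pass
    except ssl.SSLCertVerificationError as exc:
        return "trust", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "handshake", str(exc)
    return "ok", f"{len(der)}-byte certificate, chain and name verified"

def start_hangup_listener():
    """Constructed stand-in: accepts on loopback, then drops every connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_hangup_listener()
    print(probe_tls("127.0.0.1", port))  # port open, handshake fails
```

A server that only offers protocol versions the client's TLS library has disabled also lands in the `handshake` stage, so read the detail string before drawing a conclusion about the certificate.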
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40249056
I don't think this has anything to do with the databases.
The problem is around SSL.

It could be that you have a corrupt SSL certificate (does happen unfortunately). Could also be something interfering with the SSL transport.

If you browse to https://host.example.com/exchange - do you get SSL prompts? It should give you the OWA login screen.

Simon.
0
 

Author Comment

by:ckleavitt2
ID: 40249086
I started out with a self signed cert, re-issued it, and then moved to a 3rd party cert. The same issue remains. When I browse to exchange I get page cannot be displayed.
0
 

Author Comment

by:ckleavitt2
ID: 40249094
The test results:

You have selected First Storage Group / Mailbox Store (xxxxxxx-SBS).
Continue?(Y/N)y
Test Search Folder Links result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:2s
Test Global result: 0 error(s); 0 warning(s); 0 fix(es); 1 row(s); time: 0h:0m:0s
Test Delivered To result: 0 error(s); 0 warning(s); 0 fix(es); 23 row(s); time: 0h:0m:0s
Test Repl Schedule result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Timed Events result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference table construction result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:3m:28s
Test Folder result: 0 error(s); 17 warning(s); 0 fix(es); 1510 row(s); time: 0h:2m:21s
Test Deleted Messages result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message result: 0 error(s); 0 warning(s); 0 fix(es); 96420 row(s); time: 0h:0m:39s
Test Attachment result: 0 error(s); 0 warning(s); 0 fix(es); 91613 row(s); time: 0h:0m:3s
Test Mailbox result: 0 error(s); 0 warning(s); 0 fix(es); 27 row(s); time: 0h:0m:0s
Test Sites result: 0 error(s); 0 warning(s); 0 fix(es); 106 row(s); time: 0h:0m:0s
Test Categories result: 0 error(s); 0 warning(s); 0 fix(es); 252 row(s); time: 0h:0m:0s
Test Per-User Read result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test special folders result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 253 row(s); time: 0h:0m:0s
Test Folder Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference count verification result: 0 error(s); 8 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:3s
Now in test  19(Row Count/Dumpster Count) of total  19 tests; 100% complete.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40249231
Can you follow Method 2 in KB883380 to reset the Exchange Virtual Directories and then re-test to see if that improves anything.  Can't hurt and if the problem is SSL, then you would have thought a 3rd party one would have fixed it.

Alan
0
 

Author Comment

by:ckleavitt2
ID: 40249246
Alan,

I did a certificate test from another site SSLChecker and it resolves the domain, but says there were no SSL certs found. Also, I went back through the Internet Wizard to re-install the 3rd party cert, and I get  "The specified certificate file is not properly formatted....." error. I recall installing the certificate under IIS when this happened the first time, however the cert shows up properly under View Certificate in the IIS folders. I certainly do not want to get side tracked, as the issue has persisted a week now, and we are eager to get it up, but do I need to be concerned with this format error prior to KB883380? Thank you!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40249296
As per Simon's last comment, can you browse the site he mentioned internally?

I'm wondering if port 443 isn't configured on the default website or is being grabbed by another service.

Alan
0
 

Author Comment

by:ckleavitt2
ID: 40249305
No, the page cannot be displayed when I try and browse to it from inside the network.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40249325
Okay - in that case can you please post a screen-shot of the websites under IIS Manager (select the level on the left above the sites) showing the sites on the right with the relevant ports they are assigned.

Thanks

Alan
0
 

Author Comment

by:ckleavitt2
ID: 40249351
IIS Ports
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40249382
Okay - that looks normal port-wise.

The Mailessentials directories aren't normal.

Is there any redirection going on on the default website?
0
 

Author Comment

by:ckleavitt2
ID: 40249435
The Mailessentials directories were installed with GFI antispam gateway, but they have a way to completely disable the system for troubleshooting, which I did. I got the same result whether enabled or disabled. As far as redirection, the Default Web Site has  "A directory located on this computer" selected for the Home Directory. Path C:\Inetpub\Wwwroot
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40249613
Can you right-click the Default Website and Browse to it using IIS?
0
 

Author Comment

by:ckleavitt2
ID: 40249818
No. "This program cannot display the webpage".
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 40249897
Can you run the SBS Best Practices Analyzer and see what errors that throws up please:

http://www.microsoft.com/en-gb/download/details.aspx?id=5334

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40409049
What was the problem (or were the problems)?

Alan
0
 

Author Comment

by:ckleavitt2
ID: 40409052
I don't know exactly Alan, but there were several issues caught by running the best practices. After resolving those issues, the problem was corrected. I wish that I could be more specific at this point. I really appreciate all the help though.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40409077
Oh well - a fix is a fix, even if you don't know what it was, but I'm glad it is resolved and glad I could help.

Long may it stay fixed too :)

Alan
0
