ActiveSync issues

We have a mixed environment of Exchange 2007 SP3 RU13 and 2013 CU7. No mailboxes have been moved to Exchange 2013 as of now.

I am not able to add an email account using ActiveSync on a mobile device. When I try to configure an email account on a phone from inside the network using ActiveSync, I get the attached error message.

Any thoughts?

Thanks
ActiveSync-Error.JPG
Stelian Stan, Network Administrator, Asked:
 
Ganesh Kumar A, Sr Infrastructure Specialist, Commented:
This issue occurs during the migration process, especially in a mixed environment; basically, it happens due to permission issues. In Exchange 2007 you have to try this, but I recommend moving all mailboxes to Exchange 2013 and then applying the permissions described below, which will solve the issue. Exchange 2013 is far better than Exchange 2013.

To work around this issue, assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
1. Start Active Directory Users and Computers.
2. Click View, and then click to enable Advanced Features.
3. Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
   Note: You can change permissions against a user, an organizational unit, or a domain.
4. On the Security tab, click Advanced.
5. Click Add, type Exchange Servers, and then click OK.
6. In the Apply to box, click Descendant msExchActiveSyncDevices objects.
7. Under Permissions, click to enable Modify Permissions.
8. Click OK three times.
0
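One way to verify the result of the steps in the comment above, as an added example that is not part of the original thread: a read-only PowerShell check that reports whether an object carries an Allow ACE giving Exchange Servers the Modify Permissions right (WriteDacl) on descendant msExchActiveSyncDevices objects. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the sample distinguished name are hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Requires the ActiveDirectory module (RSAT). Function name is hypothetical.
Import-Module ActiveDirectory

function Test-EasDevicePermission {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName,            # user, OU or domain to inspect
        [string]$Trustee = 'Exchange Servers'  # group named in the steps above
    )

    # Look up the schema GUID of the msExchActiveSyncDevices class instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
    if (-not $class) { throw 'msExchActiveSyncDevices was not found in the schema.' }
    $classGuid = [guid]$class.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    # "Modify Permissions" in the GUI is WriteDacl; "Descendant msExchActiveSyncDevices
    # objects" is an ACE whose InheritedObjectType is that class.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Trustee" -and
        (([int]$_.ActiveDirectoryRights -band $writeDacl) -ne 0) -and
        $_.InheritedObjectType -eq $classGuid
    })

    [pscustomobject]@{
        Object             = $DistinguishedName
        AcePresent         = ($aces.Count -gt 0)
        InheritedFromAbove = [bool]($aces | Where-Object { $_.IsInherited })
        # True means ACEs set on a parent OU or domain do not reach this object.
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

# Placeholder DN; replace with an object from your own directory.
# Test-EasDevicePermission -DistinguishedName 'CN=Test User,OU=Staff,DC=example,DC=com'
```

Running it against an affected user object shows whether the ACE set on an OU or the domain actually arrived there.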
 
Stelian Stan, Network Administrator, Author Commented:
So you are suggesting to move all mailboxes to Exchange 2013, then try your suggestion?

That's not working for me because I have to have this working before I can move any mailbox to 2013. I cannot do the migration of all mailboxes overnight. That process will take at least two weeks if not longer, so we have to find a way to fix this issue before I start moving any mailbox.
0
 
Ganesh Kumar A, Sr Infrastructure Specialist, Commented:
There is a similar issue about the ActiveSync issue in mixed mode; please check this: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Q_28598716.html
0
 
Stelian Stan, Network Administrator, Author Commented:
I looked at that one before I even posted my question. All my settings seem OK according to that posting.
0
 
Alan Hardisty, Co-Owner, Commented:
Have you reconfigured the Exchange 2007 server as per the following guide (near the bottom):

https://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx

You will need to set your activesyncvirtualdirectory back to the 2007 server until you have moved everyone to the 2013 server.

If you run get-activesyncvirtualdirectory - it will probably be pointing to the 2013 server which won't help you.

Alan
0
 
Stelian Stan, Network Administrator, Author Commented:
Thanks Alan.
I will make that change then post back.
0
 
Stelian Stan, Network Administrator, Author Commented:
I made the change:

Set-ActiveSyncVirtualDirectory -Identity "<CAS2007>\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync

I changed the values to my environment and followed with an iisreset on the server.

Still not working after making this change.

I also noticed that if I put in the wrong password, at least I get to the next screen (please see the attached file), and then when I fill in all the information on this screen it fails.
ActiveSync-Error-02.JPG
0
 
Alan Hardisty, Co-Owner, Commented:
Please run the Activesync test on https://testexchangeconnectivity.com and post the results (hiding your domain name) as that might help identify the problem.

Alan
0
 
Stelian Stan, Network Administrator, Author Commented:
Hi Alan. Thanks for all your help. Here is the ActiveSync test result:

      
The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
  Exchange ActiveSync was tested successfully.

Attempting to resolve the host name oma.domain.com in DNS.
  The host name resolved successfully.

Testing TCP port 443 on host oma.domain.com to ensure it's listening and open.
  The port was opened successfully.

Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.

The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server oma.mmms.ca on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

Validating the certificate name.
  The certificate name was validated successfully.

Validating certificate trust for Windows Mobile devices.
  The certificate is trusted and all certificates are present in the chain.

The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.domain.com, OU=PremiumSSL Wildcard,
  One or more certificate chains were constructed successfully.

Analyzing the certificate chains for compatibility problems with Windows Phone devices.
  Potential compatibility problems were identified with some versions of Windows Phone.

The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
  All intermediate certificates are present and valid.

Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.

Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.
  Accept/Require Client Certificates isn't configured.
  Elapsed Time: 671 ms.

Testing HTTP Authentication Methods for URL https://oma.domain.com/Microsoft-Server-ActiveSync/.
  The HTTP authentication methods are correct.
  The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
  HTTP Response Headers:
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Length: 2057
  Cache-Control: no-cache
  Content-Type: text/html
  WWW-Authenticate: Basic Realm="oma.domain.com"
  Elapsed Time: 550 ms.

An ActiveSync session is being attempted with the server.
  Testing of an Exchange ActiveSync session completed successfully.
  Elapsed Time: 1300 ms.

Attempting to send the OPTIONS command to the server.
  The OPTIONS response was successfully received and is valid.

Attempting the FolderSync command on the Exchange ActiveSync session.
  The FolderSync command completed successfully.

Attempting the initial sync to the Inbox folder. This initial sync won't return any data.
  The Sync command completed successfully.

Attempting to test the GetItemEstimate command for the Inbox folder.
  The Microsoft Connectivity Analyzer successfully received the GetItemEstimate response from the server.
0
 
Alan Hardisty, Co-Owner, Commented:
Okay - looks promising.

Is the certificate that is being reported installed on both servers or just one or the other?

Where is port 443 being pointed to at present?
0
 
Stelian Stan, Network Administrator, Author Commented:
Unfortunately it is pointing to the old server.

To give you more information on this problem:
- At this point we are using ISA 2006 to access from outside the network; ISA is pointing to the EX2007 server.
- I have a TMG installed and I want to use it during the migration process. So tonight I can change the outside DNS to point to TMG, then do the ActiveSync test on https://testexchangeconnectivity.com, then post the result. I have to make sure OWA and ActiveSync are working properly before I make the switch.
- Also, on March 1 I had to rebuild Ex2013 using "Setup /m:RecoverServer" because the server died. Now it is a virtual server. Followed this TechNet to restore the server.
- After I restored the server, I installed the same certificate I used before the server died and assigned SMTP and IIS services to the cert. The cert has oma.domain.com, legacy.domain.com and autodiscovery.domain.com.

Please let me know if you need more information so you can have a good understanding of my issue here.
0
 
Stelian Stan, Network Administrator, Author Commented:
Hi Alan, here is the result of Microsoft Connectivity Analyzer

Connectivity Test Failed

Test Details

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.

Attempting to resolve the host name oma.mmms.ca in DNS.
  The host name resolved successfully.

Testing TCP port 443 on host oma.domain.com to ensure it's listening and open.
  The port was opened successfully.

Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.

Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.

Testing HTTP Authentication Methods for URL https://oma.domain.com/Microsoft-Server-ActiveSync/.
  The HTTP authentication methods are correct.

An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.

Attempting to send the OPTIONS command to the server.
  Testing of the OPTIONS command failed. For more information, see Additional Details.

Additional Details:
An HTTP 403 error was received because ISA Server denied the specified URL.
HTTP Response Headers:
Connection: Keep-Alive
request-id: e5df9475-e5ef-48d7-bee8-58e2acb6ab1a
Content-Length: 2040
Cache-Control: private
Content-Type: text/html
Date: Sat, 28 Mar 2015 05:12:10 GMT
Set-Cookie: cadataBB33EC985DEF4BEABDE0F43D8E681C55="0e1236fea-0b5a-4898-a3d6-4cdf37e87597ZMyc7K1Z8xGxL1mI3j+e3Rmkh5m0zYqfp1FmIRbbLABvaqE11q5K8tnoK8imQq4fLIwRGtUws72743ZoZt0G0gaLn8kaW2Vp26SHN02a5k61NzNS0xGO7BtLOfwzAroL"; HttpOnly; Domain=.mmms.ca; secure; path=/,ClientId=TCHJSOAKQUGFGHRZMTG; expires=Sun, 27-Mar-2016 05:12:11 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-3490700173-3735007161-874480475-2125=u56Lnp2ejJqBnc2eyJ6am57Sms7OzNLLzJuc0seZyJzSx8zOmZ3OnM6Zz8uagYHNz87K0s/L0s3Iq8/Kxc7Nxc7O; expires=Mon, 27-Apr-2015 05:12:11 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-CalculatedBETarget: exchange.domain.com
X-MS-BackOffDuration: L/-470
X-DiagInfo: exchange
X-BEServer: exchange
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: exchange
Elapsed Time: 130 ms.
0
 
Alan Hardisty, Co-Owner, Commented:
The problem you have with the test results is:

An HTTP 403 error was received because ISA Server denied the specified URL.

So it looks like ISA is blocking the URL you are using, so you need to sort that out before you can continue.  I'm no ISA expert, so you'll need someone to assist you with that aspect.

Alan
0

 
Stelian Stan, Network Administrator, Author Commented:
Thanks Alan for your support. I will test this week from internal networks using our WiFi and the FQDN of the server and I will update the result. I tested Exchange 2013 ActiveSync with a 2013 user and it works; Exchange 2007 ActiveSync with a 2007 user also works. I didn't test Exchange 2013 ActiveSync with a 2007 user.
0
Question has a verified solution.
