Exchange Issue - Exchange 2003 SP2 - Active sync issue

Looking for some pointers:

Have a site with Server 2003 and Exchange 2003 SP2.

There are only about 8 users on the site and they use Outlook with RPC over HTTP and have been doing so for the last 4 years; they have also used iPhones/iPads for mail access for the last 4 years.

A new user started and I created an account for him. RPC over HTTP for his Outlook worked fine, but when I tried to set up mail on his phone it would not connect, and I can see this in the server's event logs (see Error 1).

I then tried to create a new user by copying an existing user but still the same error.

I cannot understand why the other users are still able to get mail onto their phones with no issues. (I even tried setting 2 of the existing working users up on the new iPhone and on my own iPhone and they worked perfectly, so it's new accounts that cannot connect via mobile devices.) See the "All correct" attachment.

When I go onto an iPhone and set up the new user or users (I've created 3 as tests), I input the server name and their username and password and it ticks all as correct, then asks whether I want to sync just mail or contacts and calendar, and I just pick mail. I then open the Apple Mail app and get "cannot connect to server" as the error, and nothing comes into the new mailbox (no folders or anything).

I went onto and ran the test (unticked SSL as we are using a self-signed cert), and got the attached error, which looks like my problem is ActiveSync (tested using the new user's account). When I run this test for an existing user it passes.

Just tried this but it was already ticked:
Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Sea Doolan (Company Owner) asked:

Simon Butler (Sembee) (Consultant) commented:
First - you need to think about upgrading Exchange 2003. It has problems with modern ActiveSync clients which will cause you problems. It is well outside of support and therefore you will find the mobile devices are able to do things the server cannot.

Check the user account has an email address in both your public and internal domain. So if your internal domain is example.local and public is, then the user needs an address in both.

Sea Doolan (Company Owner, Author) commented:
Hi Simon,
They are moving over to 365 later this year so that will be no harm.
Checked there and they have a public and internal email address on the new accounts, same as the working accounts.
Alan Hardisty (Co-Owner) commented:
Have you been through my article to check your settings against my article?

If you haven't, please do and let me know if you need any further guidance or can't get things working.

Sea Doolan (Company Owner, Author) commented:
Will go through your link now and report back with findings.
Sea Doolan (Company Owner, Author) commented:
1) Service Pack 2 installed - Yes
2) TCP port 443 is open (and forwarded) - Yes and tested
3) LAN adapter binding order - Confirmed and correct
4) Which directory is the relevant one?
When accessing the mail server we go to:
https:\\  (when setting up mail on the iPhones)
or for setting up RPC over HTTP mail access (Outlook) we\exchange
also use https:\\\certsrv for downloading the mail cert (self-signed, for RPC over HTTPS)
Uploaded screenshot of IIS
Sea Doolan (Company Owner, Author) commented:
Checked and as required:
ASP.NET is set to v 1.1.4322
HTTP Keep-Alives enabled
Ensure that the IP for the Default Website is set to All Unassigned and using port 80
Sea Doolan (Company Owner, Author) commented:
Is this my issue? Cert expired?

Why are the rest still working?
Sea Doolan (Company Owner, Author) commented:
This is the cert I install onto laptops to get them working - see its date - 2018 expiry.
I download it from https:\\\certsrv

Also looking at this cert - it's issued to and we always use
Alan Hardisty (Co-Owner) commented:
The reference to the relevant directory is based on your server e.g., SBS or standard Exchange 2003 on Windows 2003.

The section following the 'relevant' comment shows the directories that are relevant to your version of Windows / Exchange, so use that as a reference and then click on the various directories and check those settings.

If you have to install a certificate onto a laptop to get them working, that suggests that you have a self-issued certificate and looking at the certificate installed on the Default Website, it either runs out on the 4th July 2015 or the 7th April 2015 (in which case it has expired).

It will probably be easier to just run the ActiveSync test (specifying manual settings) on and see what results are returned.

Sea Doolan (Company Owner, Author) commented:
Hi Alan, thanks for replying.
Yes, the cert is self-signed.
Here are the results from the ActiveSync test - see attached:
Alan Hardisty (Co-Owner) commented:
Thanks for the test results.  Can you re-run the test and expand ALL the parts that fail as that will tell you where the problem lies.

You will need to tick the ignore trust for SSL check box as your cert is self-issued.

Sea Doolan (Company Owner, Author) commented:
Thanks Alan, I have re-run the test there now with an existing working user and then with a non-working new user.
Alan Hardisty (Co-Owner) commented:
Okay - the fact that it is working is good, but I've often seen the reason for some working and some not working as IIS Settings not being 100% correct.

The 403 forbidden error suggests permissions errors or could be device issues.  Have you looked at the 403 Error section of my article?
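The remote test both experts point to starts with an OPTIONS request against the ActiveSync virtual directory and reads the status code the way Alan reads the 403 above. The following is an added example, not code from the thread or from either expert; `diagnose` and `probe` are my own names, the host and credentials are whatever you pass in, and the mapping of statuses to likely causes is a defender's checklist drawn from this thread, not an exhaustive one. `verify_ssl=False` mirrors the "ignore trust for SSL" option for a self-issued certificate.

```python
"""Probe an Exchange ActiveSync virtual directory with an OPTIONS request and
explain the HTTP status the way one reads the remote connectivity test.
Added example; host names, credentials and helper names are assumptions."""
import base64
import getpass
import ssl
import sys
import urllib.error
import urllib.request

EAS_PATH = "/Microsoft-Server-ActiveSync"  # the virtual directory named in the thread


def diagnose(status, headers):
    """Map an OPTIONS status and response headers to a (category, explanation) pair.
    Pure function, so it can be exercised offline with constructed responses."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        if "ms-asprotocolversions" in h:
            return ("ok", "ActiveSync answered; supported protocol versions: "
                    + h["ms-asprotocolversions"])
        return ("wrong-endpoint",
                "200 without MS-ASProtocolVersions: something other than the "
                "ActiveSync handler answered (check the virtual directory and any proxy)")
    if status == 401:
        return ("auth", "credentials rejected, or Basic authentication is not "
                "enabled on the ActiveSync virtual directory")
    if status == 403:
        return ("forbidden", "request reached IIS but was refused: check the SSL "
                "requirement on /exchange (the exchange-oma layout) and that "
                "ActiveSync is enabled for this user")
    if status == 404:
        return ("missing", "virtual directory not found on the web site that answered")
    if status >= 500:
        return ("server", "server-side failure; read the Exchange and IIS event logs")
    return ("unknown", "unexpected status %d" % status)


def probe(host, username, password, verify_ssl=True, timeout=15):
    """Send OPTIONS with Basic auth to https://host/Microsoft-Server-ActiveSync
    and return diagnose() for whatever comes back, including error statuses."""
    url = "https://%s%s" % (host, EAS_PATH)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, method="OPTIONS",
                                 headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_ssl:  # self-issued certificate: skip chain and name checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return diagnose(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, dict(err.headers))


if __name__ == "__main__":
    # usage: python probe_eas.py mail.example.com DOMAIN\\user  (password prompted)
    host, user = sys.argv[1], sys.argv[2]
    print(probe(host, user, getpass.getpass(), verify_ssl=False))
```

Run it once for a working user and once for a failing one, exactly as the thread does with the hosted test: the same endpoint returning 200 for one account and 403 for another points at per-user or per-directory permissions rather than the certificate.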

Sea Doolan (Company Owner, Author) commented:
Hi Alan, yes, I went through the 403 error section and:
1) Ensured that Forms Based Authentication is NOT turned on under Exchange Virtual Server - not ticked.
2) Device Security Button  - Added the new user as an exception and still the same, tried with the other new user and also the same.
3) I have not done number 3:
"I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)"
4) How to Enable and Disable Exchange ActiveSync Features at the User Level - Checked it was enabled, then disabled and re-enabled it and still the same.
Alan Hardisty (Co-Owner) commented:
Are you running SBS 2003?

Have you checked KB817379 has been configured correctly?
Sea Doolan (Company Owner, Author) commented:
Hi Alan, no, it's Server 2003 and Exchange 2003 SP2, not SBS.

It is the only Exchange box on the site. I see KB817379 refers to changing it from a back end to a front end (Method 1).

Method 2 of KB817379 says it should be used only in an environment that has no Exchange Server 2003 front-end server. Do you think I should go down this route: "Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory"?
Alan Hardisty (Co-Owner) commented:
The reason I asked is that you have the exchange-oma virtual directory listed in the IIS image you posted earlier, so you need to either get rid of that and delete the registry key shown in the article, or add it and make sure the settings are set correctly.

The idea behind the exchange-oma directory is that if you use HTTPS on the /exchange virtual directory, you need something to talk internally on port 80 to the Exchange server, and that's the function that adding the exchange-oma virtual directory gives you.

So - you either need exchange-oma set as port 80 (no HTTPS) and /exchange and /microsoft-server-activesync with HTTPS enabled, or you get rid of the exchange-oma directory and have /exchange without SSL and /microsoft-server-activesync with SSL, and it should work.

At the moment - you are possibly half-way between the two!
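Alan's rule above amounts to two consistent layouts and one broken "half-way" state. The following added example (my own, not Alan's article or any Microsoft tool) encodes that rule as a check you can run against the SSL setting of each virtual directory. The input is a constructed dictionary you fill in by hand from each directory's Directory Security tab in IIS Manager; the virtual directory names come from the thread, and `check_layout` is an assumed helper name.

```python
"""Check an Exchange 2003 IIS layout against the two consistent configurations
for /exchange, /Microsoft-Server-ActiveSync and exchange-oma described above.
Added example; the input dictionaries are constructed, not read from a server."""

EXCHANGE = "/exchange"
EAS = "/Microsoft-Server-ActiveSync"
OMA = "/exchange-oma"


def check_layout(vdirs):
    """vdirs maps a virtual directory path to True if it requires SSL and
    False if it does not; a directory that does not exist is simply absent.
    Returns (layout, findings): layout is 'exchange-oma' or 'plain' and
    findings is empty when the layout is consistent."""
    findings = []

    # ActiveSync itself is expected to require SSL in both layouts.
    if EAS not in vdirs:
        findings.append("%s is missing" % EAS)
    elif not vdirs[EAS]:
        findings.append("%s should require SSL" % EAS)

    exchange_ssl = vdirs.get(EXCHANGE)
    if exchange_ssl is None:
        findings.append("%s is missing" % EXCHANGE)

    if OMA in vdirs:
        # Layout 1: /exchange on HTTPS, exchange-oma on plain port 80 for the
        # internal hop that ActiveSync makes to the mailbox store.
        layout = "exchange-oma"
        if vdirs[OMA]:
            findings.append("%s must not require SSL; it is the plain-HTTP "
                            "path ActiveSync uses internally" % OMA)
        if exchange_ssl is False:
            findings.append("%s does not require SSL, so %s is unnecessary; "
                            "remove it and the registry value pointing at it"
                            % (EXCHANGE, OMA))
    else:
        # Layout 2: no exchange-oma, so /exchange must stay reachable without SSL.
        layout = "plain"
        if exchange_ssl is True:
            findings.append("%s requires SSL but %s is absent: ActiveSync "
                            "cannot reach /exchange internally" % (EXCHANGE, OMA))
    return (layout, findings)


if __name__ == "__main__":
    # Constructed sample inputs: one consistent layout and one half-way state.
    samples = {
        "consistent": {EXCHANGE: True, EAS: True, OMA: False},
        "half-way":   {EXCHANGE: True, EAS: True},
    }
    for name, vdirs in samples.items():
        layout, findings = check_layout(vdirs)
        print("%s: layout=%s findings=%s" % (name, layout, findings or "none"))
```

A non-empty findings list for the half-way state is the symptom Alan describes: the server sits between the two layouts, which is consistent with some requests succeeding and others returning 403.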

Sea Doolan (Company Owner, Author) commented:
Going to move this to Office 365.