Solved

Exchange 2010 - "Can't connect to server.  Error 111" when trying to connect both Android and iOS devices

Posted on 2016-08-09
Last Modified: 2016-11-22
I'm having some issues with trying to get Android and iOS devices connected to Exchange. The biggest problem is that some devices work fine while others do not. On the devices that don't work, we have some users including myself who have tried multiple phones and it will not complete the setup. We are running AD 2012 and Exchange 2010 SP3 UR13. (However, this issue has been prevalent since Exchange 2010 SP2 and UR8.) I have tried connecting to Exchange via the Android app, GMail, the Outlook app and Touchdown. On the Android app, GMail and the Outlook app, none of them will connect and they show the error "Can't connect to server.  Error 111". On the Touchdown app, it's stating that ActiveSync is not available and is using Exchange 2007 to connect. (It shows the entire folder structure, but it will not download any emails to those folders nor can I send an email from the app.) The problem is that prior to my arrival, this site had just installed Exchange 2010 and never used 2000/2003/2007.

I can connect to OWA without any problems through a browser on these phones and can connect via owa.domain.com and autodiscover.domain.com. When I run an RCA test, everything comes back correctly except for the SSL certificate. It comes back with the error:

          Certificate name validation failed.
          Host name domain.com doesn't match any name found on the server certificate CN=IMG.domain.com, OU=Domain Control Validated.

I don't believe this is causing the issue as I exported the certificate and installed it on a phone to test and it fails with the same message. I've also confirmed that none of the users affected currently have ever had a mobile profile show up in Exchange. Would anyone else out there have an idea what I can check to confirm what the issue is? The only other thing that I have seen is that it appears that older users who have been in the system for some time have no problem, whereas anyone new is affected. Even the older users have been able to set up new phones within the last six months without any issues.
Question by:FormerZeroCool
12 Comments
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 41749732
Since some devices work, ActiveSync is running fine. Have you looked at the Exchange ActiveSync policy? Were the devices blocked by policies?

https://blogs.technet.microsoft.com/exchange/2010/11/15/controlling-exchange-activesync-device-access-using-the-allowblockquarantine-list/
0
 
LVL 51

Expert Comment

by:Jackie Man
ID: 41749760
"The only other thing that I have seen is that it appears that older users who have been in the system for some time have no problem, whereas anyone new is affected.  Even the older users have been able to setup new phones within the last six months without any issues."

"The biggest problem is that some devices work fine while others do not. On the devices that don't work, we have some users including myself who have tried multiple phones and it will not complete the setup."

These two statements are conflicting.

Are you new to your company also?

Can the old user connect to the Exchange on the devices that don't work?
0
 

Author Comment

by:FormerZeroCool
ID: 41750246
There are no policies for ActiveSync except for a device policy which allows the default access and a newly created one that uses the same setup except that it requires the device to now have a PIN. (However, this has not been added to anyone as I'm still testing and the system was broken prior to this.)

Allow devices that don't support policies to synchronize.

Device password:
Optional

Device settings:
Device encryption not required
Storage card use allowed
Camera use allowed
Manual synchronization not required when roaming


As for the conflicting information, hopefully this will clear some of that up.

An existing user that has been in AD for more than three years can set up their phone in the system "if" they already had a phone set up in the system. We have some users who have more than six phones due to constantly upgrading/replacing their phones. An existing user that has been in AD for more than three years cannot set up their phone if they have "never" had a phone set up in the system. Basically, if the user has never had a phone set up in the system, we're unable to get their phone to be added.
0
 
LVL 51

Expert Comment

by:Jackie Man
ID: 41750272
Besides, it is likely the admin who creates the new users lacks some permissions which are needed to create a container for mobile devices. Details are as follows.

The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.

Source: https://support.microsoft.com/en-us/kb/2579075
0
 

Author Comment

by:FormerZeroCool
ID: 41750405
If I have an existing ActiveSync user try on one of the users' phones where it doesn't work, they are able to add their account to the phone and it will show up on the Exchange server as a device. However, if you remove the account and try to add the user who couldn't before, it shows the error "Can't connect to server.   (Status: 111)" so it's definitely security related. However, I checked the security you mention above and all of the prior admins and security groups for Exchange don't have access to the msExchActiveSyncDevices object permission, so I'm not sure if that is truly the reason it's not letting them in.
0
 
LVL 51

Expert Comment

by:Jackie Man
ID: 41750613
Do you have Event ID 1053 in Event Viewer of your AD?
0
 
LVL 19

Assisted Solution

by:suriyaehnop
suriyaehnop earned 1000 total points
ID: 41750629
I assume that the ActiveSync feature is enabled on the problematic user's mailbox.

Is "inherit permission" enabled? You can check this in AD. Double-click on that user, go to Properties and click on the Security tab.

Try comparing with a user who has no issue in ActiveSync.
1
 

Author Comment

by:FormerZeroCool
ID: 41750641
I did see two events for 1053 in the event log from this morning.  However after seeing those errors earlier after your post I added the temp workaround from the MS article and it still fails when I try to add my own account in.  The error no longer shows up, but I'm still stuck at the "Can't connect to server.   (Status: 111)"
0
 
LVL 51

Accepted Solution

by:
Jackie Man earned 1000 total points
ID: 41750682
0
 

Author Comment

by:FormerZeroCool
ID: 41750822
Bingo!  Thanks Jackie Man and Suriyaehnop!  Turning on the enable inheritance for my account successfully got me in.  I tried on a few other accounts and that also worked for those users.  Is there any reason why this is turned off by default or is this just a known issue that happens?  Originally they were using AD 2003 and then upgraded to AD 2008 and I just upgraded that to 2012.  (Albeit it was already an issue prior to the 2012 upgrade.)
0
 

Author Closing Comment

by:FormerZeroCool
ID: 41750836
Thanks again for all the help!
0
 

Expert Comment

by:wahib moh
ID: 41898536
Hi guys. Please follow these instructions.
To check whether inheritance is disabled on the user:

    Open Active Directory Users and Computers.
    On the menu at the top of the console, click View > Advanced Features.
    Locate and right-click the mailbox account in the console, and then click Properties.
    Click the Security tab.
    Click Advanced.
    Make sure that the check box for “Include inheritable permissions from this object’s parent” is selected.
0
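
The inheritance check from the steps above, scripted for every mailbox-enabled account at once. This is an added example, not part of the original thread: it assumes the ActiveDirectory (RSAT) PowerShell module, the search base `DC=domain,DC=com` is a placeholder, and the function names are hypothetical.

```powershell
# Added example: audit AD user objects whose ACL inheritance is disabled,
# the condition that blocked creation of the msExchActiveSyncDevices container.
Import-Module ActiveDirectory

function Get-InheritanceDisabledUser {
    param(
        # Placeholder search base; replace with your own OU or domain DN.
        [string]$SearchBase = 'DC=domain,DC=com'
    )
    # msExchMailboxGuid is only populated on mailbox-enabled accounts.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(msExchMailboxGuid=*)' `
               -Properties nTSecurityDescriptor, adminCount, whenCreated |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount, whenCreated
}

function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # First argument $false = ACL is not protected, so it inherits from the parent.
    # The second argument is ignored when the first is $false.
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report only: list affected accounts before changing anything.
$affected = Get-InheritanceDisabledUser
$affected | Format-Table -AutoSize

# Dry run against one account; remove -WhatIf to apply the change.
# Enable-UserAclInheritance -DistinguishedName $affected[0].DistinguishedName -WhatIf
```

Accounts reported with `adminCount` set to 1 are covered by AdminSDHolder, which turns inheritance off again on its next pass, so review those separately instead of re-enabling inheritance on them in bulk.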

Question has a verified solution.
