Solved

Exchange 2010 - "Can't connect to server.  Error 111" when trying to connect both Android and iOS devices

Posted on 2016-08-09
Medium Priority
11,845 Views
Last Modified: 2016-11-22
I'm having some issues with trying to get Android and iOS devices connected to Exchange.  The biggest problem is that some devices work fine while others do not.  On the devices that don't work, we have some users including myself who have tried multiple phones and it will not complete the setup.  We are running AD 2012 and Exchange 2010 SP3 UR13.  (However, this issue has been prevalent since Exchange 2010 SP2 and UR8.)  I have tried connecting to Exchange via the Android app, Gmail, the Outlook app and Touchdown.  On the Android app, Gmail and the Outlook app, none will connect and they show the error "Can't connect to server.  Error 111".  On the Touchdown app, it's stating that ActiveSync is not available and is using Exchange 2007 to connect.  (It shows the entire folder structure, but it will not download any emails to those folders nor can I send an email from the app.)  The problem is that prior to my arrival, this site had just installed Exchange 2010 and never used 2000/2003/2007.

I can connect to OWA without any problems through a browser on these phones and can connect via owa.domain.com and autodiscover.domain.com.  When I run an RCA test, everything comes back correctly except for the SSL certificate.  It comes back with the error:

          Certificate name validation failed.
          Host name domain.com doesn't match any name found on the server certificate CN=IMG.domain.com, OU=Domain Control Validated.

I don't believe this is causing the issue as I exported the certificate and installed it on a phone to test and it fails with the same message.  I've also confirmed that none of the users affected currently have ever had a mobile profile show up in Exchange.  Would anyone else out there have an idea what I can check to confirm what the issue is?  The only other thing that I have seen is that it appears that older users who have been in the system for some time have no problem, whereas anyone new is affected.  Even the older users have been able to set up new phones within the last six months without any issues.
Question by:FormerZeroCool
12 Comments
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 41749732
Since some devices work, ActiveSync is running fine. Have you looked at the Exchange ActiveSync policy? Were the devices blocked by policies?

https://blogs.technet.microsoft.com/exchange/2010/11/15/controlling-exchange-activesync-device-access-using-the-allowblockquarantine-list/
0
 
LVL 49

Expert Comment

by:Jackie Man
ID: 41749760
"The only other thing that I have seen is that it appears that older users who have been in the system for some time have no problem, whereas anyone new is affected.  Even the older users have been able to setup new phones within the last six months without any issues."

"The biggest problem is that some devices work fine while others do not.  On the devices that don't work, we have some users including myself who have tried multiple phones and it will  not complete the setup. "

These two statements are conflicting.

Are you new to your company also?

Can the old user connect to Exchange on the devices that don't work?
0
 

Author Comment

by:FormerZeroCool
ID: 41750246
There are no policies for ActiveSync except for a device policy which allows the default access and a newly created one that uses the same setup except that it requires the device to now have a PIN.  (However, this has not been added to anyone as I'm still testing and the system was broken prior to this.)

Allow devices that don't support policies to synchronize.

Device password:
Optional

Device settings:
Device encryption not required
Storage card use allowed
Camera use allowed
Manual synchronization not required when roaming


As for the conflicting information, hopefully this will clear some of that up.

An existing user that has been in AD for more than three years can set up their phone in the system "if" they already had a phone set up in the system.  We have some users who have more than six phones due to constantly upgrading/replacing their phones.  An existing user that has been in AD for more than three years cannot set up their phone if they have "never" had a phone set up in the system.  Basically, if the user has never had a phone set up in the system, we're unable to get their phone added.
0

 
LVL 49

Expert Comment

by:Jackie Man
ID: 41750272
Besides, it is likely the admin who creates the new users lacks some permissions which are needed to create a container for mobile devices. Details are as follows.

The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.

Source: https://support.microsoft.com/en-us/kb/2579075
0
 

Author Comment

by:FormerZeroCool
ID: 41750405
If I have an existing ActiveSync user try on one of the users' phones where it doesn't work, they are able to add their account to the phone and it will show up on the Exchange server as a device.  However, if you remove the account and try to add the user who couldn't before, it shows the error "Can't connect to server.   (Status: 111)" so it's definitely security related.  However, I checked the security you mention above and all of the prior admins and security groups for Exchange don't have access to the msExchActiveSyncDevices object permission, so I'm not sure if that is truly the reason it's not letting them in.
0
 
LVL 49

Expert Comment

by:Jackie Man
ID: 41750613
Do you have Event ID 1053 in Event Viewer of your AD?
0
 
LVL 19

Assisted Solution

by:suriyaehnop
suriyaehnop earned 1000 total points
ID: 41750629
I assume that the ActiveSync feature is enabled on the problematic user's mailbox.

Is "inherit permission" enabled? You can check this in AD. Double-click on that user, go to Properties and click on the Security tab.

Try comparing with a user who has no issue with ActiveSync.
1
 

Author Comment

by:FormerZeroCool
ID: 41750641
I did see two events for 1053 in the event log from this morning.  However, after seeing those errors earlier after your post, I added the temp workaround from the MS article and it still fails when I try to add my own account in.  The error no longer shows up, but I'm still stuck at the "Can't connect to server.   (Status: 111)"
0
 
LVL 49

Accepted Solution

by:
Jackie Man earned 1000 total points
ID: 41750682
0
 

Author Comment

by:FormerZeroCool
ID: 41750822
Bingo!  Thanks Jackie Man and Suriyaehnop!  Turning on the enable inheritance for my account successfully got me in.  I tried on a few other accounts and that also worked for those users.  Is there any reason why this is turned off by default or is this just a known issue that happens?  Originally they were using AD 2003 and then upgraded to AD 2008 and I just upgraded that to 2012.  (Albeit it was already an issue prior to the 2012 upgrade.)
0
 

Author Closing Comment

by:FormerZeroCool
ID: 41750836
Thanks again for all the help!
0
 

Expert Comment

by:wahib moh
ID: 41898536
Hi guys. Please follow these instructions.
To check whether inheritance is disabled on the user:

    Open Active Directory Users and Computers.
    On the menu at the top of the console, click View > Advanced Features.
    Locate and right-click the mailbox account in the console, and then click Properties.
    Click the Security tab.
    Click Advanced.
    Make sure that the check box for “Include inheritable permissions from this object’s parent” is selected.
0
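
Added example, not part of the original thread or written by any of its participants: the inheritance check described in the steps above, run across every mailbox-enabled account instead of one at a time in the GUI. It assumes the ActiveDirectory RSAT module and rights to read (and, for the fix, modify) user ACLs; the function names are hypothetical.

```powershell
# Report mailbox-enabled users whose AD object has ACL inheritance disabled,
# the condition that blocked ActiveSync device setup in this thread.
# Assumption: ActiveDirectory module is installed and the AD: drive is available.
Import-Module ActiveDirectory

function Get-InheritanceDisabledUser {
    param(
        # Assumed default: whole domain. Pass an OU distinguished name to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # msExchMailboxGuid is populated only on mailbox-enabled accounts.
    Get-ADUser -LDAPFilter '(msExchMailboxGuid=*)' -SearchBase $SearchBase `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } }
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # $false = the DACL is no longer protected, so it inherits from the parent.
        # The second argument is ignored when protection is being removed.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Review the list first, then dry-run the fix with -WhatIf before committing it.
$affected = Get-InheritanceDisabledUser
$affected | Format-Table -AutoSize
# $affected | Where-Object { -not $_.AdminCount } | Enable-UserInheritance -WhatIf
```

Accounts that report AdminCount 1 are or were members of a protected group; for current members the AdminSDHolder process disables inheritance again, so the change will not persist on those accounts.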


Question has a verified solution.
