ActiveSync Co-existence failing
I have a multi-tenant Exchange environment and am working on a migration from Exchange 2007 to 2013. I am having trouble with ActiveSync for mailboxes on 2007, through my 2013 CAS. Here is what my environment looks like:

- Internet-facing Exchange 2007 CAS 2007cas1/10.1.1.2/204.228.1.2 (name/internal IP/external IP)
- Non-Internet-facing Exchange 2007 CAS 2007cas2/10.1.1.3 (name/internal IP)
- Internet-facing Exchange 2013 CAS/MBX 2013casmbx1/10.1.1.4/204.228.1.4 (name/internal IP/external IP)
- 2007 URL: webmail.hosteddomain.com
- 2013 URL: testmail.hosteddomain.com
- Certificate: Third-party CA wildcard cert

I have verified that OWA and Outlook Anywhere work. When I try to connect to my Exchange 2007 mailbox (and only 2007) through ActiveSync, my phone says "Can't connect to server" and I see the following entries in my IIS logs (2013casmbx1):

Front-end: 
2015-06-15 16:28:32 10.147.0.34 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=PYSJZZTTUA9DOEHLZDW&cafeReqId=3b8bbbeb-f258-4f82-8ae2-85ddb58433f7; 443 mtest2@customerdomain.com 10.2.1.2 Android/5.1.1-EAS-2.0 - 500 0 0 124

2015-06-15 16:47:44 10.147.0.34 GET /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=YGEGSFJYKEWUKETSAGG&cafeReqId=96b81a28-90ab-45cf-9d7d-c117c7cba7d9; 443 domain\mtest2_customerdomain 10.2.1.2 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.124+Safari/537.36 - 500 0 0 21612

Back-end:
2015-06-15 16:28:32 fe80::24f5:677f:e642:1b83%12 OPTIONS /Microsoft-Server-ActiveSync/Proxy/default.eas &Log=PrxTo:2007cas2.domain.local_PrxFrom:fe80%3a%3a24f5%3a677f%3ae642%3a1b83%2512_V0_HH:testmail.hosteddomain.com_SmtpAdrs:mtest2%40customerdomain.com_Error:SendFailure_Mbx:2007mbx1.domain.local_Dc:dc01.domain.local_SBkOffD:L%2f-470_TmRcv16:28:32.7702994_ActivityContextData:ActivityID%3d3b8bbbeb-f258-4f82-8ae2-85ddb58433f7%3bI32%3aADR.C%5bDC01%5d%3d1%3bF%3aADR.AL%5bDC01%5d%3d1.1509%3bI32%3aADS.C%5bDC01%5d%3d3%3bF%3aADS.AL%5bDC01%5d%3d2.216033%3bI32%3aADS.C%5bdc01%5d%3d1%3bF%3aADS.AL%5bdc01%5d%3d1.7718%3bI32%3aATE.C%5bdc01.domain.local%5d%3d1%3bF%3aATE.AL%5bdc01.domain.local%5d%3d0%3bI32%3aATE.C%5bDC01.domain.local%5d%3d3%3bF%3aATE.AL%5bDC01.domain.local%5d%3d5%3bS%3aWLM.Bal%3d480000%3bS%3aWLM.BT%3dEas_Budget:(D)Owner%3aSid%7eDOMAIN%5cMTest2%5Fcustomerdomain%7eEas%7efalse%2cConn%3a0%2

I verified that the AS virtual directories on our 2007 CAS server look like this:
- InternalURL: webmail.hosteddomain.com
- ExternalURL: $null
- BasicAuthEnabled: True
- WindowsAuthEnabled: False

Finally, I verified that my test user has inheritance enabled.

Since all the other mail clients work and ActiveSync works when I'm not trying to proxy through Exchange 2013, I'm not sure what else to check. Thoughts? Thanks.
  • Edited by mhashemi Monday, June 15, 2015 7:38 PM
June 15th, 2015 5:36pm

Jim-Xu,

1. Verified 

2. Verified

3. Autodiscover still points to webmail.hosteddomain.com, so it bypasses Exchange 2013. Once I can set up the account manually, I will update DNS to point to 2013.

4. The Remote Connectivity Analyzer failed and showed the following (truncated)

Attempting to send the OPTIONS command to the server.

An HTTP 500 response was returned from IIS7.
HTTP Response Headers:
request-id: 3adc6cca-9188-467c-ac47-73b2aae2ee18
X-CalculatedBETarget: 2013casmbx1.domain.local
X-MS-BackOffDuration: L/-470
X-DiagInfo: 2013casmbx1
X-BEServer: 2013casmbx1
Cache-Control: private
Content-Type: text/html
Set-Cookie: ClientId=VIULIVZSYEUZMVDFBTJBG; expires=Wed, 15-Jun-2016 19:57:13 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-320083725-3346028824-3299231156-52809=u56Lnp2ejJqBnZ3HnJnMnMbSy8rPmdLLz5nM0p6eyprSz57Hy8vLncvPx86ZgYHNz87K0s/I0s7Jq87GxcrIxc7M; expires=Thu, 16-Jul-2015 19:57:13 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319


I also verified that the Microsoft-Server-ActiveSync virtual directory in IIS 6.5 is set up for Basic auth only. Does it matter if the default domain is specified or not?
  • Edited by mhashemi Tuesday, June 16, 2015 8:18 PM
June 16th, 2015 8:11pm

Hi mhashemi,

Thank you for your question.

These are the steps for us to troubleshoot:

Step 1: Confirm that ActiveSync is enabled for the user

Step 2: Confirm that the mobile device isn't blocked by an ActiveSync quarantine rule

Step 3: Confirm that ActiveSync can be set up by using Autodiscover

Step 4: Set up the mobile device without using Autodiscover (if you don't want to use Autodiscover)

More details can be found at the following link:

https://support.microsoft.com/en-us/kb/2427193?wa=wsignin1.0

Note: although this link is about Exchange Online, it also applies to Exchange 2013.

If there are any errors when we check, you could post the error to ibsexc@microsoft.com for our troubleshooting.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 17th, 2015 3:38am

Besides the suggestion given above, you can follow this well-described blog from the TechNet team, which covers almost all the required aspects of migrating from Exchange 2007 to 2013: http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

Moreover, when migrating users' mailboxes, this automated solution (http://www.exchangemailboxmigration.com/) could also be a good alternative approach to accomplish the migration task without downtime or any further interruption.

June 17th, 2015 6:01am

Andrew,

I have followed those steps. That has led me to my current state.

June 17th, 2015 5:22pm

Hi mhashemi,

To check whether inheritance is disabled on the user:

  1. Open Active Directory Users and Computers.
  2. On the menu at the top of the console, click View > Advanced Features.
  3. Locate and right-click the mailbox account in the console, and then click Properties.
  4. Click the Security tab.
  5. Click Advanced.
  6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.

We could refer to the following link:

https://technet.microsoft.com/en-us/library/dd439375(v=exchg.80).aspx

If not, we could check if there are any errors in application log and send them to ibsexc@microsoft.com for our troubleshooting.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 18th, 2015 3:13am

If I remember correctly, I also believe NTLM needs to be enabled on the 2007 CAS server AS virtual directory since the 2013 server is doing the proxy request.

Also, the 2013 Autodiscover response includes additional information related to the 2013 environment and service URLs. Using the 2007 autodiscover XML and trying to proxy through the 2013 server could be the problem.

  • Marked as answer by mhashemi Friday, June 26, 2015 2:51 PM
June 23rd, 2015 5:48pm

Looks like NTLM was the answer. Thanks.
June 26th, 2015 10:53am
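
Added example (not part of the original thread, and not Microsoft's code): a small parser for the `&Log=` diagnostics in the 2013 back-end IIS entry from the first post, which shows which 2007 CAS the request was proxied to and the recorded error, i.e. the server whose ActiveSync virtual directory authentication settings apply to the proxy hop discussed in the accepted answer. The field layout (underscore-joined `Key:Value` pairs, URL-encoded values) is an assumption inferred from the posted line; the function names and the second sample line are constructed.

```python
from urllib.parse import unquote

# Constructed sample: the back-end entry from the original post, abridged
# after the Dc field, plus one constructed line without proxy diagnostics.
SAMPLE_LOG = [
    "2015-06-15 16:28:32 fe80::24f5:677f:e642:1b83%12 OPTIONS "
    "/Microsoft-Server-ActiveSync/Proxy/default.eas "
    "&Log=PrxTo:2007cas2.domain.local"
    "_PrxFrom:fe80%3a%3a24f5%3a677f%3ae642%3a1b83%2512"
    "_V0_HH:testmail.hosteddomain.com_SmtpAdrs:mtest2%40customerdomain.com"
    "_Error:SendFailure_Mbx:2007mbx1.domain.local_Dc:dc01.domain.local",
    "2015-06-15 16:30:00 10.1.1.4 GET /owa/ - 443 - 10.2.1.2 - 200 0 0 15",
]


def parse_proxy_fields(line):
    """Return the Key:Value pairs carried in the &Log= token, or {} if absent."""
    token = next((t for t in line.split() if t.startswith("&Log=")), None)
    if token is None:
        return {}
    fields = {}
    # Assumption (inferred from the posted line): fields are joined by "_",
    # each is "Key:Value", and a literal "_" inside a value arrives as %5F.
    for part in token[len("&Log="):].split("_"):
        key, sep, value = part.partition(":")
        if sep:  # tokens without a colon (e.g. "V0") carry no value
            fields[key] = unquote(value)
    return fields


def failed_proxy_hops(lines):
    """List proxied ActiveSync requests that recorded an Error field."""
    hops = []
    for line in lines:
        fields = parse_proxy_fields(line)
        if "PrxTo" in fields and "Error" in fields:
            date, time = line.split()[:2]
            hops.append({
                "when": f"{date} {time}",
                "target": fields["PrxTo"],         # legacy CAS being proxied to
                "error": fields["Error"],
                "user": fields.get("SmtpAdrs"),
                "mailbox_server": fields.get("Mbx"),
            })
    return hops


if __name__ == "__main__":
    for hop in failed_proxy_hops(SAMPLE_LOG):
        print(hop)
```

For the posted entry the target is 2007cas2.domain.local, the non-Internet-facing CAS, so that is the server whose virtual directory settings the failing hop depends on.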
