Exchange 2007 Active Sync
We have a client who needs ActiveSync enabled but they refuse to pay for an SSL cert. We logged in to the server and enabled ActiveSync on an account for testing purposes. When we attempted to sync a device, it gave a logon failure. We began troubleshooting. Following is the information and the steps we have attempted to use to resolve the issue.

Exchange Management Shell:

Test-ActiveSyncConnectivity -AllowUnsecureAccess

ClientAccessServer : CAS name
Scenario : Options
ScenarioDescription : To retrieve the Exchange ActiveSync protocol version, issue an HTTP OPTIONS command.
PerformanceCounterName :
Result : Failure
MailboxServer :
StartTime : 4/1/2011 9:41:40 AM
Latency : 00:00:00.0156000
SecureAccess : True
Error : This failure occurred because, by default, this task first accesses the server by using a security channel (for example, by using the SSL protocol). If the -AllowUnsecure flag is set, this task will next attempt to access the server by using a method that is not secure. The -AllowUnsecure flag will cause test user credentials to be sent over the network in clear text. [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure.
UserName : username
VirtualDirectoryName :
Url :
UrlType : Unknown
EventType : Error
Port : 0
ConnectionType : Plaintext

ClientAccessServer : CAS name
Scenario : Options
ScenarioDescription : To retrieve the Exchange ActiveSync protocol version, issue an HTTP OPTIONS command.
PerformanceCounterName : DirectPush Latency
Result : Failure
MailboxServer :
StartTime : 4/1/2011 9:41:40 AM
Latency : -00:00:01
SecureAccess : False
Error : [System.Net.WebException]: The remote server returned an error: (403) Forbidden.

HTTP response headers:

Content-Length: 0
Cache-Control: private
Date: Fri, 01 Apr 2011 16:41:40 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

Event Viewer logs the following error:

Product: Exchange
Event ID: 1031
Source: MSExchange ActiveSync
Version: 8.0
Symbolic Name: UserHasBeenDisabled
Message: User "%1" cannot synchronize their mobile device with their mailbox because Exchange ActiveSync has been disabled for this user.

IIS log shows:

2011-04-01 16:44:01 INTERNALIP GET /Microsoft-Server-ActiveSync/default.eas &Log=Error:UserHasBeenDisabled_ 80 DOMAIN\USERNAME CLIENTIP Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 403 0 0 234

Steps we have attempted:

Verified ActiveSync mailbox policies. Non-provisionable devices is set to true.
Created a new default policy in the event the original was corrupt.
Verified the ActiveSync URL is correct.
Verified permissions on the IIS site.
Recreated the ActiveSync site.
Stopped and restarted the App Pool sync object.
Bounced the server.
Generated a new Exchange self-signed cert.
Created a new test user with mailbox.
Dismounted and remounted the information store.
Verified inheritable permissions on the Active Directory object.

The result doesn't change and the issue is global.

Dislaimer 1: As usual I could be way off so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
April 1st, 2011 1:33pm

Do not use the Exchange self-signed certificate for remote access. Your client should use a 3rd party certificate of course. The cost for the certificate is nothing compared to the management nightmare cost. You can use the Windows PKI cert, but then you have to ensure the mobile device trusts the certificate chain. 3rd party certs are the only real option here. http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
April 1st, 2011 1:57pm

We have informed the client of this; however, they do not care. We set ActiveSync to HTTP and verified the IIS site settings.

Dislaimer 1: As usual I could be way off so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
April 1st, 2011 2:29pm

And "SSL is required" is not checked in IIS? You can also test here: https://www.testexchangeconnectivity.com/
April 1st, 2011 3:38pm

Correct, SSL is not required, and I have used testexchangeconnectivity with no viable results to speak of.

Dislaimer 1: As usual I could be way off so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
April 1st, 2011 3:53pm

Is it impossible to convince the customer to let you install an internal Certificate Authority (if not already present) and to issue a certificate to Exchange so that SSL encryption is possible? I'm always blown away by the fact that customers count nickels & dimes and in the process are willing to totally circumvent basic security protection measures. To continue down this unencrypted path, revealing passwords in clear text, is ... disastrous.

Jesper Bernle | Blog: http://xchangeserver.wordpress.com
April 1st, 2011 4:35pm

I am on board with you... ah, the life of an MSP, however. I know that months from now, when something bad goes down, it will be our fault; however, what I have is what I have at the moment.

Dislaimer 1: As usual I could be way off so no playing like I'm Frankenstein. Disclaimer 2: my Speeling and proofing skills are teh fail
April 1st, 2011 5:41pm

I assume that you have also checked the ActiveSync feature on the mailbox, right?

Get-CASMailbox -Identity TestUser | Fl *ActiveSync*

Please browse the "Microsoft-Server-ActiveSync" virtual directory; the expected behavior should be a "501/505" error.

Does the same error information still appear for the test mailbox?

Test-ActiveSyncConnectivity -MailboxCredential "TestMailbox" -AllowUnsecureAccess

Please increase the diagnostic logging level of the ActiveSync component on the CAS server, reproduce the issue, and then check if there's any related event in the application log: Diagnostic Logging of Exchange Processes.

Please use example 3 in this article to get the ActiveSync mailbox log, which could help for troubleshooting.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 7th, 2011 2:49am
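The IIS log line in the first post carries the same diagnosis as the event log: the ActiveSync "&Log=" token names the refusal reason (here UserHasBeenDisabled, i.e. ActiveSync is disabled on the CAS mailbox). As an added example, not code from the thread or from Microsoft, this script parses IIS W3C lines from the Microsoft-Server-ActiveSync directory, pulls out the error token and maps it to the next check; it assumes the default IIS 7 field order and uses constructed sample lines.

```python
import re
from collections import Counter

# Field order of the default IIS 7 W3C log format (an assumption, but it
# matches the 14-column line quoted in the thread).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# ActiveSync appends a diagnostic token to cs-uri-query as "&Log=...";
# "Error:<Name>_" inside it names why the request was refused.
LOG_ERROR = re.compile(r"Log=[^\s&]*?Error:([A-Za-z]+)")

# Next check for each refusal reason; only the one seen in the thread is listed.
HINTS = {
    "UserHasBeenDisabled": "ActiveSync disabled on the mailbox: run "
                           "Get-CASMailbox <user> | Fl *ActiveSync* and re-enable",
}

def parse_line(line):
    """Split one W3C line into a dict; None for comment lines or odd column counts."""
    if line.startswith("#"):
        return None
    parts = line.strip().split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    m = LOG_ERROR.search(rec["cs-uri-query"])
    rec["eas_error"] = m.group(1) if m else "-"
    return rec

def triage(lines):
    """Count refused ActiveSync requests per (user, status, error) with a hint each."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or "/Microsoft-Server-ActiveSync" not in rec["cs-uri-stem"]:
            continue
        if rec["sc-status"].startswith("2"):
            continue  # successful sync traffic is not a finding
        counts[(rec["cs-username"], rec["sc-status"], rec["eas_error"])] += 1
    return [{"user": u, "status": s, "error": e, "count": n,
             "hint": HINTS.get(e, "unknown refusal: raise EAS diagnostic logging")}
            for (u, s, e), n in sorted(counts.items())]

# Constructed sample lines; the first mirrors the thread's line, placeholders kept.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2011-04-01 16:44:01 INTERNALIP GET /Microsoft-Server-ActiveSync/default.eas &Log=Error:UserHasBeenDisabled_ 80 DOMAIN\\USERNAME CLIENTIP Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 403 0 0 234",
    "2011-04-01 16:44:05 INTERNALIP POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=okuser&DeviceId=ABC123&Log=V121_Ssb_ 80 DOMAIN\\okuser CLIENTIP Apple-iPhone 200 0 0 120",
    "2011-04-01 16:44:09 INTERNALIP OPTIONS /Microsoft-Server-ActiveSync/default.eas - 80 - CLIENTIP Android 401 2 5 15",
]
```

Running triage(SAMPLE) reports one 403 UserHasBeenDisabled hit for DOMAIN\USERNAME with the Get-CASMailbox hint, and one anonymous 401 with no error token.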

How's the issue currently? Any further information?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 9th, 2011 7:18am
