I'm in the middle of migrating from Ex2007 to Ex2013. This is a simple setup with a single server running Ex2007. Port forwarding on the firewall redirects incoming port 443 to Ex2007 for activesync/owa, etc. Exchange 2013 has been installed and configured. Both are coexisting fine. I've moved one mailbox. Exchange 2013 has a valid wildcard SSL certificate.

Now, I change the port forward on the firewall to direct 443 to the new server instead of the old. Remote Connectivity Analyzer connects and verifies that everything is fine for both the migrated mailbox as well as mailboxes that are still on Ex2007. However, for all mailboxes (the migrated one as well as all of the ones still on Ex2007), iPhones repeatedly prompt for password. Entering your password does no good. If you remove the account from the iPhone and add it back then everything is fine. The problem is that we have about 100 phones and doing this to each will be a nightmare. I changed port forwarding back to the old server until we can figure this out. Has anyone else run into this issue? To emphasize, ActiveSync is working fine. I have also found that, instead of removing the Exchange account and adding it back to the iOS device, you can just go into account settings, change a field and save, causing the iOS device to re-verify. After that, you are fine. Any ideas?

Update: We just realized that when adding the Exchange account back to the iOS devices, our techs were adding the domain name in the "Domain (optional)" field. However, all of the devices were originally set up with the domain field blank. Our theory now is that Exchange 2013 requires the domain, whereas 2007 did not. On the Exchange 2013 server, we have gone into IIS Manager > Microsoft-Server-ActiveSync > Authentication > Basic Authentication > Edit and set the default domain. We did an IIS reset and then changed the firewall to direct port 443 to the new server again. So far, it looks like this might have resolved the issue.

Ok, that did not actually fix the problem. It seemed to work on a test phone, so we were hopeful that it would work for all phones. No dice. We do think the issue is the missing domain however, since we now know you can just add the domain to the iOS device account and it will work, instead of completely removing the account and adding it back.

Hi,

According your post, I understand that ActiveSync device prompt username and password when change the direct port to new server, but it works fine when reconfigure this device.
If I misunderstand your concern, please do not hesitate to let me know.

Please run Test-ActiveSyncConnectivity to see if all passes when change port pointing to Exchange 2013 server, also check the Event Logs or run Export-ActiveSyncConnectivity to review the report for ActiveSync. For your reference:
http://blogs.technet.com/b/exchange/archive/2012/01/31/a-script-to-troubleshoot-issues-with-exchange-activesync.aspx
http://blogs.technet.com/b/exchange/archive/2006/04/03/424028.aspx

Besides, this issue is related to ActiveSync. Please contact Exchange Mobility and ActiveSync Team so that you can get more professional suggestion, for your convenience:
https://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobilitylegacy

Thanks

At this point, we have just worked through all of the affected phones. Once you input the domain (on the phone) and re-verify the account then it everything is fine. We basically bit the bullet, cut over to Exchange 2013 and fixed phones for anyone who yelled.

Hi,

Sorry for your inconvenience. Please post this issue on Exchange Mobility and ActiveSync Team for further troubleshooting.