Exchange 2003 and Activesync Configuration and Troubleshooting

So, here is my guide to solving (most) Exchange 2003 and Activesync issues:

Pre-Requisites:

1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed. Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!

To check if you have it installed, open up Exchange System Manager (Start> Programs> Microsoft Exchange> System Manager). Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not.

If you do not have SP2 installed you can download it here – http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

2. Ensure that TCP Port 443 is open (and forwarded) on your firewall to your Exchange server. You don’t need to open up any other ports to get Activesync working, just TCP port 443. You can check this on your Exchange Server at http://www.canyouseeme.org and you should see ‘Success’ if the port is open and forwarded correctly. If it isn’t open and forwarded, check your router and make sure you have the settings configured correctly.

3. Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’, then right-click on the relevant Virtual Directory (see below), choose Properties and click on the Directory Security tab:

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany*
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Restricted to IP Address of Server
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm.  MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above.

* yourcompany can be determined by opening up a command prompt (Start> Run> [type] cmd [press enter]) and then typing ‘SET’ and pressing enter. The variable ‘USERDOMAIN’ is the info you should use for ‘yourcompany’. Most often – this is not required, but I have seen instances where simply adding this info has made Activesync work.

5. ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

6. Make sure that you have HTTP Keep-Alives enabled. Right-click on the Default Web Site and choose Properties. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box and click OK.

7. Check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA). If it is not there – no worries.

IPV6
Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync. (Start> Run> [type] ncpa.cpl [press enter]) Right-click on your Local Area Network Connection and choose Properties. Look under ‘This Connection Uses The Following Items:’ for Internet Protocol (TCP/IP) v6 – if it exists – uninstall it and reboot.

8. Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS Manager, right-click the Default Website and choose Properties, then click on the Advanced button).

If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website (or any other website that you happen to have running that uses the same Host Header name that you are using on your SSL certificate) because this can/will also break Activesync.

If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.
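The Directory Security settings from step 4 can be checked in one pass by reading each virtual directory's AuthFlags and AccessSSLFlags metabase properties and comparing them with the two tables above. The Python script below is an added example, not part of the original article: the observed values are constructed, the profile labels `non-sbs` and `sbs` are names chosen here, and IP address restrictions are not covered.

```python
# Added example: audit IIS 6 virtual-directory flags against the guide's
# Directory Security tables. Values can be read on the server with, e.g.,
#   cscript adsutil.vbs get w3svc/1/root/Exchange/AuthFlags
# (site ID 1 for the Default Web Site is an assumption).

# Bit values of the IIS 6 metabase properties AuthFlags and AccessSSLFlags.
AUTH_BITS = {0x1: "Anonymous", 0x2: "Basic", 0x4: "Integrated",
             0x10: "Digest", 0x40: "Passport"}
SSL_BITS = {0x8: "Require SSL", 0x100: "Require 128-bit"}

INT_BASIC = {"Integrated", "Basic"}
BASIC = {"Basic"}
TICKED = {"Require SSL", "Require 128-bit"}
NOT_TICKED = set()

# Expected (authentication, secure communications) per virtual directory,
# transcribed from the guide's two tables. Keys are lower-cased.
PROFILES = {
    "non-sbs": {
        "exchange": (INT_BASIC, NOT_TICKED),
        "microsoft-server-activesync": (BASIC, TICKED),
        "public": (INT_BASIC, TICKED),
    },
    "sbs": {
        "exchange": (INT_BASIC, TICKED),
        "microsoft-server-activesync": (BASIC, NOT_TICKED),
        "exchange-oma": (INT_BASIC, NOT_TICKED),
        "oma": (BASIC, NOT_TICKED),
        "public": (INT_BASIC, TICKED),
    },
}


def decode(flags, bits):
    """Turn a metabase bitmask into the set of option names that are enabled."""
    return {name for bit, name in bits.items() if flags & bit}


def audit(observed, profile):
    """Return (vdir, setting, expected, actual) tuples where the server differs."""
    seen = {name.lower(): flags for name, flags in observed.items()}
    findings = []
    for vdir, (want_auth, want_ssl) in PROFILES[profile].items():
        if vdir not in seen:
            findings.append((vdir, "missing", None, None))
            continue
        have_auth = decode(seen[vdir]["AuthFlags"], AUTH_BITS)
        have_ssl = decode(seen[vdir]["AccessSSLFlags"], SSL_BITS)
        if have_auth != want_auth:
            findings.append((vdir, "auth", sorted(want_auth), sorted(have_auth)))
        if have_ssl != want_ssl:
            findings.append((vdir, "ssl", sorted(want_ssl), sorted(have_ssl)))
    return findings


def basic_without_ssl(observed):
    """List directories that accept Basic logons without requiring SSL.

    Basic authentication only base64-encodes the password, so each hit is
    worth reviewing. Some hits are expected: the guide's tables deliberately
    leave certain directories without Require SSL.
    """
    return sorted(name.lower() for name, f in observed.items()
                  if f["AuthFlags"] & 0x2 and not f["AccessSSLFlags"] & 0x8)


# Constructed sample: a non-SBS server where SSL was ticked on Exchange and
# Public was left with anonymous access and no SSL requirement.
SAMPLE_OBSERVED = {
    "Exchange": {"AuthFlags": 6, "AccessSSLFlags": 264},
    "Microsoft-Server-ActiveSync": {"AuthFlags": 2, "AccessSSLFlags": 264},
    "Public": {"AuthFlags": 7, "AccessSSLFlags": 0},
}

if __name__ == "__main__":
    for vdir, setting, want, have in audit(SAMPLE_OBSERVED, "non-sbs"):
        print(f"{vdir}: {setting} expected {want}, found {have}")
    print("Basic without Require SSL:", basic_without_ssl(SAMPLE_OBSERVED))
```
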

SSL Certificate
Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync – for example, mail.microsoft.com. To check, right-click on the Default Web Site in IIS, choose Properties, click on the Directory Security Tab and then on the View Certificate Button.

If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

If you have a Small Business Server and don’t want to buy a 3rd Party SSL certificate, just re-run the ‘Connect To The Internet Wizard’, (Start> Server Management> To-Do List> Connect to the Internet).

Click Next. If the Wizard detects a Router – click No to leave the configuration alone.

Make sure ‘Do not change connection type’ is selected and click Next.

Leave the Web Services Configuration Settings as they are and click Next.

Select ‘Create a new Web server certificate’ and enter a ‘Web server name’ e.g., mail.yourdomain.com and click Next.

Select ‘Do not change Internet e-mail configuration’ and click Next.

Click Finish to complete the Wizard.

If you have Windows Mobile Phones, Activesync is much easier to get working with a purchased SSL certificate. If you have a self-created SSL certificate and use Windows Mobile Phones, you will have to install the SSL certificate onto each and every Windows Mobile Phone that you want to use with your Exchange 2003 server. If you only have a handful of devices, then it won’t take long to do, but if you have dozens, a £30 1-Year SSL certificate is probably a very good investment. You can purchase a cheap, trusted SSL certificate from http://exchange-certificates.com that will work happily.

Windows Mobile Phone / iPhone Settings:

Email Address: Your User’s Email Address
Server: Whatever name you have on your certificate e.g., mail.yourdomain.com (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: The CORRECT password!
Description: Whatever you want to call the Account
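The certificate name check from the SSL Certificate section and the ‘Server’ field rule above can be rehearsed before touching any phone. The Python sketch below is an added example, not part of the original article: it takes a certificate as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the three sample certificates are constructed, the function names are chosen here, and "issuer equals subject" is used as the indicator of a self-created certificate.

```python
# Added example: does the certificate match the name typed into the device's
# "Server" field, and is it a self-created certificate?

def clean_server_name(value):
    """Validate the 'Server' field: a bare host name, no scheme, port or path."""
    name = value.strip().lower().rstrip(".")
    if not name or "/" in name or ":" in name:
        raise ValueError("use the bare host name, e.g. mail.yourdomain.com")
    return name


def cert_dns_names(cert):
    """DNS names the certificate is valid for (SAN entries, else the CN)."""
    san = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a '*' that stands for exactly one leftmost label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def review_certificate(cert, server_field):
    host = clean_server_name(server_field)
    names = cert_dns_names(cert)
    self_issued = (cert.get("subject") is not None
                   and cert.get("issuer") == cert.get("subject"))
    return {
        "names": names,
        "name_ok": any(name_matches(n, host) for n in names),
        "self_issued": self_issued,
        # Per the guide: a self-created certificate has to be installed on
        # every Windows Mobile phone, and the connectivity test needs
        # "Ignore Trust for SSL" ticked.
        "install_on_each_windows_mobile": self_issued,
        "tick_ignore_trust_in_test": self_issued,
    }


# Constructed samples in getpeercert() shape.
_CA = ((("organizationName", "Example CA (constructed)"),),
       (("commonName", "Example Issuing CA"),))
SELF_ISSUED_INTERNAL = {
    "subject": ((("commonName", "sbs01.yourdomain.local"),),),
    "issuer": ((("commonName", "sbs01.yourdomain.local"),),),
}
PURCHASED = {
    "subject": ((("commonName", "mail.yourdomain.com"),),),
    "issuer": _CA,
    "subjectAltName": (("DNS", "mail.yourdomain.com"),),
}
WILDCARD = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "issuer": _CA,
    "subjectAltName": (("DNS", "*.yourdomain.com"),),
}

if __name__ == "__main__":
    for label, cert in [("self-issued", SELF_ISSUED_INTERNAL),
                        ("purchased", PURCHASED), ("wildcard", WILDCARD)]:
        print(label, review_certificate(cert, "mail.yourdomain.com"))
```
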

Testing:

If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do NOT check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the “Ignore Trust for SSL” checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App ‘Activesync Tester’ and this should identify any problems with your configuration, or download the version for your PC from https://store.accessmylan.com/main/diagnostic-tools

Various Activesync Errors / Solutions:

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Activesync Error 0x86000108:

Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) – http://support.microsoft.com/kb/950796/en-us

Application Event Log 3005 Errors:

A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.
For Small Business Server 2003 Users – please read this MS article – http://support.microsoft.com/kb/937635

Inconsistent Sync:

If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
ProactiveScanning REG_DWORD 1

HTTP 401 Error:

If you are getting an HTTP 401 error when testing on https://testexchangeconnectivity.com then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:

Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is – please read http://support.microsoft.com/kb/817379 and create an exchange-oma virtual directory following the instructions in the KB article.

I have had Activesync work despite seeing “An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is:

HTTP/1.1 403 Forbidden

” at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server – http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx

Also check to see if it is enabled on a user by user basis – http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx

HTTP 500 Error:

If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists. Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication – Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected – hopefully this should work or give the OK result
• If okay – right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as ‘EntireRegistry’ and save the backup of the registry to the desktop
• In regedit – locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the ‘Select a configuration to import’ section and click on OK. Select ‘Create a new virtual Directory’ and name the directory ‘exchange-oma’ and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse – you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync – it should hopefully be working now!

If the above fails, please check your event logs for Event ID 9667 – Source MSExchangeIS. If this event exists, please have a read of MS KB820379.

In a recent question on Experts-Exchange.com, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

isinteg -s servername -fix -test alltests

Select the dismounted database and let the check run. If you see 0 errors and 0 fixes, then all is well. If not, please re-run the test until you do (as many times as it takes – two usually is sufficient).

If you are still reading this article and are still seeing HTTP 500 errors, then we need to check the settings on the EXCHWEB Virtual Directory in IIS Manager.

Exchweb Virtual Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth \ USA Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Recently added HTTP 500 Error solution for a server I worked on.

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily. If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

RECENT UPDATE (10/01/12) – A piece of software called Hide Folders 2009 (http://fspro.net/hide-folders/) has been found to install a service called “FSPRO Filter Service” and a dll called FSPFltd.sys (in c:\windows\system32\drivers).  This program breaks Activesync.  If you have Activesync part working / part not working, please check your server for this software and if it is there – disable the service, move / delete the .dll file and restart your server.  Once restarted, Activesync should return to normal functionality!

RECENT UPDATE (29/05/12) – Please make sure that the server does not have Microsoft Security Essentials installed as this will break Activesync.  If you find it is installed – please uninstall it.

Recent Update (10/07/13) – DO NOT INSTALL programs such as Disk Keeper on any server running Exchange as it too will break Activesync!

If you are still not working – then you will probably have to call Microsoft to get support from them as something else not covered by this article is causing your problems.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far – and hopefully fixing your problems – if you have found this article helpful, please vote for it at the top of the page : )

264 Responses

  1. […] 2003 box and I had already configured Activesync on the server having followed my own article (https://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubles…), so I knew that this part was not going to present me with any […]

  2. This worked perfectly on two SBS 2003 servers.
    Thank you!

  3. This is the most comprehensive troubleshooting page I have come across – I got stuck trying to troubleshoot a client’s ActiveSync, and your article definitely helped!

  4. Hi,

    I’ve just updated to Service Pack 2, however am stuck where you say

    “Please check and mirror the settings below (Open up IIS, expand the default website then expand the relevant Virtual Directory, right-click on the Virtual Directory and choose properties, then click on the Directory Security Tab):”

    Which virtual directory are you referring to?

    Also, how do I know if my Exchange Server is part of OR not part of SBS 2003?

    I’d really appreciate some help because this looks promising.

    Thanks in advance,
    Steve

    • I figured out what you meant. That was me just being stupid.

      As for the exchange being part of SBS, I just tried the first settings and along with the test link, and this URL (to create a self signed SSL) http://www.somacon.com/p42.php, I was able to get this working.

      PLEASE NEVER DELETE THIS PAGE 🙂

  5. Great walk through I’ve been trying to get Iphones working with exchange for ages and this got it working. I will be saving this web page for future reference

  6. Thank you very much.

  7. Hi Alan,
    I don’t have Exchange-OMA Virtual Directory on my IIS. Do you think that could be the problem I am not able to access exchange emails on my IPhone ?

    • Please ignore my previous question as I made a change in the Exchange Virtual Directory where Authentication = Integrated was missing, and when I put a check on it and restarted the server, it works now.

      thanks for your nice blog.

  8. These guidelines didn’t work for me when I try to sync a HTC Wildfire. I have posted my problem under the title “device security settings on sbs 2003”. I think the authentication goes OK for me, but it fails on some password handshaking: Failed to create the account. Please try again later.
    Do you believe this can be caused by the self signed cert I’m using?

  9. I purchased a certificate from the website you refer “exchange-certificates.com” but I am having trouble finding directions to install the SSL certificate on my Exchange 2003 server. They only offer support for Exchange 2007. Any and all help would be greatly appreciated.
    Your blog here is very helpful, thanks for publishing it.

    • Please have a read of the following link which should explain all you need:

      http://help.godaddy.com/topic/742/article/4875

      If you get stuck, please let me know. Glad you liked the article and thanks for using the certificate link.

      Alan

      • Gr8 thanks! Under “To Install the SSL certificate”, #7, I don’t have that option “Process the pending request and install the certificate”. I think it’s because I tried in the past to create a self signed one. That’s where I am stuck ;-(

      • If you created a Certificate Signing Request (CSR) via IIS, then you should have the option to Process the Pending Request.

        If this is not available, how did you generate the CSR?

        You may need to start again with the CSR via IIS and then re-key the certificate, then complete the installation.

  10. thanks that worked.

  12. Hi! Thanks for your post. I have configured my SBS 2003 to get access from two iPhone 4, but I always get the same response: “Cannot Get Mail, connection to server failed”. When I configure the account in the iPhone, it verifies the account correctly, in SSL mode and without SSL.
    I have a self certificate, created with certsvr.
    I have executed the test from testexchangeconnectivity.com and I get this certificate error:
    Validating certificate trust for Windows Mobile Devices
    Certificate trust validation failed.
    > Additional Details
    The certificate chain couldn’t be built. You may be missing required intermediate certificates. For more information, see Microsoft Knowledge Base article KB 927465.

    Although I have tried to configure the account in the iPhone without SSL and I also get the “Cannot Get Mail, connection to server failed” problem.

    Is it a certificate problem?
    A lot of thanks

  13. Yes – this is perfectly normal for a Self-Issued Certificate.

    If the certificate was from a Trusted 3rd Party, then I would be concerned.

    Is Activesync working happily now?

  14. Ok, now it is working. This is the problem: I thought that I had installed the SP2 for Exchange, because I right-clicked on My Computer and I saw that I have Windows Server 2003 for Small Business SP2, but this is NOT the Exchange SP2 !!!

    Then I right-clicked on Server on Exchange Administration and I saw that I don’t have any service pack.

    I have downloaded the SP2 for Exchange and installed. Now all works perfect.

    A lot of thanks

  15. […] configure IIS, start with Alan Hardisty excellent tutorial and follow it in all details. Use ActiveSync Tester and Exchange Remote Connectivity Tester from […]

  18. Thanks a lot. This page saved my bacon getting activesync to work on a clients server and iphones.

  20. Alan,

    I just came across this post while miserably failing to connect our first company iPad via activesync.

    All I can say is THANK YOU!

    I followed your instructions to a T and the iPad connected seamlessly and I am quite impressed.

    Best Regards,

    Hugo

    • You are very welcome Hugo. Thanks for taking the time to post a comment on my blog : )

      I am glad that it went smoothly for you – and hope it continues that way.

      Best wishes

      Alan

  21. Hey Alan,

    IainNIX from EE here, just found your site and this page helped me get our CEO’s iPad linked to our aging 2003 server. Little did I know a few tweaks of the virtual directory settings (which did not interfere with our OWA and BES settings) was all it took.

    Well impressed, many thanks Alan.

    Rgds
    Iain.

  22. Hi Alan,

    Yesterday, I finally managed to get Exchange SBS 2003 mail on Ipad’s client. I kept getting Ipad’s “cannot connect to server” error. The cause was IIS default web-site port was set to 8080 to avoid conflict with port 80 used by web server of router for mgmt from web. Once the port is set to 80 and IIS service restarted, all mails show up. Thank you very much for putting together a very nice guide. Janto in Indonesia.

  23. Hi Alan,
    I must start with a big thank you.
    This step-by-step was precious to solve my problem with ActiveSync in an SBS2003 that was insisting on returning HTTP 500 error while using the Exchange Remote Connectivity Tester.
    I came here several times but, only when got completely desperate and after trying all your tips decided to go from the very first to the very last step to get it fixed.
    Just a few remarks that may help others with this same problem and which was the key to unlock my solution:
    At some point under the topic “HTTP 500 error:” you have
    “Test Activesync without SSL selected – hopefully this should work or give the OK result
    • If okay…”
    Using the Exchange Remote Connectivity Tester I don’t know how to do that so I decided to follow the “if okay…” also, the step “• Right-click on Exchange-OMA virtual directory you just created and click Browse – you should see OWA open up happily” didn’t work but doesn’t matter.
    The fact was that at the end of this topic, the Exchange Remote Connectivity Tester returned to me the most beautiful green mark for successful test I’ve ever seen.

  24. Great stuff! All seems to work fine on the LAN but not from the web. Activesync Tester fails at checking version. I have Exchange Server 2003 behind ISA Server 2000. Thoughts on what I am missing?

    • I am not up-to-speed on ISA server, but that would be where you need to start focussing your efforts as there will be a rule somewhere that isn’t configured properly.

      Please have a read of the following link, which should hopefully steer you in the right direction.

      Alan

  25. Hi Alan

    After following all your steps to configure Activesync over and over again, I just can’t make it pass the Exchange connectivity test. The HTTP 401 error won’t clear. These are my specs and configuration:

    Windows 2003 Standard (Single Server)
    Exchange 2003 SP2
    UCC SSL Certificate from GoDaddy.com

    IIS 6.0 configuration
    ====================================
    Default Website\Properties\Directory Security
    Authentication and access control:
    Enable anonymous access (checked)
    ————————————————————–
    IP Address and Domain Name Restrictions:
    Granted Access (checked)
    ————————————————————–
    Secure Communications:
    Require secure channel SSL (Not Checked)
    ====================================
    Virtual Directories Configuration
    Exchange\Properties\Directory Security
    Authentication and access control
    Integrated Windows Authentication (Checked)
    Basic Authentication (Checked)
    Default domain: MyCompany
    Realm: MyCompany.com
    —————————————————————
    IP Address and Domain Name Restrictions:
    Granted Access (checked)
    —————————————————————
    Secure Communications:
    Require secure channel SSL (Not Checked)
    =====================================
    Microsoft-Server-ActiveSync\Properties\Directory Security
    Authentication and access control
    Basic Authentication (Checked)
    Default domain: MyCompany
    Realm: MyServerName
    —————————————————————–
    IP Address and Domain Name Restrictions:
    Granted Access (checked)
    —————————————————————–
    Secure Communications:
    Require secure channel SSL-Require 128-bit encryption (Checked)
    =====================================

    I have followed Microsoft’s KB817379, KB883380 and everything you posted here and ActiveSync just won’t work. This is getting frustrating and I have asked for help everywhere and everyone points me to Microsoft’s KBs or online tutorials. Everybody complains about ActiveSync issues. Thank you for your support.

  26. Hi

    I have tried everything you have posted in your blog, and nothing seems to work for me. Several times and very carefully.

    I need to know the correct setting for a
    Windows Server 2003 Standard (Single Server)
    Exchange 2003 SP2

    HTTP 400 Error won’t clear.

    Thank you

  27. Hi Alan,
    I was able to set up Exchange emails on my iPhone after reading your article last year and I was able to get new email notifications on my iPhone. But for the last 2 weeks, after an iPhone OS update, it seems like I am not able to get new email notifications on the iPhone. The same problem is with my colleague in the office. I called Apple Tech Support and they told me to reset all settings and restore my iPhone, and I even deleted my Exchange account and set it up again, but no luck. Can you please guide me as to what could be the problem? Is it an Exchange Server problem? We have Windows Std Server 2003 SP2 and Exchange Server 2003 SP2.

    Thanks,
    Mukesh

  28. Hi Alan, thanks for your prompt response.
    Seems like not update but when I setup my IPAD2 for exchange email. It started having not push. I found the solution from google search. see below.
    —–
    anyone who has Exchange 2007, or older with Push, if you setup another device with Push, it will register with the server.

    You need to go to the self-service in Webmail in 2007 or have your admin delete the synchronization relationship with the server so only the iPhone is listed.

    The server is confused as to which device to Push new email to. Once I deleted my other device and the iPhone was by itself in the list, it alerted and changed the Icon.
    ——-

    Can you please tell me where in Exchange server (synchronization relationship) I can remove IPAD device ?
    Thanks,

    • You can sync multiple devices to a single account. I have my iPad and iPhone hooked up to my account on Exchange 2010 and there isn’t a problem.

      Sadly, the information you have found is inaccurate.

      If you log into OWA (following steps are from Exchange 2010 OWA), then go to Options> All Options> Phone – you should see a list of devices configured under your account. If you want – you can delete one or more, but there isn’t a problem having more than one device.

  29. Hi Alan,
    I tested ActiveSync connectivity and it is passed except SSL as we don’t have.

  30. Hi Alan, thanks for your prompt response again.

    I have Exchange Server 2003 so I don’t have ALL OPTIONS where I can see devices.

  31. Hi Alan,
    I checked the Application log in Event Viewer and found Error IDs 3024 and 3015. As per the 3015 error, it seems I need to add UDP port 2883 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

    Do you think this could solve my problem? I am going to change it today and will reboot the server tonight to see if that works. Presently only port 3343 is added in the ReservedPorts key.

    Thanks,
    Mukesh

  32. Hi Alan, I wonder if you know the answer to this question? I have a 2003 sbs server which has been running fine with iPhones / iPads until we changed the internal IP of the server – now the devices sometimes connect but always end up with “the connection to the server failed”?

    • Hi Paul,

      Check your default website and the IP Assigned to it – you may have it set to the old internal IP Address and it should ideally be All Unassigned.

      IIS Manager> Default Website> Properties> Web Site Tab> IP Address Button.

  33. Hi Alan, I checked that setting yesterday and changed it from the new address to All Unassigned and then did iisreset, but the problem remains – I’m now connecting to one of the users’ mailboxes from my own iPhone and so far it seems OK – could there be something old config-wise that needs to be flushed on the handset?

  34. ok so after working for about 30mins – my iphone now displays Cannot get mail server error! strange how it worked for a while? any ideas?

    Thanks

    • I totally have this problem too – when testing with Exchange connectivity analyzer it will work sometimes perfectly and other times it won’t at the sync part at the end (HTTP 500 error). It’s doing my head in…….

      • Hi Jason,

        Is Activesync working at all or is it completely defunct?

        Have you followed my HTTP 500 error section and tried the various fixes? If you have and still don’t have any joy, then I’m afraid it’s time to call Microsoft as I don’t have any further info to assist you (until I can call MS with another HTTP 500 problem).

        Alan

  35. THANK YOU SOOOOOO MUCH!! After countless hours, your article saved the day 😀

  36. Thank you very much. Like so many others I’ve spent many hours trying to get this to work and have even been told it can’t work. Your article filled in the critical missing bits. My boss is now just a bit happier and I can get on with more important matters. 🙂

  37. Very, very, very good… Thank you, sir! Thank you very much indeed!

  38. Hi Alan,

    Thanks for chiming in… ActiveSync works fine for everyone and then it will start failing with the HTTP 500 issue in what seems to me to be a random fashion, and then it will start working again on its own. I’ve tried almost your whole article above – just not the Exchange store error fix. FYI, this all started after I ran CEICW to fix an expired self-signed cert. – I’ve since replaced that self-signed one with a GoDaddy SAN cert, to no avail.

    Cheers,
    JC

  39. You are welcome.

    After running the wizard – usually the IIS settings are slightly adrift from what they should be and may need checking.

    I have also found that re-installing Exchange 2003 SP2 can often resolve various random issues and might be something that resolves your issue happily.

  40. Would these same instructions apply when trying to get a Droid phone to connect to Exchange? We can’t get either our iPhones or Droids to connect. Thanks for the article. It’s the best I’ve found.

    • Short answer is yes. If you get the iPhone working, then the Droid should work too, but, in my experience (not that I have a Droid but my business partner and one of our employees does), they don’t work properly and something like Touchdown is required, which makes them worse than blooming useful IMHO.

      If you get stuck anywhere with my article – either ping me an email or leave me a comment here. If you get stuck with the HTTP 500 error – then a call to Microsoft might be necessary, but talk to me first before calling them!!

      Alan

  42. Tried everything: re-created the virtual dirs, patched Exchange 2003 SP2 to the latest version, all of the above. Still having HTTP 500 errors.

    Change: Installed Windows Server 2003 SP2 + Bitdefender Antivirus.
    Disabling Antivirus does not change anything.

    Will try installing all System Updates now as well.

    Cheers.

    • Unfortunately, my article needs more added to it to solve ALL the issues which relate to the HTTP 500 errors and I’m waiting for some more broken servers to be able to call Microsoft over. As soon as I have more to add to my article, I will, but for now, if you keep getting the HTTP 500 error, I’m afraid, as my article advises, you will need to call Microsoft and get them to resolve the issue.

      Sorry

      Alan

  43. You can add one more thing, for us it was indeed the Bitdefender Software. Once removed 500 Errors gone.

    I will follow up with the Company Bitdefender to try figuring out what the real connection is.

    For us now everything is back to normal.

    Cheers

    • Well done on finding that – I guess 3rd party Firewall software such as BitDefender doesn’t help! No doubt it was blocking the internal proxy calls from IIS to Exchange made on port 80?

  44. I resolved this problem by uninstalling Trend Micro’s Worry Free Business software from the server. They must have patched their software and it began to conflict with the activesync.

  45. I am experiencing 500 error.

    I am stuck at Test Activesync without SSL selected – hopefully this should work or give the OK result

    What do you do if this result is not okay?

    Also, Can Kaspersky be causing the ActiveSync Issue?

    Thanks

    • What are you using to test Activesync with? The website or the App? App should work and give you a result – the website can’t work without SSL.

      Kaspersky could be causing issues – never used it so not 100% sure but it won’t hurt to remove it and reboot the server.

  46. Thanks for the quick reply!

    What are you using to test Activesync with? or The website

    Tested an old Droid which first reported the error. Haven’t tested with an iPhone and new Droid X2. Can do this week.

    We are going to replace Kaspersky in a month or two so it might need to wait.

    • Okay – if you are using the website – it will never work without SSL, so please download and use the test app instead.

      Test as and when you can and let me know – I’m normally not too far away unless I’m asleep!

  47. Question: Do you HAVE to have a 64bit exchange box to get the autodiscovery to work with droid3 phones and syncing with exchange?

    Thanks!!

    • The short answer is yes.

      The longer answer is that Autodiscover was only introduced in Exchange 2007 which is a 64-bit product, so if you only have Exchange 2003, then Autodiscover wasn’t invented and you will need to manually specify the settings to get your phones configured.

      Exchange 2003 is a 32-bit product, hence the yes answer to your question.

      Alan

  48. Great article.

  49. Alan,
    After two months of trying to set up my iPad 2 for a charity, I followed your article and have got them working. Don’t know which step – had a lot of trouble with a router that keeps losing settings, but it finally worked today. Wish I had found the blog two months ago. Thanks

  50. Hi,

    No matter how many times I have tried, I cannot get past the 403 error (An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is)..
    any other tips?

  51. I had this working fine until we changed our domain name. The error in Event Viewer gives a 403, but results on the MS ActiveSync test give a 500. Disabling Forms Based Authentication gets a pass, so I then followed your instructions for the 500 error, but there is no ExchangeVDir key under MasSync\Parameters, only a default value not set. Do I continue your instructions for the 500 error or switch and follow KB817379 for the 403? Any advice would be appreciated.

    • Hi Michaela,

      Are you working in an SBS 2003 environment or native Exchange 2003?

      Alan

      • Thanks for coming back to me so quickly – native Exchange 2003.

      • Okay – so if you don’t have the Registry key – then no-one has followed KB817379 when they enabled Forms Based Authentication.

        Having disabled FBA, make sure you remove the exchange-oma virtual directory (if one exists) and the ExchangeVDir key and run iisreset.

        When you renamed the domain – did you change the name on the SSL certificate too?

        Check your IIS settings as per my article (if you make any changes, run iisreset again), then test with FBA disabled and let me know how that goes.

      • Hi Alan – no I doubt whoever set up the server originally followed KB817379. There was no exchange-oma virtual directory to remove and there is no ExchangeVDir key to remove, only the default value not set key. Should I remove this anyway? The activesync test passes fine like this. However, I would like to run FBA for OWA.

        I didn’t create a new ssl certificate since most of us are still using the old domain name as a primary email. Servers have not been renamed either. Many thanks for your help.

      • Okay – if the test passes with FBA disabled, then follow KB817379 to create the exchange-oma virtual directory and add the registry key, then enable FBA and test again – it should all work 🙂

        If that doesn’t work – you know where I am!!

  52. Alan, just a quick note to say that your instructions worked like a charm. Thank you very much.

    I knew our ActiveSync was broken and it was one of those, “No one is using it; I’ll deal with it later when I get some time.” Yesterday my boss came into my office with his iPhone 4S. “So what did I need to do to get my e-mail and calendar.” Needless to say my “later” turned into “now”.

    A couple of hours of head scratching, reconfiguring and testing against http://www.testexchangeconnectivity.com resolved all of the issues. The iPhone connected without issue on the first shot.

    A happy boss equals a happy IT guy.

  53. Hi, I tried to follow your instructions but I think I screwed up!

    It went pretty good, or so I thought, until the last step
    “Click Finish to complete the Wizard”. That took a few minutes, then it kicked me out and I can’t reconnect through the internet using RDP (remote desktop protocol). VNC from within the LAN still works fine.

    Any ideas on how to fix this? Need to undo this to make it possible to connect through RDP again.

    In step:
    “Leave the Web Services Configuration Settings as they are and click Next”
    I unchecked a few I thought I didn’t need; that might be the problem?

    Of course I didn’t make a backup of the server before I started *DOH*
    SBS2003, with built in Exchange 2003 latest SP.

    • If you are referring to the Connect to the Internet Wizard – just re-run it.

      If RDP fails after that – then that’s a new one on me.

      Check all services set to Automatic are started and look in the Application Event log for errors.

      I would leave most of the Web Services checked (as per my article image) on the next run.

      • Hi Alan, thanks for your reply!

        I have been troubleshooting a lot and found out the wizard changed the default gateway and some other stuff. Hence I got kicked out and RDP and all other stuff went down, except internal mail etc.

        I thought I had fixed that setting, but it turns out, all stressed out as I was 🙂, that I made a little typo. So all is working again and I will make a new attempt, but this time with a system image saved first 😛

  54. I have followed your article and have everything setup, but am still having problems. I have SBS 2003 and an Iphone 4S. I get my Iphone to verify my settings, but I keep getting “connection to the server failed”. This is on my mailbox.

    I setup a test mailbox on my server and it works perfectly.

    I have checked to make sure active sync is enabled for my mailbox and still can not get it to work.

    Any ideas?

    Thanks,

    Jeff

    • Hi Jeff,

      Have you checked the inherited permissions are set:

      Activesync Working But Only For Some Users On Exchange 2007 / 2010

      Ignore the 2007 / 2010 part – it is relevant to 2003 too.

      Alan

      • Alan,

        Thanks for the response. I read the link and removed admin priv. from the mailbox. It had turned off the inherited permissions that I had set on Friday. Hopefully this will keep it from reverting back.

        I also double checked global and user permissions to enable active sync and they are checked.

        I have a test account that is working, but I can not get my mail account working. Under the security tab, I have made sure the permissions are exactly the same for my account and the test account.

        When I do the test from the iPhone app I get “ActiveSync is not available. (ActiveSync detected, but access denied. [HTTP 403: Disabled for this user])”.

        I am running out of things to check. Thanks for the help.

      • I am now getting ActiveSync is not available. (ActiveSync is not available on this server) when tested from the Iphone.

        I am going to restart the server at lunch and see if that helps.

  55. Hi Alan,
    We have Exchange 2003 SP2 Front End and Back End. I followed your document and made sure that the settings are the same on my front end server. Emails from Exchange are being pushed, however it’s taking over 10-15 minutes for emails to get to the iPhone 4S. I have confirmed that timeouts on the firewall are set for 60 minutes. We have our own self-signed certificate. OMA and OWA work fine. When I try to access https://mysitename/microsoft-server-activesync it prompts me for a username/password and then I get an HTTP 501/HTTP 505. From what I read online, HTTP 501/HTTP 505 is an indication that ActiveSync is working fine. However, when I use the ActiveSync tester tool on the iPhone, I am getting the message: ActiveSync detected, but access denied, HTTP 403, disabled for this user. I also tried to create a new user acct for testing ActiveSync and made sure that in Active Directory it is inheriting permissions, but I get the same error message. I am not running any antivirus programs on the front end and back end Exchange servers.

    • The 501 Not Implemented when you login via the microsoft-server-activesync virtual directory is normal and suggests all is well with Activesync.

      Are you seeing any Application event log errors?

      I recently sorted a few errors for someone who found me via my blog by installing the Hotfix here:
      http://support.microsoft.com/kb/967046

      • Thanks for your prompt response, Alan. In the Application log, at times I am seeing event ID 3005, Unexpected Exchange mailbox error. Also, when I ran the Test Exchange Connectivity tool, ignoring the SSL certificate test, I am getting the following error:
        An HTTP 403 forbidden response was received. The response seems to have come from unknown.

      • Do you use Forms Based Authentication on OWA (pretty login screen vs bland username / password box)?

        If you do – please follow KB817379 and add the Exchange-OMA virtual directory.

  56. No, when accessing OWA, all we see is just a user name/password box. Also, on the Exchange virtual directory, I have confirmed that SSL is not checked.

    • Have you applied the Registry Tweak mentioned in the Inconsistent Sync Section of my article?

      What AV is installed on your servers?

      • I did not apply the registry tweak since we are not running any antivirus on the Exchange servers. Do you recommend applying the registry tweak on the front end or back end servers? The issue is the delay of emails in getting to iPhones. The CTO and CEO now have iPhones, and when they set up a Gmail acct as an Exchange account, push is instantaneous. However, push from Exchange is taking over 10 minutes for each to get to the iPhone.

  57. Hi Alan

    Our company has recently acquired ipads (3G & wifi). We have a MS Small Business Server (2003 software). Our iPads link via wifi when in the office (wifi router connected to the LAN) and either through 3G or other wifi networks when not in the office.

    We have had to set up two Exchange accounts in order to view Outlook (email, contacts, calendar, notes etc.) both in the office and remotely.

    Is there a way to set up just one account that will allow for internal and external access to outlook?

    Many thanks.

    • Hi Rob,

      Not sure exactly what you are asking here. What are you wanting the one account to do and are you planning on having the one account on the iPads?

      Are the iPads shared resources or do specific users have them?

      You can configure an iPad with multiple Exchange accounts on them (Mail, contacts, calendar, tasks).

      Can you elaborate a little please.

      Thanks

      Alan

      • Thanks for the quick response.

        iPads are single user only. I have an existing exchange account which uses the Outlook (2010) platform on my PC. I wish to use only one account on my iPad that will sync with Outlook (exchange).

        When the iPad is connected to the office network (wifi) it accesses exchange via the server address “xxx.xxx.local”. When I am connecting outside the office (e.g. via 3G) the server I have to connect via “servername.dyndns.org”.

        As soon as I connect to the office server (LAN) via wifi, I cannot access Outlook via the dyndns.org account. Likewise as soon as I leave the office network, I cannot access via xxx.xxx.local.
        My question is how do I configure the iPad to use only one account that will access Outlook when in the office (connected via wifi) and when I am out the office (i.e not connected to the LAN)?

        Thanks

      • It is not so much the account but the Fully Qualified Domain Name (FQDN) that you are using to connect to the server with.

        Having a Dynamic IP isn’t going to help much.

        The FQDN that you use must match the SSL certificate name installed on your server, so if you have servername.dyndns.org, your SSL cert name should also be named servername.dyndns.org otherwise Activesync will fail.

        If you have a servername.dyndns.org SSL certificate, then please have a read of the following article that should help address your issue:

        http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3703-Use-iPhone-on-wifi-network-without-the-need-to-reconfigure.html

      • Thank you kindly for your help. I will give it a try.

      • You are welcome. Let me know if it doesn’t work.

        Alan

  58. Thank you very much for your post!!! After hours of searching your suggestions worked perfectly!

    Have a great day!!!

  59. Hi Alan,

    Thanks a lot for your instructions. First go, I did not configure it properly; second go, I followed your helpful instructions step by step and I got it to work.

    Much appreciated

  60. Hi Alan,
    We have a Front End Exchange (DMZ) and back end Exchange (LAN) running 2003 SP2. I have created registry keys for max and min heartbeat on Front End Exchange. Do I need to create Maxheartbeatinterval and minheartbeatinterval keys on back end exchange as well?

    • I have never had to set either setting for any config I have looked at – the most relevant setting I have changed is the default website timeout value and I usually set that to 480 seconds from 120 seconds.

      Are you having issues?

      Alan

      • Yeah, we are having issues in terms of slow push. Do you suggest changing the timeout value for the default website on the Front End or Back End Exchange server? ActiveSync is working but it’s taking over 15 minutes for emails to get to iPhones. Confirmed that firewalls have timeouts of 60 minutes and there is no antivirus running on the back end and front end servers.

      • Change them both – it won’t hurt anything.

  61. We are having issues with ActiveSync on Exchange 2003 SP2 on SBS Server 2003 SP2. We have 2 other servers on different customers’ networks that are configured and working properly, but the troublesome server has some strange differences in configuration. The following virtual directories were initially missing in IIS:

    exchange-oma
    Microsoft-Server-ActiveSync
    OMA

    I created all of the missing IIS virtual directories manually by matching all their settings to the working servers’ virtual directories, which allowed me to get past the “Testing HTTP Authentication Methods” section of http://www.testexchangeconnectivity.com. Now it hangs on the last step with:

    Attempting the FolderSync command on the Exchange ActiveSync session.
    The test of the FolderSync command failed.

    I have tried all the steps in your original post for SBS as well as other Microsoft KB articles (rebuilding the IIS Metabase, among others), but it seems to me that the problem may lie in the missing virtual directories. Also, when I look in ESM -> Servers -> servername -> Protocols -> HTTP -> Exchange Virtual Server, the only Virtual Directories that exist here are:

    Exadmin
    Exchange
    public

    I was going to try re-installing SP2, but I got the error referenced here http://support.microsoft.com/kb/935916. So, before I keep going down all these different paths, I thought I would see if I could get your input. This site has the most comprehensive guide I’ve found. Have you ever seen something like this before?

  62. Thank you for the very useful article! I’ve gone through these steps but still have a problem:

    Attempting the FolderSync command on the Exchange ActiveSync session.
    The test of the FolderSync command failed.
    Tell me more about this issue and how to resolve it

    Additional Details
    Exchange ActiveSync returned an HTTP 500 response.

    Everything was working fine until I decided to try adding RPC/HTTP (we’re on SBS2003) for outside Outlook users… that part worked fine but Android users reported errors. I removed RPC/HTTP but the errors are still there. We’re trying to Sync with the Touchdown app in ActiveSync SSL mode but no go. Here’s the Diag Log section that details the errors in question:

    Trying activesync protocol 25…
    ActiveSync provisioning returns HTTP:200
    ActiveSync provisioning success
    The following policies have been requested :

    Refreshing AS folders
    Error refreshing folders
    Trying activesync protocol 2.5…
    ActiveSync provisioning returns HTTP:400
    Error provisioning ActiveSync: Policy status is 0

    So HTTP 500 from the tool and HTTP 200/400 errors from Touchdown… what gives??

    Thanks!

    • Hi Vince,

      What steps have you followed so far for the 500 error? Have you followed KB883380 (deleting the exchange-oma virtual directory too) and then follow KB817379 to put it back?

      Have you re-run the Connect to the Internet Wizard?

      Alan

      • Thanks Alan, that’s what I ended up having to do in fact, re-add the exchange-oma VDir. After I rebuilt everything I got it to work despite a 403 error reported on a couple of testers.

        The bigger question is why did this happen? I had it working great, then adding RPC/HTTP screwed everything up. Can you not have both running at the same time i.e. ActiveSync and RPC/HTTP?

      • Why did you need to install RPC – it is installed by default?

        With SBS 2003 all you should have needed to do was re-run the CEICW wizard (if it wasn’t working) and then set the permissions on the RPC virtual directory to Basic & Integrated Windows and make sure SSL is enabled and it should work.

        The SSL cert name should be something like mail.domain.com or an IP Address, but whatever you use needs to resolve in DNS if you want Outlook via RPC over HTTPS working properly.

    • I have a third party cert installed and I did run the CEICW wizard and enabled the option, but that’s when the problems started and ActiveSync stopped working, which prompted my question… RPC/HTTPS was working fine, just not ActiveSync. When I went to turn off RPC/HTTPS, ActiveSync didn’t come back working and I needed to “rebuild” everything.

      • The Wizard does have a tendency to fix some things and unfix (break) others, so it isn’t unusual!

        Just be careful if you need to re-run the wizard again and if you get stuck – let me know.

        Best wishes

        Alan

  63. I got our Exchange 2003 to work with iPhone using your technique. Thank you so much!

  64. I have exchange 2003 on sbs behind a cisco firewall with mcafee av installed. A phone, iphone or droid, can manually get email, but automatic push is not working. I’ve been through your article, which is great btw, and have adjusted the server settings to the articles specs. Unable to find any relevant errors in the logs and nothing seems to be denying the traffic. Exchange connectivity test has succeeded. Also perfmon is incrementing pings and sync commands and I’m out of ideas…. any suggestions?
    Thanks

  65. Thank you so much for this post. I’ve been wondering what was misconfigured now for about 6 months. After changing my server settings to the suggested settings, everything works like a charm. Also, thanks for not downloading a rootkit when I chose your link!

    Cheers!

  66. Thank you man, great overview of all possible troubleshooting actions.
    Saved my life 🙂

    Greetings from Germany!

    Borsti

  67. Great Article! Did the trick for me! Thanks!

  68. Great post! Curious if you’ve ever heard of others experiencing my “unique” issue. I’ve run testexchangeconnectivity.com and I received all green check marks, so everything looks good according to that website. I’m running Exchange 2003 SP2. Just got a new iPhone 4S. Using the built-in Exchange mail options on the iPhone, everything connects fine and emails start showing up. Calendar never syncs existing or new calendar updates, but if a calendar invite is created on the iPhone, it will show up in my Outlook on my PC. Also, when I open a new email, sometimes it will open and I can read it, but sometimes it just flashes and disappears from my iPhone Exchange Inbox, and sometimes other new emails under the new email I opened will open automatically once the first one is opened and they disappear as well. Very strange. Have you ever heard of anyone else experiencing this? I contacted Apple Tech Support and they were stumped as well.

  69. Hi, I have a big problem.

    Recently changed the ip of my internet link, and after that the exchange active sync stopped working, I made the following settings:

    – Re-created the exchange virtual directories in iis
    – Recreated the self certificate on the server
    – Recreated the pass rule in isa server
    – Follow all procedures described here on the site
    – The Exchange pass in the Exchange Activesync test

    The phones connect to the server again, but no warning message appears in any inbox on your phone.
    I can send mail normally by phone.

    My network is as follows:

    Exchange 2003 + ad server in one server
    Isa server 2006 on another server

    Both SBS server

    Who has any clue, I am very grateful.

    thank you

    • Waiting for 24 hours after an IP Address has changed is usually all that has to be done as the Airtime provider will re-cache IP Addresses roughly every 24 hours and once they pick up your new IP Address, your phones should start to work again.

  70. Great job, Alan: you made my day!
    Thank you so much!

  71. Alan,

    Thanks for this article. This was a life saver and it worked like a charm.

  72. What an amazing resource. Can I trade a tip for a tip?

    I have been having problems with ActiveSync on my SBS 2003 Premium R2 machine. It all began with 403 Forbidden errors on http://www.testexchangeconnectivity.com. Traced it back to an explicitly defined Host Header in my company’s website. It matched the domain listed on my Default Web Site’s security certificate. Removing this Host Header, or changing the domain listed on the security ticket, solved the problem, and http://www.testexchangeconnectivity.com now passes with flying green colors. What was happening is the Host Header was hi-jacking the ActiveSync connection and sending it to my company’s website, and not the Default Web Site where all the important Exchange and ActiveSync virtual directories live. To edit the list of host headers, right-click on the web site in question, and click Properties. Then click Advanced. The host header list will display. Feel free to add this tip to your list of things to check!

    Now can you return the favor? As mentioned, my http://www.testexchangeconnectivity.com passes just fine now. I’m using a self-signed certificate, and my SBS 2003 machine is behind a router/firewall. Ports 80 and 443 are forwarded to the SBS machine and apparently working fine. However, I cannot get a Playbook tablet or a Ipad to connect. Not sure where else to look. Since this is an SBS machine, Exchange is built-in, and there apparently is no direct SP2 patch for Exchange. Instead, the update is rolled into the overall SBS SP2 patch? Is this correct? I’m a bit sketchy about attempting to install Exchange SP2 on an SBS machine. Has anyone tried this?

    I don’t mean to railroad this call for help into an Exchange service pack discussion unnecessarily. Other ideas/tips are welcome!

    Thanks!

    Derek

    • Hi Derek,

      You appear to have missed this part of my article:

      “If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website because this can also break Activesync.”

      Regarding installing SP2 for Exchange 2003 (as part of SBS 2003), this is perfectly fine and should be installed as per the opening part of my article:

      “Pre-Requisites:
      1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed. Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!”

      Following it is a link – so please click on the link (which hopefully still works) and install SP2. You will probably find that Activesync is much happier afterwards, but if not, then running through my article and checking your IIS settings should get you up and running.

      Alan

      • Hi Alan,

        Indeed, installing Exchange SP2 on my SBS 2003 SP2 machine made ActiveSync much happier. I finally have connectivity on the tablets. Thanks for giving me that push!

        Regarding the host headers, never at any time did I have them defined on the Default Web Site. They were defined on a separate company web site that faces our customers. The article focuses only on the Default Web Site settings. I think in order to make the article bullet-proof, you’ll want to mention that host headers defined on any other web site that matches the domain listed on your default certificate will break ActiveSync. Remove the host header from the non-default web site, or change the certificate. In my case, the non-default company web site had 2 host headers: http://www.abc.com and abc.com. My default certificate’s domain read abc.com — hence the problem. The company web site was hi-jacking the ActiveSync connection attempts away from the Default Web Site. I changed the default certificate’s domain to mail.abc.com, and ensured the A record on my domain host had mail.abc.com pointing at my SBS machine.

        Thanks for keeping this resource available Alan. It makes frustrating technology fun again!

      • Glad you bit the SP2 bullet – it isn’t 100% essential (I made Activesync work before SP2 was released, but it was painful), but it does make life easier.

        Good call about the Host Headers – blog post duly amended. Thanks for pointing this out.

        Alan
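The host header, port 80 and "All Unassigned" checks discussed in the comments above can be run as one audit over the sites' bindings. This is an added example, not part of the original article or comments; it assumes the bindings are supplied as IIS 6 `IP:Port:HostHeader` strings, and the site data, the 192.168.1.10 address and all function names are constructed for illustration.

```python
from typing import NamedTuple


class Binding(NamedTuple):
    ip: str    # "" means All Unassigned
    port: int
    host: str  # "" means no host header


class Finding(NamedTuple):
    code: str
    site: str
    detail: str


def parse_binding(raw: str) -> Binding:
    """Parse one 'IP:Port:HostHeader' string (assumed input format)."""
    parts = raw.strip().split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        raise ValueError(f"not an IP:Port:HostHeader binding: {raw!r}")
    ip, port, host = parts
    return Binding(ip.strip(), int(port), host.strip().lower())


def audit_bindings(sites: dict, default_site: str, cert_name: str) -> list:
    """Return findings for the binding problems named in the comments."""
    cert = cert_name.strip().lower()
    findings = []
    default = [parse_binding(b) for b in sites[default_site]]

    # The article: the default website must be on port 80.
    if not any(b.port == 80 for b in default):
        findings.append(Finding("NO_PORT_80", default_site,
                                "no binding on TCP port 80"))
    for b in default:
        # The article: no host headers on the Default Web Site.
        if b.host:
            findings.append(Finding("HOST_HEADER_ON_DEFAULT", default_site,
                                    f"host header '{b.host}' on port {b.port}"))
        # Alan's reply to Paul: the IP should ideally be All Unassigned.
        if b.ip:
            findings.append(Finding("SPECIFIC_IP", default_site,
                                    f"bound to {b.ip} instead of All Unassigned"))

    # Derek's case: another site's host header equals the certificate name.
    for name, raws in sites.items():
        if name == default_site:
            continue
        for b in map(parse_binding, raws):
            if b.host == cert:
                findings.append(Finding("HOST_HEADER_MATCHES_CERT", name,
                                        f"host header '{b.host}' matches the certificate name"))
    return findings


# Constructed sample data modelled on the situation Derek describes.
DEREK_BEFORE = {
    "Default Web Site": [":80:"],
    "Company Web Site": [":80:www.abc.com", ":80:abc.com"],
}
# Constructed sample data: a default site with all three local problems.
MISCONFIGURED = {"Default Web Site": ["192.168.1.10:8080:exchange"]}

if __name__ == "__main__":
    for cert in ("abc.com", "mail.abc.com"):
        print(cert, audit_bindings(DEREK_BEFORE, "Default Web Site", cert))
    print(audit_bindings(MISCONFIGURED, "Default Web Site", "mail.abc.com"))
```

With the certificate named abc.com the audit flags the company site; after the change to mail.abc.com that Derek describes, it reports nothing.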

  73. Alan,
    Amazing article!
    Here is something to add to make it the absolute best reference on the net.

    I followed ALL your steps and followed all referenced articles, but I was still failing the Microsoft activesync connectivity test with HTTP 500.
    On my single Exchange 2003 SP2 server (client access and mailboxes), I was getting:
    Event Type: Error
    Event Source: Server ActiveSync
    Event Category: None
    Event ID: 3005
    Date: 3/15/2012
    Time: 9:39:03 PM
    User: domain\user
    Computer: EXCHANGE
    Description:
    Unexpected Exchange mailbox Server error: Server: [exchange] User: [user@domain.ext] HTTP status code: [400]. Verify that the Exchange mailbox Server is working correctly.

    Found this info: (credit to twisty168)
    http://www.webservertalk.com/message1478873.html
    “I fixed mine with a very simple change. I don’t know why Microsoft
    doesn’t document this anywhere. I have really wasted a lot of time and
    effort in it.
    The fix for this problem is to remove anything you have in the host
    header value from the properties of Default Web Site. I had the
    Exchange server NetBios name in it before removing it.
    1. Go to properties of Default Web Site
    2. Under Web Site, click on Advanced of the IP Address
    3. Highlight the IP address and select Edit
    4. Remove anything you can see in there. I have tried to put in the
    FQDN in it which solved my ActiveSync problem but OMA stopped working.”

    Also confirmed here as a fix:
    http://social.technet.microsoft.com/Forums/en-US/exchangesvrmobility/thread/66a33f3a-d945-42e2-ac80-3e4244f9b258

    BTW, restarting the IISADMIN service is better than just an iisreset.

    • Hi Frederic,

      If you have a careful read through my article, you will find reference to removing any Host Headers on the Default Website as it is known to break Activesync.

      “If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website because this can also break Activesync.”

      Best wishes

      Alan

  74. Thanks man. You saved us 🙂

  75. First off, amazing article! Unbelievably thorough! I’ve got a question though, and bear with me please because I’m not an IT guy.

    After installing a 3rd party SSL cert on our small SBS 2003 server, everything worked great and was connecting via SSL, except our iPhones wouldn’t sync up with Exchange. In IIS under Default Web Site – Properties – Directory Security – Secure Communications – Edit, I had Require SSL & 128-bit encryption on, which enabled it for all the subfields under Default Web Site. Removing the SSL requirements here allowed the iPhones to connect without a hitch, but that wasn’t the answer I was looking for, so I re-enabled it.

    Using the troubleshooting I found on this page, I decided to leave all other directories set to require SSL & 128-bit encryption and only disabled require SSL & 128-bit for the ‘exchange-oma’ directory. With this set-up, our iPhones began syncing again. However, our iPhones will now connect with Exchange regardless of whether ‘Use SSL’ is turned on in the iPhone’s Exchange settings, making me question whether or not it’s actually using SSL to connect even when the ‘Use SSL’ is turned on.

    I’ve run the ActiveSync Tester app on the iPhone and everything comes back clean. I’ve also run ‘Test Exchange Connectivity’ for Exchange Activesync and everything comes back green like it’s working. But if ‘exchange-oma’ is set to require SSL, both of those tests fail. So, as glad as I am that everything appears to be working fine, I just want to make sure that our iPhones are actually using SSL to sync with Exchange. I hope all that made sense! Thanks!

    • Hi Joe

      Thanks for your kind words and comments. When you set SSL to Enabled for all virtual directories, did you run IISRESET afterwards?

      Leaving SSL off on the exchange-oma virtual directory is fine and is required because you have to have SSL off on one virtual directory for the internal calls and as they use port 80 internally, that is why with SSL enabled Activesync fails.

      You should ideally run the Connect to the Internet Wizard to set the virtual directories to the correct settings, but if everything is working, then leave it alone (if it ain’t broke – don’t fix it!!).

      Hope that puts your mind at rest.

      Best wishes

      Alan

      • Thanks for the quick reply! This is all very helpful and informative.

        I did not run IISRESET after setting SSL to Enabled for all virtual directories. I saw that you said to do that in your guide, but I never actually did it because my settings changes seemed to be taking effect immediately.

        For instance, with SSL disabled for all directories, I was able to connect to my server over RWW or OWA with http. After I enabled ‘require SSL’ for all directories without issuing IISRESET, connecting to RWW or OWA automatically forced me to an https connection using my SSL certificate; it wouldn’t let me connect at all over http. After seeing that, I wasn’t quite sure what the IISRESET command was going to do when my settings were already being applied. Do you think I should still run the IISRESET command?

        And trust me, I’m a big fan of if it ain’t broke – don’t fix it, lol. I just want to make sure I have all of my bases covered and I’m truly connecting with SSL. I just find it strange that my iPhone will still sync with Exchange even when SSL is set to OFF in the iPhone’s settings. But if the iPhone says SSL is ON, can I trust that it’s truly using SSL? I love how RWW & OWA now force me to connect over SSL and I wish my iPhone could be the same way.
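One way to answer the question raised in this thread (are the phones really arriving over SSL?) is to read the port each request came in on from the IIS log. This is an added example, not part of the original comments; it assumes W3C extended logging with the `s-port` field enabled, and the log lines, addresses and user names in it are constructed.

```python
"""Report which TCP port ActiveSync requests arrived on, from an IIS W3C extended log."""

# Constructed sample log (not taken from the page). 192.0.2.10 stands in for the
# Exchange server's own address; the other addresses stand in for devices.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-03-20 09:00:01 192.0.2.10 OPTIONS /Microsoft-Server-ActiveSync User=joe&DeviceType=iPhone 443 EXAMPLE\\joe 198.51.100.7 Apple-iPhone 200
2012-03-20 09:00:02 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=joe 443 EXAMPLE\\joe 198.51.100.7 Apple-iPhone 200
2012-03-20 09:00:03 192.0.2.10 PROPFIND /exchange-oma/joe/Inbox - 80 EXAMPLE\\joe 192.0.2.10 - 207
2012-03-20 09:00:04 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=joe 443 EXAMPLE\\joe 198.51.100.7 Apple-iPhone 200
2012-03-20 09:01:10 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=sam 443 EXAMPLE\\sam 198.51.100.9 Apple-iPhone 200
2012-03-20 09:05:42 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=sam 80 EXAMPLE\\sam 198.51.100.9 Apple-iPhone 200
2012-03-20 09:05:43 192.0.2.10 SEARCH /exchange-oma/sam/Inbox - 80 EXAMPLE\\sam 192.0.2.10 - 207
2012-03-20 09:07:00 192.0.2.10 GET /exchange-oma/ - 80 - 203.0.113.5 - 403
2012-03-20 09:07:01 192.0.2.10 POST
"""

EAS_PATH = "/microsoft-server-activesync"   # directory the devices talk to
INTERNAL_PATH = "/exchange-oma"             # directory used for the internal port-80 calls


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line, skip rather than misread it
        yield dict(zip(fields, values))


def analyse(text, server_ips):
    """Count device requests per user and port, and separate the internal port-80 calls."""
    eas = {}                 # user -> {port: request count}
    internal_http = 0        # port-80 calls made by the server to itself
    external_oma_http = []   # port-80 calls to exchange-oma from any other address
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        port = entry.get("s-port", "")
        if stem.startswith(EAS_PATH):
            ports = eas.setdefault(entry.get("cs-username", "-").lower(), {})
            ports[port] = ports.get(port, 0) + 1
        elif stem.startswith(INTERNAL_PATH) and port == "80":
            if entry.get("c-ip") in server_ips:
                internal_http += 1
            else:
                external_oma_http.append(entry.get("c-ip"))
    return {"eas": eas, "internal_http": internal_http,
            "external_oma_http": external_oma_http}


def cleartext_users(report):
    """Users with at least one device request that arrived on port 80."""
    return sorted(u for u, ports in report["eas"].items() if ports.get("80"))


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, {"192.0.2.10"})
    for user, ports in sorted(result["eas"].items()):
        print(user, ports)
    print("synced without SSL:", cleartext_users(result))
    print("internal port-80 calls:", result["internal_http"])
    print("port-80 exchange-oma hits from other hosts:", result["external_oma_http"])
```

Port-80 requests to exchange-oma from the server's own address are the internal calls described in the reply above and are expected; a device user appearing under port 80 means that phone synced at least once without SSL.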

  76. Thanks, Alan, the answer for me was in the first step!

    However, since I “knew” that I already had installed SP2, I can comment on your complete guide and further comments here. 😉

    I worked through your entire guide. It was the last of a dozen that I worked through. Your page here is not only the most-complete, it was also one of the easiest to follow because your writing is so clear.

    In the end, because of too-many hard-learned lessons, I had the good sense to start back at the beginning. Apparently, when I rebuilt the server, I was interrupted after downloading SP2 and never had installed it.

    Cheers – Bob

    • Hi Bob,

      You would be amazed at how many people overlook that bit ‘knowing’ that they have SP2 installed, but when I take a look remotely, it is quickly apparent that this isn’t the case.

      Glad you liked my article and thanks for your comments.

      Happy syncing.

      Alan

  77. Thx for the detailed trouble shooting.
    All issues are solved.

    I have read thousands of threads but now yours was the right one.

    Best wishes from Germany

  78. Thanks, Alan. ActiveSync on SBS 2003 is working after going over these instructions.

    Marco Alcala
    http://www.alcalaconsultng.com

  79. You are da bomb! This worked perfectly on Exchange 2003 standard. Thank you for this. You have made my life much easier!

  80. Alan, you are the man! 😉
    Now Google need a good slap round the head why this page isn’t top result for Activesync issues, grrr. It’s taken me the better part of a week and a half on and off and most of this weekend to find your post -THANK YOU!
    Funnily enough, Activesync has been working quite happily with SE installed up until about the end of May – coincidence? Why the hell would MS create a product which breaks one of their main server apps – Muppets!
    Anyway, thanks to you I can actually get some sleep tonight!
    Cheers!

  81. I’m with @James T up there. It took me forever to find this article, and it was exactly what I needed. I knew I was having a virt-folder settings problem, but didn’t know exactly what they all should be. And running the SBS wizards didn’t fix them — in one case it made them worse! This really should be the first result in any search for Activesync errors. Great job, and thanks for taking the time. You’re still saving butts over two years later!

  82. You are a CHAMPION!!! Alan Hardisty
    fredblah

  83. Hi Alan,

    I’ve worked through your article and am using a self cert, but each time I test with microsoft’s website I get the same error. ” Host name mail.acl.co.uk doesn’t match any name found on the server certificate CN=MAIL.” I have checked the name of the certificate is the same as the server but with no avail. What am I missing?

    John

    • Hi John,

      Firstly, my blog is about Exchange 2003 and your Exchange server looks to be Exchange 2010, so not sure if you are commenting just because you are having Exchange Activesync issues and found the blog by chance.

      Secondly, your certificate names are:

      DNS Name=MAIL
      DNS Name=MAIL.ACL.MANCS

      Neither one of those is mail.acl.co.uk, so you don’t have a correctly named SSL certificate and that’s why the test is complaining.

      I would suggest you make life easier for yourself and buy one. $60 will buy you one for a year from http://www.exchange-certificates.com and once installed, you won’t have any problems.

      Run the New Certificate Wizard from the Exchange Management Console> Server Configuration> Action Pane and before you complete the wizard, make sure you include the following names:

      mail.acl.co.uk
      autodiscover.acl.co.uk
      internalservername.internaldomain.local
      internalservername

      Then the problem should go away immediately. I ALWAYS install a 3rd party SSL cert and NEVER face any issues with Exchange at all. No cert errors, no certificate prompts and everything just simply works.

      Alan 🙂

      • Thanks for the reply Alan, I am using exchange 2003, I created one cert named “acl-server” (the name of the server) and also one named “mail.acl.co.uk” (acl being the domain name) both of which don’t work with the tester. This MAIL one has suddenly appeared but I cannot for the life of me find where it has come from, but when I use the tester “Activesynctester” it always now uses this MAIL cert which I cannot find. Sorry to be a pain, perhaps I should buy a cert.

        John

      • You are welcome.

        If you are using Exchange 2003 – why then if I go to https://mail.acl.co.uk do I see an Exchange 2010 OWA login screen?

        If you are using this FQDN to access your 2003 server – you have a conflict because port 443 can’t be forwarded to 2 servers.

        If you want to drop me an email directly, please do as I would like to get specific, but posting on a website isn’t the best place to start getting specific!

        Alan
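The name check that the connectivity test is failing in this thread can be reproduced offline. This is an added example, not part of the original comments: the certificate names are the ones quoted in the thread, typed in by hand from the certificate's DNS Name entries, and the wildcard handling goes slightly beyond what the thread discusses.

```python
"""Check whether the names clients connect to are covered by a certificate's DNS names."""


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(hostname, cert_name):
    """True if cert_name covers hostname.

    Comparison is case-insensitive. A '*' is honoured only as the whole leftmost
    label, stands for exactly one label, and needs at least two labels after it.
    """
    host, pattern = _labels(hostname), _labels(cert_name)
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def coverage(client_names, cert_dns_names):
    """Map each name clients use onto the certificate entry that covers it, or None."""
    return {
        host: next((c for c in cert_dns_names if name_matches(host, c)), None)
        for host in client_names
    }


if __name__ == "__main__":
    # Names on the certificate the tester was served, as quoted in the thread.
    served = ["MAIL", "MAIL.ACL.MANCS"]
    # Names suggested in the reply for the replacement certificate.
    suggested = ["mail.acl.co.uk", "autodiscover.acl.co.uk",
                 "internalservername.internaldomain.local", "internalservername"]
    wanted = ["mail.acl.co.uk", "autodiscover.acl.co.uk"]
    for label, names in (("served", served), ("suggested", suggested)):
        for host, hit in coverage(wanted, names).items():
            print(f"{label:9} {host:24} -> {hit or 'NOT COVERED'}")
```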

  84. Thanks Man you really save my life, 🙂 This worked perfectly on My OLD SBS 2003 server 🙂 Thanks again

  85. You’re awesome! Thank you so much.

  86. Thank you, I never knew there was an Exchange SP2 for SBS 2003 since Windows Update said I was up to date on things. I made the permissions changes first and they didn’t help. I applied Exchange SP2 and it started working. Fyi for others, do Windows Update after applying SP2 since there are other updates afterward.
    PS: I would humbly suggest wording “Require SSL and Require 128-Bit Encryption NOT ticked” as “BOTH ‘Require SSL’ and ‘Require 128-Bit Encryption’ NOT ticked” since I misread it the first time and thought you meant the 1st item was ticked and the 2nd item was not ticked.

    • Hi Keith,

      Amendments made to the blog article, which will hopefully read a bit more easily from now (sorry about that).

      Glad you were able to get your server up and running with my article too 🙂

      Alan

  87. We have SBS 2003 Standard and we are trying to connect a Windows Mobile 7 phone to the ActiveSync on the server. The remote connectivity test shows the following. Please advise how to resolve. Thank you in advance.

    An ActiveSync session is being attempted with the server.
    Errors were encountered while testing the Exchange ActiveSync session.
    Test Steps
    Attempting to send the OPTIONS command to the server.
    The OPTIONS response was successfully received and is valid.
    Additional Details
    Headers received: MicrosoftOfficeWebServer: 5.0_Pub
    Pragma: no-cache
    Public: OPTIONS, POST
    Allow: OPTIONS, POST
    MS-Server-ActiveSync: 6.5.7638.1
    MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
    MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
    Content-Length: 0
    Date: Wed, 08 Aug 2012 01:11:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET

    Attempting the FolderSync command on the Exchange ActiveSync session.
    The FolderSync command completed successfully.
    Additional Details
    Number of folders: 11

    Attempting the initial sync to the Inbox folder. This initial sync won’t return any data.
    The Sync command completed successfully.
    Additional Details
    Status: 1

    Attempting to test the GetItemEstimate command for the Inbox folder.
    ExRCA successfully received the GetItemEstimate response from the server.
    Additional Details
    Estimate: 5 messages

    Attempting to test synchronization of the Inbox folder.
    An error occurred while the Sync command was being tested.
    Additional Details
    Exception details:
    Message: The operation has timed out.
    Type: System.Net.WebException
    Stack trace:
    at System.Net.ConnectStream.Read(Byte[] buffer, Int32 offset, Int32 size)
    at System.IO.Stream.ReadByte()
    at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.Wbxml.WbxmlReader.ReadHeader()
    at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.Wbxml.WbxmlReader.ReadXmlDocument()
    at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.ActiveSyncSyncTest.PerformTestReally()

    • Hi David,

      The part that seems relevant in your post is the “Message: The operation has timed out.” So have you checked and amended the Default Website timeout value as per my blog?

      Alan

      • Changed the IIS Default web timeout from default 120 to 480. After the IISReset it shows DAVEX, ActiveSync and OMA starting successfully. I re-tested with the Remote Exchange Connectivity tool and received the same timeout error shown below after 10 minutes. On the phone it shows error 80072ee2. There are no Errors in the Event log. All iPhones, iPads and Droids are working just fine. I am open to any further ideas. Thanks.

        An ActiveSync session is being attempted with the server.
        Errors were encountered while testing the Exchange ActiveSync session.
        Test Steps
        Attempting to send the OPTIONS command to the server.
        The OPTIONS response was successfully received and is valid.
        Additional Details
        Headers received: MicrosoftOfficeWebServer: 5.0_Pub
        Pragma: no-cache
        Public: OPTIONS, POST
        Allow: OPTIONS, POST
        MS-Server-ActiveSync: 6.5.7638.1
        MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
        MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
        Content-Length: 0
        Date: Mon, 13 Aug 2012 17:31:41 GMT
        Server: Microsoft-IIS/6.0
        X-Powered-By: ASP.NET

        Attempting the FolderSync command on the Exchange ActiveSync session.
        The FolderSync command completed successfully.
        Additional Details
        Number of folders: 11

        Attempting the initial sync to the Inbox folder. This initial sync won’t return any data.
        The Sync command completed successfully.
        Additional Details
        Status: 1

        Attempting to test the GetItemEstimate command for the Inbox folder.
        ExRCA successfully received the GetItemEstimate response from the server.
        Additional Details
        Estimate: 5 messages

        Attempting to test synchronization of the Inbox folder.
        An error occurred while the Sync command was being tested.
        Additional Details
        Exception details:
        Message: The operation has timed out.
        Type: System.Net.WebException
        Stack trace:
        at System.Net.ConnectStream.Read(Byte[] buffer, Int32 offset, Int32 size)
        at System.IO.Stream.ReadByte()
        at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.Wbxml.WbxmlReader.ReadHeader()
        at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.Wbxml.WbxmlReader.ReadXmlDocument()
        at Microsoft.Exchange.Tools.ExRca.Tests.ActiveSync.ActiveSyncSyncTest.PerformTestReally()

      • How many days worth of mail are you trying to sync? If more than 3, please try just 3 for now.

        Are you trying to sync on the LAN via Wi-Fi or via the mobile network? Does one work but not the other?

      • I set up a brand new test user that has 5 messages in the Inbox. We are only trying to sync through 4G as Wi-Fi is not available and we haven’t even tried over the LAN. Thanks.

      • Can you sync an iPhone to the same user account you are trying on the Windows 7 Phone?

        Are you using a self-issued SSL certificate or a 3rd party certificate?

      • Yes. iPhone with same account works as does Droid. We are using Self Signed Cert from Windows 2003 Small Business Server with Exchange SP2. Looking forward to more ideas! Thanks for your assistance.

      • Okay – so with a self-signed certificate and a Windows Phone, which are (from past experience), very fussy about certificates, have you installed the certificate on the Windows Phone?

        Another option, which you can test to see if it works is to install a 3rd party SSL cert for £30, which is fully refundable within 30 days, to see if that cures the problem.

        What is the name on the cert installed? A proper FQDN or does it end .local or are you using an IP address?

      • The certificate is self-signed in the format mail.companyname.com. The client is unwilling to invest in a 3rd party certificate when all iPhones, iPads and Droids are working in production just fine plus the only one not working is from Microsoft Exchange 2003 SBS to Windows Mobile 7 phone which is kind of ironic. We are not using the IP address. We know the certificate is properly installed since we can open a browser on the WM7 phone and login to Exchange Outlook Web Access with no certificate warnings or errors. Any other ideas or suggestions are welcome. Thanks.

      • Totally understand – please try to install your Self Issued SSL certificate by following the info in this link and hopefully you will then be able to get the phone working:

        http://pocketnow.com/windows-phone/how-to-install-custom-ssl-certificates-on-wp7

        I’ve never seen nor touched a Windows 7 Phone, so don’t have 1st hand experience, but know from bitter experience how fussy/painful they can be to get working, but with the certificate installed (because the phone won’t trust your server as the issuer naturally), then it should stop being difficult.

      • We were able to successfully install the self-signed certificate and test from the phone web browser using OWA and logged in successfully with no errors, certificate issues or warnings. The same time out issue continues 80072ee2. We are open to additional ideas to solve. Thank you.

      • Not sure what else to suggest. Don’t know Windows 7 Phones as I ditched Windows when HTC screwed up the Security ‘features’ on the last Windows phone I had.

        My recommendation would be to buy a 3rd party cert – install it, test the phone and if it works, you either keep the cert, or get a refund and then figure out why your cert isn’t working on the Windows 7 Phone.

  88. A client whose SBS 2003 I maintain recently announced: “I’ve bought these Ipads. Get them to work, would you?” Resisting the urge to tell him that a) if he wanted to spend money, then updating the creaking SBS might have been a better idea and b) it was about time he grew up and put aside boyish toys, I set about the task, soon discovering that it was anything but simple. You can imagine how pleased I was to discover your site, with its plain, simple and logical step-by-step approach and even more pleased to see my installation pass the connectivity test with flying colours – so a big THANK YOU for that!

    Of course – there’s a problem: I made all the necessary alterations as detailed to the various directories etc, but in the course of so doing, I seem to have lost OWA, which I used to access with no difficulty. What I was hoping to find out was where I’ve gone wrong. If I try OWA now, I get a ‘sign-in’ box (this is new and I use my SBS admin credentials), then the standard Outlook web access box, requiring a user name and password. I can put these in, but on Enter, just a blank white screen, as if OWA has decided not to bother with displaying the mail box. Regardless of whether you can help me, I would just like to reiterate my thanks (above). I was getting nowhere fast until I stumbled across your site and running out of both options and excuses. Thanks again!

    • Well – would be rude not to try and help you as you have been so kind as to take the time to write a word or two in praise of my blog article 🙂

      Feel free to drop me an email and I’ll see what I can do – it may drag on and this isn’t the best place to resolve your issues.

      Best wishes

      Alan

      • Thanks for the prompt reply. I’m sure I’m being a bit dim, but I can’t see your email address anywhere? Anyway, my problem is really just as outlined above – I used to have OWA working fine, I made (or I thought I made!) the changes necessary to get active-synch running and now OWA doesn’t work. I’m guessing I probably did something wrong, somewhere…wondered if you had any ideas where I should start looking? What would make OWA turn its toes up?

      • If you click on the About page – it is in there but not readily clickable (towards the end).

        Alan

  89. Hi
    Thanks for writing a great article. If you have some time, can you assist me? I’m working on an Exchange 2003 server with activesync that has many many many Active EventID 3005 that reads Unexpected Exchange Mailbox Server Error: Server (name of my server) User (somebody@domain.net) HTTP Status Code [409]. Verify that the Exchange mailbox Server is working correctly. I have already set IP of default website to All Unassigned and to Port 80. The users whose name shows in the event log, can connect & read mail with their smartphone.

  90. First of all thanks for this post….

    I have the following scenario:

    Exchange 2003 with SP2 installed on a Windows 2003 Server
    ISA Server 2000 as a firewall. Everything related to OWA and internal clients works fine but I’m not able to have IPAD´s 2 working, always with “cannot connect to server” issue…..after trying IPAD Exchange config…..

    I followed your step by step guide over and over again, test https://www.testexchangeconnectivity.com/, DNS and port 443 test ok, then fails with “ExRCA wasn’t able to obtain the remote SSL certificate message…..” I’m going crazy about it.

    Based in your experience what can I do or test? Read about a previous post of ISA 2000 where you mentioned a link but I couldn’t see it, and about the certificates a free one is possible to get? and must be installed in both servers? I mean Exchange 2003 and ISA 2000?

    Excuse all my questions but ActiveSync configuration is getting hard for me.

    Thanks a lot !!!!!!!!

    • Hi Paul,

      To rule out issues with ISA, can you configure / connect the iPad locally via Wi-Fi successfully?

      Alan

      • HI Alan thanks for your reply.

        No I can’t connect through Wi-Fi either. I have only one domain and only one exchange working. I tried to configure Ipad with or without SSL option, no luck…… My doubt is if I am using the correct information to populate the fields required by the IPAD’s configuration, after first failed try, when Server Information field is asked for example….

      • Okay – if you concentrate on getting Activesync working internally then you can move to getting it working via ISA.

        Are you using a self-issued SSL certificate or a 3rd party SSL certificate?

        Do you use Forms-Based authentication (pretty OWA login Screen) or not (boring, plain Windows Username / Password box)?

        Is Exchange part of SBS 2003 or just Exchange 2003 on Windows 2003 server?

        Alan

      • Alan, I use self-issued SSL certificate, boring, plain Windows Username / Password box and Exchange 2003 on Windows 2003 server, not SBS.
        Thanks.

      • Okay – Have you checked the IIS settings on your server against my article?

        Do you have SSL enabled on the Microsoft-Server-Activesync virtual directory and NOT on the Exchange Virtual Directory?

        What is the name on the SSL certificate? Is it the same name you are using to try to connect to via the iPad e.g., mail.domain.com or is it an IP address? It cannot be mail.domain.local or server or similar names.

    • Hi Paul,

      I believe you need a separate external certificate that matches the external fqdn like sync.domain.tld . You can create a cert with internal CA. If you use more than one sub domain for exchange services (owa, activesync, anywhere) you have to be sure that the ISA is prepared using SAN certs.

      In testexchangeconnectivity you can choose that testexchangeconnectivity has to ignore the cert (check box).

      Iphones/Ipads only check if the fqdn is right. An error, on your smartphone, that the CA is unknown can be ignored.

      best wishes from Germany
      Sebastian

    • Alan, in self signed SSL Certificate I use in first attempt mail.domain.com.ar, and this is the value i put in the IPAD server address when asked.

      http://www.domain.com.ar is an incorrect value to put in certificate for example?

      Right now I’m checking about Virtual Directories as you mentioned to see if something wrong there.

      Paul.

      • Sounds good. Mail.domain.com.ar or http://www.domain.com.ar are both fine as long as they resolve to your server.

        To make this work internally, you may need to setup a new DNS Record to make the name on your SSL certificate resolve to your Exchange Server.

        Once the name does resolve – you may have more luck, especially if the Virtual Directories are configured correctly.

        Also – make sure you have Exchange 2003 SP2 installed – I have spoken to plenty of people who think it is installed, but isn’t!

        Alan

      • Finally it was all an ISA issue as you told first!!!!!!, all about your article was checked being all right, I have to import self-issued SSL certificate into the ISA Server Machine Certificate Store and create a Server Publishing Rule binding the Web Site Certificate.

        I follow some parts of this article

        http://www.isaserver.org/tutorials/rpchttppart3.html.

        Thanks a lot for this blog and for your article because it was right the steps I had to follow in the beginning to get things working……..

  92. Great detailed info! Making the changes for a Non-SBS server, and the mail started to come thru. Thanks!

  93. A brilliant bit of technical writing!

    For some reason I found my client’s Exchange configuration on a W2K3 Standard box looked like an SBS box, and so I decided that for my first pass through the instructions I would set the Directory Security for the Standard server for the Exchange/Public/ActiveSync VDs but would follow the SBS instructions for the exchange-oma and oma VDs and see what happened. Answer, a big green checkmark.

    That said, the OMA was present when I went to work on this issue, and the technote #817379 Method 2 solution to the Folder/500 error I was getting had me manually build exchange-oma.

    And finally, just to show the difference between good clear instructions like yours and misleading instructions, consider this step from #817379, telling you how to configure IP access for exchange-oma:

    “Click the option for Denied access, click Add, click Single computer, and then type the IP address of the server that you are configuring.”

    When I read your instruction about making the server the only computer WITH access (allowed, not denied) I figured I had ID’d the major problem and was slapping the forehead until I went back to see just how badly I’d mis-read the Microsoft note.

    • Hi F.X. Flinn,

      I’m glad my blog was able to allow you to get your client’s Exchange server working and thank you for your comments about it too.

      The MS articles are sometimes a little bit unclear and have caused a few problems in the past when people read them and follow what they think is being said only to find that it isn’t what is needed!

      Best wishes

      Alan

  94. Comment ability removed due to a ridiculous amount of spam comments being left. If you want to contact me to discuss a problem with Activesync, please drop me an email to alan @ it-eye.co.uk.

    Sorry

    Alan

  95. Thank you for this article. But still I can’t access http://localhost/oma to test active sync. it says Service Unavailable. Tried everything. any ideas?

    • Hi Damitha,

      Why are you trying to test Activesync via the /oma virtual directory – that is not used for Activesync directly?

      You can’t test Activesync via the /OMA directory – either use the test site or tool linked to in my blog.

      Best wishes

      Alan

  96. Hey Alan! Thank you so much for putting together this “how to” blog for ActiveSync and Exchange 2003. I was struggling a wee bit, but then I found, and read your blog from home last night. I remoted into my work email server and made some changes based on your information. This morning while driving to work my first mobile user reported to me that his phone was “suddenly” receiving emails from the office exchange server. I’m one happy camper!

    Kudos Alan! Appreciate it!

  97. Hi Alan. I’m using SBS2003 and I have configured my Exchange and it is working perfectly. The only issue I have is when Exchange retrieves mail from my ISP then it deletes the mail on that telecom’s server, therefore I cannot get the same mail from another device, which is my mobile. I even configured my Microsoft Outlook to leave a copy on server but still it won’t work, please do help.

    • Hi Manoj,

      Your mobile phones should be connecting to your Exchange server to sync mail, not your ISP’s mail server.

      The POP3 download process will delete mail from your ISP and there is nothing you can do about that – that’s normal behaviour.

      Sounds like you are trying to use your SBS server incorrectly.

      Alan

  98. Does implementing these steps change how Exchange 2003 functions for “regular” email and OWA?? I ask because I would like to set this up but I do not want to adversely affect a well-functioning server….Thank you, Tom

    • It won’t make any difference to regular mailflow or OWA. This just adds another way to be able to access the server via mobile devices and read emails on the move (as well as access the diary, contacts and tasks etc).

      Alan

      • OIC — thank you — I know I can snapshot etc. but having some reassurance is helpful. From the Exchange test connectivity site, I’m mainly getting HTTP 500 errors about FolderSync and messages that negotiate and ntlm are enabled but not allowed…I will read everything here several times and try this out…Thank you, Tom

      • If you are running Exchange 2003 virtually – that is an unsupported configuration!

  99. Alan, great write-up! My setup is still having trouble… here are the details. We did have ActiveSync working at one point, now we get this

    “Failed to access user’s Mailbox, verify that the mailbox and user account are enabled and functional”

    when trying to wipe a phone. I have followed your instructions to verify the correct settings. The remote connectivity analyzer tests our server successfully and when I add a new phone it prompts with the security messages. But we cannot see any data on the mobile admin page, nothing in transaction log either. Any ideas?

    • I need to know a bit more about your environment before making any suggestions.

      What changed from when it was working to now?

      Is it only a problem when using the Mobile Admin link to wipe a phone?

      What details are you entering / searching for on the mobile admin page?

      Alan

      • Alan, thanks for the reply. I don’t have the luxury of knowing much about the previous changes. I did not set up the system nor have I been administering it for very long. As for the mobile admin link, nothing shows in the transaction log and when searching to wipe it finds the user’s details by domain username or SMTP address. When it finds the user that is where I get the “Failed to access user’s Mailbox” error. As far as the phones go, emails are syncing fine and when you add a new phone it forces the security settings I have set in the Exchange mobile policies. Any help or suggestions are much appreciated.

      • You can always remove and re-install the Mobile Admin tool.

        Is everything okay apart from that?

  100. Nice post.

  101. All I can say is, thank you thank you thank you!!!!!!! Very Helpful article which saved me lots of time and research!!!!

  102. This is a great resource Thank You! I have one question, on a customer’s SBS 2003 the ASP.NET setting for some of the IIS virtual directories (Exchange, Exchange-OMA & public) are grayed out. Is this normal or is there a way to modify this?

    • Hi John,

      It’s perfectly normal. It just means there isn’t another version to select.

      Alan

      • Oh okay because I was able to change it for the “Microsoft-Server-ActiveSync” & “OMA” virtual directories so I thought I should be able to change it on the others. “Exchange”, “Exchange-OMA” & “public” are grayed out and display 2.0.50727.

        I’m trying to understand why activesync on this server is taking around 5 minutes to deliver messages to a new S4 phone.

        I did change the ProactiveScanning to 1 and bounced the IS svc and it seemed to help a little. Do you think having a self-signed certificate causes slow delivery?

      • Most of the time the ASP.net version isn’t a problem. I’ve seen v2 work happily, but not all the time.

        Slow delivery sounds like AV interference. What AV software are you using and did the registry setting stick? Some AV has to be set in the software not the registry and if you set it in the registry, it gets changed back by the software!

        A self-signed cert isn’t a problem. As long as the name in the cert (or IP Address) matches the FQDN you are using to point to your server, then it will be happy.

        5 minutes is very slow! How fast is the internet connection?

  103. Double checked registry and setting is still 1. They are using AVG and have an older version (2011) on the server I am going to update that and try again.

    Cert is valid going to correct FQDN.

    I don’t think it’s the internet connection speed they have Cable 16/2 with a Full T1 backup connection and it’s a relatively small office.

  104. Sonicwall TZ190

    Yes, no errors

    Yes I will re-check, only thing I was not 100% was the REALM. On some of the virtual directories it says NETBIOS name, so should it be just the short server NETBIOS name i.e. SERVER or short domain i.e. DOMAIN or something else?

    • Are you performing HTTPS inspection on the Sonicwall? If you are – please disable it.

      As per my article “The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm. MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above.”

      Usually it is the NETBIOS name of the domain (not including the suffix).

      • I don’t believe we are performing any SSL inspection.

        I’ve reset the REALM to blank. I will have to test again tomorrow when some users are in the office.

  105. I just used this to track down the mail server settings for iphone so I didn’t have to bother our server maintenance guy. You just saved both me and him a lot of time. Much thanks!

  106. This is incredible. Thank you for your very thorough explanation. Working through your instructions I get first Successful Connectivity Test with Microsoft’s Remote connectivity test. Thank you.

    I am having one issue and my android phone will not send any email. It can receive fine but it dies Check outgoing server settings. The error message states “Cannot connect to server.” (Unable to open connection to SMTP server.) Any ideas or leads you might give me?

    Thanks again,
    John

    • Glad you found my article helpful and that everything seems to be happy apart from your Android.

      It doesn’t sound like it is set up as an Exchange account on the phone because Activesync has nothing to do with SMTP servers. Are you sure you set it up as an Exchange account?

      Have you tried adding the account to an iPhone to see if it is happy? If it works on an iPhone then it should work on anything.

      Alan

  107. The ONLY problem with this article is that it took me too long to find. I had only updated the self-signed cert and things just stopped working. Sadly, I am not sure what corrected it, but by following the instructions for setting up the Vdir’s mail started working. It very well could be the “default domain” and Realm settings (and if so, I do find that odd) but nonetheless, this article got this server back in business for remote mail on devices! – Alan, we do thank you so much for taking the time to spell it out as you did. I am certain this must have taken you a long time to complete, and thank you for the updates as you have gotten them. While I have saved this page to disk, I will also save the URL so I can see if there are updates! – Thank you SIR!!!
    Rob

    • Hi Rob,

      Sorry it took you so long to find! What were you searching for?

      Glad it helped you sort out your server and hopefully it will stay that way.

      Best wishes

      Alan

  108. […] the Exchange IIS virtual directories had been configured correctly using the steps posted in Alan Hardisty’s great blog post, I was no further to solving the […]

  109. […] @Norphy – I don't think that's correct. At least I can't find any evidence to support that. This may help too: Exchange 2003 and Activesync Configuration and Troubleshooting | Alan Hardisty's Blog – All Things I… […]

  110. Outstanding!!! This was exactly what I needed. I’m so happy that you took the time to document this here. We are STILL running an SBS2003 server, and this procedure worked flawlessly on both an iPad and iPhone running iOS 7.1.1. I was able to leave the domain and realm at their defaults. The ‘Connect to the Internet’ wizard was the main key for me – this was not yet set up properly to allow mobile mail!

    • You’re not alone in still using SBS 2003! Still plenty of hits on this article on a daily basis, so that would suggest it is still needed.

      Glad that it helped you fix your problem.

      Best wishes

      Alan

  111. I’m currently working on resolving a smartphone issue with AS for our 2003 exchange box (http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28475856.html) and as I read through your article, I just want to confirm that for the Microsoft-Server-ActiveSync authentication settings you mention that Realm: needs to be the NETBIOS name.

    The NETBIOS domain name (same as default domain) or the NETBIOS computer name? Or some other NETBIOS name?

    • Hi Reece,

      As per the comments made on EE, the REALM is the NETBIOS domain name (should you need it). This article specifies that it can be left Blank (which is the MS default) but I have fixed a few servers where the REALM is required!

      Try it blank for now and the Domain as a ‘\’ and see how that goes.

      The KB article you mentioned that you installed the patch for is only required for On-Premises migrations AFTER you have installed Exchange 2007 / 2010 and it shouldn’t be needed for your Office 365 migration. An Office 365 migration should only use RPC over HTTPS to suck the contents of your Exchange server out and you MUST install a 3rd party trusted SSL certificate on your server to achieve this, or you are looking at exporting / importing to/from .PST files as an alternative, which will leave a few issues behind when users try to reply to existing ‘internal’ emails / calendar appointments etc.

      Alan

  112. I rarely comment on these types of things. But I just have to say. We’ve had an issue with our active sync for a week. I’ve followed this guide about a dozen times or more. Could not fix the issue.

    Turns out, I should read the entire article, since our problem was due to a Diskeeper install. Uninstalled Diskeeper and bam, everything working perfectly again. After rebuilding our IIS/Exchange environment about 20 times over the past week, lesson learned.

    Thanks for this article, just wish I would have read the whole thing a week ago. 😛

    • Sorry it took you so long to find it (at the bottom of the guide). Seems that most programs that mess with the hard disk cause Exchange and thus Activesync problems.

      Glad it’s all sorted now and sorry that you had to go to such lengths to get there.

      Are you planning on leaving 2003 behind soon?

      Alan

  113. […] Exchange 2003 and Activesync … – 28.02.2010 · Hey Alan, IainNIX from EE here, just found your site and this page helped me get our CEO’s iPad linked to our aging 2003 server. Little did I know a few …… […]

  114. We had a HTTP 500 error at a site running Win2k3 and Exchange2k3SP2. Ran through all the steps above — turns out it was an issue with exhaustion of the named property table. This fixed it http://msexchangeguru.com/2009/09/04/event-id-9667/.

    This should buy us a month or two to move the site to O365.

    • Hi Dan,

      Thanks for the info. Not one I’ve come across before personally, but have seen various questions / solutions relating to named properties, but never in relation to Activesync!

      Best wishes and Happy Xmas.

      Alan

  115. […] Exchange 2003 and Activesync Configuration and … – 28/2/2010 · Hey Alan, IainNIX from EE here, just found your site and this page helped me get our CEO’s iPad linked to our aging 2003 server. Little did I know a few …… […]

  116. Hello all, I have around 23 Exchange Servers in my hub for one of my major clients. All these are connected to a Gateway Mail Server. These days I am facing problems in that some users are not able to connect to Exchange ActiveSync using mobile. They are getting an error called “unable to connect to server”. Can anyone help me on this?

  117. Thank you for the very useful article!!!!!!!

  118. Hi Alan, Thanks for this useful article. I too still have HTTP Error 500, after getting through all the issues 1 by 1. I am now stuck at: ‘The test of the FolderSync command failed.’

    • Ah! If you have found yourself at the bottom of my article and have run out of things to check, it’s probably a DNS issue!

      Can the server ping itself by server name and FQDN happily?

      Alan

      • Yep, DNS resolution is working. I used https://testconnectivity.microsoft.com and it was always stuck at ‘HTTP Authentication Failed’. Now however it’s stuck further on at ‘The test of the FolderSync command failed.’

      • Also, Access my Lan Tester gets stuck at: ‘Result: ActiveSync detected, but not correctly configured. [HTTP 500: Forms-based auth enabled?]’. I’ve disabled forms based authentication in Exchange and on ISA server in my Web Listener

    • Thanks for this useful article.

      • ISA adds a nice layer of fun to the equation! Does the Access My LAN tester work internally or is that where you get the Forms Based Auth error? Are you plain Exchange 2003 or SBS 2003?

  119. It returns the error whether I try it internally or externally.
    I’m going to tackle it again later tonight and tomorrow. Need to fetch my son at daycare. Thanks so much for the help thus far. I will be in touch. Will try a few things this evening when the family’s asleep

    Regards

  120. Very nice troubleshooting guide which helped me. In my case the internal server IP address was altered for some but not all of the services. Changed the internal IP address for the server back by using “Change server IP address” tool (which by the way contained the wrong IP address)
