How we recovered a stolen laptop with help from GFI Remote Monitoring, Prey Project, a dash of cunning and a little bit of luck!

A customer of ours recently called us up to request a quote for a replacement laptop because the one we had bought them only a few months earlier had been stolen in a burglary and they didn’t expect to ever see it again. The laptop (running Windows 7) was configured with Office 365 and the password was cached, so we reset the password for the account to prevent anyone abusing the account and at that point we thought we couldn’t do anything else to help.

The thought of getting the laptop back was the furthest thing from our minds (and our customers) because there was no software on it that we could use to gather information that could be used to recover it (or so we thought). We therefore started to search for a suitable replacement laptop and passed on the prices to our customer accordingly.

It was only after having a discussion in the office that Mark, my business partner mentioned about PreyProject and what a shame that it wasn’t already installed on the laptop. He did a bit of digging around on their website and found that there was a batch file that could silently install the software if only we could get the software on to the laptop.

We currently use GFI Max RemoteManagement to monitor our customers servers, computers and laptops and we could see that the laptop had been connected to the Internet on a new IP Address, so we started to record the IP Address (screen-shots of the laptop in the GFI Control Panel) and passed the information on to the Police. The Police would then be able to use the IP Address to trace the user at the date/time we recorded it and from that, trace the address and hopefully the laptop. That would all take time though and it was possible that the laptop would be moved to a different location and therefore getting the laptop back would take time and might not happen at all. GFI also records a multitude of information about the hardware including the Serial Number, Make and Model and I also passed this information to the Police to identify the laptop should they eventually get the opportunity to recover it.

Thinking more about GFI and what was available to us, one of the options available is to use a Script Check to perform remote commands. If only we could somehow come up with a script to remotely download and install PreyProject then we might be able to do more than just trace the IP Address, we could possibly get some web-cam pictures of the person using the laptop, some screen-shots of what they were doing and local Wi-Fi networks that were in the vicinity of the laptop. If only……..

So I set about writing a script that could download the .exe file and the batch installation file using FTP from my Draytek router (with memory stick plugged into it) and tested this locally, which worked very well. Testing the same script at a different location unfortunately didn’t work and so I gave up on the FTP route and searched for an alternative. The alternative that I came up with was to use BITSADMIN (Background Intelligent Transfer Service), which is used by Windows to download files for things like Windows Update and was of course installed on the laptop by default. After uploading the PreyProject .exe file and their installation batch file to our website, I wrote a script to download the files to the laptop and then run the installation. I then tested the script out on my laptop and it worked successfully.

My script which I eventually used looked like this:
@echo off
md c:\temp
bitsadmin /transfer myDownloadJob /download /priority high c:\temp\preyinstall.bat
bitsadmin /transfer myDownloadJob /download /priority high c:\temp\prey-0.5.3-win.exe
cd c:\temp
preyinstall MY_Prey_API_Key

(any script writers out there please forgive the very basic nature of the script – I am no batch-script writer – but it works!)

Having uploaded the script to GFI, I then assigned the script check to the stolen laptop and waited.

After a short while, the script came back with a Timeout Error. At that point I was disappointed because I had scheduled the script with the maximum timeout value of 150 seconds and it must have taken longer to run that the 150 seconds. I then set about checking the script to make sure all was well and couldn’t see a problem. I even started timing the downloads and for me it all worked well within the 150 seconds. So presumably the current laptop user was using a slower connection.

I decided to login to the Prey Project Control Panel to make sure there was space for the stolen laptop to be installed (on a free account you get 3 free spaces to monitor devices and I knew that I had one space left). I was very surprised at that point to see the stolen laptop appear in the list of Devices I could monitor and so I reported it as stolen, configured the settings to geo-location information, grab web-cam shots, screen-shots, Wi-Fi networks and anything else it could to help me locate the laptop. There are additional options available to lock the device, have the device make a noise, display a warning message on the screen and to hide emails, delete browser cookies and stored passwords, but I decided to leave those alone for now as I didn’t want to scare off the laptop user, I wanted to get the laptop back.

I set the PreyProject monitoring interval to the smallest interval available and waited to see what came back into the 10 available reporting slots available on a free account (this can be increased for a paltry $5.00 a month to a 2 minute interval and 100 reporting slots).

What initially came back was a very dark image of the laptop user playing games and their location was reported as being in Central London (it was night-time so the lighting wasn’t brilliant). I flagged my laptop as being stolen and waited for the first report back from that and when it came back, I was reported as being right next to the stolen laptop, which clearly wasn’t the case, so I didn’t pay much heed to the geo-location information and eventually turned it off.

I sat back and waited for more reports to come in and was rewarded the next time with a slightly clearer picture of the laptop user who was busy watching porn!

After a while, it seemed that the laptop user was aware of the webcam being used and the images then came back completely black, so I turned off the web-cam setting and continued to grab screen-shots and wi-fi networks etc.

The next day (during daytime), I turned the web-cam back on and ended up getting a very clear picture of the laptop user which I then passed along to the Police.

I continued to enable / disable the web-cam option and as my available slots for reports were filling up, decided I didn’t want to lose any good images of the laptop user, so upgraded my account and then increased the monitoring interval.

After several not very exciting reports with no new information, I then received the most interesting screen-shot that was to give the laptops location away precisely. They were writing a letter and had put their address and telephone number at the top of the letter and I had a screen-shot of the letter. The location wasn’t too far away from my own location, so I decided to pay the address a visit and took my iPhone with me to verify the Wi-Fi networks that were shown in the report.

Standing outside the address in the letter I turned on my Wi-Fi on my iPhone and took some screen-shots of the available networks and 5 of the networks that were captured using PreyProject matched the networks I could see. The laptop HAD to be close and thus the address on the letter had to be the laptop users address. I excitedly passed this information on to the Police and they then arranged for a Search Warrant from the Courts the next day and then paid the address a visit the following morning.

I then received a phone call from my customer to say that they had been contacted by the Police and that they could collect their laptop from them (with some proof of their identity) the following day, which they did. We are now restoring the laptop back to a pre-stolen date to remove traces of software that was installed during its absence and we heard that the insurance company was not going to pay out for the laptop because it was a work laptop and was not therefore technically covered on the household insurance from the house it was stolen from, so it was just as well we got it back.

So – if you don’t already have PreyProject installed on your iPad, iPhone, Laptop, Computer, Android phone, Apple Mac, Linux PC or anything else that it can be installed from, then what are you waiting for. If it gets stolen without PreyProject installed, you had better be one of our customers with Monitoring software installed or you can kiss it goodbye!


Exchange 2003 Activesync HTTP 500 Error

Further to my Exchange 2003 / Activesync Troubleshooting Guide which can be found here, I was working remotely on a Windows 2003 Server with Exchange 2003 SP2 installed over the weekend having been asked to try and make Activesync work as they had read through my guide and not managed to get everything working properly.

Initially the server needed to have it’s DNS configuration fixed so that the server could talk to the Internet and allow me access, so once their IT department had resolved that issue I was given credentials and started to look at the problems on the server.

Checking the settings against my article, everything appeared to be set properly, but the test on the test site was throwing HTTP 500 errors (my least favourite!), so I followed Method 2 of KB883380 (remove and re-create the Exchange IIS Virtual Directories) and once they had been recreated and the IIS settings re-checked, I re-ran the test on the test site and still received the HTTP 500 error.  At that point I was debating a call to Microsoft, but started to check the Event logs on the server and saw various DNS related errors which were of some concern.

Outlook 2007 was also installed on the Exchange 2003 server, so I wasn’t convinced that I had a simple fix on my hands.

I ran the Exchange 2003 Best Practises Analyzer tool and that reported that Exchange could not be contacted, which suggested a DNS issue.  In the DNS logs there was an Event ID 800 error:

The zone <zone> is configured to accept updates but the A record for the primary server in the zone’s SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.

The suggested fix for this was to run dcdiag /fix followed by netdiag /fix and then to restart the Netlogon Service.  I did this but nothing changed.

Running the netdiag /fix threw up the following error:

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE [FATAL] Failed to fix: DC DNS entry xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.internaldomainname.local. re-registeration on DNS server ‘Server IP Address’ failed.

I checked the DNS zones and saw that both the _msdcs.internaldomain.local zone and internaldomain.local zones were not showing all that they should have been so I deleted both zones and recreated them manually (referring to another Windows 2003 server for the relevant entries.  Once all that could be manually created was created, I re-ran dcdiag /fix and netdiag /fix and still received the error above.

I then tried searching for a way to fix this problem but drew a blank.  Looking through the other event logs, I came across the following error in the System Log:

Event ID: 5788
Source: Netlogon
Description: Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Searching for this error landed me here and upon checking the Computer Name / Domain Name,  I saw that the computer name was simply computername. not computername.internaldomain.local.  Never seen that one before.

Following the resolution in the MS article, I created a VB Script file and ran it on the server and rebooted.

Following the reboot, I re-ran the dcdiag /fix and netdiag /fix and the errors had gone.  In addition, some of the DNS records that I wasn’t able to create manually were magically back, so that seemed to have resolved the DNS issues – hurrah!

I then decided to re-test Activesync and happily received a complete pass on all tests – so now that Exchange could talk to itself, Activesync could actually work!

Running the Exchange Best Practices Analyzer again I was happy to see that Exchange could now talk to itself and the results showed a much happier server with only a few minor issues.

So – if you are seeing the dreaded HTTP 500 error and have gone through my Guide, followed KB883380 method 2 and still get the same error – it just might be a good idea to run the Exchange BPA and check your DNS settings are 100% happy.


Forefront Threat Management Gateway and Activesync – Password Prompt Issues on Windows Phones

Since installing Microsoft Forefront Threat Management Gateway in Front of my Exchange 2010 server, my Windows Mobile Phone has been regularly prompting me to enter my password (I have an HTC HD2). If I hit Cancel instead of entering the password, the phone will continue to sync (of course I could have entered my password, but I felt that it wasn’t necessary).

So – presumably there is a problem with a rule somewhere or a rule missing that is causing this problem.

After my business partner (Mark) had done some digging, he discovered a potential fix for this and emailed me a link. On checking the link, I did some research and there appeared to be a setting in my OWA / Activesync Publishing Rule that when de-selected (it is set by default), seems to happily solve the problem. To change the setting, please do the following:

Open up Forefront TMG Management, Click on “Firewall Policy” in the tree in the left-hand pane and then find your OWA / Activesync rule.

Double-click on your OWA / Activesync Publishing Rule, then click on the Listener Tab, then the Properties Button for the Listener, then click on the Forms Tab, then the Advanced button on the Forms Tab and you will see a Check box call “Apply Session Timeout to Non-Browser Clients”.

Untick this check box, click on OK 3 times, Apply the rule changes and then the Password Prompt on your Windows Mobile phone should have stopped and syncing will resume normally.

As Activesync needs to keep a connection open with the Exchange server, with this setting selected, the connection is dropped and thus the phone thinks it needs to re-authenticate with the server. With the setting not selected, then phone is allowed to keep a connection open with the Exchange server and thus the password prompt doesn’t pop up.

HTC HD2 Screen Lock – Prompt For PIN Every Time Phone Turned On Fix

Anyone who has an HTC HD2 mobile phone and syncs it to an Exchange Server that forces a PIN for security reasons has probably been frustrated as much as I have with having to key in the PIN every single time the phone is turned on.

Having used numerous HTC mobile phones over the past 6 or 7 years, and not having had this problem with any of their phones before, even when connected to an Exchange Server, I spoke to HTC about the issue and left the problem with them to hopefully find a fix and allow me to use my phone properly.

Well, that was in early August when I got back from holiday.

It is now September 23rd and having not heard a peep out of HTC, decided to chase them up and see what progress they had made.

After putting the phone down to HTC after one conversation, they suggested that I call my airtime provider (O2) as the software on the phone was an O2 branded version and that they must have changed something to cause the problem. Well, my business partner has an O2 HTC HD2 phone and it came from O2 and does not have the O2 branding all over it and it has the same problem, so a further call to HTC to discount O2 as the root of the problem left them a little bit perplexed, but me even more annoyed because I had to explain myself again to the support person at the other end of the phone.

One support guy escalated the call to a 2nd line person who basically advised me the fix was to Hard Reset the phone (which I had already done, so had my business partner, and it was no better). Well, that was useful advice!

To cut a long story short, after several phone calls to different HTC support staff, each time having to explain the problem to them, which they clearly did not understand and after much persuasion that it was not an Exchange issue, not an issue with the settings on the phone, but that the settings were simply getting ignored, I finally spoke to one person there who basically said that they were not going to do anything about it because it was not a problem, more like a “Security Feature”! Well – it is a Security Feature that I can do without.

After the final phone call, I rang O2 and asked if they could change my handset to one that worked. They advised me that I was not able to upgrade (having just done so), and could not change phones, so I was stuck with the annoying handset until next time renewal was due (10 months away). At that point, I asked to be put back onto an iPhone tariff and will continue to use the iPhone.

Not wanting to let this problem go, I surfed the web and after scouring through some forums, decided that I was not alone in having this problem, music to my ears, but no doubt something that HTC won’t want to hear, or maybe that should be ‘couldn’t care less’?

Buried within one forum was a Registry Tweak that could be made which looked like it might solve the problem and one user reported that it had worked for them (hurrah!).

So, I downloaded CERegEditor and installed it, then hooked up my HD2 via the USB cable and opened up the registry.

The suggested key to change / add was:

HKCU\ControlPanel\Keybd REG_DWORD DeviceLockWhenSuspend – Value = 0

After adding that key, because it was not already present, soft resetting my phone and testing the phone lock timeout, the phone did not ask me for the PIN every time I turned the phone on. Eureka!

So – tomorrow I may call HTC and advise them of the ‘fix’ to the problem they don’t seem to care about and hopefully they will add this to future ROM versions so that others may stop being as annoyed as I was about this little issue that seems to be frustrating the life out of every HTC HD2 owner.

One drawback of this registry “tweak” is that the phone will start working in your pocket as there now i sno lock facility. This was a minor setback and can be fixed by installing the following free App:

Slide To Unlock 2

Now I don’t get annoyed by having to enter the PIN EVERY time I try to use my phone and I can lock the screen when it is is my pocket.

If you have read this far – please take the poll below so that I can see if I am alone in being annoyed with HTC or not.



Windows Phone 7 Series – Released To Manufacturing

Microsoft has announced today that their next Mobile Phone Operating System (Windows Phone 7 Series), has been released to manufacturing.

As with most Mobile Phone Operating Systems, if you have a phone that has been tied to a particular carrier, it will be a few weeks before you can download and upgrade your Windows Mobile 6.5 phone.

For more information, please visit the following link:

Windows Phone 7 Series has been a complete re-write for Microsoft and it promises to be very different to the past versions.

Personally, I hope they bring out a Windows Phone 7 Series Home User version and a Windows Phone 7 Series Professional version, so that people have a choice and can use their phones for business (as I do), or use it for social networking, which I don’t.

The new version is all geared around people and what they are doing / up to, not something I will be rushing to update my phone to (he says), but then I said I wasn’t going to get an iPhone and then did (although I don’t use it any more).

Exchange 2003 and Activesync Configuration and Troubleshooting

So, here is my guide to solving (most) Exchange 2003 and Activesync issues:


1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed. Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!

To check if you have it installed, open up Exchange System Manager (Start> Programs> Microsoft Exchange> System Manager). Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not.

If you do not have SP2 installed you can download it here –

2. Ensure that TCP Port 443 is open (and forwarded) on your firewall to your Exchange server. You don’t need to open up any other ports to get Activesync working, just TCP port 443. You can check this on your Exchange Server at and you should see ‘Success’ if the port is open and forwarded correctly. If it isn’t open and forwarded, check your router and make sure you have the settings configured correctly.

3. Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’ then right-click on the relevant Virtual Directory (see below) and choose properties, then click on the Directory Security Tab):

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm =
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm =
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany*
• Realm =
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Restricted to IP Address of Server
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm =
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm.  MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above.

* yourcompany can be determined by opening up a command prompt (Start> Run> [type] cmd [press enter]) and then typing ‘SET’ and pressing enter. The variable ‘USERDOMAIN’ is the info you should use for ‘yourcompany’. Most often – this is not required, but I have seen instances where simply adding this info has made Activesync work.

5. ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

6. Make sure that you have HTTP Keep-Alives enabled. Right-Click on the Default Web Site and choose Properties. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box and click OK

7. Check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA). If it is not there – no worries.

Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync. (Start> Run> [type] ncpa.cpl [press enter]) Right-click on your Local Area Network Connection and choose Properties. Look under ‘This Connection Uses The Following Items:’ for Internet Protocol (TCP/IP) v6 – if it exists – uninstall it and reboot.

8. Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS manager, Right-Click the Default Website and choose properties, then on the Advanced button).

If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website (or any other website that you happen to have running that uses the same Host Header name that you are using on your SSL certificate) because this can/will also break Activesync.

If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.

SSL Certificate
Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync – for example, To check, right-click on the Default Web Site in IIS, choose Properties, click on the Directory Security Tab and then on the View Certificate Button.

If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

If you have a Small Business Server and don’t want to buy a 3rd Party SSL certificate, just re-run the ‘Connect To The Internet Wizard’, (Start> Server Management> To-Do List> Connect to the Internet).

Click Next. If the Wizard detects a Router – click No to leave the configuration alone.

Make sure ‘Do not change connection type’ is selected and click Next.

Leave the Web Services Configuration Settings as they are and click Next.

Select ‘Create a new Web server certificate’ and enter a ‘Web server name’ e.g., and click Next.

Select ‘Do not change Internet e-mail configuration’ and click Next.

Click Finish to complete the Wizard

If you have Windows Mobile Phones, Activesync is much easier to get working with a purchased SSL certificate. If you have a self-created SSL certificate and use Windows Mobile Phones, you will have to install the SSL certificate onto each and every Windows Mobile Phone that you want to use with your Exchange 2003 server. If you only have a handful of devices, then it won’t take long to do, but if you have dozens, a £30 1-Year SSL certificate is probably a very good investment. You can purchase a cheap, trusted SSL certificate from that will work happily.

Windows Mobile Phone / iPhone Settings:

Email Address: Your Users Email Address
Server: Whatever name you have on your certificate e.g., (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: The CORRECT password!
Description: Whatever you want to call the Account


If you have got SP2 installed, check on to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do NOT check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the “Ignore Trust for SSL” checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App ‘Activesync Tester’ and this should identify any problems with your configuration, or download the version for your PC from

Various Activesync Errors / Solutions:

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit and re-run the test.

Activesync Error 0x86000108:

Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) –

Application Event Log 3005 Errors:

A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.
For Small Business Server 2003 Users – please read this MS article –

Inconsistent Sync:

If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
ProactiveScanning REG_DWORD 1

HTTP 401 Error:

If you are getting an HTTP 401 error when testing on then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:

Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is – please read and create an exchange-oma virtual directory following the instructions in the KB article.

I have had Activesync work despite seeing “An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is:

HTTP/1.1 403 Forbidden

” at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server –

Also check to see if it is enabled on a user by user basis –

HTTP 500 Error:

If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists. Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication – Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected – hopefully this should work or give the OK result
• If okay – right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as ‘EntireRegistry’ and save the backup of the registry to the desktop
• In regedit – locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory fom File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the ‘Select a configuration to import’ section and click on OK. Select ‘Create a new virtual Directory’ and name the directory ‘exchange-oma’ and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse – you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync – it should hopefully be working now!

If the above fails, please check you event logs for Event ID 9667 – Source MSExchangeIS. If this event exists, please have a read of MS KB820379

In a recent question on, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

Isinteg –s servername –fix –test alltests

Select the dismounted database and let the check run. If you see 0 errors and 0 fixes, then all is well. If not, please re-run the test until you do (as many times as it takes – two usually is ufficient).

If you are still reading this article and are still seeing HTTP 500 errors, then we need to check the settings on the EXCHWEB Virtual Directory in IIS Manager.

Exchweb Virtual Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth \ USA Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit and re-run the test.

Recently added HTTP 500 Error solution for a server I worked on.

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily. If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

RECENT UPDATE (10/01/12) – A piece of software called [url=””%5DHide Folders 2009[/url] has been found to install a service called “FSPRO Filter Service” and a dll called FSPFltd.sys (in c:\windows\system32\drivers).  This program breaks Activesync.  If you have Activesync part working / part not working, please check your server for this software and if it is there – disable the service, move / delete the .dll file and restart your server.  Once restarted, Activesync should return to normal functionality!

RECENT UPDATE (29/05/12) – Please make sure that the server does not have Microsoft Security Essentials installed as this will break Activesync.  If you find it is installed – please uninstall it.

Recent Update (10/07/13) – DO NOT INSTALL programs such as Disk Keeper on any server running Exchange as it too will break Activesync!

If you are still not working – then you will probably have to call Microsoft to get support from them as something else not covered by this article is causing your problems.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far – and hopefully fixing your problems – if you have found this article helpful, please vote for it at the top of the page : )

* * * Please rate this article below if you have found it helpful * * *