Can no longer access ActiveSync

Charlie

unread,

Sep 23, 2006, 4:47:02 PM9/23/06

to

Hi -

I have a Windows 2003, SP1 server running Exchange 2003, SP 2.
ActiveSync had been working using SSL, but for some reason it no longer
does. The version of the OS and Exchange were the same before the trouble
started as they are now.
Even when inside the firewall (on the LAN) this is so. If I try it without
SSL it will work from a Windows Mobile device.

I had installed the certificate for the server on the mobile devices, which
got ActiveSync and OMA working in the first place. OMA still works using SSL.

The error message is "Your account in Microsoft Exchange Server does not
have permission to synchronize with your current settings." The error code
is 0x85010001, which I can't find in the KB.

Help, anyone?
Thanks.

chace zhang

unread,

Sep 25, 2006, 3:23:54 AM9/25/06

to

Hi,

Thank you for posting here.

From your post, my understanding on this issue is: You encountered error
code 0x85010014 during accessing mailbox by ActiveSync. If I'm off base,
please feel free to let me know.

Based on my knowledge, support code 0x85010014 means error HTTP 500. The
error 0x85010004 happens when the authentication method is not configured
correctly in ActiveSync, OMA and Exchange/Exchange-OMA virtual directory.

Please verify Authentication settings by the following steps.

For Exchange-oma virtual directory:

1. Open IIS Manager
2. Open properties of virtual directory Exchange-oma
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the
authentication setting as below:

Authentication Methods
Enabled Basic authentication
Enabled Integrated Windows authentication
Disabled anonymous access

For OMA virtual directory and Microsoft-Server-ActiveSync virtual directory:

1. Open IIS Manager
2. Open properties of OMA virtual directory and Microsoft-Server-ActiveSync
virtual directory respectively.
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the
authentication setting as below:

Authentication Methods
Uncheck Enable anonymous access
Uncheck Integrated Windows authentication
Check Basic authentication

After that, please restart the IIS Admin Service (services.msc) and then
verify the issue.

If the issue persists after steps above, in order to have a more concrete
idea about the issue, please let me know the following info.

1. Do all the users have such issue or just specific users? Please create a
new mail-enabled user and verify whether he can access mailbox by
ActiveSync. If the issue persists, the issue may be caused by the
configuration of this specific device. If the issue disappears here, the
issue may be caused by the Exchange attribute of original user account.

2. Please locate another mobile device like original smart phone without
such issue before, and then use this smart phone to sync the specific
mailbox whose owner encountered issue on previous device. If the issue
disappears here, the issue may be caused by the configuration of this
device. If the issue persists, we may consider the issue happens to this
user account.

Collect the IIS metabase on Exchange Server and send to me:
v-ch...@microsoft.com. for further analysis:

1). On Exchange Server, install .NET Framework Version 1.1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-
8157-034d1e7cf3a3&DisplayLang=en.
2). Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-
B628-ADE629C89499&displaylang=en.
3). Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.
4). In the left pane, right click ''LM'' (under your server computer name)
to choose ''Export to file'', and then save it as IIS.mbk.
5). Compress this mbk file and send it to me for analysis. Please let me
know the password if you set on this iis mbk file.

4. Please collect the IIS log on Exchange Server so that I can perform
further research:

1). On Exchange Serves, open IIS MMC, right click Default Web Site and then
click Properties.
2). Click Website tab and then check Enable logging.
3). Stop the Default Website and RENAME the existing IIS log files under
C:\WINDOWS\system32\LogFiles\W3SVC1.
4). Restart the Default Website and reproduce the problem, which will
generate new IIS log file with the exact error.
5). Wait for a while so that IIS Log can be synced. And then go to the
following folder on Exchange Server: C:\WINDOWS\system32\LogFiles\W3SVC1.
6). Send me the log files to my working email address v-a...@microsoft.com.
And please let me know the alias of the user who encountered the issue.

5. For further test, please temporarily disable SSL if you enable it for
ActiveSync; create a new test account and let me know the following
information.

- Credential of this test account
- The public URL of your Exchange Server
- Domain name

I will access the mailbox by ActiveSync in my side to verify the issue. To
keep these confidential, please let me know by mail:
v-ch...@microsoft.com.

Hope this helps! If you have further concern, feel free to let me know.
Have a great day!

Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Charlie

unread,

Sep 29, 2006, 12:40:02 PM9/29/06

to

Thanks for the help on this.

To clarify, the error code I am getting is 0x85010001 to be exact.

I confirmed that the permissions were set exactly as you specified for all 3
VDs*. *This includes the OMA-Exchange VD, which is present only because I
had created it after reading a KB article that prompted me to create it.
Interestingly, you must have followed (or written?) the same article since
you have a VD with the same name. I believe this was to get around the
problem of OMA not accepting SSL. Could it be that creating a similar VM for
ActiveSync would solve my problem?

I have tried a different user, the domain admin/exchange full admin, and got
the same result. Again, without using SSL it works just fine. Furthermore,
this was working with SSL until about a month ago.

I may be able to get hold of a second smart phone to test this further.

Also, to make it clear, this is not actually a production environment. I am
testing this and I want to be able to get it working. I appreciate the help
though, as I would not want to have this happen when I try to implement it in
a production environment.

Within the next 24 hours, I should be able to set up an account for you and
send the logs, etc.

Thanks again.

chace zhang

unread,

Oct 2, 2006, 4:39:38 AM10/2/06

to

Hi,

Thank you for your clarification.

As you mentioned you are in a testing environment currently, I suppose you
do not have the published FQDN in internet. If you published your Exchange
Server, send me the root certificate if you enable it for ActiveSync;

create a new test account and let me know the following information.

- Credential of this test account
- The public URL of your Exchange Server
- Domain name

So I can test on my side.

I look forward to your update.

Have a nice day!

Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on Exchange technical issues. If you have

issues regarding other Microsoft products, you'd better post in the
corresponding newsgroups so that they can be resolved in an efficient and
timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Can no longer access ActiveSync

| thread-index: Acbj5ej9R6CvSxnhQcSC9+FbdiLZZA==

| X-WBNR-Posting-Host: 136.167.76.86
| From: =?Utf-8?B?Q2hhcmxpZQ==?= <bab...@news.postalias>

| References: <71EAE630-F205-4204...@microsoft.com>
<xA#JTOH4G...@TK2MSFTNGXA01.phx.gbl>
| Subject: RE: Can no longer access ActiveSync
| Date: Fri, 29 Sep 2006 09:40:02 -0700
| Lines: 224
| Message-ID: <7991C039-01CF-46EF...@microsoft.com>

| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.exchange.admin:571612

Charlie

unread,

Oct 21, 2006, 10:30:01 PM10/21/06

to

It turns out that the root certificate that had been imported on the mobile
device must have gotten corrupted somehow. I imported a fresh copy and all
was OK. Thanks to Chace for lots of help on this.

chace zhang

unread,

Oct 23, 2006, 7:22:32 AM10/23/06

to

Hi,

Thank you for letting me know that the information helped you resolve this
issue. Please let us know if we can be of assistance in the future.

| thread-index: Acb1gfnYfAf9TcntQAuKkZSCyksPSQ==
| X-WBNR-Posting-Host: 24.218.218.243

| From: =?Utf-8?B?Q2hhcmxpZQ==?= <bab...@news.postalias>
| References: <71EAE630-F205-4204...@microsoft.com>

| Subject: RE: Can no longer access ActiveSync

| Date: Sat, 21 Oct 2006 19:30:01 -0700
| Lines: 24
| Message-ID: <2BCDA626-0544-4DA0...@microsoft.com>

| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.exchange.admin:575753

| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.exchange.admin
|