How to resolve Exchange ActiveSync problems between Exchange and the iPhone
Now I had a feeling that if I simply changed the password for the user accounts, all would be well. But I
wanted to find out why two accounts were working and two were not.
The 'Cannot Get Mail' and the 'Password Incorrect' messages that are given out by the iPhone are generic
messages. It would seem that there are many reasons for this error message. I searched the Internet,
looking for a solution. There are many suggestions out there but I did not find one that helped in my situation.
I'm not really a fan of suggestions that have no tests that would indicate that the suggestion would be valid. It
means that we are no closer to a solution; if it works, it is only a fix.
The solution for this case turned out to be quite simple. You can jump straight to the solution at the end of
this document if you'd like! But I'll run through the troubleshooting steps I took now.
My Exchange and iPhone setup
My setup has moved on since my last blog on iPhone and ActiveSync problems.
Here are the relevant details to my scenario in my test lab:
Windows Server 2008 R2
Exchange 2010 Server with POP3 and IMAP services configured
Exchange 2010 Client Access Server (CAS)
Exchange 2010 DAG with two member Mailbox Servers
iPhones with many mailbox accounts configured for ActiveSync.
A certificate (non-self-signed) configured for my Client Access Server
This scenario will probably be similar to many business implementations, though some may not configure
Exchange 2010 for high availability but might elect for a single server. Of course, larger businesses will
deploy more Exchange Servers in various roles.
For the purposes of this troubleshooting exercise, it does not matter whether there is a DAG with member
servers or the problem mailbox resides on a single server.
To successfully work through this document, you will need to have administrative access to your Exchange
Server. If you don't, then you may need to enlist the help of your friendly Exchange Administrator.
Key Error Messages
Cannot Get Mail – The username or password for <name> is incorrect
Password Incorrect – Please enter the password for <name>
A Web Exception occurred because an HTTP 401 - Unauthorized response was received from IIS7
Troubleshooting
For completeness, I'll touch on some of the early things that I looked at:
1. Re-entered the password several times on the iPhone.
OK. So I sort of knew that this wasn't going to work but, good to at least eliminate this as the problem.
2. Compared Mailbox settings between one mailbox that was working and another that wasn't.
Found no differences.
3. Compared User Account properties between one working user and one non-working user.
Again, I found no differences.
4. Increased logging for ActiveSync.
Found no significant error messages in the event logs.
Use the Microsoft Exchange Remote Connectivity Analyzer
This is a very useful service accessed via the web at https://www.testexchangeconnectivity.com.
This service is also accessible via the Toolbox in the Exchange Management Console.
Before using it – it can test a range of services – it is recommended that you set up a test account to use
with it, in order to prevent exposing real accounts over the Internet. But in this situation, we have no choice
but to use the account that we have a problem with.
We'll at least make sure that the padlock is showing. And we will later change the password for this account.
Select the Exchange ActiveSync test and click Next.
In the next screen, you'll be asked to fill in details that will allow the service to perform the test.
For the purposes of my setup, I will need to 'Manually specify my ActiveSync server' and I'll need to select
'Ignore Trust for SSL' since my certificate isn't trusted all the way to a root CA.
Fill in all other required fields and click Perform Test.
When I performed this test for one of the non-working user accounts I got the following result:
Expanding the Test Steps, I found the following error message:
ExRCA is attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details:
A Web Exception occurred because an HTTP 401 - Unauthorized response was received from IIS7
Searching the Internet for any information on the above error yielded no credible answer for my particular
problem.
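The OPTIONS check that ExRCA performs can also be run from a machine inside the network, so the affected account's password does not have to be entered into an Internet-hosted service. This is an added example, not part of the original post; the function name Test-ActiveSyncOptions and the host mail.example.com are placeholders, and /Microsoft-Server-ActiveSync is the standard Exchange ActiveSync virtual directory.

```powershell
# Added example (not from the original post). mail.example.com is a placeholder
# for your Client Access Server name.
function Test-ActiveSyncOptions {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    $uri = "https://$Server/Microsoft-Server-ActiveSync"
    $request = [System.Net.WebRequest]::Create($uri)
    $request.Method = 'OPTIONS'
    $request.Credentials = $Credential.GetNetworkCredential()
    $request.Timeout = 15000   # milliseconds

    try {
        $response = $request.GetResponse()
        try {
            # A healthy server answers 200 and advertises its ActiveSync protocol versions.
            New-Object PSObject -Property @{
                Status   = [int]$response.StatusCode
                Versions = $response.Headers['MS-ASProtocolVersions']
                Detail   = 'OPTIONS succeeded'
            }
        }
        finally { $response.Close() }
    }
    catch {
        # PowerShell may wrap the .NET exception, so walk down to the WebException.
        $webEx = $_.Exception
        while ($webEx -and -not ($webEx -is [System.Net.WebException])) {
            $webEx = $webEx.InnerException
        }
        if (-not $webEx) { throw }

        # HTTP errors (such as the 401 above) carry a response; an untrusted
        # certificate does not, and shows up only in the Detail message.
        $code = $null
        if ($webEx.Response) {
            $code = [int]$webEx.Response.StatusCode
            $webEx.Response.Close()
        }
        New-Object PSObject -Property @{ Status = $code; Versions = $null; Detail = $webEx.Message }
    }
}

# Usage: Test-ActiveSyncOptions -Server 'mail.example.com' -Credential (Get-Credential)
```

If the certificate chain is not trusted by the test machine, import the issuing CA certificate there rather than disabling validation.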
Test 'direct' Outlook Connectivity
As mentioned, I had never logged into a computer using any of three of the accounts I use with my iPhone.
And I therefore hadn't logged into the two that weren't working. Would Outlook have any problems with these
accounts?
Would I even be able to logon?
Here's what happened.
The error message indicated that some password policy was in effect. I knew that I had not set such a
password policy. But I remembered that Windows Server 2008 brought with it increased levels of security. A
bit of research confirmed this to be the case.
http://technet.microsoft.com/en-us/library/cc264456.aspx
I noted from this page in particular that the default Maximum password age is now set to 42 days. I noted
too that "...By default, the value for this policy setting in Windows Server 2008 is configured to Disabled,
but it is set to Enabled in a Windows Server 2008 domain for both environments described in this guide."
Root Cause
Almost all of my user accounts have 'Password never expires' set. But this was not set for my three new User
and Mailbox accounts. This was no doubt due to the fact that you can create a mail-enabled new user from
the Exchange Management Console – ADUC is not visible in this process and so I neglected to check the
User Account tab properties.
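A quick way to confirm this root cause across all mailbox accounts is to list each one's password state from Active Directory. This is an added example, not part of the original post; the function name Get-MailboxPasswordState and the 7-day warning window are assumptions, and it requires the ActiveDirectory module that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the original post): show which mailbox-enabled accounts
# have an expired or soon-to-expire password, and which are exempt from expiry.
Import-Module ActiveDirectory

function Get-MailboxPasswordState {
    param([int]$WarnDays = 7)   # assumed warning window

    # Domain-wide maximum password age (42 days by default). Accounts covered by
    # a fine-grained password policy may have a different limit.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $now    = Get-Date

    # msExchMailboxGuid is only populated on accounts that have an Exchange mailbox.
    Get-ADUser -LDAPFilter '(msExchMailboxGuid=*)' `
               -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired |
        ForEach-Object {
            $expires = $null
            if (-not $_.PasswordNeverExpires -and $_.PasswordLastSet -and
                $maxAge -gt [TimeSpan]::Zero) {
                $expires = $_.PasswordLastSet + $maxAge
            }

            if ($_.PasswordNeverExpires) {
                $state = 'NeverExpires'
            }
            elseif ($_.PasswordExpired -or -not $_.PasswordLastSet) {
                # No PasswordLastSet means "must change password at next logon".
                $state = 'Expired'
            }
            elseif ($expires -and $expires -lt $now.AddDays($WarnDays)) {
                $state = 'ExpiringSoon'
            }
            else {
                $state = 'OK'
            }

            $_ | Select-Object SamAccountName, Enabled, PasswordLastSet,
                @{ Name = 'Expires'; Expression = { $expires } },
                @{ Name = 'State';   Expression = { $state } }
        }
}

# Accounts that ActiveSync would reject with 401 are the ones reported as 'Expired'.
Get-MailboxPasswordState | Sort-Object State, SamAccountName | Format-Table -AutoSize
```

The 'NeverExpires' rows double as an inventory of accounts exempt from the password policy.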
Solution
1. Set a new password.
2. Select 'Password never expires'
Note that corporate implementations will likely not allow your user account to be modified in this way. If
this is the case, then you likely are already used to changing your network password every so often.
3. On the iPhone, in Settings, navigate to the Mail settings and enter the new password.
Copyright 2010 Cairos Computing Limited
Help Computing is a trading style of Cairos Computing Ltd.
Part II
Reproduced with permission from http://messageflip.wordpress.com
My Test Lab has moved onto Exchange 2010 on Windows Server 2008. And I now have an iPhone 4. And
it's great – I can have as many Exchange accounts as I like now. But that's really due to the update to iOS4,
and so you can do this too on your iPhone 3GS or your iPhone 3G.
And now I have four Exchange accounts. I never log on to a computer for three of these user accounts. But I
access the mailboxes of all three through my main user and Exchange account, via Outlook.
But now, two of the three accounts (that I never log into) are failing on the iPhone with the following
message: