SBS2003, Exchange 2003 & Mobile ActiveSync

I have a server running SBS2003 SP1 with Exchange 2003. I can open OWA, but
not OMA. I get the usual "Your account in Microsoft Exchange Server does not
have permission to synchronize with your current settings. Contact your
Exchange Server administrator. Support Code: 85010004" error. I have read
every fourm post and Google search return without success. I have deleted and
recreated virtual directories, adjusted permissions and added new SSL certs
and roots. Also, I can not sync my Verizon HTC XV6700, it gets the sanme
error.

I hoping there is something else I haven't discovered yet, as I'm hoping to
market SBS bundled with hardware, devices and services to exiting & potential
clients. Any suggetions would be appreciated!

Is it possible to deploy a SBS2003 server with mobile devices without all
the headaches and problems?

Thanks in advance for your time and consideration!
Matt Kiolbassa
Ntelogic

Active Directory Users and Computers> Right Click on User > Properties >
Exchange Features > Mobile Services
Are all 3 enabled?

--
Cris Hanna [SBS-MVP]
------------------------------
Please do not contact me directly, only respond in the Newsgroups
MVPs do not work for Microsoft
------------------------------
Send via Windows Mail on Vista Ultimate connected to SBS 2003 R2
"Matt K" <> wrote in message
news:A5750B77-95A2-438F-B4F2-...
>I have a server running SBS2003 SP1 with Exchange 2003. I can open OWA, but
> not OMA. I get the usual "Your account in Microsoft Exchange Server does
> not
> have permission to synchronize with your current settings. Contact your
> Exchange Server administrator. Support Code: 85010004" error. I have read
> every fourm post and Google search return without success. I have deleted
> and
> recreated virtual directories, adjusted permissions and added new SSL
> certs
> and roots. Also, I can not sync my Verizon HTC XV6700, it gets the sanme
> error.
>
> I hoping there is something else I haven't discovered yet, as I'm hoping
> to
> market SBS bundled with hardware, devices and services to exiting &
> potential
> clients. Any suggetions would be appreciated!
>
> Is it possible to deploy a SBS2003 server with mobile devices without all
> the headaches and problems?
>
> Thanks in advance for your time and consideration!
> Matt Kiolbassa
> Ntelogic

Hi Cris,

Yes - all three are enabled.

Thanks,
Matt Kiolbassa

"Cris Hanna [SBS-MVP]" wrote:

> Active Directory Users and Computers> Right Click on User > Properties >
> Exchange Features > Mobile Services
> Are all 3 enabled?
>
> --
> Cris Hanna [SBS-MVP]
> ------------------------------
> Please do not contact me directly, only respond in the Newsgroups
> MVPs do not work for Microsoft
> ------------------------------
> Send via Windows Mail on Vista Ultimate connected to SBS 2003 R2
> "Matt K" <> wrote in message
> news:A5750B77-95A2-438F-B4F2-...
> >I have a server running SBS2003 SP1 with Exchange 2003. I can open OWA, but
> > not OMA. I get the usual "Your account in Microsoft Exchange Server does
> > not
> > have permission to synchronize with your current settings. Contact your
> > Exchange Server administrator. Support Code: 85010004" error. I have read
> > every fourm post and Google search return without success. I have deleted
> > and
> > recreated virtual directories, adjusted permissions and added new SSL
> > certs
> > and roots. Also, I can not sync my Verizon HTC XV6700, it gets the sanme
> > error.
> >
> > I hoping there is something else I haven't discovered yet, as I'm hoping
> > to
> > market SBS bundled with hardware, devices and services to exiting &
> > potential
> > clients. Any suggetions would be appreciated!
> >
> > Is it possible to deploy a SBS2003 server with mobile devices without all
> > the headaches and problems?
> >
> > Thanks in advance for your time and consideration!
> > Matt Kiolbassa
> > Ntelogic
>

You're right, it doesn't get much more difficult than SBS and mobile devices,
however deploying mobile devices is much, much, much easier in Exch2007 so
there is hope for the next rev of SBS.

When I ran into this I found that the exchange-oma and exchange-activesync
something or other directories were locked down to only allow access from the
LAN. Not sure if you recreated all of them, but check the IP restrictions.
I had the exact error you're running into and that fixed it. Also make sure
exchange-oma is not requiring SSL. I think I ran into the same error with
that as well.

Also, check out the Windows Mobile Device Emulator to use in testing. When
setup with the virtual network adapter and ActiveSync, you can hammer away on
testing without having to deal with an actual physical mobile device.

"Matt K" wrote:

> I have a server running SBS2003 SP1 with Exchange 2003. I can open OWA, but
> not OMA. I get the usual "Your account in Microsoft Exchange Server does not
> have permission to synchronize with your current settings. Contact your
> Exchange Server administrator. Support Code: 85010004" error. I have read
> every fourm post and Google search return without success. I have deleted and
> recreated virtual directories, adjusted permissions and added new SSL certs
> and roots. Also, I can not sync my Verizon HTC XV6700, it gets the sanme
> error.
>
> I hoping there is something else I haven't discovered yet, as I'm hoping to
> market SBS bundled with hardware, devices and services to exiting & potential
> clients. Any suggetions would be appreciated!
>
> Is it possible to deploy a SBS2003 server with mobile devices without all
> the headaches and problems?
>
> Thanks in advance for your time and consideration!
> Matt Kiolbassa
> Ntelogic

Matt K <> wrote:
> Hi Cris,
>
> Yes - all three are enabled.
>
> Thanks,
> Matt Kiolbassa

Dumb question, but do you have Exchange 2003 SP2 installed?

>
> "Cris Hanna [SBS-MVP]" wrote:
>
>> Active Directory Users and Computers> Right Click on User >
>> Properties > Exchange Features > Mobile Services
>> Are all 3 enabled?
>>
>> --
>> Cris Hanna [SBS-MVP]
>> ------------------------------
>> Please do not contact me directly, only respond in the Newsgroups
>> MVPs do not work for Microsoft
>> ------------------------------
>> Send via Windows Mail on Vista Ultimate connected to SBS 2003 R2
>> "Matt K" <> wrote in message
>> news:A5750B77-95A2-438F-B4F2-...
>>> I have a server running SBS2003 SP1 with Exchange 2003. I can open
>>> OWA, but not OMA. I get the usual "Your account in Microsoft
>>> Exchange Server does not
>>> have permission to synchronize with your current settings. Contact
>>> your Exchange Server administrator. Support Code: 85010004" error.
>>> I have read every fourm post and Google search return without
>>> success. I have deleted and
>>> recreated virtual directories, adjusted permissions and added new
>>> SSL certs
>>> and roots. Also, I can not sync my Verizon HTC XV6700, it gets the
>>> sanme error.
>>>
>>> I hoping there is something else I haven't discovered yet, as I'm
>>> hoping to
>>> market SBS bundled with hardware, devices and services to exiting &
>>> potential
>>> clients. Any suggetions would be appreciated!
>>>
>>> Is it possible to deploy a SBS2003 server with mobile devices
>>> without all the headaches and problems?
>>>
>>> Thanks in advance for your time and consideration!
>>> Matt Kiolbassa
>>> Ntelogic

Hi Matt,

Thanks for posting here.

From your post, my understanding on this issue is: You encountered error
code 0x85010004 during accessing mailbox by ActiveSync. If I'm off base,
please feel free to let me know.

Based on my knowledge, The error 0x85010004 happens when the authentication
method is not configured correctly in ActiveSync, OMA and
Exchange/Exchange-OMA virtual directory.

I.Please verify Authentication settings by the following steps.

For Exchange-oma virtual directory:

1. Open IIS Manager

2. Open properties of virtual directory Exchange-oma

3. Select Directory Security tab

4. Select Edit in Authentication and access control box. Make sure the
authentication setting as below:

Authentication Methods

Enabled Basic authentication

Enabled Integrated Windows authentication

Disabled anonymous access

Note:If you need to use SSL on the Exchange virtual directory, you may
create the Exchange-OMA virtual directory for the OMA and ActiveSync and
don't use SSL on the Exchange-OMA virtual directory.

For OMA virtual directory and Microsoft-Server-ActiveSync virtual directory:

1. Open IIS Manager

2. Open properties of OMA virtual directory and Microsoft-Server-ActiveSync
virtual directory respectively.

3. Select Directory Security tab

4. Select Edit in Authentication and access control box. Make sure the
authentication setting as below:

Authentication Methods

Uncheck Enable anonymous access

Uncheck Integrated Windows authentication

Check Basic authentication

After that, please restart the IIS Admin Service (services.msc) and then
verify the issue.

II. if issue still occur, refer to the KB article 883380 to rebuild the
DS2MB of IIS server and manually create exchange-oma VD to see if the issue
resolved.

Step 1: Rebuild the DS2MB of IIS server. To do so:

1. Go to Internet Services Manager and delete the following virtual
directories:

Microsoft-Server-ActiveSync,

OMA,

Exchange,

Public,

ExchWeb.

2. Open Metabase Explorer and expand LM > DS2MB > HighWaterMarks > GUID

3. Double click the entry which has a 5-digit number in the data folder in
the right pane of the GUID folder.

4. Replace the number in the Data field with 0 (zero) and then click OK.
Close Metaedit

5. Run services.msc and right click IIS Admin Service, and then click
Restart to restart the service.

6. Restart the System Attendant. After that, these virtual directories can
be created.

7. Then please re-run CEICW to configure network connection.

More detailed information is addressed in the following article:

883380 How to reset the default virtual directories for Outlook Web Access
in Exchange Server 2003

http://support.microsoft.com/?id=883380

Step 2: Then create exchange-oma VD in IIS manager console manually since
the VD can not be automatically created by re-building DS2MB. Please refer
to the following KB article method 2 to create the exchange-oma VD.

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
forms-based authentication is required for Exchange Server 2003

http://support.microsoft.com/default.aspx?kbid=817379

More information is addressed in the following article, please check into
the following document:

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft
Exchange Server 2003 SP2

http://www.microsoft.com/technet/its...oy/msfp_2.mspx


III.I have one way to verify whether the issue is related to Firewall
server.

1. Disable SSL for Microsoft-Server-ActiveSync virtual directory.
2. Locate a workstation within LAN; download PC ActiveSync application as
below:

http://www.microsoft.com/windowsmobi...ivesync45.mspx

3. Connect Pocket PC through cradle with this PC;
4. Specify the NetBIOS name of Exchange Server in order to avoid PPC
connecting Exchange Server from Internet; and then synchronize Exchange
Server mailbox by PC ActiveSync application.

If the issue disappears here, I am sure it is caused by Firewall settings.
If possible,temporarily disable ISA firewall.


If the issue persists after steps above, in order to have a more concrete
idea about the issue, please let me know the following info.

1. Does issue happen to accessing mailbox by OMA? For further test, please
login Exchange Server itself, and access URL: http://Exchange_Server/OMA,
verify whether you can access the mailbox successfully.

2. Do all the users have such issue or just specific users? this error
could also occur because of corrupt exchange attributes for the mailbox.
So, I would like to suggest that you create a new mail enabled user account
and see if the activesync/OMA can work for the new account.

3. Collect the IIS metabase on Exchange Server and send to
me:v-. for further analysis:

1). On Exchange Server, install .NET Framework Version 1.1:
http://www.microsoft.com/downloads/d...5e3-f589-4842-
8157-034d1e7cf3a3&DisplayLang=en.

2). Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/d...2EE-A71A-4C73-
B628-ADE629C89499&displaylang=en.

3). Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.

4). In the left pane, right click ''LM'' (under your server computer name)
to choose ''Export to file'', and then save it as IIS.mbk.

5). Compress this mbk file and send it to me for analysis. Please let me
know the password if you set on this iis mbk file.

4. Please collect the IIS log on Exchange Server so that I can perform
further research:


1). On Exchange Serves, open IIS MMC, right click Default Web Site and then
click Properties.

2). Click Website tab and then check Enable logging.

3). Stop the Default Website and RENAME the existing IIS log files under
C:\WINDOWS\system32\LogFiles\W3SVC1.

4). Restart the Default Website and reproduce the problem, which will
generate new IIS log file with the exact error.

5). Wait for a while so that IIS Log can be synced. And then go to the
following folder on Exchange Server: C:\WINDOWS\system32\LogFiles\W3SVC1.

6). Send me the log files to my working email address
v-. And please let me know the alias of the user who
encountered the issue.


Hope this helps! If you have further concern, feel free to let me know.
Have a great day!


Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
================================================== ==
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
================================================== ==
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
================================================== ==
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ==

I got it working!

Thanks to everyone who posted! I really appreciate it!!

Here's the solution that worked for me:

I checked the IP restrictions in the exchange-oma as matt suggested in his
post and found that my public IP was allowed access and the default 127.0.0.1
was allowed access. I use 2 NIC's and the IP for the internal NIC comes from
SBS's DHCP server, so I added the IP used by the internal NIC and oma started
working!

Then, I followed Jacky's post and found the anonymous access was enabled in
the exchange-oma virtual directory after I recreated those in a prior step.
Disabled that and my PPC started syncing right away.

Seems the set-up wizards in SBS2003 add some settings a little outside of
normal, but I'm ready to try another server install/set-up.

Thanks again everyone!
Matt Kiolbassa

"Matt K" wrote:

> I have a server running SBS2003 SP1 with Exchange 2003. I can open OWA, but
> not OMA. I get the usual "Your account in Microsoft Exchange Server does not
> have permission to synchronize with your current settings. Contact your
> Exchange Server administrator. Support Code: 85010004" error. I have read
> every fourm post and Google search return without success. I have deleted and
> recreated virtual directories, adjusted permissions and added new SSL certs
> and roots. Also, I can not sync my Verizon HTC XV6700, it gets the sanme
> error.
>
> I hoping there is something else I haven't discovered yet, as I'm hoping to
> market SBS bundled with hardware, devices and services to exiting & potential
> clients. Any suggetions would be appreciated!
>
> Is it possible to deploy a SBS2003 server with mobile devices without all
> the headaches and problems?
>
> Thanks in advance for your time and consideration!
> Matt Kiolbassa
> Ntelogic

Hi Matt,

Thanks for posting back.

I am glad to hear that my informaiton is helpful to resolve your problem,
If you have any questions in the future, please feel free to post in the
newsgroup. We''ll try our best to assist you.

We are looking forward to working with you here again.


Here is the summary of your issue:

Symptom:OMA and activesync donot work

Cause:exchange-oma virtual directory setting is incorrect

Resolution:change the Ip restriction and disable anonymous access in
exchange-oma VD



Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
================================================== ==
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
================================================== ==
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
================================================== ==
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ==

Hello Charles,

Thanks for your post.

Before we go further, I would like to confirm that:

1. Has it ever worked before? Did the issue only occur to the specific iPhone mobile or all iPhone devices?
2. Have you tried using other mobile device like Windows Mobile device to have a try?

From the Exchange Remote Connectivity analyzer report, we can see error message " HTTP Error 403.6 - Forbidden: IP address of the client has been rejected", so please
first rerun the CEICW wizard to enable ActiveSync reset your Exchange default configurations as well as related network communications. Also, I still suggest you temporarily
disable all 3rd party anti-virus/anti-spam programs for test purpose.

How To Set Up iPhone Exchange ActiveSync
<http://blog.fosketts.net/2008/07/10/how-to-set-up-iphone-exchange-activesync>

Now, try again with Exchange Server ActiveSync Web Administration Tool:

Microsoft Exchange Server ActiveSync Web Administration Tool
<http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&DisplayLang=en>

More information:

iPhone 3G won't Sync with Exchange in Windows Small Business Server General
<http://www.microsoft.com/communities...guid=&sloc=en-
us&dg=microsoft.public.windows.server.sbs&p=1&tid= f66d2c49-2cae-426b-9c64-2e3a2c0bd267>

Hope this helps.



Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

================================================== ================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect website:
https://connect.microsoft.com/sbs08/...i/default.aspx

Please post your EBS related questions to the EBS newsgroup on Connect website:
https://connect.microsoft.com/ebs08/...i/default.aspx

If you want to use a newsreader other than a web forum to access these newsgroups,
please refer to the following blog to apply NNTP password and configure a newsreader:
http://msmvps.com/blogs/bradley/arch...ewsgroups.aspx
================================================== ================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ================
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ================

"charles_nana" <> wrote in message
news:...
>
> Hi Robbin,
> Thanks for your suggestions.
> This was a old installation, but activesync never worked, but OWA
> worked.
> Last Saturday I was able to make it work with iphones after giving
> permision to Microsoft-server-Activesync folder under IIS.
> IIS --->Microsoft-server-ActiveSync-->properties-->Directory
> Security-->IP address and domain name restrictions --> Grant access.( it
> was set only to local IP address)
>
> But I have a different issue now with OWA. It works internally with
> https:\\127.0.0.1\exchange, but when try to access from outside, it ask
> for the user name and password and trying to load the page without
> success. I think OWA page is directing to exchange-oma folder. Could you
> tell me how to resolve this issue.
>
> Thanks
> Charles
>
>
> --


How are you trying to connect to OWA from the outside? By IP or by FQDN? You
must use the FQDN name, such as http://mail.yourdomain.com/exchange. Using
the IP will give you either undesirable results, or may not work at all.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.