Resolving Windows Mobile Exchange ActiveSync Issues

Here's 2 quick articles to troubleshoot your Windows Mobile Exchange ActiveSync issues:

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

http://support.microsoft.com/default.aspx?scid=kb;EN-US;817379

Background:

The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories cannot access the contents of the user's mailbox if the Exchange virtual directory is configured to require SSL. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories only try to connect with the Exchange virtual directory over TCP port 80 (HTTP), not over TCP Port 443 (HTTPS).

Instructions:

1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is as follows:

Web Sites\Default Web Site\Exchange

3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import , click Exchange, and then click OK.
A dialog box will appear that states that the "virtual directory already exists."
8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. Type exchange-oma. Click OK.
9. Right-click the new virtual directory, click exchange-oma, and cick Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.
12. Make sure that only the following authentication methods are enabled, and then click OK:

• Integrated Windows authentication
• Basic authentication

13. Under IP address and domain name restrictions, click Edit.
14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
16. Click OK, and then close the IIS Manager.
17. Click Start, click Run, type regedit, and then click OK.
18. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

19. Right-click Parameters, click to New, and then click String Value.
20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

Note: ExchangeVDir is case-sensitive.
If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.

21. In the Value data box, type the name of the new virtual directory that you created in step 8.
For example, type /exchange-oma. Click OK.
22. Quit Registry Editor.
23. Restart the IIS Admin service. To do this, follow these steps:

a. Click Start, click Run, type services.msc, and then click OK.
b. In the list of services, right-click IIS Admin service, and then click Restart.

How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

http://support.microsoft.com/default.aspx?scid=kb;EN-US;215383

Background:

When you configure forms-based authentication on the Exchange Server 2003, the authentication method for the Exchange virtual directory is set to Basic authentication, and the default Domain is set to the backslash character. The Microsoft-Server-ActiveSync virtual directory can only connect to the Exchange virtual directory by using Kerberos authentication.

Instructions:

1. Click Start, click Run, type cmd, and then press ENTER.

2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.

3. Use the following command to retrieve the current values for the NTAuthenticationProviders metabase property:

cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders

In this command, WebSite is a placeholder for the Web site ID number. The Web site ID number of the default Web site is 1.

Warning: Do not perform a copy-and-paste operation to paste the command from this article. This operation may cause issues with the property setting. To avoid these issues, type the whole command at a command prompt.

Note This command fails if the NTAuthenticationProviders metabase property is not defined. For more information, see the note earlier in this section.

If the Negotiate process is enabled, this command returns the following information:

NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

4. If the command in step 3 does not return the string "Negotiate,NTLM," use the following command to enable the Negotiate process:

cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"

5. Repeat step 3 to verify that the Negotiate process has been enabled.