
How to resolve Exchange ActiveSync problems between Exchange and the iPhone

Part II

My Test Lab has moved onto Exchange 2010 on Windows Server 2008. And I now have an iPhone 4. And it’s great – I can have as many Exchange accounts as I like now. But that’s really due to the update to iOS4, and so you can do this too on your iPhone 3GS or your iPhone 3G.

And now I have four Exchange accounts. I never log on to a computer for three of these user accounts. But I access the mailboxes of all three through my main user and Exchange account, via Outlook.

But now, two of the three accounts (that I never log into) are failing on the iPhone with the following message:

Now I had a feeling that if I simply changed the password for the user accounts, that all would be well. But I wanted to find out why two accounts were working and two were not.

The ‘Cannot Get Mail‘ and the ‘Password Incorrect‘ messages that are given out by the iPhone are generic messages. It would seem that there are many reasons for this error message. I searched the Internet, looking for a solution. There are many suggestions out there but I did not find one that helped in my situation. I’m not really a fan of suggestions that come with no test to show that the suggestion is valid. It means that we are no closer to a solution; if it works, it is only a fix.

The solution for this case turned out to be quite simple. You can jump straight to the solution at the end of this document if you’d like! But I’ll run through the troubleshooting steps I took now.

My Exchange and iPhone setup

My setup has moved on since my last blog on iPhone and ActiveSync problems.

Here are the relevant details to my scenario in my test lab:

  • Windows Server 2008 R2
  • Exchange 2010 Server with POP3 and IMAP services configured
  • Exchange 2010 Client Access Server (CAS) 
  • Exchange 2010 DAG with two member Mailbox Servers
  • iPhones with many mailbox accounts configured for ActiveSync.
  • A certificate (non-self-signed) configured for my Client Access Server

    
 

This scenario will probably be similar to many business implementations, though some may not configure Exchange 2010 for high availability but might elect for a single server. Of course, larger businesses will deploy more Exchange Mailbox Servers.

For the purposes of this troubleshooting exercise, it does not matter whether there is a DAG with member servers or the problem mailbox resides on a single server.

To successfully work through this document, you will need to have administrative access to your Exchange Server. If you don’t, then you may need to enlist the help of your friendly Exchange Administrator.

Key Error Messages

Cannot Get Mail – The username or password for <name> is incorrect

Password Incorrect – Please enter the password for <name>

A Web Exception occurred because an HTTP 401 – Unauthorized response was received from IIS7

Troubleshooting

For completeness, I’ll touch on some of the early things that I looked at:

  1. Re-entered the password several times on the iPhone.

    OK. So I sort of knew that this wasn’t going to work but, good to at least eliminate this as the problem.

  2. Compared Mailbox settings between one mailbox that was working and another that wasn’t.

    Found no differences.

  3. Compared User Account properties between one working user and one non-working user.

    Again, I found no differences.

  4. Increased logging for ActiveSync

    Found no significant error messages in the event logs.

 

Use the Microsoft Exchange Remote Connectivity Analyzer

This is a very useful service accessed via the web at https://www.testexchangeconnectivity.com.

This service is also accessible via the Toolbox in the Exchange Management Console.

Before using it – it can test a range of services – it is recommended that you set up a test account to use with it, in order to prevent exposing real accounts over the Internet. But in this situation, we have no choice but to use the account that we have a problem with.

We’ll at least make sure that the padlock is showing. And we will later change the password to this account.

Select the Exchange ActiveSync test and click Next.

In the next screen, you’ll be asked to fill in details that will allow the service to perform the test.

For the purposes of my setup, I will need to ‘Manually specify my ActiveSync server’ and I’ll need to select ‘Ignore Trust for SSL’ since my certificate isn’t trusted all the way to a root CA.

Fill in all other required fields and click Perform Test.

When I performed this test for one of the non-working user accounts I got the following result:

Expanding the Test Steps, I found the following error message:

ExRCA is attempting to send the OPTIONS command to the server.

Testing of the OPTIONS command failed. For more information, see Additional Details.

    Additional Details:

A Web Exception occurred because an HTTP 401 – Unauthorized response was received from IIS7

 

Searching the Internet for any information on the above error yielded no credible answer for my particular problem.

Test ‘direct’ Outlook Connectivity

As mentioned, I had never logged into a computer using any of three of the accounts I use with my iPhone. And I therefore hadn’t logged into the two that weren’t working. Would Outlook have any problems with these accounts?

Would I even be able to log on?

Here’s what happened.

The error message indicated that some password policy was in effect. I knew that I had not set such a password policy. But I remembered that Windows Server 2008 brought with it increased levels of security. A bit of research confirmed this to be the case.

http://technet.microsoft.com/en-us/library/cc264456.aspx

I noted from this page in particular that the default Maximum password age is now set to 42 days. I noted too that “…By default, the value for this policy setting in Windows Server 2008 is configured to Disabled, but it is set to Enabled in a Windows Server 2008 domain for both environments described in this guide.”

Root Cause

Almost all of my user accounts have ‘Password never expires’ set. But this was not set for my three new User and Mailbox accounts. This was no doubt due to the fact that you can create a mail-enabled new user from the Exchange Management Console – ADUC is not visible in this process and so I neglected to check the User Account tab properties.

Solution

  1. Set a new password.
  2. Select ‘Password never expires’

    Note that corporate implementations will likely not allow your user account to be modified in this way. If this is the case, then you likely are already used to changing your network password every so often.

  3. On the iPhone, in Settings, navigate to the Mail settings and enter the new password.

 

You may have found that for some reason, your ActiveSync configuration to Exchange on your iPhone stops working. And instead it continually tells you that the password is wrong.   

 

You’ve changed the password in Active Directory Users and Computers. To no avail. Like me, you even tried putting in any old password, you know, made up ones. The message is quick and still the same. It made me think that the iPhone wasn’t actually checking the password.

   

   

My Exchange and iPhone setup

   

Now would be a good time to tell you of my setup. Here are the relevant details to my scenario in my test lab:

   

  • Exchange 2007 Server with POP3 and IMAP services configured
  • Client Access Server (CAS) 
  • Mailbox Server
  • iPhone with many mailbox accounts configured for ActiveSync, POP3 and IMAP.
  • No certificates configured for my Client Access Server

   

OK. I know that no certificates on my, or for my, CAS is not best practice. But I understand the risks and this is a test lab.     

If your scenario is similar to mine then I hope that this document is useful. To successfully work through this document, you may need to have administrative access to your Exchange Server. If you don’t, then you may need to enlist the help of your friendly Exchange Administrator.

Troubleshooting an ActiveSync Account on the iPhone

 

You’ll no doubt remember this familiar error message:     

    

The first step is to test whether the iPhone can actually connect to the server.     

    

You’ll need to start troubleshooting from the iPhone itself. We will test three areas, as follows:   

    

  1. Whether the iPhone can resolve your server name
  2. Whether the iPhone can ping your server
  3. Whether the iPhone can connect to the server

     

To do this, you’ll need to download some apps to your iPhone.      

I performed these tests using an iPod Touch as well as an iPhone and so used WiFi for connectivity. You might be using an iPhone and later need or want to repeat these tests using the cellular network. If you’d like to do this, you’d simply turn off WiFi on the iPhone.      

If you don’t use WiFi, then perform these tests using your cellular network.

   

 

Whether the iPhone can resolve your server name

   

  1. On the iPhone, find the free app ‘DNS Lookup’ from Nettica and install it. 
  2. Run DNS Lookup (see picture below)
    DNS Lookup will use the DNS servers that your iPhone is already configured for.
  3. Enter a Server IP address, or a server name.
    This will be the server you already have configured on the iPhone, the Host Name.

   

      

If the app is able to resolve your server to an IP address, then the iPhone has passed the first test.  

But if the app can’t resolve your server name then you should check the following to get the iPhone to pass this test:   

a) Can the iPhone currently browse the internet?    

b) Can DNS Lookup resolve a well known address – news.bbc.co.uk?    

c) Is the server name or IP address correct?    

 

 

Whether the iPhone can ping your server     

 

This test may fail if your network (where your Exchange Server is) is set to ignore ping requests. Either way, it’s worth performing this test for any information that may be gleaned and for completeness.      

1. Find and install Ping Lite to the iPhone. See shot below.   

   

2. Click on the Ping button.   

3. In the resultant screen, paste in the IP address you obtained from the previous test and click the ‘Start’ button.    

    

Examine the output. If all four packets were received by the server then this is good; it further proves connectivity between your iPhone and the server. But if all packets fail, then this may simply be because your IT department has configured their routers not to respond to ping requests. We move on to the final test.      

 

 

Whether the iPhone can connect to the server   

 

You’ll need an ActiveSync client. An ActiveSync client will allow us to test whether it is possible to connect directly to the Exchange Server from the Touch or the iPhone.    

1. On the iPhone find the free app, ActiveSync Tester and install it.   

2. Run AS Tester on the iPhone (see image below):

 

   

3. Fill in the fields shown in the screenshot above.

The server will be as you had it previously configured on your iPhone before it all went wrong! This will be the Host Server you used in the first test – ‘can your iPhone resolve your server name’.   

The username is usually the user’s login name, as used to log on to the user’s computer.    

The Domain is your domain or your company’s domain (e.g. acme.com).    

 

4. Click START TEST.      

 

If you get an error at this stage then the iPhone actually can’t reach your server.      

Possible reason:
Port 443 is blocked by a firewall or router at the edge of the Exchange Server network. Port 443 is used by ActiveSync.

You will need to verify this yourself if you are responsible for your own network, or by contacting someone responsible for the network. Most organisations will block ports, leaving open only those that are necessary. Those ports are then secured using some form of authentication. Port 443 is not normally a common port that is opened and you might need to negotiate.    

 

Otherwise, in running this test, you may get the following result:    

    

In this case the test reveals that “ActiveSync IS NOT available. (Username or Password incorrect.)”      

But I knew that ActiveSync was available because other iPhone devices were working. So I re-ran the test by putting in my credentials from my iPhone.     

This all worked. The Tester declared that ActiveSync was available (see screenshot below).    

    

      

This meant that the problem is decidedly with the user of the iPhone.
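
The three checks above (resolve the name, reach the server, connect with credentials) can also be run from any computer, ending with the same OPTIONS request that ExRCA reports sending in Part II. This is an added example, not part of the original post or of any tool it mentions; it assumes Basic authentication over HTTPS on port 443 and the standard /Microsoft-Server-ActiveSync path, and the function names are illustrative.

```python
import base64
import http.client
import socket
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"  # Exchange ActiveSync virtual directory

def interpret(status, headers):
    """Turn the OPTIONS result into the conclusion drawn in the text."""
    if status == 200 and "ms-asprotocolversions" in headers:
        return "ActiveSync available (versions " + headers["ms-asprotocolversions"] + ")"
    if status == 401:
        return "Server reached but logon refused (401): check the account, not the network"
    return f"Unexpected HTTP {status}: check the CAS ActiveSync virtual directory"

def check_activesync(host, user, password, verify_tls=True, timeout=10):
    # Stage 1: name resolution (the 'DNS Lookup' test).
    try:
        addr = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)[0][4][0]
    except socket.gaierror as exc:
        return f"DNS failure for {host}: {exc}"
    # Stage 2: TCP connect to 443; unlike ping, this is what ActiveSync needs.
    try:
        socket.create_connection((addr, 443), timeout=timeout).close()
    except OSError as exc:
        return f"{addr}:443 unreachable: {exc}"
    # Stage 3: authenticated OPTIONS, the request ExRCA reports sending.
    ctx = ssl.create_default_context()
    if not verify_tls:  # test lab only, like ExRCA's 'Ignore Trust for SSL'
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("OPTIONS", EAS_PATH, headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        return interpret(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    except (OSError, http.client.HTTPException) as exc:
        return f"TLS or HTTP failure talking to {host}: {exc}"
    finally:
        conn.close()

if __name__ == "__main__":
    import getpass, sys
    # Usage: python eas_check.py mail.example.com DOMAIN\\user
    print(check_activesync(sys.argv[1], sys.argv[2], getpass.getpass()))
```

Running it once with a working account and once with the failing one reproduces the comparison made above: if only the failing account gets the 401 result, the network path is fine and the account is the place to look.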

 

Looking at the Security Logs for the CAS Exchange Server, I found the following entry for one of the times I’d tried to connect as the problem user.    

     

    

 

I then remembered that this user was recently prevented from logging onto any computer except one – his desktop.  

Using ADUC (by choosing the Account tab in the user’s properties and clicking on the ‘Log On To’ button) to allow this user to also log on to the server has now resolved the problem.

 

    

 

I could connect as the user, using the ActiveSync tester.      

I should qualify that taking the above step does not allow the user to log on to the server directly.
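
Both account-side causes on this page, the expired password in Part II and the ‘Log On To’ restriction here, live in ordinary Active Directory attributes and can be evaluated together. The following is an added example, not code from the original posts: it works on attribute values you have already exported, the sample accounts and the server name CAS01 are constructed, and it assumes only the domain-wide maximum password age applies.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000   # ADUC checkbox 'Password never expires'
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ticks):
    """pwdLastSet is stored as 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def logon_blockers(user, max_pwd_age_days, cas_name, now):
    """List the account-side reasons the CAS would answer ActiveSync with 401."""
    reasons = []
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    if not uac & UF_DONT_EXPIRE_PASSWD:
        if user["pwdLastSet"] == 0:
            reasons.append("must change password at next logon")
        elif max_pwd_age_days > 0:   # 0 means passwords never expire
            expires = from_filetime(user["pwdLastSet"]) + timedelta(days=max_pwd_age_days)
            if now >= expires:
                reasons.append(f"password expired on {expires:%Y-%m-%d}")
    # 'Log On To' list (userWorkstations): empty means any computer. The logon
    # happens on the CAS, so the CAS name has to be on a non-empty list.
    allowed = {w.strip().upper() for w in user.get("userWorkstations", "").split(",")} - {""}
    if allowed and cas_name.upper() not in allowed:
        reasons.append(f"'Log On To' list excludes {cas_name}")
    return reasons

# Constructed sample accounts (names and dates are made up for illustration).
NOW = datetime(2010, 9, 1, tzinfo=timezone.utc)
SAMPLE = {
    "main":    {"userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
                "pwdLastSet": to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))},
    "shared1": {"userAccountControl": UF_NORMAL_ACCOUNT,
                "pwdLastSet": to_filetime(datetime(2010, 7, 1, tzinfo=timezone.utc))},
    "desk":    {"userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
                "pwdLastSet": to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc)),
                "userWorkstations": "DESKTOP01"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE.items():
        print(name, logon_blockers(attrs, 42, "CAS01", NOW) or "no blockers")
```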

 

The last stage is to get the iPhone Mail app working. It won’t just work like that, it would seem. This is what I’ve experienced in my Test Lab. Like me, you may need to make a change to the existing account, like re-enter the password, or delete and re-enter the account again.      

Once you’ve done this, and if your problem is similar to this one, it should all just work again.      

 

I hope that this guide was useful to you. The iPhone’s Mail App can fail for a number of reasons and this guide has a resolution for only one problem. But the steps outlined here are the way that I normally resolve most iPhone Mail problems. Take these troubleshooting steps and you will be much closer to resolving your particular problem.