Additional iPhone user cannot connect to Active Sync on Exchange 2010
Up until now, I have been the only user of active sync on our 2008R2 Exchange Server 2010 system. Everything works fine using my iPhone running OS4 and prior.
Have just got another user with iPhone, same basic model, but this fails to connect to the server when trying to look at emails. Error similar to 'Cannot connect to the server'.
I have looked at active sync and it is enabled for both of us and we both use the same default active sync profile.
If I put my login details into her iPhone, I can get at my emails. If I put her details into my iPhone, connection fails when trying to see mails. So it looks like it's not a phone error.
So I am at a loss. Everything validates when inputting/changing the settings, it's just when she tries to see mails (contacts and calendar I also expect and I have not seen any of her school contacts or events on her phone). If I purposely put in an incorrect email credential, it fails with invalid xyz as expected. I can also see what appears to be the phone successfully connecting through the Forefront TMG firewall.
What I have only limited knowledge of is the last leg of the connection to Exchange Server 2010. I assume it's something specific to the user. Apart from being only the second to attempt to use active sync, her profile differs slightly only by the prefix of her default email address not being the same as her login ID, whereas the prefix of my email address is the same as my login address. However, I have also tried her username as prefix of email address - an equally valid email address, but not default send. This does not work either. The other thing that she has is an additional connection to Google sync - basically Exchange server sync, but I believe that 2 Exchange syncs are allowed on iOS4, plus it does not explain why she cannot connect from my phone using her credentials and why I can connect on her phone using mine.
I'm sure it is probably just a setting in exchange server or somewhere that I need to check.
In active directory users and computers, go to view and tick advanced features, then on their user object properties go to security, advanced and tick use inheritable permissions. Give it 5 minutes and try again.
If this fails, go to https://www.testexchangeconnectivity.com/ and do an activesync test using their account and see what error you get.
How does the 'inheritable permissions' thing assist? Seems like it will have an impact far more ranging than Exchange server?
The website at first looked a great help, but unfortunately it appears not to cope with legitimate SSL certificate issues. We do not have an external SSL certificate for our servers, instead overriding the security prompt for the limited number of users who access the site remotely. Seems like there is no option in the test website to ignore certificate issues even if the potentially helpful "Ignore Trust for SSL" option is selected.
There are some permissions that Exchange 2010 activesync needs which unless you inherit permissions the account won't get them. It's not a security issue, the permissions should be inherited anyway, it's just it doesn't always take correctly, it's a known problem.
I've had some fun with iPhones over the last few weeks too - our setup 2008R2, Exchange 2010SP1 - managed to get them all working now. Should have stuck to WinMo6 like me
OS on phone had to be the latest - 4.1
Domain name needs to be the FQDN - if domain.school.com put this, not just school
The inheritable permissions has only affected us for accounts that are / have been domain admins
I tried the inheritable permissions change and it made no difference. Unfortunately the web-based troubleshooter does not work either due to certificate issues (that can be ignored on iPhone) so I have not been able to progress.
Any additional ideas?
It's definitely a profile-based thing as I can easily swap between two iPhones and two accounts and the problem follows the account. I had active sync on my iPhone working prior to iOS4 and it's the first attempt by a new active sync user after Exchange SP1.
When trying the inheritable permissions I also noticed lots of 'invalid accounts' or something (wording inexact as it was last week when I checked) under the security tab properties.
I now have this working. I don't know what I did any different to setting inheritable permissions on the user that did not work the first time. I did however spot an error in the server logs this morning and it gave me the security settings that I needed to check so I went through them and having checked inheritable permissions again (which oddly was not set - I think I set it back the first time as it appeared not to have worked), we have connectivity for that user.
Is this something that is likely to be required for all users that may need active sync or is there a single setting that I can tick at a higher OU to propagate the setting down through the users tree? Any reason why this is needed and is not the default - it worked for me without having to do anything.
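
The fix in this thread is applied per account, and one reply ties it to accounts that are or have been domain admins. As an added example that is not part of the original thread, this read-only PowerShell audit lists the users whose AD object has permission inheritance switched off, together with `adminCount`; the function name and the OU path are hypothetical, and it assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    [CmdletBinding()]
    param(
        # Hypothetical container; replace with the OU that holds your users.
        [string]$SearchBase = 'OU=Staff,DC=domain,DC=school,DC=com'
    )

    # nTSecurityDescriptor is the object's ACL. AreAccessRulesProtected is
    # $true when the "inheritable permissions" box from the thread is UNticked.
    Get-ADUser -SearchBase $SearchBase -Filter * `
               -Properties nTSecurityDescriptor, adminCount, Enabled |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                # adminCount = 1 marks an account that is, or once was, in a
                # protected group such as Domain Admins. While it is still a
                # member, AD re-applies the AdminSDHolder ACL periodically and
                # inheritance is switched off again after you tick the box.
                AdminCount         = $_.adminCount
                InheritanceBlocked = $true
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

# List affected accounts, protected-group accounts first.
Get-InheritanceBlockedUser |
    Sort-Object AdminCount -Descending |
    Format-Table SamAccountName, Enabled, AdminCount, DistinguishedName -AutoSize
```

Accounts listed with an empty `AdminCount` had inheritance removed by hand; those with `AdminCount` of 1 are better served by a separate non-privileged mailbox account than by repeatedly re-enabling inheritance on the admin account.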