Wednesday, April 30, 2014

Some users unable to connect with ActiveSync

So here’s one that had me stumped. I can’t get ActiveSync connections working for some users on some devices. I’ve found a lot of posts around the internet talking about it being an issue related to self-signed SSL certificates, but I don’t think that is what my problem is.
The environment:
  • 1 x Exchange 2013 running on Server 2012
  • 1 x Internal private Windows PKI handling certificates
  • 3 x Active Directory based user accounts
  • 2 x Windows RT Surface tablets
  • 1 x iPad Mini
  • 2 x PC running Windows 8
  • 1 x iPhone
  • 2 x Windows Phone 7
A fair collection of devices to compare the issue across.
So what does (or used to) work?
This used to be an Exchange 2010 environment until recently (see previous “Disaster” posts). It is now a “new” Exchange 2013 install after manually clearing out all the Exchange 2010 related config. When it was running under 2010, everything worked. All devices and all users could happily connect to Exchange and do mail stuff.
Now, we have the following:
  • Outlook (full desktop client) works fine for all users from a PC
  • ActiveSync using the Windows Phones and iPhone works fine for those three users (Me, Wife, Daughter)
  • OWA works fine for all users
  • My account works fine for ActiveSync on *all* devices
  • Wife and Daughter work fine on their phones (iPhone and WP7)
So where it goes pear-shaped is when I try to set up the accounts to connect using the Windows 8 Mail App from the tablets or from Windows 8 on the PC.
The *only* account that works is mine. Every other account just gets “Unable to connect. Ensure that the information you’ve entered is correct”. I’m using the same details that work on their phones, and the same details (server, domain etc.) that work for my account.
So what’s different? My account is not an admin account, just a standard user account the same as theirs. It does not have any permissions different to the other accounts at all. If I log on to the PC or Surface tablet using my logon, trying to configure Mail using Wife’s or Daughter’s account still fails, so I figure that rules out some kind of profile-specific setting or personal certificate issue. In fact, I have my account connected and working in Mail, and then try to add one of the others, and it makes no difference.
The setup in Exchange 2013 is the same for all accounts; I’ve tried disabling OWA and ActiveSync for those accounts and re-activating them. No change. Keep in mind that ActiveSync *does* work from their phones. We all have the same ActiveSync policy applied, and it has the same settings that were applied when it was Exchange 2010.
The *ONLY* thing I can recall that is different is that my account was created as a new account after Exchange 2013 was installed. (It was late, I accidentally deleted it instead of disabling it!). So thinking there is some “legacy” property stuck in their AD account I did a quick test.
I copied Daughter’s account and enabled it for mail, tried the connection and it worked. So now I’m going hunting through the fine details of AD properties to see where the differences are.
At least in my case, the problem doesn’t seem to be related to certificates at all. Phew.

SOLUTION

After some wild goose chases and dead-ends, it turns out to be a simple case of corrupted permissions. To resolve the issue you need to do some deleting using ADSIEdit.
WARNING: Only do this if you understand the implications of making a mistake when editing Active Directory information directly. If you don’t understand these steps, then STOP and ask someone to help you!
  1. Open ADSIEdit in the Default Naming Context
  2. Browse through the directory and locate the user object having problems
  3. If you look at the properties of the “ExchangeActiveSyncDevices” container under the user object, you will probably see some unknown SID security entries. If you do not, then you may have a different problem. The following steps won’t break anything, but they may not help.
  4. Select the CN=ExchangeActiveSyncDevices container and delete it. Yes, the whole thing.
  5. The next time a device attempts an ActiveSync connection, the container will be automatically recreated and the correct permissions applied.
  6. Go back to the devices that were unable to establish an ActiveSync connection and try them again.
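As an added example that is not from the original post, here is a PowerShell equivalent of the ADSIEdit check and deletion above: it lists the ACEs on a user’s ExchangeActiveSyncDevices container, flags trustees whose SID no longer resolves (the “unknown SID” entries), and only removes the container when explicitly forced. It assumes the RSAT ActiveDirectory module, rights to read and delete the object, and a placeholder account name.

```powershell
# Added example, not part of the original post. Assumes the RSAT
# ActiveDirectory module and rights to read (and delete) the user's
# CN=ExchangeActiveSyncDevices container. Account names are placeholders.
Import-Module ActiveDirectory

function Get-EasContainerAcl {
    # Returns one object per ACE on the container, flagging trustees whose
    # SID no longer resolves (the "unknown SID" entries ADSIEdit shows).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $containerDn = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"
    try {
        $null = Get-ADObject -Identity $containerDn -ErrorAction Stop
    } catch {
        Write-Warning "No ExchangeActiveSyncDevices container under $($user.DistinguishedName)"
        return
    }

    # Get-Acl through the AD: drive returns an ActiveDirectorySecurity object.
    $acl = Get-Acl -Path "AD:\$containerDn"
    foreach ($ace in $acl.Access) {
        # A resolvable trustee is shown as DOMAIN\Name; an orphaned one stays a raw SID.
        $orphaned = $ace.IdentityReference.Value -like 'S-1-*'
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Orphaned  = $orphaned
        }
    }
}

function Reset-EasContainer {
    # Deletes the container and its device partnerships (the ADSIEdit step above).
    # Runs as -WhatIf unless -Force is given; Exchange recreates it on the next sync.
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Force)

    $user = Get-ADUser -Identity $SamAccountName
    $containerDn = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"
    Remove-ADObject -Identity $containerDn -Recursive -Confirm:$false -WhatIf:(-not $Force)
}

# Usage (placeholder account): review the ACL first, then preview the reset
# only if orphaned ACEs exist; add -Force to actually delete the container.
$acl = Get-EasContainerAcl -SamAccountName 'daughter'
$acl | Format-Table -AutoSize
if ($acl | Where-Object Orphaned) { Reset-EasContainer -SamAccountName 'daughter' }
```

Devices that were unable to connect will re-partner on their next attempt, which recreates the container with fresh permissions, as step 5 describes.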