Exchange 2013/2010 ActiveSync Coexistence and iPhones

As a consultant I tend to perform more migrations in a year than most engineers will see in ten. Every few migrations I run into something that is not normal or expected. With Exchange 2013 I have run into more of these than in migrations to previous versions of Exchange, and ActiveSync in particular has caused me plenty of headaches. In Exchange 2013 and 2007 coexistence, ActiveSync has been a bit of a nightmare that is only now being sorted out by Microsoft. I have also done a few migrations from 2010, with fewer issues than from 2007.

On a recent upgrade we were prepping the environment for a final move to Exchange 2013. I say final because the client had moved from 2003 to 2010 in the spring (first removing old Exchange 5.5 references, including the ADC), cleaned out Exchange 2003, and now had a 2013 server to move to. We re-pointed AutoDiscover and client connections to the Exchange 2013 CAS server. OWA worked as expected, and so did Outlook. ActiveSync, however, refused to play correctly. My Windows Phone worked. Several Android and iPhone devices also seemed to work. But we had reports of other iPhones not working properly, and the head of the IT department was also having an issue with his phone.

The Issue
All mailboxes at this time were still on Exchange 2010 SP3. Certain, but not all, iPhone users were getting prompted for a password or complaining that the ActiveSync account could not be verified. I turned up diagnostic logging on Exchange 2010 and Exchange 2013. Reviewing the IIS logs, we could see that some users were getting “200 0” responses (sc-status 200, sc-substatus 0) from Exchange 2013 and then showing up in the Exchange 2010 logs with the same “200 0” response. The problem users, however, were getting “401 1” (401.1, logon failed), which usually points to an authentication issue.

If all the clients are the same, this is a rather confusing scenario. After reviewing the logs a bit longer I realized that the users who were able to log in had their login name listed in the cs-username field of the logs as “domain\user”, while the users who could not authenticate had just “domain”. Those that authenticated successfully (200 0) were proxied to Exchange 2010, where another successful authentication (200 0) with the same domain\username was logged by IIS. These users were able to sync mail and never noticed the problem.
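The log pattern described above is easy to pull out with a script rather than by eye. The following is an added example (not code from the original post): it parses IIS W3C log lines from the Exchange 2013 front end and reports ActiveSync requests that ended in 401 while carrying a cs-username with no DOMAIN\ prefix, grouped by client address and user agent. The log lines, the CONTOSO domain, the device IDs and the log path are all constructed for the example.

```powershell
# Added example, not from the original post: triage IIS W3C logs from the Exchange 2013
# CAS for ActiveSync requests that failed with 401 while the cs-username carried no
# DOMAIN\ prefix, the signature described in the post. All sample data is constructed.

function ConvertFrom-IisW3cLog {
    # Turns W3C-format log lines into objects keyed by the names in the #Fields: header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }                      # data before any header: skip
        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-EasLogonFailuresWithoutDomain {
    # Groups 401 responses on the ActiveSync vdir whose username contains no backslash.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries |
        Where-Object {
            $_.'cs-uri-stem' -like '/Microsoft-Server-ActiveSync*' -and
            $_.'sc-status'   -eq '401' -and
            $_.'cs-username' -ne '-' -and
            $_.'cs-username' -notmatch '\\'
        } |
        Group-Object -Property 'cs-username', 'c-ip', 'cs(User-Agent)' |
        ForEach-Object {
            $first = $_.Group[0]
            # The EAS User= query parameter says which mailbox the device was after,
            # even when the Basic credential itself could not be resolved.
            $queryUser = if ($first.'cs-uri-query' -match 'User=([^&]+)') { $Matches[1] } else { '-' }
            [pscustomobject]@{
                LoggedUser = $first.'cs-username'
                QueryUser  = $queryUser
                ClientIP   = $first.'c-ip'
                UserAgent  = $first.'cs(User-Agent)'
                SubStatus  = $first.'sc-substatus'
                Failures   = $_.Count
            }
        }
}

# Constructed sample: two good EAS requests, one OWA hit, and one iPhone failing twice with 401.1.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-11-04 14:02:11 10.0.0.5 POST /Microsoft-Server-ActiveSync User=user1&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 CONTOSO\user1 203.0.113.10 Apple-iPhone5C1/1102.55400001 200 0 0 1203
2013-11-04 14:02:15 10.0.0.5 POST /Microsoft-Server-ActiveSync User=user2&DeviceId=DEF456&DeviceType=iPhone&Cmd=Sync 443 CONTOSO 203.0.113.11 Apple-iPhone5C1/1102.55400001 401 1 0 31
2013-11-04 14:02:16 10.0.0.5 POST /Microsoft-Server-ActiveSync User=user2&DeviceId=DEF456&DeviceType=iPhone&Cmd=Sync 443 CONTOSO 203.0.113.11 Apple-iPhone5C1/1102.55400001 401 1 0 15
2013-11-04 14:02:20 10.0.0.5 GET /owa/ - 443 CONTOSO\user3 203.0.113.12 Mozilla/5.0 200 0 0 88
2013-11-04 14:02:22 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync User=user4&DeviceId=GHI789&DeviceType=WindowsPhone&Cmd=Options 443 CONTOSO\user4 203.0.113.13 MSFT-WP/8.0 200 0 0 40
'@

$entries = ConvertFrom-IisW3cLog -Lines ($sampleLog -split "`r?`n")
Find-EasLogonFailuresWithoutDomain -Entries $entries | Format-Table -AutoSize

# Against a live server, feed the current front-end log instead of $sampleLog, e.g.
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex131104.log'   (assumed default path)
```

On the constructed data only user2 is reported (two failures from 203.0.113.11, LoggedUser "CONTOSO", QueryUser "user2"); the OWA line and the Windows Phone request are ignored. Run it against the Exchange 2013 log first, since that is where the device authenticates; the same user appearing with a domain\user name in the 2010 log is the proxied, already-authenticated hop.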

Down the Rabbit Hole
Why were some users able to connect while others were not? Was it:

  • User account related?
  • Special group related (Administrators, Domain Admins, etc.)?
  • Specific permissions on their account?
  • A different ActiveSync policy?
  • Phone configuration?

After exploring much of the first four options, I received screenshots from two devices in an attempt to confirm a configuration issue; I had asked the users to recreate the mail profile on the phone to make sure it was not corrupt. The screenshots looked like this:

Screenshots: User1-ActiveSync, User2-ActiveSync (iOS Exchange account settings, Domain field empty on both)

Notice how both are missing the domain in the configuration. Although iOS labels the field optional, it really should not be. Every phone I have configured, either with AutoDiscover or manually, has had the domain filled in on the ActiveSync profile.

Is There a Solution / Workaround?
By default both Exchange 2010 and Exchange 2013 set IIS authentication on the ActiveSync virtual directory to Basic (the credentials travel in the Authorization header, which is why this directory must only be reachable over TLS). A user with the domain populated in the ActiveSync profile has no trouble making the initial connection to Exchange 2013 and then being proxied to Exchange 2010. A user who left the Domain field blank in the ActiveSync profile, however, will either get “cannot verify account” or be prompted constantly for a password, because the Basic credential arrives without a domain prefix. To get around this, change the Basic Authentication setting in IIS to specify a default domain:
First, open the Microsoft-Server-ActiveSync virtual directory in IIS Manager and double-click Authentication:

Screenshot: IISChange1

Click Basic Authentication and then click Edit on the right:

Screenshot: IISChange2

For Domain enter a backslash (\), and for Realm enter your domain name.

Screenshot: IISChange3

Once completed, run iisreset /noforce so IIS picks up the change.
iPhones without a domain in the profile should now be able to connect to their mailboxes through Exchange 2013.
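The same change can be scripted, which matters when there is more than one Exchange 2013 CAS and when the setting has to be reapplied later. The block below is an added example and not code from the original post: it sets the Basic-authentication default domain and realm on the front-end ActiveSync virtual directory with the WebAdministration module, shows the before and after values, and includes a check that sends an EAS OPTIONS request with a bare username. The site name "Default Web Site", the realm "contoso.local", the server name and the test account are assumptions; substitute your own.

```powershell
# Added example, not from the original post: apply the Basic-auth default domain to the
# Exchange 2013 front-end ActiveSync vdir from PowerShell instead of IIS Manager.
# 'Default Web Site', 'contoso.local' and the server/test user are assumed values.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'                       # authentication sections live in applicationHost.config
$location = 'Default Web Site/Microsoft-Server-ActiveSync'   # port-443 front end, not the 'Exchange Back End' site
$filter   = 'system.webServer/security/authentication/basicAuthentication'
$realm    = 'contoso.local'                                  # assumed; the realm is a label sent in the 401 challenge

function Get-EasBasicAuthSettings {
    # Reads the current Basic-auth attributes for the ActiveSync vdir.
    Get-WebConfiguration -Filter $filter -PSPath $appHost -Location $location |
        Select-Object enabled, defaultLogonDomain, realm
}

function Set-EasBasicAuthDefaultDomain {
    # '\' as the default domain makes IIS fall back to the web server's own domain
    # for usernames sent without one; any other value names an explicit domain.
    param([string]$DefaultDomain = '\', [string]$Realm)
    Set-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $location `
        -Name defaultLogonDomain -Value $DefaultDomain
    Set-WebConfigurationProperty -Filter $filter -PSPath $appHost -Location $location `
        -Name realm -Value $Realm
}

function Test-EasBareUsername {
    # Sends an EAS OPTIONS request with a bare (no domain) username. A 200 with an
    # MS-ASProtocolVersions header means IIS resolved the account after the change;
    # a 401 means the device would still be stuck in the password prompt loop.
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][pscredential]$Credential)
    try {
        $r = Invoke-WebRequest -Uri "https://$Server/Microsoft-Server-ActiveSync" `
            -Method Options -Credential $Credential -UseBasicParsing
        [pscustomobject]@{ Status = $r.StatusCode; Versions = $r.Headers['MS-ASProtocolVersions'] }
    } catch {
        [pscustomobject]@{ Status = $_.Exception.Response.StatusCode.value__; Versions = $null }
    }
}

'Before:'; Get-EasBasicAuthSettings
Set-EasBasicAuthDefaultDomain -DefaultDomain '\' -Realm $realm
'After:';  Get-EasBasicAuthSettings

# Recycle IIS so the front end picks the change up (same step as the GUI procedure).
iisreset /noforce

# Verify from a machine that trusts the server certificate, using a username with no domain:
#   Test-EasBareUsername -Server 'mail.contoso.local' -Credential (Get-Credential 'user2')
```

Run it on every Exchange 2013 CAS that clients reach. The backslash only helps accounts in the web server's own domain; users from another domain in the forest still need the DOMAIN\ prefix (or a UPN) in the profile. Check the setting again after a cumulative update, since Exchange setup rebuilds the virtual directories and custom IIS settings can be lost.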

In an ideal world this setting would not be needed, as users would have the proper domain entered either for them or by them. We do not live in an ideal world, however, and have to make compromises and workarounds.

Further Reading
Exchange Server 2013 Coexistence

As a side note, this article is not meant to pick on iPhones in particular; however, because the iOS ActiveSync setup lists the domain as optional, they are more likely to hit this issue than some other mobile platforms.

One thought on “Exchange 2013/2010 ActiveSync Coexistence and iPhones”

  1. Wow… This is EXACTLY the issue I was running into with an Exchange 2007 – 2013 coexistence/migration setup. This fixed the issue for all my iPhone users. Thank you!
