Exchange Server Forums

449 InvalidPolicyKey for Activesync 2007 SP3

449 InvalidPolicyKey for Activesync 2007 SP3 - 14.Aug.2014 9:34:22 AM   


Posts: 3
Joined: 14.Aug.2014
Status: offline

Hopefully some Exchange guru will be able to help me with this problem that MS can't even seem to get to the bottom of.

1x Exchange 2007 SP3 server on 2008 x64

Internal activesync FQDN https://server.domain.local/Microsoft-Server-Activesync
External activesync FQDN https://activesync.domain.com/Microsoft-Server-Activesync

Activesync Policy: (only enabled options)
Allow non-provisionable devices
Refresh (24hrs)
Require PW
Enable PW Recovery
Require Encryption on device
Require Encryption on storage card
Number of failed attempts: 5
Minimum PW length: 4
Time with user input: 1
Password Exp: 180
History: 15
Sync Cal: 2 wks
Sync Email: 2 wks
Limit msg: 50KB
Allow Direct Push
Allow HTML
Allow Attachments
Max Size 10240

Device Tab: Allow all
Advanced Tab: only Allow Browser and Allow consumer Mail

We use user cert based auth that happens against a Citrix Netscaler which performs Kerberos Constrained Delegation against the Exchange CAS server.

Certs etc are pushed out with an MDM solution.

Android Devices work fine and sync all mail/cal as expected.
iPhones (7.1.2) download the folder structure and some email content but then prompt for a password. The exact error is -

Password Required - Enter the password for the Exchange Account "Corp Exchange"

In the background behind the "popup" I can see some mail, though not recent.

Looking through the exchange IIS logs I can see that there is the following line -

2014-08-12 15:30:35 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync&Log=V121_LdapC0_LdapL0_RpcC10_RpcL31_Ers1_Pk0_Error:InvalidPolicyKey_ 443 DOMAIN\User1 HTTP/1.1 Apple-iPhone6C2/1104.257 449 0 0 31

Followed by quite a few 401 then 200 messages (as the auth happens I assume).

As I am getting my folder structure and Android devices are working I am sure that the Auth is working (what MS are currently blaming).

I've ensured that "Inheritable Permissions" are checked on my user account as I've seen this before.

Anyone have any other ideas?

Post #: 1
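An added example, not part of any post in this thread: a small parser for ActiveSync request lines in the layout quoted above, which breaks out the Log= diagnostic tokens and counts HTTP 449 responses per device so a failing iPhone can be compared against a working Android client. The field order is assumed from the single quoted line (check the #Fields header of the real log), reading Pk as the policy key the device sent is an assumption, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: line 1 is the line quoted in the post; lines 2 and 3
# and all of their values are made up for illustration.
SAMPLE_LOG = r"""2014-08-12 15:30:35 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync&Log=V121_LdapC0_LdapL0_RpcC10_RpcL31_Ers1_Pk0_Error:InvalidPolicyKey_ 443 DOMAIN\User1 HTTP/1.1 Apple-iPhone6C2/1104.257 449 0 0 31
2014-08-12 15:30:36 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=Ping 443 - HTTP/1.1 Apple-iPhone6C2/1104.257 401 2 5 15
2014-08-12 15:31:02 POST /Microsoft-Server-ActiveSync/default.eas User=User2@domain.local&DeviceId=androidc123&DeviceType=Android&Cmd=Sync&Log=V121_Pk123456_ 443 DOMAIN\User2 HTTP/1.1 Android/4.4 200 0 0 46
""".splitlines()

def parse_eas_line(line):
    """Parse one ActiveSync request line; returns None for headers/short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 13:
        return None
    # Assumed layout: f[4] is the query string, f[-4] is the HTTP status.
    query = {k: v[0] for k, v in parse_qs(f[4]).items()}
    diag = {}
    # Log= is a "_"-separated list of tokens such as Pk0 or Error:InvalidPolicyKey.
    for tok in filter(None, query.get("Log", "").split("_")):
        if ":" in tok:
            key, val = tok.split(":", 1)
        else:
            m = re.fullmatch(r"([A-Za-z]+)(\d+)", tok)
            key, val = m.groups() if m else (tok, "")
        diag[key] = val
    return {"user": query.get("User"), "device": query.get("DeviceId"),
            "type": query.get("DeviceType"), "cmd": query.get("Cmd"),
            "status": int(f[-4]), "diag": diag}

def summarize(lines):
    """Count requests, HTTP 449 responses and Error: values per device."""
    out = defaultdict(lambda: {"requests": 0, "449": 0, "errors": set()})
    for rec in filter(None, map(parse_eas_line, lines)):
        row = out[(rec["user"], rec["device"], rec["type"])]
        row["requests"] += 1
        row["449"] += rec["status"] == 449
        if "Error" in rec["diag"]:
            row["errors"].add(rec["diag"]["Error"])
    return dict(out)

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_LOG).items():
        print(key, row)
```
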
RE: 449 InvalidPolicyKey for Activesync 2007 SP3 - 14.Aug.2014 11:28:12 AM   


Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Does the device have multiple certificates installed on it from the domain? Have you tried with a new iPhone that has not been synced before?


Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator

(in reply to Big_Pete_L)
Post #: 2
RE: 449 InvalidPolicyKey for Activesync 2007 SP3 - 15.Aug.2014 7:49:45 AM   


Posts: 3
Joined: 14.Aug.2014
Status: offline

I've tried the device with internal and external certs on it. I've factory reset the device and only deployed the user cert from the MDM (the real end scenario) but all have the same issues.

I'd assumed that we had gotten past any authentication issues as I can see the mail in the background but that an ActiveSync policy was conflicting with the device and therefore causing the password request?

(in reply to de.blackman)
Post #: 3
