ActiveSync proxying return 0x85010014

ActiveSync proxying return 0x85010014 - 9.Apr.2009 5:43:06 AM   
y0sh2

 

Having a classic multi-site topology with appropriate roles as on this picture
http://msexchangeteam.com/photos/postpictures3/images/446915/original.aspx

The exact version of Exchange 2007 is 8.1 (build 240.6).

Users whose mailboxes are in the site with the internet-facing CAS (CAS1) can ActiveSync their devices (this is user1 in the picture).

Users whose mailboxes are in the site with a proxied CAS (CAS2) cannot ActiveSync; they get error 0x85010014 (this is user2 in the picture).

I've tried to sync the device of user2 from within the LAN, pointing it to CAS1, eliminating the possible ISA-side issues. With no success, the same error.

Clients are using WM5 and WM6 devices.

The possible issue is in the Client Security Context (CSC) for the SID of the user or the CAS1 or the user's device (don't know exactly whose SID).

The ActiveSync configuration on the internet-facing CAS is:
- InternalURL is set to
     https://CAS1.mydomain.local/Microsoft-Server-ActiveSync
- ExternalURL is set to
     https://as.extdomain.com/Microsoft-Server-ActiveSync
     (also tried with ExternalURL set to $null)
- on the IIS ActiveSync virtual directory: Basic and Integrated auth are selected
- CAS1 server is a member of
     Exchange Domain Servers
     Exchange Servers
     Domain Computers


The ActiveSync configuration on CAS2 is:
- ExternalURL is set to $null
- InternalURL is set to
     https://CAS2.subdomain.mydomain.local/Microsoft-Server-ActiveSync
- on the IIS ActiveSync virtual directory: only Integrated auth is selected
- CAS2 server is a member of
     Exchange Domain Servers
     Domain Computers

And here is a traffic dump between CAS1 and CAS2 at the moment when testuser (in the picture it is User2) tries to sync. (The bold text is a CAS1 packet, the normal text is a CAS2 packet, and the comments are italic.)
I posted the comments after each packet the way I understood what the servers are talking about.


At first the internet-facing CAS (CAS1) initiates the session to CAS2 without auth:

POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
X-ExCompId: AirSync
Cache-Control: no-cache
Accept-Language: en-us
MS-ASProtocolVersion: 2.5
X-MS-PolicyKey: 835105261
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
Content-Type: application/vnd.ms-sync.wbxml
User-Agent: MSFT-PPC/5.1.2000
Host: CAS2.subdomain.mydomain.local
Content-Length: 0
Connection: Keep-Alive



CAS2 didn't like it; it wants CAS1 (or the user?) to be authorized with NTLM:

HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 09 Apr 2009 07:31:06 GMT

<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
....bla-bla-bla...
<h1>You are not authorized to view this page</h1>
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
...bla-bla-bla...
</HTML>



The CAS1 understood its mistake and now tries to auth with NTLM:

POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
X-ExCompId: AirSync
Cache-Control: no-cache
Accept-Language: en-us
MS-ASProtocolVersion: 2.5
X-MS-PolicyKey: 835105261
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser

Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
Content-Type: application/vnd.ms-sync.wbxml
User-Agent: MSFT-PPC/5.1.2000
Authorization: Negotiate YIIE/AYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vRfnmo=
Host: CAS2.subdomain.mydomain.local
Content-Length: 0


CAS2 didn't like what CAS1 just said; it responded with a 441 error, which by YHAH post means "4. When attempting to connect to a proxy request, if the Second CAS returns a HTTP_441 response, it indicates that the Second CAS did not have the Client Security Context (CSC) for the SID that was passed. The First CAS will obtain the CSC, serialized into XML and issues a proxy login request."


HTTP/1.1 441
Date: Thu, 09 Apr 2009 07:31:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vI=
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 0


Then CAS1 continues the session with the AirSync ProxyLogin command. It wants to send a big bunch of data in several packets. And here is the first packet:


POST /Microsoft-Server-ActiveSync?cmd=ProxyLogin HTTP/1.1
X-ExCompId: AirSync
Content-Type: text/xml
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
Authorization: Negotiate YIIE....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....LFE=
Host: CAS2.subdomain.mydomain.local
Content-Length: 1123
Expect: 100-continue


The CAS2 server successfully accepted the 1st packet and allows CAS1 to continue:


HTTP/1.1 100 Continue


The CAS1 server continues:

<r at="" ln=""><s>S-1-5-21-2741877425-2279763447-2833650730-2407</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-513</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-842166729</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1143</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-3251</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1147</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2319</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1144</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1126</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2354</s><s a="7" t="1">S-1-5-21-2605551450-1472631703-919677652-3177</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-5085</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4617</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-2827</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4392</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4432</s></r>



Suddenly the CAS2 server interrupts the session with

HTTP/1.1 403 Forbidden
Date: Thu, 09 Apr 2009 07:31:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGhMIGeo....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....l5I=
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 0




That's it. The session is over. So who's to blame and what to do now?
Post #: 1
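
Added example, not part of the original post and not Exchange's own code: a small Python parser for the ProxyLogin request captured in post #1, which checks that the SID in X-EAS-Proxy matches the first `<s>` element of the body and classifies the remaining SIDs by domain. The function names are hypothetical, reading attribute `a` as the Windows SE_GROUP_* bitmask is an assumption (the values 7 and 3221225479 fit it), `t` is not interpreted, and the sample header and body are shortened from the capture.

```python
import xml.etree.ElementTree as ET

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network",
              "S-1-5-11": "Authenticated Users",
              "S-1-5-15": "This Organization"}  # fixed Windows SIDs
SE_GROUP_LOGON_ID = 0xC0000000  # Windows group-attribute flag

def domain_of(sid):
    """Domain part of an S-1-5-21-x-y-z-RID SID, or None for other SIDs."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None

def parse_proxy_login(x_eas_proxy, body):
    """Cross-check X-EAS-Proxy against the ProxyLogin body; classify SIDs."""
    header_sid, _, account = x_eas_proxy.partition(",")
    sids = ET.fromstring(body).findall("s")
    if not sids:
        raise ValueError("ProxyLogin body carries no <s> elements")
    user_sid = sids[0].text
    groups = []
    for s in sids[1:]:
        # Assumption: 'a' is the SE_GROUP_* attribute bitmask; 't' is ignored.
        attrs = int(s.get("a", "0"))
        if attrs & SE_GROUP_LOGON_ID == SE_GROUP_LOGON_ID:
            kind = "logon session"
        else:
            kind = WELL_KNOWN.get(s.text) or domain_of(s.text) or "other"
        groups.append((s.text, kind))
    home = domain_of(user_sid)
    domains = {domain_of(sid) for sid, _ in groups} - {None, home}
    return {"account": account,
            "sid_matches_header": header_sid.strip() == user_sid,
            "groups": groups,
            "foreign_domains": sorted(domains)}

# Header and body shortened from the capture in the post above.
HEADER = r"S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser"
BODY = ('<r at="" ln=""><s>S-1-5-21-2741877425-2279763447-2833650730-2407</s>'
        '<s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-513</s>'
        '<s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-11</s>'
        '<s a="3221225479" t="1">S-1-5-5-0-842166729</s>'
        '<s a="7" t="1">S-1-5-21-2605551450-1472631703-919677652-3177</s>'
        '<s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-5085</s></r>')

if __name__ == "__main__":
    for key, value in parse_proxy_login(HEADER, BODY).items():
        print(key, value)
```

On the shortened sample the header and body SIDs agree, and the group list includes SIDs from two domains other than the user's own.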
RE: ActiveSync proxying return 0x85010014 - 9.Apr.2009 11:15:23 PM   
y0sh2

 

Have rebooted the CAS servers and the problem is solved. That is strange; I've restarted IIS on the CAS servers with no result.

(in reply to y0sh2)
Post #: 2
