Exchange Server Forums
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
ActiveSync proxying return 0x85010014
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
ActiveSync proxying return 0x85010014 - 9.Apr.2009 5:43:06 AM
|
|
|
y0sh2
Posts: 8
Joined: 9.Apr.2009
Status: offline
|
Having a classic multi-site topology with appropriate roles as on this picture
http://msexchangeteam.com/photos/postpictures3/images/446915/original.aspx
the exact version of Exchange 2007 is 8.1 (build 240.6)
Users whose mailboxes are in the site with internet-facing CAS (CAS1) can Activsync their devices. (it is user1 on picture)
Users whose mailboxes are in the site with a proxied CAS (CAS2) cannot activsync with error 0x85010014. (it is user2 on picture)
I'v tried to sync the device of user2 from within the LAN, pointing it to CAS1, eliminating the possible ISA-side issues. With no suxxes, the same error.
Clients are using WM5 and WM6 devices
The possible issue is in Client Security Context (CSC) for the SID of the user or the CAS1 or the user's device(dont know exactly which ones sid)
The ActiveSync configuration on internet-facing CAS is:
- InternalURL is set to
https://CAS1.mydomain.local/Microsoft-Server-ActiveSync
- ExternalURL is set to
https://as.extdomain.com/Microsoft-Server-ActiveSync
(also tried with ExternalURL set to $null)
- on IIS ActiveSync vitrual directory: Basic and Integrated auth are selected
- CAS1 server is the member of
Exchange Domain Servers
Exchange Servers
Domain Computers
The ActiveSync configuration on CAS2 is:
- ExternalURL is set to $null,
- InternalURL is set to
https://CAS2.subdomain.mydomain.local/Microsoft-Server-ActiveSync
- on IIS ActiveSync vitrual directory: only Integrated auth is selected
- CAS2 server is the member of
Exchange Domain Servers
Domain Computers
And here is a traffic dump between CAS1 and CAS2 in the moment when testuser (on the picture it is User2) tries to sync: (The bold text is a CAS1 packet, the normal text- is a CAS2, and the comments are italic)
I posted the comments after each packet the way i understood what the servers are talking about.
at first time the internet-facing CAS (CAS1) is initiating the session to CAS2 without auth:
POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
X-ExCompId: AirSync
Cache-Control: no-cache
Accept-Language: en-us
MS-ASProtocolVersion: 2.5
X-MS-PolicyKey: 835105261
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
Content-Type: application/vnd.ms-sync.wbxml
User-Agent: MSFT-PPC/5.1.2000
Host: CAS2.subdomain.mydomain.local
Content-Length: 0
Connection: Keep-Alive
CAS2 didnt liked it, it want the CAS1 (or the user?) to be authorized with NTLM:
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 09 Apr 2009 07:31:06 GMT
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
....bla-bla-bla...
<h1>You are not authorized to view this page</h1>
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
...bla-bla-bla...
</HTML>
The CAS1 understood its mistake and now tries to auth with NTLM:
POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
X-ExCompId: AirSync
Cache-Control: no-cache
Accept-Language: en-us
MS-ASProtocolVersion: 2.5
X-MS-PolicyKey: 835105261
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
Content-Type: application/vnd.ms-sync.wbxml
User-Agent: MSFT-PPC/5.1.2000
Authorization: Negotiate YIIE/AYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vRfnmo=
Host: CAS2.subdomain.mydomain.local
Content-Length: 0
The CAS2 didnt like what CAS1 just sayed, it responded with 441 error wich by YHAH post means "4. When attempting to connect to a proxy request, if the Second CAS returns a HTTP_441 response, it indicates that the Second CAS did not have the Client Security Context (CSC) for the SID that was passed. The First CAS will obtain the CSC, serialized into XML and issues a proxy login request."
HTTP/1.1 441
Date: Thu, 09 Apr 2009 07:31:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vI=
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 0
The the CAS1 continue the session with AirSync proxylogin command. It want to send a big bunch of data in several packets. And here is the first packet:
POST /Microsoft-Server-ActiveSync?cmd=ProxyLogin HTTP/1.1
X-ExCompId: AirSync
Content-Type: text/xml
X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
Authorization: Negotiate YIIE....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....LFE=
Host: CAS2.subdomain.mydomain.local
Content-Length: 1123
Expect: 100-continue
The CAS2 server suxxessfully axepted the 1st packed and allows to continue:
HTTP/1.1 100 Continue
The CAS1 server contunues:
<r at="" ln=""><s>S-1-5-21-2741877425-2279763447-2833650730-2407</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-513</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-842166729</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1143</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-3251</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1147</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2319</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1144</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1126</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2354</s><s a="7" t="1">S-1-5-21-2605551450-1472631703-919677652-3177</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-5085</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4617</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-2827</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4392</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4432</s></r>
Suddently CAS2 server interrupts the session with
HTTP/1.1 403 Forbidden
Date: Thu, 09 Apr 2009 07:31:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGhMIGeo....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....l5I=
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Length: 0
thats it. the session is over. So whose' blame and what to do now?
|
|
|
|
|
RE: ActiveSync proxying return 0x85010014 - 9.Apr.2009 11:15:23 PM
|
|
|
y0sh2
Posts: 8
Joined: 9.Apr.2009
Status: offline
|
have rebooted the CAS servers and problem solved. That is strange, i'v restarted IIS'es on CAS servers with no result.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
