Exchange Server Forums
ActiveSync proxying return 0x85010014
ActiveSync proxying return 0x85010014 - 9.Apr.2009 5:43:06 AM
y0sh2
Posts: 8
Joined: 9.Apr.2009
Status: offline
I have a classic multi-site topology with the appropriate roles, as in this picture: http://msexchangeteam.com/photos/postpictures3/images/446915/original.aspx

The exact version of Exchange 2007 is 8.1 (build 240.6).

Users whose mailboxes are in the site with the internet-facing CAS (CAS1) can ActiveSync their devices (this is user1 in the picture).
Users whose mailboxes are in the site with a proxied CAS (CAS2) cannot ActiveSync, with error 0x85010014 (this is user2 in the picture).

I've tried to sync the device of user2 from within the LAN, pointing it to CAS1, eliminating the possible ISA-side issues. With no success, the same error.

Clients are using WM5 and WM6 devices.

The possible issue is in the Client Security Context (CSC) for the SID of the user or the CAS1 or the user's device (I don't know exactly whose SID).

The ActiveSync configuration on the internet-facing CAS is:
- InternalURL is set to https://CAS1.mydomain.local/Microsoft-Server-ActiveSync
- ExternalURL is set to https://as.extdomain.com/Microsoft-Server-ActiveSync (also tried with ExternalURL set to $null)
- on the IIS ActiveSync virtual directory: Basic and Integrated auth are selected
- the CAS1 server is a member of: Exchange Domain Servers, Exchange Servers, Domain Computers

The ActiveSync configuration on CAS2 is:
- ExternalURL is set to $null
- InternalURL is set to https://CAS2.subdomain.mydomain.local/Microsoft-Server-ActiveSync
- on the IIS ActiveSync virtual directory: only Integrated auth is selected
- the CAS2 server is a member of: Exchange Domain Servers, Domain Computers

And here is a traffic dump between CAS1 and CAS2 at the moment when testuser (in the picture it is User2) tries to sync.
(The bold text is a CAS1 packet, the normal text is a CAS2 packet, and the comments are italic.)
I posted the comments after each packet the way I understood what the servers are talking about.

At first the internet-facing CAS (CAS1) initiates the session to CAS2 without auth:

    POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
    X-ExCompId: AirSync
    Cache-Control: no-cache
    Accept-Language: en-us
    MS-ASProtocolVersion: 2.5
    X-MS-PolicyKey: 835105261
    X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
    Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
    Content-Type: application/vnd.ms-sync.wbxml
    User-Agent: MSFT-PPC/5.1.2000
    Host: CAS2.subdomain.mydomain.local
    Content-Length: 0
    Connection: Keep-Alive

CAS2 didn't like it; it wants CAS1 (or the user?) to be authorized with NTLM:

    HTTP/1.1 401 Unauthorized
    Content-Length: 1656
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Thu, 09 Apr 2009 07:31:06 GMT

    <HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
    ....bla-bla-bla...
    <h1>You are not authorized to view this page</h1>
    You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
    ...bla-bla-bla...
    </HTML>

CAS1 understood its mistake and now tries to auth with NTLM:

    POST /Microsoft-Server-ActiveSync?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync HTTP/1.1
    X-ExCompId: AirSync
    Cache-Control: no-cache
    Accept-Language: en-us
    MS-ASProtocolVersion: 2.5
    X-MS-PolicyKey: 835105261
    X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
    Referer: http://CAS1.mydomain.local/Microsoft-Server-ActiveSync/default.eas?User=testuser&DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC&Cmd=FolderSync
    Content-Type: application/vnd.ms-sync.wbxml
    User-Agent: MSFT-PPC/5.1.2000
    Authorization: Negotiate YIIE/AYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vRfnmo=
    Host: CAS2.subdomain.mydomain.local
    Content-Length: 0

CAS2 didn't like what CAS1 just said; it responded with a 441 error, which by YHAH post means "4. When attempting to connect to a proxy request, if the Second CAS returns a HTTP_441 response, it indicates that the Second CAS did not have the Client Security Context (CSC) for the SID that was passed. The First CAS will obtain the CSC, serialized into XML and issues a proxy login request."

    HTTP/1.1 441
    Date: Thu, 09 Apr 2009 07:31:09 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    WWW-Authenticate: Negotiate oYG....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....vI=
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Length: 0

Then CAS1 continues the session with the AirSync ProxyLogin command. It wants to send a big bunch of data in several packets. And here is the first packet:

    POST /Microsoft-Server-ActiveSync?cmd=ProxyLogin HTTP/1.1
    X-ExCompId: AirSync
    Content-Type: text/xml
    X-EAS-Proxy: S-1-5-21-2741877425-2279763447-2833650730-2407,subdomain\testuser
    Authorization: Negotiate YIIE....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....LFE=
    Host: CAS2.subdomain.mydomain.local
    Content-Length: 1123
    Expect: 100-continue

The CAS2 server successfully accepted the 1st packet and allows CAS1 to continue:

    HTTP/1.1 100 Continue

The CAS1 server continues:

    <r at="" ln=""><s>S-1-5-21-2741877425-2279763447-2833650730-2407</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-513</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-842166729</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1143</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-3251</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1147</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2319</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1144</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-1126</s><s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-2354</s><s a="7" t="1">S-1-5-21-2605551450-1472631703-919677652-3177</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-5085</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4617</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-2827</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4392</s><s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4432</s></r>

Suddenly the CAS2 server interrupts the session with:

    HTTP/1.1 403 Forbidden
    Date: Thu, 09 Apr 2009 07:31:09 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    WWW-Authenticate: Negotiate oYGhMIGeo....BLA-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH-BLAH....l5I=
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Length: 0

That's it. The session is over.
So who is to blame, and what to do now?
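
An added example, not part of the original post or of Exchange itself: a small Python parser for the ProxyLogin body quoted above, which lists each group SID with its decoded attributes and counts the SIDs that come from domains other than the user's own. Reading the `a` attribute as Windows SE_GROUP_* bits is an assumption, and the sample is a shortened, constructed copy of the posted XML.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows SE_GROUP_* bits (winnt.h); mapping the "a" attribute to them is an assumption.
SE_GROUP_FLAGS = {0x1: "MANDATORY", 0x2: "ENABLED_BY_DEFAULT", 0x4: "ENABLED",
                  0x8: "OWNER", 0x10: "USE_FOR_DENY_ONLY", 0x20000000: "RESOURCE"}
SE_GROUP_LOGON_ID = 0xC0000000

# Constructed sample: a shortened copy of the ProxyLogin body quoted in the post.
SAMPLE = (
    '<r at="" ln=""><s>S-1-5-21-2741877425-2279763447-2833650730-2407</s>'
    '<s a="7" t="1">S-1-5-21-2741877425-2279763447-2833650730-513</s>'
    '<s a="7" t="1">S-1-1-0</s>'
    '<s a="3221225479" t="1">S-1-5-5-0-842166729</s>'
    '<s a="7" t="1">S-1-5-21-2605551450-1472631703-919677652-3177</s>'
    '<s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-5085</s>'
    '<s a="7" t="1">S-1-5-21-200888222-685076124-4057346178-4617</s></r>'
)

def domain_of(sid):
    """Domain part of an S-1-5-21-a-b-c-RID SID, or None for well-known SIDs."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7])
    return None

def decode_attributes(value):
    """Turn the numeric attribute mask into a list of flag names."""
    names = []
    if value & SE_GROUP_LOGON_ID == SE_GROUP_LOGON_ID:
        names.append("LOGON_ID")
        value &= ~SE_GROUP_LOGON_ID
    return names + [name for bit, name in SE_GROUP_FLAGS.items() if value & bit]

def parse_context(xml_text):
    """Return (user_sid, [(group_sid, [flag names]), ...]); first <s> is the user."""
    entries = ET.fromstring(xml_text).findall("s")
    if not entries:
        raise ValueError("no <s> elements in security context")
    groups = [(e.text, decode_attributes(int(e.get("a", "0")))) for e in entries[1:]]
    return entries[0].text, groups

def foreign_domains(user_sid, groups):
    """Count group SIDs whose domain differs from the user's domain."""
    home = domain_of(user_sid)
    return Counter(d for sid, _ in groups if (d := domain_of(sid)) and d != home)

if __name__ == "__main__":
    user, groups = parse_context(SAMPLE)
    for sid, flags in groups:
        print(f"{sid:50} {'|'.join(flags)}")
    print(dict(foreign_domains(user, groups)))
```

Run against the full body from the capture, this shows at a glance which domains contribute group SIDs to the serialized context that CAS1 hands to CAS2.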
RE: ActiveSync proxying return 0x85010014 - 9.Apr.2009 11:15:23 PM
y0sh2
Posts: 8
Joined: 9.Apr.2009
Status: offline
Have rebooted the CAS servers and the problem is solved. That is strange, I've restarted IIS on the CAS servers with no result.