Connecting mobile devices to our new Exch 2010 install...HELP??


bcontento -> Connecting mobile devices to our new Exch 2010 install...HELP?? (6.Nov.2012 10:13:28 PM)

We were an SBS2003 house and have just stood up an entirely new domain including standard servers for AD (Server 2012) and Exchange 2010 (2008R2). I created all new accounts...nothing migrated. I got and installed a certificate for our domains/servers. Internal emails are working fine. External emails are flowing in and out.

MX records for the domain point to and that resolves an IP address in my firewall where I have NAT rules set up for SMTP, HTTPS.

My issue is connecting the mobile devices (WinPhones, Androids, iPhones, and Tablets). I have a WIN7 phone and can't get it to sync (it won't autodiscover settings...I have to enter everything). I've installed the certificates on the phone, but no luck. I have a user with an Android that used a third-party app to ALMOST connect. The app says it can't get a PUSH connection, but can do a request pull. The app indicates there is no ActiveSync policy applied (but it looks like there is one in the Exchange console).

I've tried all of the different testing functions I can; here are some results:

- I can hit the OWA from inside and outside the firewall both on desktops and mobiles (

- I run the ServerActiveSync tests from and get all green checks until:

Testing HTTP Authentication Methods for URL
The HTTP authentication test failed.

Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>

- OWA "about" info:

Mailbox owner: Bryce D. Contento []
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; Touch)
The required version of Silverlight is installed: Yes
Required version of Silverlight: 2.0.31005.0
Outlook Web App experience: Premium
User language: English (United States)
User time zone: (UTC-05:00) Eastern Time (US & Canada)
Exchange mailbox address: /o=CAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bryce D. Contento82a
Host address:
Version: 14.1.421.2
Host name:
S/MIME control: not installed
Exchange Client Access server name: CAS-EXCH.CASNET.CRAIGASMITH.COM
Exchange Client Access server .NET Framework version: 2.0.50727.5456
Client Access server operating system version: Microsoft Windows NT 6.1.7601 Service Pack 1
Client Access server operating system language: en-US
Client Access server version:
Client Access server language: en-US
Client Access server time zone: (UTC-05:00) Eastern Time (US & Canada)
Client Access server platform: 64bit
Mailbox server Microsoft Exchange version:
Other Microsoft Exchange server roles currently installed on the Client Access server: Mailbox, Hub Transport, Unified Messaging
Authentication type associated with this Outlook web application session: Kerberos
Public logon: No
Internal POP setting:
Port: 995
Encryption method: SSL
Internal IMAP setting:
Port: 993
Encryption method: SSL
Segmentation settings: fffffffeefc3ffff
Restricted functionality settings: fffffffeefc3ffff

- OWA options screen, where you click on "Settings for POP, IMAP, and SMTP access... " returns "Not Available" for all three

- I used the Exchange ActiveSync MD application and get this for the Autodiscover process:
Test #1:

Testing following Autodiscover address:
Response: The remote server returned an error: (401) Unauthorized.
Wrong username/password. May also occur if you're using a reverse proxy which performs authentication.
Could also be caused by authenticating with if Active Directory doesn't accept this.
Status: FAIL

Test #2:

Testing following Autodiscover address:
Status: PASS

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="">
<Response xmlns="">
<DisplayName>Bryce D. Contento</DisplayName>
Test #3:

Testing following Autodiscover address:
Response: The remote server returned an error: (403) Forbidden.
You are either running a non-provisionable device, or a provisionable device that haven't been provisioned yet.
First check: Tick off "Provisionable device" and run test again.
Second check Tick off "Support security policies" and run test again.
Status: Further action required


I'm at a real loss here as to what to do next. Any help is GREATLY appreciated!

de.blackman -> RE: Connecting mobile devices to our new Exch 2010 install...HELP?? (7.Nov.2012 8:06:33 AM)

Do you have the name registered on your certificate?

bcontento -> RE: Connecting mobile devices to our new Exch 2010 install...HELP?? (7.Nov.2012 8:16:47 AM)

Thanks for the reply. No, the autodiscover child domain is not on the cert yet.

Good news though. I found a post mentioning setting "inheritable permissions" on the user's account in AD/security and VOILA. My WinPhone synced! I also just heard one of my Android users is in!

iOS working!

Interesting note: once it gets to the point of connecting, the users are prompted to create a PIN number on their device.
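
An audit for the condition behind the fix reported above, added here as an example and not posted by anyone in the thread: it lists mailbox-enabled users whose AD security descriptor does not inherit permissions from the parent container. It assumes the ActiveDirectory RSAT module is available and that mailbox users carry the `homeMDB` attribute; the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

function Get-MailboxUserWithBlockedInheritance {
    param(
        # Assumption: search the whole domain unless an OU is given.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # homeMDB is populated for mailbox-enabled users.
    Get-ADUser -SearchBase $SearchBase `
               -LDAPFilter '(&(objectCategory=person)(objectClass=user)(homeMDB=*))' `
               -Properties nTSecurityDescriptor, adminCount |
        # AreAccessRulesProtected is $true when "Include inheritable
        # permissions from this object's parent" is unticked.
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } },
            # adminCount = 1 marks an account that is, or once was, in a
            # protected group; AdminSDHolder/SDProp manages its ACL.
            @{ Name = 'ProtectedAccount'; Expression = { $_.adminCount -eq 1 } },
            DistinguishedName
}

Get-MailboxUserWithBlockedInheritance |
    Sort-Object ProtectedAccount -Descending |
    Format-Table -AutoSize
```

Rows with `ProtectedAccount` set to True are privileged accounts: SDProp periodically re-applies the AdminSDHolder ACL and switches inheritance off again, so ticking the box on them does not last. Giving those administrators a separate, unprivileged mailbox account avoids both the sync failure and a mail-enabled admin identity.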
