Big_Pete_L -> 449 InvalidPolicyKey for Activesync 2007 SP3 (14.Aug.2014 9:34:22 AM)
Hopefully some Exchange guru will be able to help me with this problem that MS can't even seem to get to the bottom of.
1x Exchange 2007 SP3 server on 2008 x64
Internal activesync FQDN https://server.domain.local/Microsoft-Server-Activesync
External activesync FQDN https://activesync.domain.com/Microsoft-Server-Activesync
Activesync Policy: (only enabled options)
Allow non-provisionable devices
Enable PW Recovery
Require Encryption on device
Require Encryption on storage card
Number of failed attempts: 5
Minimum PW length: 4
Time with user input: 1
Password Exp: 180
Sync Cal: 2 wks
Sync Email: 2 wks
Limit msg: 50KB
Allow Direct Push
Max Size 10240
Device Tab: Allow all
Advanced Tab: only Allow Browser and Allow consumer Mail
We use user cert-based auth that happens against a Citrix NetScaler, which performs Kerberos Constrained Delegation against the Exchange CAS server.
Certs etc are pushed out with an MDM solution.
Android Devices work fine and sync all mail/cal as expected.
iPhones (7.1.2) download the folder structure and some email content but then prompt for a password. The exact error is -
Password Required - Enter the password for the Exchange Account "Corp Exchange"
In the background behind the "popup" I can see some mail, though not recent.
Looking through the Exchange IIS logs I can see that there is the following line -
2014-08-12 15:30:35 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync&Log=V121_LdapC0_LdapL0_RpcC10_RpcL31_Ers1_Pk0_Error:InvalidPolicyKey_ 443 DOMAIN\User1 10.1.1.1 HTTP/1.1 Apple-iPhone6C2/1104.257 449 0 0 31
Followed by quite a few 401 then 200 messages (as the auth happens I assume).
As I am getting my folder structure and Android devices are working I am sure that the Auth is working (what MS are currently blaming).
I've ensured that "Inheritable Permissions" are checked on my user account as I've seen this before.
Anyone have any other ideas?
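
HTTP 449 is the ActiveSync status that tells a client to send a Provision command before retrying, so one check is whether each device that received a 449 later completed a Provision request. The following is an added example, not part of the original post: it assumes the whole log uses the field order of the quoted line, and every sample line except the first is constructed.

```python
from urllib.parse import parse_qs

# Field order taken from the log line quoted in the post (assumed for the whole log).
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "version user_agent status substatus win32_status time_taken").split()

def parse_line(line):
    """Split one IIS log line and unpack the ActiveSync query string."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None  # header, blank line or unexpected layout
    rec = dict(zip(FIELDS, parts))
    query = {k: v[0] for k, v in parse_qs(rec["uri_query"]).items()}
    rec["device_id"] = query.get("DeviceId")
    rec["cmd"] = query.get("Cmd")
    # Log= is an underscore-separated token list; the error is carried as "Error:<name>".
    tokens = query.get("Log", "").split("_")
    rec["error"] = next((t.split(":", 1)[1] for t in tokens if t.startswith("Error:")), None)
    rec["status"] = int(rec["status"])
    return rec

def unprovisioned_devices(lines):
    """Map device id -> count of 449s not followed by a Provision request that got 200."""
    pending = {}
    for rec in filter(None, map(parse_line, lines)):
        dev = rec["device_id"]
        if rec["status"] == 449:
            pending[dev] = pending.get(dev, 0) + 1
        elif rec["cmd"] == "Provision" and rec["status"] == 200:
            pending.pop(dev, None)  # device re-provisioned, clear its 449s
    return pending

# First line is the one quoted in the post; the others are constructed for illustration.
SAMPLE = r"""
2014-08-12 15:30:35 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync&Log=V121_LdapC0_LdapL0_RpcC10_RpcL31_Ers1_Pk0_Error:InvalidPolicyKey_ 443 DOMAIN\User1 10.1.1.1 HTTP/1.1 Apple-iPhone6C2/1104.257 449 0 0 31
2014-08-12 15:30:36 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync 443 - 10.1.1.1 HTTP/1.1 Apple-iPhone6C2/1104.257 401 0 0 15
2014-08-12 15:30:37 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User1@domain.local&DeviceId=ApplF2LASD&DeviceType=iPhone&Cmd=FolderSync 443 DOMAIN\User1 10.1.1.1 HTTP/1.1 Apple-iPhone6C2/1104.257 200 0 0 46
2014-08-12 15:31:02 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User2@domain.local&DeviceId=androidc01&DeviceType=Android&Cmd=FolderSync 443 DOMAIN\User2 10.1.1.2 HTTP/1.1 Android/4.4.2 449 0 0 20
2014-08-12 15:31:03 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User2@domain.local&DeviceId=androidc01&DeviceType=Android&Cmd=Provision 443 DOMAIN\User2 10.1.1.2 HTTP/1.1 Android/4.4.2 200 0 0 62
2014-08-12 15:31:04 10.10.10.10 POST /Microsoft-Server-ActiveSync/default.eas User=User2@domain.local&DeviceId=androidc01&DeviceType=Android&Cmd=FolderSync 443 DOMAIN\User2 10.1.1.2 HTTP/1.1 Android/4.4.2 200 0 0 40
""".strip().splitlines()

if __name__ == "__main__":
    print(unprovisioned_devices(SAMPLE))
```

A device that stays in the result after a full sync attempt never re-provisioned, which narrows the search to the Provision exchange rather than the authentication path.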