Some users unable to connect with ActiveSync

Posted: February 14, 2013 in Exchange, Solved, Surface RT, Windows General
Tags: , , , , , , , ,

So here’s one that had me stumped. I can’t get ActiveSync connections working for some users on some devices. I’ve found a lot of posts around the internet talking about it being an issue related to self-signed SSL certificates, but I don’t think that is what my problem is.

The environment:

  • 1 x Exchange 2013 running on Server 2012
  • 1 x Internal private Windows PKI handling certificates
  • 3 x Active Directory based user accounts
  • 2 x Windows RT Surface tablets
  • 1 x iPad Mini
  • 2 x PC running Windows 8
  • 1 x iPhone
  • 2 x Windows Phone 7

A fair collection of devices to compare the issue across.

So what does/used to work?

This used to be an Exchange 2010 environment until recently (see previous “Disaster” posts). It is now a “new” Exchange 2013 install after manually clearing out all the Exchange 2010 related config. When it was running under 2010, everything worked. All devices and all users could happily connect to Exchange and do mail stuff.

Now, we have the following:

  • Outlook (full desktop client) works fine for all users from a PC
  • ActiveSync using the Windows Phones and iPhone works fine for those three users (Me, Wife, Daughter)
  • OWA works fine for all users
  • My account works fine for Activesync on *all* devices
  • Wife and Daughter work fine on their phones (iPhone and WP7)

So where it goes pear shaped is when I try to setup the accounts to connect using the Windows 8 Mail App from the tablets or from Windows 8 on the PC.

The *only* account that works is mine. Any of the other accounts just get “Unable to connect. Ensure that the information you’ve entered is correct”. I’m using the same details that work on their phones, and the same details (server, domain etc) that work for my account

So what’s different? My account is not an admin account, just a standard user account the same as theirs. It does not have any permissions different to the other accounts at all. If I logon to the PC or Surface tablet using my logon, trying to configure the mail using Wife or Daughter still fails, so I figure that rules out some kind of profile specific setting or personal certificate issue. In fact, I have My account connected and working in Mail, and then try to add one of the others and it makes no difference.

The setup in Exchange2013 is the same for all accounts, I’ve tried disabling OWA and ActiveSync for those accounts and re-activating it. No change. Keep in mind that ActiveSync *does* work from their phones. We all have the same ActiveSync policy applied, and it has the same settings that were applied when it was Exchange 2010.

The *ONLY* thing I can recall that is different is that my account was created as a new account after Exchange 2013 was installed. (It was late, I accidentally deleted it instead of disabling it!). So thinking there is some “legacy” property stuck in their AD account I did a quick test.

I copied Daughters account and enabled it for mail, tried the connection and it worked. So now I’m going to hunting through the fine details of AD properties to see where the differences are.

At least in my case, the problem doesn’t seem to be related to certificates at all. Phew.

SOLUTION

After some wild goose chases and dead-ends, it turns out it’s a simple corruption of permissions issue. To resolve the issue you need to do some deleting using ADSIEdit.
WARNING: Only do this if you understand the implications of making a mistake when editing Active Directory information directly. If you don’t understand these steps, then STOP and ask someone to help you!

  1. Open ADSIEdit in the Default Naming Context
  2. Browse through the directory and locate the user object having problems
  3. If you look at the properties of the “ExchangeActiveSyncDevices” container under the user object, you will probably see some unknown SID security entries. If you do not, then you may have a different problem. The following steps won’t break anything, but they may not help
    • activesync1
    • activesync2
  4. Select the CN=ExchangeActiveSyncDevices container and delete it. Yes, The whole thing.
    • activesync5
  5. The next time a device attempts an ActiveSync connection, the folder will be automatically recreated and the correct permissions applied
    • activesync3
    • activesync4
  6. Go back to the devices that were unable to establish an ActiveSync connection and try them again.
Comments
  1. jtharp2654 says:

    Mine was the good old “Inheritance” not enabled in the security tab on the user object. Enabled it and worked.

    • Scott says:

      That would also fix it I supppse, but I think the pemissions are usually direct and not inherited so that might be enabling more permissions than required. Ill have to look and compare to a new account to see if it has inheritence enabled by default. Either way, permissions are the root cause, and deleting the stub and allowing it to be re-created “clean” was my preferred approach.

  2. I just wanted to pop on here to thank you. I had one user that got a new iPhone yesterday and his phone would “setup” properly, but then nothing would sync. I didn’t have the issue with the invalid SID, but I decided to deleted the ActiveSync container in ADSI Edit regardless and then re-setup his iPhone (deleted the old and then re-added it) and BOOM! Success! Thanks again!

  3. Sam says:

    Thanks more than I can say! I tried Microsoft’s massive web site and tried several things I found from other sites, and none of them worked, but this appears to have fixed a nasty little issue some of our users had with their new iPhones. Thanks again!

  4. Omero says:

    You are just great =D!!
    I was searching a lot, because just the new iPhone-users coldn’t connect.
    Many Thanks!🙂

  5. Jason says:

    I can’t Find what your referring to in ADSIedit. Im stuck

  6. Junaid says:

    yuuuupppppppp
    resolved problem for me🙂 thanks dear alot of thanks

  7. GIle says:

    For worked when I enable inheritance on the user account on the ActiveSync container in ADSI Edit! Worked on iPhone, also worked on Android phones too.

    • Scott says:

      I went with deleting the whole branch so it could be re-created correctly with the permissions it was expecting to have. You might find that setting permissions individually like that will fix it for a while, but problems reappear later if something resets that permission.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s