ActiveSync Random Password Prompts Fixed

Some users were getting random prompts for passwords in ActiveSync on Windows Mobile 6.1 & 6.5 and Windows Phone 7. Environment: Exchange 2007, TMG and Kemp load balancers, but this problem showed up months after changing ISA 2006 to TMG. It seemed random. The error on ActiveSync was the generic:

Error:
please log in access was denied 0x85010002

In the TMG Monitoring you would see a denied connection on your ActiveSync rule with this status:

12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).

I first thought this was the HTTP session timeout that changed with the Kemp Loadbalancers.

I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA).  TMG is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).

The forms auth timeout was indeed affecting ActiveSync. To find it, open the web listener used by your ActiveSync rule, go to Properties > Forms tab > Advanced, and make sure “apply session timeout to non-browser clients” is unchecked.

ISA Web Listener Advanced Form Options

Migrating to Exchange 2010 & PDA Sync Issues

Some days ago I was testing some PDAs (Windows Mobile and Nokia) for an Exchange migration to Exchange 2010.

I created a little procedure to test it.

1. Sync the PDA first with ISA 2006 against Exchange 2007.

2. Shut down the ISA 2006 server.

3. Start the TMG server.

4. Check whether the PDA syncs. (The PDA should sync with legacy.wardvissers.nl automatically.)

5. Move the mailbox to Exchange 2010 and check again whether the PDA sync works.

 

Windows Mobile PDA (6.1).

1. Works fine

2.

3.

4. The PDA is redirected to legacy.wardvissers.nl and PDA sync works great. The user does not have to do anything.

5. Moving the mailbox to Exchange 2010 is no problem. The user is automatically redirected from legacy.wardvissers.nl to webmail.wardvissers.nl without any problems.

Nokia E71/E72 (Mail for Exchange Client 3.0.73)

1. Works fine

2.

3.

4. The PDA doesn’t sync anymore. The user must manually change the sync URL to legacy.wardvissers.nl; then it works again.

5. Moving the mailbox to Exchange 2010 is no problem. If you change the URL to legacy.wardvissers.nl, you must manually change it back.

Nokia E71/E72 (Road Sync 4.0/5.0)

1. Works fine

2.

3.

4. The PDA doesn’t sync anymore. The user must manually change the sync URL to legacy.wardvissers.nl; then it works again.

5. Moving the mailbox to Exchange 2010 is no problem. If you change the URL to legacy.wardvissers.nl, you must manually change it back.

Conclusion

Moving PDA users to Exchange 2010 can be a pain in the ass. Best practice is to create a list of all PDA users and move them to Exchange 2010 first, and then all other users.

The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server. Support Code: 80072F0D or 0x80072f0d

I had some Windows Mobile devices that did not sync anymore. I changed the certificates on the Exchange 2007 and ISA 2006 servers.

After some investigating, the problem was that I was missing the GlobalSign Domain Validation CA certificate.

After creating the .cer file and installing it on my PDA, ActiveSync works again.

Source:
http://support.microsoft.com/kb/927465

http://support.microsoft.com/kb/915438
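
The failure described above (a device that trusts the root but lacks the issuing CA certificate, so it cannot build the chain) can be reproduced offline with OpenSSL. This is an added example, not part of the original post; the CA names, the host name mail.example.test and the helpers `build_chain` and `chain_verifies` are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: all certificates are throwaway ones generated locally.

# Build root CA -> intermediate CA -> server certificate in directory $1.
build_chain() {
  local d="$1"
  # Minimal config so the demo does not depend on the system openssl.cnf.
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA: stands in for a root the device already trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
    -extensions ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: stands in for the issuing CA missing from the device.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  # Server certificate issued by the intermediate (the Exchange/ISA side).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=mail.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Exit 0 if srv.pem chains to the demo root. $2 (optional) is a file of
# intermediates the verifier has (installed on the device or sent by the server).
chain_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/srv.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
build_chain "$work"
chain_verifies "$work" && echo "root only: OK" || echo "root only: FAIL (issuer not found)"
chain_verifies "$work" "$work/int.pem" && echo "with intermediate: OK" || echo "with intermediate: FAIL"
rm -rf "$work"
```

Against a real listener, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the server actually sends; if the issuing CA is not among them, each device needs it installed, as in the fix above.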

FTP access through an ISA 2006 firewall

1. Firewall Policy -> New -> Access Rule

2.

3.

4. All Protocols -> FTP

5. Here I chose to allow everyone to use FTP, but you can of course restrict that.

6. We do of course want to FTP to the outside.

7. So you can restrict by user or by machine name.

8.

9. Then open the FTP rule.

10. Go to the Protocols tab.

11. Edit
12. Parameters tab
13. Clear the check box for FTP Access Filter under Application Filters.

There are several kinds of FTP commands. ISA Server does not recognize all of them, and they cannot be added manually either. That is why FTP does not work. Disabling the FTP Access Filter solves this problem.

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)

 

I had a small problem with ISA 2006. I kept getting the following error.

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250).

A colleague of mine, René Jorissen, also has a blog, called Booches. You can view his blog HERE.

He has written a nice ARTICLE in which the problem is solved.

The solution is as follows:
To allow Authentication over HTTP go to the Listener configuration. Go to the Authentication tab and Select Advanced. In the next tab enable the option Allow client authentication over HTTP.