Some users were getting random prompts for passwords in ActiveSync on Windows Mobile 6.1 & 6.5 en Windows Phone 7. Environment: Exchange 2007, and TMG and Kemp Load balancers, but this problem showed up months after changing ISA 2006 to TMG. It seemed random. The error on ActiveSync was the generic:
please log in access was denied 0×85010002
In the TMG Monitoring you would see a denied connection on your ActiveSync rule with this status:
12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).
I first thought this was the HTTP session timeout that changed with the Kemp Loadbalancers.
I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA). TMG is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).
The forms auth timeout was indeed affecting ActiveSync. To find it, look for the web listener of your ActiveSync rule, go to properties>Forms tab>Advanced> and make sure “apply session timeout to non-browser clients” is unchecked.