"Synchronization failed due to an error on the server” error message when you try to synchronize a mobile device with a Exchange 2000 server

When you try to use the Microsoft Server ActiveSync component of Microsoft Mobile Information Server 2002 to synchronize the Inbox folder, the Calendar folder, and the Contacts folder on your mobile device with a server that is running Microsoft Exchange 2000 Server, you receive the following error message on your mobile device:Note You may also receive an MIS_5 error during the synchronization of your mobile device.

This problem may occur if either of the following conditions is true:

• The Exchange virtual directory on the Exchange 2000 computer is not configured for Integrated Windows authentication.
• Kerberos is disabled on the Exchange 2000 computer.

The Server ActiveSync component that is included with Microsoft Mobile Information Server 2002 uses Kerberos authentication when it communicates with the Exchange 2000 computer. If the Exchange 2000 computer is not configured for Integrated Windows authentication, the Exchange 2000 computer returns a 401 error to the Mobile Information Server 2002 computer that is running Server ActiveSync, and then Server ActiveSync returns a 500 error to the mobile device. The Server ActiveSync component does not work correctly if Kerberos is disabled.

To resolve this problem, follow these steps:

1. Review the Microsoft Internet Information Services (IIS) log files on the Exchange 2000 computer where the mailboxes are located. (Typically, the IIS log files are located in the WinDir\System32\Logfiles\W3svc# folder.) Look for 401 errors. If you know which user account is experiencing the problem, you can search for the account name.
2. Use the Microsoft Network Monitor tool to capture network traffic from Mobile Information Server 2002.
   
   Note Capture analysis proceeds more smoothly if you have all the configuration information, including the IP addresses of the Mobile Information Server 2002 and the Exchange 2000 Server.
   
   In the Network Monitor captures, when you view the response from the Exchange 2000 computer to Mobile Information Server 2002, look for "401 Access Denied," "WWW-Authenticate: NTLM," and "WWW-Authenticate: Basic" messages in the hexadecimal pane. If a "401 Access Denied" or a "WWW-Authenticate: Basic" message is listed, there is an authentication problem.
   
   For more information about how to use the Network Monitor tool, click the following article numbers to view the articles in the Microsoft Knowledge Base:
   243270  (http://support.microsoft.com/kb/243270/ ) How to install Network Monitor in Windows 2000
   148942  (http://support.microsoft.com/kb/148942/ ) How to capture network traffic with Network Monitor
3. On the Exchange 2000 computer where the mailboxes are located, make sure that the Exchange virtual directory is set to Windows Integrated authentication. To do so, follow these steps:
   1. Start Exchange System Manager.
   2. Expand Servers, expand the Exchange 2000 computer name, expand Protocols, expand HTTP, and then expand Exchange Virtual Server.
   3. Right-click the Exchange folder, and then click Properties.
   4. Click the Access tab, click Authentication, and then click to select the Integrated Windows Authentication check box.
   5. Click OK two times.
      
      Note If you enable Integrated Windows authentication, the change typically takes from 5 to 15 minutes to replicate to IIS and for the IIS cache to be updated. To force immediate replication, you can restart the IIS Admin Service and all the Exchange 2000 services.
4. Check to see if the problem is resolved. If the problem still occurs, go to step 5.
5. On the Exchange 2000 computer where the mailboxes are located, make sure that the Exchange 2000 virtual server is not forcing Secure Sockets Layer (SSL) communication. To do so, follow these steps:
   1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
   2. Expand the server name, expand Default Web Site (or the appropriate Web site that contains the HTTP virtual server), right-click the Exchange folder, and then click Properties.
   3. Click the Directory Security tab, and then, click Edit under Secure communications.
   4. In the Secure Communications dialog box, make sure that the Require secure channel (SSL) check box is not selected.
6. Make sure that Kerberos is enabled on the Exchange 2000 computer. To verify that Kerberos is enabled, follow these steps.
   
   Note If you have previously followed the steps that are outlined in the Microsoft Knowledge Base article 215383 to disable Negotiate, Kerberos is disabled. If Kerberos is disabled, Exchange Server ActiveSync will fail.
   1. From a command prompt on the Exchange 2000 computer, change to the WinDir\Inetpub\AdminScripts folder.
   2. Type the following, and then press ENTER:
      cscript adsutil.vbs get w3svc/NTAuthenticationProviders
      If Kerberos is enabled, the "Negotiate,NTLM" response appears, and you can go to step 7.
   3. If the response is "NTLM" only, Kerberos is disabled. To enable Kerberos, type the following, and then press ENTER:
      
      
      cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
7. If the cscript adsutil.vbs get w3svc/NTAuthenticationProviders command returns the "Negotiate,NTLM" response, but Kerberos still does not work, make sure that Kerberos is enabled in the registry of the Exchange 2000 computer. To do so, follow these steps.
   
   Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
   1. Click Start, click Run, type regedt32 in the Open box, and then click OK.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   3. In the right pane, click the
      Security Packages
      registry entry.
   4. On the Edit menu, click Multi String. In the Data box, make sure that kerberos is listed as one of the values.
      
      If kerberos is not listed, create a new line at the beginning of the values, and then type kerberos.
      
      Note By default, the values in the Data box appear as follows:
      kerberos
      msv1_0
      schannel
   5. If you change the registry value, restart the Exchange 2000 computer.

For more information about Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:

For more information about IIS authentication, review Chapter 5 in Designing Secure Web-Based Applications for Microsoft Windows 2000. To read this sample chapter, visit the following Microsoft Web site: