Important: This article contains information about how to modify the
registry. Make sure to back up the registry before you modify it. Make sure
that you know how to restore the registry if a problem occurs. For more
information about how to back up, restore, and modify the registry, click the
following article number to view the article in the Microsoft Knowledge Base:
When you try to use the Microsoft Server ActiveSync component
of Microsoft Mobile Information Server 2002 to synchronize the Inbox folder,
the Calendar folder, and the Contacts folder on your mobile device with a
server that is running Microsoft Exchange 2000 Server, you receive the
following error message on your mobile device:
Synchronization failed due to an error on the server. Try again.
Error code: HTTP_500
Note: You may also receive an MIS_5 error during
the synchronization of your mobile device.
This problem may occur if either of the following conditions
The Exchange virtual directory on the Exchange 2000
computer is not configured for Integrated Windows authentication.
Kerberos is disabled on the Exchange 2000
The Server ActiveSync component that is included with Microsoft
Mobile Information Server 2002 uses Kerberos authentication when it
communicates with the Exchange 2000 computer. If the Exchange 2000 computer is
not configured for Integrated Windows authentication, the Exchange 2000
computer returns a 401 error to the Mobile Information Server 2002 computer
that is running Server ActiveSync, and then Server ActiveSync returns a 500
error to the mobile device. The Server ActiveSync component does not work
correctly if Kerberos is disabled.
Review the Microsoft Internet Information Services (IIS)
log files on the Exchange 2000 computer where the mailboxes are located.
(Typically, the IIS log files are located in the
folder.) Look for 401 errors. If you know which user account is experiencing
the problem, you can search for the account name.
Use the Microsoft Network Monitor tool to capture network
traffic from Mobile Information Server 2002.
Note: Capture analysis proceeds more smoothly if you have all the
configuration information, including the IP addresses of the Mobile Information
Server 2002 and the Exchange 2000 Server.
In the Network Monitor
captures, when you view the response from the Exchange 2000 computer to Mobile
Information Server 2002, look for "401 Access Denied," "WWW-Authenticate:
NTLM," and "WWW-Authenticate: Basic" messages in the hexadecimal pane. If a
"401 Access Denied" or a "WWW-Authenticate: Basic" message is listed, there is
an authentication problem.
For more information about how to use the Network
Monitor tool, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
How to capture network traffic with Network Monitor
On the Exchange 2000 computer where the mailboxes are
located, make sure that the Exchange virtual directory is set to Windows
Integrated authentication. To do so, follow these steps:
Start Exchange System Manager.
Expand Servers, expand the Exchange
2000 computer name, expand Protocols, expand
HTTP, and then expand Exchange Virtual
Right-click the Exchange folder, and
then click Properties.
Click the Access tab, click
Authentication, and then click to select the
Integrated Windows Authentication check box.
Click OK two times.
Note: If you enable Integrated Windows authentication, the change
typically takes from 5 to 15 minutes to replicate to IIS and for the IIS cache
to be updated. To force immediate replication, you can restart the IIS Admin
Service and all the Exchange 2000 services.
Check to see if the problem is resolved. If the problem
still occurs, go to step 5.
On the Exchange 2000 computer where the mailboxes are
located, make sure that the Exchange 2000 virtual server is not forcing Secure
Sockets Layer (SSL) communication. To do so, follow these steps:
Click Start, point to
Programs, point to Administrative Tools, and
then click Internet Services Manager.
Expand the server name, expand Default Web
Site (or the appropriate Web site that contains the HTTP virtual
server), right-click the Exchange folder, and then click
Click the Directory Security tab, and
then click Edit under Secure
In the Secure Communications dialog
box, make sure that the Require secure channel (SSL) check box
is not selected.
Make sure that Kerberos is enabled on the Exchange 2000
computer. To verify that Kerberos is enabled, follow these steps.
Note: If you have previously followed the steps that are outlined in
the Microsoft Knowledge Base article 215383 to disable Negotiate, Kerberos is
disabled. If Kerberos is disabled, Exchange Server ActiveSync will fail.
From a command prompt on the Exchange 2000 computer,
change to the WinDir\Inetpub\AdminScripts
Type the following, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
If Kerberos is enabled, the "Negotiate,NTLM"
response appears, and you can go to step 7.
If the response is "NTLM" only,
Kerberos is disabled. To enable Kerberos, type the following, and then press
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
If the cscript adsutil.vbs get w3svc/NTAuthenticationProviders command returns the "Negotiate,NTLM" response,
but Kerberos still does not work, make sure that Kerberos is enabled in the
registry of the Exchange 2000 computer. To do so, follow these
Warning: Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These problems
might require that you reinstall your operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own
Click Start, click
Run, type regedt32 in the
Open box, and then click OK.
Locate and then click the following registry subkey:
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
For more information about IIS
authentication, review Chapter 5 in Designing Secure Web-Based Applications for Microsoft Windows 2000. To read this sample chapter, visit the following Microsoft Web
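
The IIS log review from the troubleshooting steps above, as an added example (not part of the original article and not a Microsoft tool): a Python filter that pulls 401 responses under /exchange out of an IIS log and narrows them by account or client address. It assumes the logs use the W3C Extended format with the fields shown; the sample lines, IP addresses, domain and account names are constructed.

```python
from collections import Counter

# Constructed sample: addresses, domain and account names are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-15 10:02:11
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-01-15 10:02:11 192.0.2.10 - PROPFIND /exchange/jsmith/Inbox 401
2003-01-15 10:02:12 192.0.2.10 - SEARCH /exchange/jsmith/Calendar 401
2003-01-15 10:02:15 192.0.2.55 EXAMPLE\adavis GET /exchange/adavis/Inbox 200
2003-01-15 10:02:19 192.0.2.10 - PROPFIND /exchange/adavis/Contacts 401
2003-01-15 10:02:20 192.0.2.77 - GET /iisstart.asp 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def exchange_401s(records, account=None, client_ip=None):
    """Return 401 responses under /exchange, optionally narrowed by account or client."""
    hits = []
    for rec in records:
        parts = rec.get("cs-uri-stem", "").lower().split("/")
        if rec.get("sc-status") != "401" or len(parts) < 2 or parts[1] != "exchange":
            continue
        if client_ip and rec.get("c-ip") != client_ip:
            continue
        if account:
            # A request rejected before authentication is logged with cs-username "-",
            # so also match the mailbox segment of /exchange/<mailbox>/...
            user = rec.get("cs-username", "-").lower().split("\\")[-1]
            mailbox = parts[2] if len(parts) > 2 else ""
            if account.lower() not in (user, mailbox):
                continue
        hits.append(rec)
    return hits

def count_by_client(hits):
    """Count 401s per client IP, to compare against the Mobile Information Server address."""
    return Counter(rec["c-ip"] for rec in hits)

if __name__ == "__main__":
    hits = exchange_401s(parse_w3c(SAMPLE_LOG), account="jsmith")
    print(len(hits), dict(count_by_client(hits)))
```

Pass the IP address of the Mobile Information Server 2002 computer as `client_ip` to separate its failed requests from other clients' 401 responses.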