
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Notice
The Exchange Remote Connectivity Analyzer tool helps troubleshoot connectivity issues in a Microsoft Exchange Server deployment. The tool simulates several client logon and mail flow scenarios. When a test fails, many of the errors show troubleshooting tips that can help the IT Administrator resolve the problem.

To use this tool, visit http://go.microsoft.com/fwlink/?LinkId=154308.


For more information about the Exchange Server Remote Connectivity Analyzer (ExRCA) tool, visit the following Microsoft TechNet websites:
Symptoms
When you try to access a Microsoft Exchange Server 2003 computer by using Microsoft Office Outlook Mobile Access or Exchange ActiveSync, you experience connection or synchronization problems. Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on the Exchange back-end servers on which the user's mailbox is located. Exchange Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:
  • The Exchange virtual directory on an Exchange back-end server is configured to require SSL.
  • Forms-based authentication is enabled.
Note: These issues do not occur if these same conditions are true on the Exchange virtual directory on a front-end server.

When this issue occurs, you may experience one of the following symptoms in either Exchange Server ActiveSync or Outlook Mobile Access.

Symptoms in Outlook Mobile Access

  • You receive the following error message:
    Unable to connect to your mailbox on server Servername. Please try again later. If the problem persists contact your administrator.
    Additionally, the following error message is logged in the Application log in Event Viewer on the computer that is running Exchange Server:

    Date: Date
    Source: MSExchangeOMA
    Time: Time
    Category: (1000)
    Type: Error
    Event ID: 1805
    User: N/A
    Computer: ServerName

    Description: Request from user UserA@domain.com resulted in the Microsoft(R) Exchange back-end server <ServerName> returning an HTTP error with status code 403:Forbidden

    Response:
    Content-Length: 1409
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    MicrosoftOfficeWebServer: 5.0_Pub
    X-Powered-By: ASP.NET
    Date: Fri, 21 Feb 2003 02:25:34 GMT

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page must be viewed over a secure channel</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">

  • You receive the following error message:
    A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
    Additionally, the following error message is logged in the Application log in Event Viewer on the server that is running Exchange Server:

    Date: Date
    Source: MSExchangeOMA
    Time: Time
    Category: (1000)
    Type: Error
    Event ID: 1507
    User: N/A
    Computer: ServerName

    Description:
    An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.

    Stack trace:
    at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
    at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
    at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
    at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Error: Exception has been thrown by the target of an invocation.

    Stack trace:
    at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
    at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
    at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes) at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

    Inner Error: The remote server returned an error: (440) Login Timeout.

    Stack trace:
    at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
    at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
    at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)



Symptoms in Exchange ActiveSync

You receive the following error message:
Synchronization failed due to an error on the server. Try again. Error code: HTTP_500


Additionally, on a server that is running Exchange Server 2003 Service Pack 2 (SP2), the following events are logged in the Application log on the Exchange computer.

Event 1

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3029
Description: The mailbox server [%1] has its [%2] virtual directory set to require SSL. Exchange ActiveSync cannot access the server if SSL is set to be required.

For information about how to correctly configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:
817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
Event 2

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3030
Description: The mailbox server [%1] has forms based authentication enabled on its virtual server. Exchange ActiveSync cannot access the server when Forms based authentication is enabled.

For information about how to correctly configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:
817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
Event 3

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3031
Description: The mailbox server [%1] does not allow "Negotiate" authentication to its [%2] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.

For information about how to configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:
817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
For information about how to correctly configure Internet Information Services (IIS) to support Kerberos and NTLM authentication, click the following article number to view the article in the Microsoft Knowledge Base:
215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
This issue may occur after you install Microsoft Windows SharePoint Services on a computer that is running Exchange Server 2003. For information about how to correctly configure a server to run both Windows SharePoint Services and Exchange Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
823265 You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services
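
The events listed in the "Symptoms" section can be triaged mechanically. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it maps exported Application log entries to the back-end setting behind them. The function names and sample entries are constructed for illustration, and reading the 440 Login Timeout inner error as the forms-based authentication case is an inference.

```python
import re
from collections import Counter

REQUIRE_SSL = "back-end virtual directory requires SSL"
FBA_ENABLED = "forms-based authentication enabled on back-end server"
NO_NEGOTIATE = "Negotiate authentication not allowed on back-end virtual directory"
UNRELATED = "not an event described in this article"
# Exchange ActiveSync events (Exchange Server 2003 SP2) name the cause directly.
ACTIVESYNC_CAUSES = {3029: REQUIRE_SSL, 3030: FBA_ENABLED, 3031: NO_NEGOTIATE}


def field(name, entry):
    """Read a 'Name: value' header, with or without the 'Event ' prefix."""
    m = re.search(r"^\s*(?:Event )?" + re.escape(name) + r":[ \t]*(.*)$", entry, re.M)
    return m.group(1).strip() if m else ""


def classify(entry):
    """Map one exported Application-log entry to the misconfiguration behind it."""
    source, event_id = field("Source", entry), field("ID", entry)
    if source == "Server ActiveSync" and event_id.isdigit():
        return ACTIVESYNC_CAUSES.get(int(event_id), UNRELATED)
    if source == "MSExchangeOMA":
        # Event 1805: the back end answered 403 with the "secure channel" page.
        if event_id == "1805" and "403" in entry and "secure channel" in entry:
            return REQUIRE_SSL
        # Event 1507 + 440 Login Timeout: reading 440 as the forms-based
        # authentication case is an inference made for this example.
        if event_id == "1507" and "(440) Login Timeout" in entry:
            return FBA_ENABLED
    return UNRELATED


def triage(entries):
    """Count causes across entries, ignoring events the article does not cover."""
    causes = Counter(classify(e) for e in entries)
    causes.pop(UNRELATED, None)
    return dict(causes)


# Constructed sample entries in the two header layouts the article shows.
SAMPLE_ENTRIES = [
    "Source: MSExchangeOMA\nType: Error\nEvent ID: 1805\nDescription: HTTP error with "
    "status code 403:Forbidden\n<TITLE>The page must be viewed over a secure channel</TITLE>",
    "Source: MSExchangeOMA\nType: Error\nEvent ID: 1507\nDescription: An unknown error "
    "occurred.\nInner Error: The remote server returned an error: (440) Login Timeout.",
    "Event Type: Error\nEvent Source: Server ActiveSync\nEvent ID: 3029\nDescription: "
    "The mailbox server [%1] has its [%2] virtual directory set to require SSL.",
    "Event Type: Error\nEvent Source: Server ActiveSync\nEvent ID: 3031\nDescription: "
    "The mailbox server [%1] does not allow \"Negotiate\" authentication.",
]

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRIES))
```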
Resolution
To resolve this problem, use one of the following methods.

Note You do not have to perform either of the methods that are described in the "Resolution" section to configure a front-end server to require SSL and to enable forms-based authentication on the front-end server.

Note If you are running Microsoft Small Business Server 2003, the configurations that are described in Method 1 and in Method 2 in the "Resolution" section are automatically configured during setup. If you are receiving the errors that are described in the "Symptoms" section on Small Business Server 2003, run the Configure E-Mail and Internet Connection Wizard. The wizard should help you reconfigure the /Exchange virtual directory and forms-based authentication to work with Outlook Mobile Access and with Exchange ActiveSync.

Method 1

Install and configure an Exchange Server 2003 computer as a front-end server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
818476 You can configure either Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise Edition as a front-end server


Method 2

Important Method 2 should be used only in an environment that has no Exchange Server 2003 front-end server. The registry changes should be made only on the server on which the mailboxes are located.

Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Note These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.
Disable the forms-based authentication for the Exchange virtual directory
The secondary virtual directory for Exchange is based on a copy of the Exchange virtual directory (steps 1 through 7 of the following procedure), so make sure that forms-based authentication is disabled for the Exchange virtual directory before you make the copy. To do this, disable forms-based authentication in Exchange System Manager, and then restart Internet Information Services (IIS). Follow these steps:
  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type IISRESET /NOFORCE, and then press Enter to restart Internet Information Services (IIS).
Create a secondary virtual directory for Exchange server
You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these steps:

Create the virtual directory
  1. Start Internet Information Services (IIS) Manager.
  2. Locate the Exchange virtual directory. The default location is as follows:
    Web Sites\Default Web Site\Exchange
  3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
  4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
  5. Right-click the root of this website. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
  6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
  7. Under Select a configuration to import, click Exchange, and then click OK.

    A dialog box will appear that states that the "virtual directory already exists."
  8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.

Note If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma. The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.

Configure the virtual directory
  1. Right-click the new virtual directory. In this example, click exchange-oma, and then click Properties.
  2. Click the Directory Security tab.
  3. Under Authentication and access control, click Edit.
  4. Make sure that only the following authentication methods are enabled, and then click OK:
    • Integrated Windows authentication
    • Basic authentication
  5. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
  6. Click the option for Denied access, click Add, click Single computer, and then type the IP address of the server that you are configuring.
  7. Click OK two times.
  8. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
  9. Click OK, and then close IIS Manager.
  10. Click Start, click Run, type regedit, and then click OK.
  11. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters
  12. Right-click Parameters, point to New, and then click String Value.
  13. Type ExchangeVDir, and then press Enter. Right-click ExchangeVDir, and then click Modify.

    Note ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
  14. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
  15. Exit Registry Editor.
  16. Restart the IIS Admin service. To do this, follow these steps:
    1. Click Start, click Run, type services.msc, and then click OK.
    2. In the list of services, right-click IIS Admin service, and then click Restart.
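
Method 2 leaves a virtual directory that accepts Basic authentication without SSL, so the IP restriction from steps 5 through 7 is what keeps other hosts from reaching it. The following Python sketch is an added example, not part of the original article: it compares collected settings against the procedure. The function name, the input layout, and the 192.0.2.10 address are assumptions; the bit values are the IIS metabase values for AuthFlags and AccessSSLFlags.

```python
# IIS metabase bit values for the AuthFlags and AccessSSLFlags properties.
AUTH_BASIC, AUTH_NTLM = 0x2, 0x4          # AUTH_NTLM = Integrated Windows authentication
ACCESS_SSL, ACCESS_SSL128 = 0x8, 0x100    # either bit means a secure channel is required
REG_VALUE_NAME = "ExchangeVDir"           # the article treats this name as case-sensitive


def audit_method2(alias, auth_flags, ssl_flags, default_deny, excepted_ips,
                  server_ip, reg_values):
    """Compare collected settings with Method 2; return a list of findings."""
    findings = []
    if auth_flags != (AUTH_BASIC | AUTH_NTLM):
        findings.append("auth: enable only Integrated Windows and Basic authentication")
    if ssl_flags & (ACCESS_SSL | ACCESS_SSL128):
        findings.append("ssl: Require secure channel (SSL) must not be enabled")
    if not default_deny:
        findings.append("ip: default must be Denied access")
    elif set(excepted_ips) != {server_ip}:
        findings.append("ip: exception list must be the server's own IP address only")
    if REG_VALUE_NAME not in reg_values:
        near = [n for n in reg_values if n.lower() == REG_VALUE_NAME.lower()]
        findings.append("registry: value name %r has wrong case" % near[0] if near
                        else "registry: ExchangeVDir value is missing")
    elif reg_values[REG_VALUE_NAME] != "/" + alias:
        findings.append("registry: ExchangeVDir must be /" + alias)
    return findings


# Constructed inputs: one directory that follows the procedure, one that does not.
GOOD = dict(alias="exchange-oma", auth_flags=0x6, ssl_flags=0x0, default_deny=True,
            excepted_ips=["192.0.2.10"], server_ip="192.0.2.10",
            reg_values={"ExchangeVDir": "/exchange-oma"})
BAD = dict(alias="exchange-oma", auth_flags=0x7, ssl_flags=0x108, default_deny=False,
           excepted_ips=[], server_ip="192.0.2.10",
           reg_values={"exchangevdir": "/exchange-oma"})

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_method2(**cfg) or "matches Method 2")
```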

If you want to reuse Forms-based Authentication on the Exchange server, follow these steps to re-enable Forms-based Authentication on the /Exchange virtual directory in Exchange System Manager.
  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, click to select the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type IISRESET /NOFORCE, and then press Enter to restart Internet Information Services (IIS).
More information
To access the contents of a user's mailbox in Exchange Server 2003, the Microsoft-Server-ActiveSync and the Outlook Mobile Access virtual directories make an explicit DAV logon to the Exchange virtual directory. The call is similar to the following:
http://netbios_name_of_mailbox_server/exchange/mailbox_alias
The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories cannot access the contents of the user's mailbox if the Exchange virtual directory is configured to require SSL. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories only try to connect with the Exchange virtual directory over TCP port 80 (HTTP), not over TCP Port 443 (HTTPS).

Outlook Mobile Access tries to connect to the Exchange virtual directory by using all the following authentication methods:
  • Kerberos
  • NTLM
  • Basic
When you configure forms-based authentication on the Exchange Server 2003, the authentication method for the Exchange virtual directory is set to Basic authentication, and the default Domain is set to the backslash character. The Microsoft-Server-ActiveSync virtual directory can only connect to the Exchange virtual directory by using Kerberos authentication.

For information about issues related to Outlook Mobile Access (OMA) error messages, click the article numbers in the following list to view the article in the Microsoft Knowledge Base:
842023 You receive an error message when you try to create an email message, try to add a new contact, try to add a new task, try to create a new appointment in Outlook Mobile Access with Exchange Server 2003
898131 When you try to connect to an Outlook Mobile Access Web site on an Exchange 2003 computer, you may receive the "A System error has occurred while processing your request" error message
For information about issues that are related to Exchange ActiveSync (EAS) errors, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
886346 You receive an HTTP 500 error message when you synchronize your mobile device with Microsoft Exchange Server 2003
826974 "Synchronization failed due to an error on the server" error message when you try to synchronize a mobile device with an Exchange 2000 server
Properties

Article ID: 817379 - Last Review: 09/04/2013 08:26:00 - Revision: 24.0

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft ActiveSync 4.1
  • Microsoft ActiveSync 4.5
  • Windows Mobile 6.5 Standard