Microsoft KB Archive/817379

= Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003 =

Article ID: 817379

Article Last Modified on 11/29/2007


APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition
 * Microsoft ActiveSync 4.1




Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you try to access a Microsoft Exchange Server 2003 computer by using Microsoft Outlook Mobile Access or Exchange ActiveSync, you may experience one of the following symptoms.

Outlook Mobile Access
  You receive the following error message:

Unable to connect to your mailbox on server. Please try again later. If the problem persists contact your administrator.

Additionally, the following error message is logged in the Application log in Event Viewer on the Exchange computer:

Date:

Source: MSExchangeOMA

Time:

Category: (1000)

Type: Error

Event ID: 1805

User: N/A

Computer:

Description: Request from user UserA@domain.com resulted in the Microsoft(R) Exchange back-end server  returning an HTTP error with status code 403:Forbidden

Response:

Content-Length: 1409

Content-Type: text/html

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Date: Fri, 21 Feb 2003 02:25:34 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> The page must be viewed over a secure channel

  You receive the following error message:

A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.

Additionally, the following error message is logged in the Application log in Event Viewer on the Exchange computer:

Date:

Source: MSExchangeOMA

Time:

Category: (1000)

Type: Error

Event ID: 1507

User: N/A

Computer:

Description:

An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.

Stack trace:

at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

at System.Web.SessionState.SessionStateModule.CompleteAcquireState

at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)

at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Error: Exception has been thrown by the target of an invocation.

Stack trace:

at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)

at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)

at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Inner Error: The remote server returned an error: (440) Login Timeout.

Stack trace:

at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream

at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders

at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user) 

Exchange ActiveSync
You receive the following error message:

Synchronization failed due to an error on the server. Try again. Error code: HTTP_500

Exchange Server 2003
On a server that is running Exchange Server 2003 Service Pack 2 (SP2), the following events are logged in the Application log.

Event 1
Event Type: Error

Event Source: Server ActiveSync

Event Category: None

Event ID: 3029

Description: The mailbox server [%1] has its [%2] virtual directory set to require SSL. Exchange ActiveSync cannot access the server if SSL is set to be required.

For information about how to correctly configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:

817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Event 2
Event Type: Error

Event Source: Server ActiveSync

Event Category: None

Event ID: 3030

Description: The mailbox server [%1] has forms based authentication enabled on its virtual server. Exchange ActiveSync cannot access the server when Forms based authentication is enabled.

For information about how to correctly configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:

817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Event 3
Event Type: Error

Event Source: Server ActiveSync

Event Category: None

Event ID: 3031

Description: The mailbox server [%1] does not allow "Negotiate" authentication to its [%2] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.

For information about how to configure Exchange virtual directory settings, click the following article number to view the article in the Microsoft Knowledge Base:

817379 Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

For information about how to correctly configure Internet Information Services (IIS) to support Kerberos and NTLM authentication, click the following article number to view the article in the Microsoft Knowledge Base:

215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

This issue may occur after you install Microsoft Windows SharePoint Services on a server that is running Exchange Server 2003. For information about how to correctly configure a server to run both Windows SharePoint Services and Exchange Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

823265 You receive a "Page not found" error message when you use Outlook Web Access (OWA) to browse the Exchange Server 2003 client after you install Windows SharePoint Services



CAUSE
Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on Exchange back-end servers on which the user's mailbox is located. Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:
 * The /Exchange virtual directory on an Exchange back-end server is configured to require SSL.
 * Forms-based authentication is enabled.

This issue does not occur when you enable these settings on the /Exchange virtual directory on a front-end server.

Note You do not have to perform either of the methods that are described in the "Resolution" section to configure a front-end server to require SSL and to enable forms-based authentication on the front-end server.

Note If you are running Microsoft Small Business Server 2003, the configurations that are described in Method 1 and in Method 2 in the "Resolution" section are automatically configured during Setup. If you are receiving the errors that are described in the "Symptoms" section on Small Business Server 2003, run the Configure E-Mail and Internet Connection Wizard. The wizard should help you reconfigure the /Exchange virtual directory and forms-based authentication to work with Outlook Mobile Access and with Exchange ActiveSync.
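
A triage sketch for the events listed under Symptoms, added here as an example and not part of the original article or any Microsoft tool: it reads event text in the "Field: value" shape quoted above and returns the cause this article names. The function names, the `---` record separator and the sample records are constructed, and attributing 403 to the SSL requirement and 440 to forms-based authentication for the Outlook Mobile Access events is this example's assumption.

```python
import re

SSL = "back-end /Exchange virtual directory requires SSL"
FBA = "forms-based authentication is enabled on the back-end server"
NEG = "Negotiate authentication is not allowed on the virtual directory"
# Server ActiveSync events (Exchange Server 2003 SP2) name the cause directly.
ACTIVESYNC = {3029: SSL, 3030: FBA, 3031: NEG}
# OMA events are generic, so the HTTP status in the text decides. Pairing
# 403 with SSL and 440 with forms-based authentication is an assumption.
OMA = {(1805, "403"): SSL, (1507, "440"): FBA}

def triage(event_text):
    """Return (source, event_id, cause) for one event dump; cause may be None."""
    src = re.search(r"^(?:Event )?Source:\s*(.+?)\s*$", event_text, re.M)
    eid = re.search(r"^Event ID:\s*(\d+)\s*$", event_text, re.M)
    if not (src and eid):
        return None
    source, event_id = src.group(1), int(eid.group(1))
    if source == "Server ActiveSync":
        return source, event_id, ACTIVESYNC.get(event_id)
    if source == "MSExchangeOMA":
        # Status is written "status code 403:Forbidden" or "(440) Login Timeout".
        codes = re.findall(r"status code (\d{3})\b|\((\d{3})\)", event_text)
        for code in (a or b for a, b in codes):
            if (event_id, code) in OMA:
                return source, event_id, OMA[(event_id, code)]
    return source, event_id, None

def triage_log(log_text, separator="---"):
    """Split a dump on separator lines and triage each non-empty record."""
    records = (r for r in log_text.split(separator) if r.strip())
    return [t for t in map(triage, records) if t is not None]

# Constructed sample records, shaped like the event text quoted in this article.
SAMPLE_LOG = """\
Source: MSExchangeOMA
Event ID: 1805
Description: ... returning an HTTP error with status code 403:Forbidden
---
Source: MSExchangeOMA
Event ID: 1507
Inner Error: The remote server returned an error: (440) Login Timeout.
---
Event Source: Server ActiveSync
Event ID: 3031
---
Source: MSExchangeOMA
Event ID: 1507
"""
```

The last sample record is an event 1507 without a 440 status; it comes back with no cause, so unrelated Outlook Mobile Access failures are not attributed to forms-based authentication.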



RESOLUTION
To resolve this problem, use one of the following methods.

Method 1
Install and configure an Exchange Server 2003 computer as a front-end server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

818476 You can configure either Exchange Server 2003 Standard Edition or Exchange Server 2003 Enterprise Edition as a front-end server

Method 2
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Important Method 2 should be used only in an environment that has no Exchange Server 2003 front-end server. The registry changes should be made only on the server on which the mailboxes are located.

Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory. Steps 1 to 4 in the following procedure copy the existing Exchange virtual directory, so make sure that forms-based authentication is disabled for the Exchange virtual directory before you make the copy. Before you follow these steps, disable forms-based authentication in Exchange System Manager, and then restart IIS.

Additionally, you must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these steps.

Note These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.

 1. Start Internet Information Services (IIS) Manager.
 2. Locate the Exchange virtual directory. The default location is as follows:

    Web Sites\Default Web Site\Exchange

 3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
 4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
 5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
 6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
 7. Under Select a configuration to import, click Exchange, and then click OK.

    A dialog box will appear that states that the "virtual directory already exists."
 8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
 9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
 10. Click the Directory Security tab.
 11. Under Authentication and access control, click Edit.
 12. Make sure that only the following authentication methods are enabled, and then click OK:
    * Integrated Windows authentication
    * Basic authentication
 13. Under IP address and domain name restrictions, click Edit.
 14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
 15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
 16. Click OK, and then close the IIS Manager.
 17. Click Start, click Run, type regedit, and then click OK.
 18. Locate the following registry subkey:

 19. Right-click Parameters, point to New, and then click String Value.
 20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

    Note ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
 21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
 22. Quit Registry Editor.
 23. Restart the IIS Admin service. To do this, follow these steps:
    a. Click Start, click Run, type services.msc, and then click OK.
    b. In the list of services, right-click IIS Admin service, and then click Restart.

Note If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma.

The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.


MORE INFORMATION
To access the contents of a user's mailbox in Exchange Server 2003, the Microsoft-Server-ActiveSync and the Outlook Mobile Access virtual directories make an explicit DAV logon to the Exchange virtual directory. The call is similar to the following:

http:// /exchange/

The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories cannot access the contents of the user's mailbox if the Exchange virtual directory is configured to require SSL. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories only try to connect with the Exchange virtual directory over TCP port 80 (HTTP), not over TCP Port 443 (HTTPS).

Outlook Mobile Access tries to connect to the Exchange virtual directory by using all the following authentication methods:
 * Kerberos
 * NTLM
 * Basic

When you configure forms-based authentication on the Exchange Server 2003 computer, the authentication method for the Exchange virtual directory is set to Basic authentication, and the default domain is set to the backslash character. The Microsoft-Server-ActiveSync virtual directory can only connect to the Exchange virtual directory by using Kerberos authentication.

Additional query words: XCCC OMA FMA FBA

Keywords: kbtshoot kbprb KB817379


© Microsoft Corporation. All rights reserved.