Announcement

Collapse
No announcement yet.

Exchange ActiveSync / Integrated authentication

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Exchange ActiveSync / Integrated authentication

    Much thanks for amset.info. I have hit upon something that seems contradictory to me, however, when using the testexchangeconnectivity.com site.

    I have my IIS settings set as described here (Exchange 2003 section). The first 4 were already correct. This is the 5th one:
    /Microsoft-Server-ActiveSync: Integrated and Basic ONLY
    Mine was set only on Basic, which is the default.

    When I also checked Integrated, the test page spits back this warning (it still passes; it's only a warning):
    Testing Http Authentication Methods for URL https://mydomain.com/Microsoft-Server-Activesync/
    The test passed with some warnings encountered. The following authentication methods are enabled but are not allowed Authentication methods for this service. Methods: Negotiate, NTLM
    It brings up this help page, which says that "Integrated Windows Authentication is not a supported Authentication method for Exchange ActiveSync and can cause Windows Mobile Devices prior to Windows Mobile 6.0 to fail to connect."

    With Integrated UNchecked in IIS, however, which is the default, I get an outright failure:
    Attempting an Activesync session with server
    Errors were encountered while testing the ActiveSync session. Attempting to send OPTIONS command to server
    Testing the OPTIONS command failed. A Web Exception occured because an HTTP 401 - Unauthorized response was received from Unknown
    So I'm a little confused here. If Integrated is not supported, why is it recommended in the first place? Also, why is it the only way I can pass the test?

    Note: This is in support of an iPhone, however that may pertain. I also have the test set to "Ignore Trust for SSL," because we're still using a self-signed cert.

    SBS 2003 R2

    Thanks

  • #2
    Re: Exchange ActiveSync / Integrated authentication

    If its a Single exchange 2003 server then you need only basic authentication on Microsoft-Server-Activesync vdir

    Also if you are using formbased authentication(FBA) using SSL then below KB needs to be followed

    Mehod 2:-support.microsoft.com/kb/817379
    /Microsoft-Server-ActiveSync
    ________
    California medical marijuana
    Last edited by Dks; 13th March 2011, 00:22.
    Rgds,

    Dks
    MCP E2K3 & MCITP E2K7
    MCITP Enterprise Win2k8

    Comment


    • #3
      Re: Exchange ActiveSync / Integrated authentication

      It is a single and FBA (which is a default), but it's also part of SBS, and the article says SBS is already covered (thankfully, as that procedure looks hideous). Which makes sense, since I've seen many comments from people saying ActiveSync pretty much just works with SBS. I've yet to confirm that myself, and I have had to make the noted change to get testexchange not to balk.

      This still leaves all my questions, however, and adds another one: are you saying that if you have multiple Exchanges, then you need something more than Basic authentication, such as Integrated? Is testexchange wrong in saying it's not supported? It is recommended in the link I provided in the first message, so evidence seems to be mounting now.

      Comment


      • #4
        Re: Exchange ActiveSync / Integrated authentication

        SBS is only covered if you have SBS 2003 R2. Otherwise you have to do the procedure in 817379.

        The settings in my article linked to originally are the ones that I have used for some time, although it has only been recently that Microsoft have said that NTLM has caused problems. The article was actually updated months ago, but I never uploaded it.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.

        Comment


        • #5
          Re: Exchange ActiveSync / Integrated authentication

          OK, thanks. We do have R2 SP2.

          And I see that you updated your article, but the problem is if we have Microsoft-Server-ActiveSync on Basic ONLY, testexchange fails (all of the OPTIONS stuff as shown below cannot be performed).

          At least with the "unsupported" NTLM (which paradoxically seems to be necessary for us), it passes, albeit with a warning about NTLM.

          It mentions that it can cause Windows Mobile Devices prior to Windows Mobile 6.0 to fail to connect, but we don't have those devices. We'll be using iPhones with it, which hopefully won't be a problem but with my luck will be.

          Comment


          • #6
            Re: Exchange ActiveSync / Integrated authentication

            I usually suggest that you simply reset the virtual directories.
            http://support.microsoft.com/default.aspx?kbid=883380

            Then run the wizard so that SBS sets things up as it wants.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.

            Comment

            Working...
            X