Problems with Forms-Based Authentication and SSL in ActiveSync

Problems in Synchronizing a Pocket PC with Exchange Server 2003 when using SSL and Forms-Based Authentication in OWA

As written in my other article (How to Synchronize a Pocket PC with Exchange 2003?), Exchange Server 2003 has many new features tailored for mobile users. One of them is ActiveSync which can be used to establish a connection between your Pocket PC 2002 or 2003 and Exchange Server 2003. If you have an Internet connection on your PPC, you can ActiveSync your calendar, contacts and inbox wirelessly over the Internet.

However, if you’ve configured either SSL (read Configure SSL on OWA and Configure SSL on Your Website with IIS for more info) or Forms-Based Authentication (read Configuring Forms-Based Authentication in OWA and Exchange 2003 for more info), when you try to access a Microsoft Exchange Server 2003 computer by using Microsoft Outlook Mobile Access or Exchange ActiveSync, you may receive the following error message:

Synchronization failed due to an error on the server. Try again. Error code: HTTP_500

This issue can occur if the Exchange virtual directory in Microsoft Internet Information Server (IIS) is configured to accept only Secure Sockets Layer (SSL) connections or if Integrated Windows authentication is not enabled on the Exchange virtual directory. With Exchange ActiveSync, this issue can occur if forms-based authentication is enabled on the Exchange Server.

MS KB 817379 has more info and more error messages.

This occurs because ActiveSync and OMA virtual directories make an explicit DAV logon to the Exchange virtual directory. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories cannot access the contents of the user’s mailbox if the Exchange virtual directory is configured to require SSL. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories only try to connect with the Exchange virtual directory over TCP port 80 (HTTP), not over TCP Port 443 (HTTPS).

To resolve this problem, use one of the following methods.

Method #1 (not secure)

You can configure FBA not to use SSL. This configuration is not recommended for production environments because credentials and mailbox data would then travel in cleartext. If you would like to test this configuration, read the Using Forms-Based Authentication without SSL article.

Method #2 (expensive)

Install and configure an Exchange Server 2003 computer as a front-end server. Installing another server just for this purpose might be way over your budget. However if you already have a front-end server this solution might suit you. If not, read on.

Method #3 (easy and cheap)

Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory. You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these instructions:

Note: These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.

  1. Start Internet Information Services (IIS) Manager.

  2. Locate the Exchange virtual directory. The default location is the following:

Web Sites\Default Web Site\Exchange

  3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.

Important note: You must first disable Forms-Based Authentication from the ESM BEFORE you export the virtual directory. Also, you must disable SSL on the virtual directory BEFORE you export it. After exporting, you can re-enable FBA and SSL.

  4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.

  5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).

  6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.

  7. Under Select a configuration to import, click Exchange, and then click OK. A dialog box appears that states that the "virtual directory already exists."

  8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type ExchDAV. Click OK.

  9. Right-click the new virtual directory. In this example, click ExchDAV. Click Properties.

  10. Click the Directory Security tab.

  11. Under Authentication and access control, click Edit.

  12. Make sure that only the following authentication methods are enabled, and then click OK:

  • Integrated Windows authentication

  • Basic authentication

  13. Under IP address and domain name restrictions, click Edit.

  14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK. This denies every other host, so the new virtual directory, which does not require SSL, can be reached only by the ActiveSync and OMA virtual directories on the server itself.

  15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.

  16. Click OK, and then close the IIS Manager.

  17. Click Start, click Run, type REGEDIT, and then click OK.

  18. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

  19. Right-click Parameters, point to New, and then click String Value.

  20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

  21. In the Value data box, type the name of the new virtual directory that you created in step 8, preceded by a forward slash (/). For example, type /ExchDAV. Click OK.

  22. Quit Registry Editor.

  23. Restart the IIS Admin service. To do this, follow these steps:

     1. Click Start, click Run, type services.msc, and then click OK.

     2. In the list of services, right-click IIS Admin service, and then click Restart.
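The following script is an added verification aid, not part of the original article or of the Microsoft KB: it reads the IIS 6 metabase through ADSI and the registry to confirm that the secondary directory was set up as Method #3 describes. It assumes PowerShell is installed on the Exchange server, that Default Web Site has metabase ID 1, that the alias is ExchDAV, and that the server IP passed in is the one you granted in step 14.

```powershell
# Added check script (not from the article). Assumes IIS 6 ADSI provider, site ID 1,
# alias "ExchDAV", and that $ServerIp is this server's own address (sample value is constructed).
param(
    [string]$SiteId   = "1",
    [string]$NewVDir  = "ExchDAV",
    [string]$ServerIp = "192.0.2.10"
)

$failures = @()

# 1. The new directory must NOT require SSL, otherwise the DAV logon over port 80 still fails.
$vdir = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root/$NewVDir"
if ([bool]$vdir.Properties["AccessSSL"].Value) {
    $failures += "$NewVDir still requires SSL"
}

# 2. AuthFlags bitmask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM).
#    Only Basic and Integrated should be on; Anonymous must be off.
$auth = [int]$vdir.Properties["AuthFlags"].Value
if (($auth -band 1) -ne 0) { $failures += "Anonymous authentication is enabled on $NewVDir" }
if (($auth -band 6) -ne 6) { $failures += "Basic and Integrated Windows auth must both be enabled on $NewVDir" }

# 3. IP restriction must be deny-by-default with only this server granted, so the
#    plaintext directory is reachable only from the local ActiveSync/OMA directories.
$ipsec = $vdir.Properties["IPSecurity"].Value
if ($ipsec.GrantByDefault) {
    $failures += "IP restriction on $NewVDir is 'Granted access' by default"
}
$granted = @($ipsec.IPGrant) -join ","
if ($granted -notmatch [regex]::Escape($ServerIp)) {
    $failures += "Server IP $ServerIp is not in the granted list ($granted)"
}

# 4. The original Exchange directory should still require SSL for real clients.
$orig = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root/Exchange"
if (-not [bool]$orig.Properties["AccessSSL"].Value) {
    $failures += "Exchange virtual directory no longer requires SSL"
}

# 5. MasSync must point at the new directory, with the leading slash (step 21).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters"
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ExchangeVDir
if ($val -ne "/$NewVDir") {
    $failures += "ExchangeVDir registry value is '$val', expected '/$NewVDir'"
}

if ($failures.Count -eq 0) { "All checks passed" }
else { $failures | ForEach-Object { "FAIL: $_" }; exit 1 }
```

Run it after restarting the IIS Admin service; any FAIL line points at the step to revisit.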