The end-user reported that he had copied the settings from another iPhone user and he was able to get the Exchange account set up, but it would error out when he tried to send an email.
We had him delete the account and we went through the setup a second time; same results - no sendy no receivey
I attempted to reproduce the issue on an iPad I had available. I was able to create the account and confirmed that the security certificate was accepted correctly but still was unable to send or receive email.
Remotely accessed the client's Exchange 2010 email server and confirmed that the user's mailbox and Active Directory account looked correct when compared to a user who was using their iPhone successfully with the company's Exchange email. That user had 'Manage Mobile Phone' showing their iPhone had successfully made a partnership with Exchange via ActiveSync, but the account for the user I was working with did not show that any devices had been synced/partnered successfully. ARGH!
Things smarter people would do: with ActiveSync enabled correctly in Exchange/AD etc., this is where, if I was smarter, I would have gone directly to using the Microsoft Remote Connectivity Analyzer.
But ... Alas .. I didn't
The next thing I did was review the Event logs and found ActiveSync errors in the Application log.
I researched resolutions for the following error:
Source: MSExchange ActiveSync
Event ID: 1053
Task Category: Configuration
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
I applied a few fixes but was still having issues ... it was at this point inspiration hit and I started using the Microsoft Remote Connectivity Analyzer and was eventually able to get ActiveSync working on the iPad and then on the user's iPhone.
The Microsoft Remote Connectivity Analyzer linked me to this TechNet entry which fixed the issue:
“In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.
To check whether inheritance is disabled on the user:
- Open Active Directory Users and Computers.
- On the menu at the top of the console, click View then Advanced Features.
- Locate and right-click the mailbox account in the console, and then click Properties.
- Click the Security tab.
- Click Advanced.
- Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.”
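The same inheritance check can be done from PowerShell without clicking through the Security tab. This is an added example, not part of the original post or the TechNet article; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and a placeholder account name 'jdoe'. It is read-only and also reports adminCount, because accounts in protected admin groups have inheritance switched off by AdminSDHolder.

```powershell
# Added example: read-only check of ACL inheritance on a mailbox user's AD object.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0+ on a domain-joined host.
Import-Module ActiveDirectory

function Test-MailboxAclInheritance {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or distinguished name of the affected user
    )

    $user = Get-ADUser -Identity $Identity -Properties nTSecurityDescriptor, adminCount, MemberOf
    $sd   = $user.nTSecurityDescriptor

    # ACEs granted to the Exchange Servers group, and any Deny ACEs. The Event ID 1053
    # text says the Exchange Servers permissions must be inherited and not blocked.
    $exch = @($sd.Access | Where-Object { $_.IdentityReference -like '*\Exchange Servers' })
    $deny = @($sd.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        User                = $user.SamAccountName
        # True means "Include inheritable permissions from this object's parent" is cleared
        InheritanceDisabled = $sd.AreAccessRulesProtected
        # 1 means the account is (or was) in a protected admin group; AdminSDHolder
        # re-stamps the ACL on such accounts and turns inheritance off again
        AdminCount          = $user.adminCount
        ExchangeServersAces = $exch.Count
        InheritedExchAces   = @($exch | Where-Object { $_.IsInherited }).Count
        DenyAces            = $deny.Count
        MemberOf            = $user.MemberOf
    }
}

# 'jdoe' is a placeholder account name, not taken from the original post.
Test-MailboxAclInheritance -Identity 'jdoe' | Format-List
```

If InheritanceDisabled is True and InheritedExchAces is 0, the account matches the broken-inheritance case the TechNet text describes.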
So this brings me to my real point here: Be smarter than me ...
** Always use the Microsoft Remote Connectivity Analyzer FIRST to test for ActiveSync issues by default with the user’s email account and credentials **
Note: Admin accounts will not work with the Microsoft Remote Connectivity Analyzer or with ActiveSync at all. (Check to make sure the user having the issue is not a member of an administrators group in AD.)
I hope this information helps you resolve this issue faster than I did! :)