Re: SBS2003 - Active Sync - http_500



Hi,


Thank you for your detailed update.

As you mentioned Kerberos is disabled on the Exchange computer (it should
be enabled)
-----------------------------------
1. Make sure that Kerberos is enabled on the Exchange computer. To verify
that Kerberos is enabled, follow these steps.

Note If you have previously followed the steps that are outlined in the
Microsoft Knowledge Base article 215383 to disable Negotiate, Kerberos is
disabled. If Kerberos is disabled, Exchange Server ActiveSync will fail.
a. From a command prompt on the Exchange computer, change to the WinDir
\Inetpub\AdminScripts folder.
b. Type the following, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
If Kerberos is enabled, the "Negotiate,NTLM" response appears, and you can
go to step 2.
c. If the response is "NTLM" only, Kerberos is disabled. To enable
Kerberos, type the following, and then press ENTER:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"

2. If the cscript adsutil.vbs get w3svc/NTAuthenticationProviders command
returns the "Negotiate,NTLM" response, but Kerberos still does not work,
make sure that Kerberos is enabled in the registry of the Exchange 2000
computer. To do so, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

a. Click Start, click Run, type regedt32 in the Open box, and then click
OK.
b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
c. In the right pane, click the Security Packages registry entry.
d. On the Edit menu, click Multi String. In the Data box, make sure that
kerberos is listed as one of the values.

If kerberos is not listed, create a new line at the beginning of the
values, and then type kerberos .

Note By default, the values in the Data box appear as follows:
kerberos
msv1_0
schannel
e. If you change the registry value, restart the Exchange 2000 computer.


Also, please ensure the /INETSRV directory is excluded from being scanned
by AV.

The issue may be related to Antivirus/Backup application scanning the
following folders in Exchange Server. Please ensure the following folders
are excluded from the application scan list.

1. Exchange databases (default location: Exchsrvr\Mdbdata)
2. Exchange MTA files (default location: Exchsrvr\Mtadata)
3. Exchange temporary files: Tmp.edb
4. Additional log files (default location: Exchsrvr\server_name .log)
5. Virtual server folder (default location: Exchsrvr\Mailroot)
6. Site Replication Service (SRS) files (default location:
Exchsrvr\Srsdata)
7. Internet Information Service (IIS) system files (default
location:\Winnt\System32\Inetsrv)
8. Working folder for message conversion .tmp files. (default location:
Exchsrvr\Mdbdata)

For further test, you can temporarily remove the application to verify the
issue.


If the issue persists, please let me know the following questions on this
issue:

1. Please ensure you can access mailbox by OMA? For further test, please
access http://localhost/oma in Exchange Server itself and let me know the
result.

2. Do all the users have such issue or just specific users? For further
test, please create a new mail-enabled user and verify whether you can sync
PPC with this new mailbox.

3. Does the issue happen on a specific PPC or on all PPCs?

4. Collect the IIS metabase on Exchange Server and send to me:
v-chacez@xxxxxxxxxxxxx for further analysis:

1). On Exchange Server, install .NET Framework Version 1.1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en
2). Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en
3). Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.
4). In the left pane, right click "LM" (under your server computer name)
to choose "Export to file", and then save it as IIS.mbk.
5). Compress this mbk file and send it to me for analysis. Please let me
know the password if you set one on this IIS mbk file.

5. Please collect the IIS log on Exchange Server so that I can perform
further research:

1). On Exchange Server, open IIS MMC, right click Default Web Site and then
click Properties.
2). Click Website tab and then check Enable logging.
3). Stop the Default Website and RENAME the existing IIS log files under
C:\WINDOWS\system32\LogFiles\W3SVC1.
4). Restart the Default Website and reproduce the problem, which will
generate new IIS log file with the exact error.
5). Wait for a while so that IIS Log can be synced. And then go to the
following folder on Exchange Server: C:\WINDOWS\system32\LogFiles\W3SVC1.
6). Send me the log files to my working email address
v-chacez@xxxxxxxxxxxxxx. And please let me know the alias of the user who
encountered the issue.

7. For further test, please create a new test account and let me know the
following information.

- Credential of this test account
- The public URL of your Exchange Server
- Domain name

I will access the mailbox by OWA in my side to verify the issue. To keep
these confidential, please let me know by mail: v-chacez@xxxxxxxxxxxxxx


Hope this helps, if you have any additional concerns or need more help,
please do not hesitate to let me know.


Have a nice day!


Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "christoph fennel" <fennel@xxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: SBS2003 - Active Sync - http_500
| Date: Tue, 10 Oct 2006 10:04:07 +0200
|
| Hello,
|
| thank you for your time and your response. Let me answer your questions as
| follows:
|
| We are not using a front-end and back-end server. Just one SBS2003 with
| Exchange 2003.
| I verified that the /Exchange directory does not require SSL and that form
| based authentication is disabled through the Exchange System Manager.
| I also verified that the user's primary SMTP address matches the default
| recipient policy. I thought this problem doesn't occur when I've SP2
| installed for Exchange 2003 (KB Article 886346)
| As I already wrote, there is no ISA Server installed, so there's no reason
| for running the CEICW to forward port 443. Port 443 is forwarded on the
| router to the server. Anyway, I ran the CEICW several times without any
| positive results. I also have a test environment where active sync works
| without any problems, and I compared every IIS directory from the
| productive system, where active sync doesn't work, with the test server,
| where active sync works. So I'm absolutely clueless what to do next.
|
| best regards C. Fennel
|
| chace zhang wrote:
| > Hi,
| >
| > Thank you for posting here.
| >
| > I appreciate you taking time to write to me. From your post I
| > understand you encountered an http_500 error through ActiveSync. Is it
| > correct?
| >
| >
| > Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA)
| > use the /Exchange virtual directory to access OWA templates and DAV
| > on Exchange back-end servers on which the user's mailbox is located.
| > Server ActiveSync and OMA cannot access this virtual directory if
| > either of the following conditions is true:
| > o The /Exchange virtual directory on an Exchange back-end server is
| > configured to require SSL.
| > o Forms-based authentication is enabled.
| >
| >
| > In general, to publish ActiveSync, you just need to run the CEICW and
| > enable the firewall settings and make sure the 443 port is forwarded.
| > During CEICW wizard will create a new Exchange-oma directory. The
| > wizard should help you reconfigure the /Exchange virtual directory
| > and forms-based authentication to work with Outlook
| >
| > More info please refer to following article:
| > Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
| > forms-based authentication is required for Exchange Server 2003
| >
| > http://support.microsoft.com/default.aspx?scid=kb;[LN];817379
| >
| > In addition, the HTTP 500 error may also occur if the user account
| > you try to use for logon and use ActiveSync does not have an SMTP
| > address that matches the default domain name as the local path of the
| > Exchange Virtual Directory.
| >
| > To determine the appropriate SMTP address, follow these steps:
| >
| > 1. Start Exchange System Manager.
| >
| > 2. Browse to Servers/<server name>/Protocols/HTTP/Exchange Virtual
| > Server/Exchange.
| >
| > 3. Get properties of the Exchange virtual directory. This is the
| > default OWA virtual directory created during Exchange Server Setup.
| >
| > 4. On the General property ***, note the value from the field
| > labeled Exchange Path. An example of this value is "company.com
| > (default)." In this example, only users with an SMTP address ending
| > with @company.com can use the Exchange virtual directory to access
| > their mailboxes.
| >
| > If the SMTP e-mail address of your problematic user doesn't match the
| > default domain name, you need to go to Active Directory Users and
| > Computers to modify the Primary SMTP e-mail address for this user to
| > match the default SMTP domain, and then test to see if it works for
| > you.
| >
| >
| > More info:
| >
| > For your convenience, I list the detailed steps to configure CEICW
| > wizard:
| >
| > 1. On the Small Business Server 2003 computer, click "Start", and then
| > click "Server Management".
| >
| > 2. Expand "Standard Management", and then click "To Do List".
| >
| > 3. In the right pane, click "Connect to the Internet", and then click
| > "Next".
| >
| > 4. On the "Connection Type" page, click "Do not change connection
| > type", and then click "Next".
| >
| > 5. On the "Firewall page", click "Enable firewall", and then click
| > "Next". Important Do not click the "Do not change firewall
| > configuration" option.
| >
| > 6. If you receive the following message, click "OK":
| >
| > To ensure the proper configuration of ISA Server, existing custom
| > packet filters will be disabled. For information on how to re-enable
| > existing packet filters, see Small Business Server Help.
| >
| > 7. On the "Services Configuration" page, click to select the check
| > boxes of the additional services that you want to make available from
| > the Internet, and then click "Next".
| >
| > h. On the "Web Services Configuration" page, click "Allow access to
| > only the following Web site services from the Internet", click to
| > select the check boxes of the services and of the Web sites that you
| > want to make accessible from the Internet (i.e. Outlook Web Access,
| > Remote Web Workplace, Outlook Mobile Access, Outlook via the
| > Internet, Business Web site (wwwroot), etc.), and then click "Next".
| >
| > 8. On the "Web Server Certificate" page, click "Create a new Web
| > server certificate", type the Small Business Server computer's fully
| > qualified domain name in the "Web server" name box, and then click
| > "Next".
| >
| > [Important] The fully qualified domain name that you type in the "Web
| > server name" box must be the same name that you use to connect to
| > the Web site from the Internet. For example, if the URL that you use
| > to connect to a Microsoft Outlook Web Access Web site is
| > <<https://external.domain.com/exchange>>, type "external.domain.com"
| > (without the quotation marks) in the "Web server name" box.
| >
| > Note: If you don't have your own registered fully qualified domain
| > name (FQDN), we can input the "Public IP Address" (As you mentioned
| > the [valid IP address]).
| >
| > 9. On the Internet E-mail page shows, select "Enable Internet e-mail"
| > and click Next.
| >
| > 10. Select either "Use DNS to route e-mail" or "Forward all e-mail to
| > e-mail server at your ISP". If you select the latter, enter the ISP
| > SMTP server. Click Next.
| >
| > 11. Specify to receive e-mail using one or both of the following
| > methods:
| >
| > - POP3 Mailboxes
| > - Exchange
| >
| > Click Next.
| >
| > 12. Enter your e-mail domain name and click Next. The e-mail domain
| > name should match the mail exchanger (MX) resource record maintained
| > at your ISP. This must be a registered Internet domain name.
| >
| > 13. Go through the steps to finish the wizard.
| >
| >
| > 14. On the "Completing the Configure E-mail and Internet Connection
| > Wizard" page, view the configuration information to make sure that it
| > is correct, and then click "Finish".
| >
| > 825763 How to configure Internet access in Windows Small Business
| > Server 2003
| > http://support.microsoft.com/?id=825763
| >
| > A step by step explanation of the CEICW:
| > http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm
| >
| > Hope this helps, if you need more help on this issue, please do not
| > hesitate to let me know.
| >
| >
| > Best Regards,
| >
| > Chace Zhang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| >
| > --------------------
| >> From: "christoph fennel" <fennel@xxxxxxxxxxxxxxx>
| >> Newsgroups: microsoft.public.windows.server.sbs
| >> Subject: SBS2003 - Active Sync - http_500
| >> Date: Mon, 9 Oct 2006 14:16:51 +0200
| >>
| >> Hello Newsgroup,
| >>
| >> first excuse my english, because it's not my native language but I
| >> hope you will understand my problem.
| >> I've here a SBS2003 server with exchange 2003 (SP2) installed and a
| >> HP iPaq device with Windows Mobile 5 and I try to synchronize the
| >> device with the exchange server. After we solved some
| >> SSL-certificate problems I got always a http_500 error when I try to
| >> sync with the server. The following solution advices I already
| >> tried, but none helps:
| >>
| >> 1.. Windows Integrated Authentication is not enabled on the
| >> Exchange virtual directory on the Exchange server. The Server
| >> ActiveSync component uses Kerberos authentication when communicating
| >> with the Exchange server.
| >> 2.. Windows Integrated Authentication is enabled on the Exchange
| >> virtual directory on the Exchange server, but Kerberos is disabled
| >> via the IIS metabase.
| >> 3.. Kerberos is enabled, but IIS may return HTTP Status 401 every
| >> 30 Days when using Kerberos on Windows 2000.
| >> 4.. Sync is attempted while the mailbox is being moved.
| >> 5.. User attempting sync is a member of more than 200 groups.
| >> 6.. The Left Hand Side(LHS) and Right Hand Side(RHS) of the user's
| >> primary SMTP address are both different from the SMTP address based
| >> on the default recipient policy. (Fixed with Exchange 2003 Service
| >> Pack2)
| >> 7.. The Exchange virtual directory on the Exchange Server is
| >> configured to require Secure Sockets Layer (SSL). Server ActiveSync
| >> communicates with the Exchange Server over port 80.
| >> 8.. Windows SharePoint® has been installed on the Exchange server
| >> 9.. The user composes e-mail on the device and attempts a sync when
| >> mailbox limits have been reached on the Exchange server.
| >> 10.. Anonymous authentication is enabled on the
| >> Microsoft-Server-ActiveSync virtual directory on the server.
| >> 1. verified - that's not the problem
| >> 2. verified - that's not the problem
| >> 3. verified - that's not the problem
| >> 4. verified - that's not the problem
| >> 5. verified - that's not the problem
| >> 6. verified - that's not the problem SP2 installed
| >> 7. verified - that's not the problem
| >> 8. it is installed, I followed KB 832769 HOW TO: Configure Windows
| >> SharePoint Services to Use Kerberos Authentication
| >> 9. verified - that's not the problem
| >> 10. verified - that's not the problem
| >>
| >> I also disabled "formbased authentication" on the exchange, access to
| >> https://servername/exchange / https://servername/oma and
| >> https://servername/owa works from the PDA. Sadly I got no message in
| >> the eventlog about this problem.
| >> I set up a test environment and there I got no problems to sync the
| >> device. I've absolutely no idea what to try next.
| >> Here are the logs from the device and from the IIS:
| >>
| >> IIS-Log:
| >> 2006-10-09 10:32:47 MAINSERVER 192.168.16.2 OPTIONS /Microsoft-Server-ActiveSync User=administrator&DeviceId=052638325941A771A8000050BF1977E0&DeviceType=PocketPC&Log=VNATNASNC:0A0C0D0FS:0A0C0D0SP:0C0I0S0R0S0L0H 443 domänenname\administrator 194.29.XXX.X Microsoft-PocketPC/3.0 domänenname 200 0 0 587 353
| >> 2006-10-09 10:32:48 MAINSERVER 192.168.16.2 PROPFIND /exchange-oma/Administrator@domänenname.de/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/052638325941A771A8000050BF1977E0 - 80 - 192.168.16.2 Microsoft-Server-ActiveSync/6.5.7638.1 domänenname 302 0 0 366 453
| >> 2006-10-09 10:33:17 MAINSERVER 192.168.16.2 POST /Microsoft-Server-ActiveSync User=administrator&DeviceId=052638325941A771A8000050BF1977E0&DeviceType=PocketPC&Cmd=FolderSync&Log=V2TNASNC:0A0C0D0FS:0A0C0D0SP:1C1I459S0R0S0L0H0P 443 domänenname\administrator 194.29.XXX.X Microsoft-PocketPC/3.0 domänenname 500 0 0 313 451
| >>
| >> PDA-Log:
| >> =-= Build 15045 =-=
| >> =-= No XIP Information Available =-=
| >> domänenname
| >>
| >> =-=- [9/10/2006 11:19:43.0] -=-=
| >> =-=-=-= Client Request =-=-=-=
| >> OPTIONS Microsoft-Server-ActiveSync?User=administrator&DeviceId=052638325941A771A8000050BF1977E0&DeviceType=PocketPC
| >> Accept-Language: de
| >> MS-ASProtocolVersion: 2.0
| >>
| >> -=-=-=- Start of Body -=-=-=-
| >>
| >>
| >> =-=- [9/10/2006 11:19:48.0] -=-=
| >> =-=-=-= Server Response =-=-=-
| >> HTTP/1.1 200 OK
| >> Date: Mon, 09 Oct 2006 11:19:23 GMT
| >> Server: Microsoft-IIS/6.0
| >> MicrosoftOfficeWebServer: 5.0_Pub
| >> X-Powered-By: ASP.NET
| >> Pragma: no-cache
| >> Content-Length: 0
| >> Public: OPTIONS, POST
| >> Allow: OPTIONS, POST
| >> MS-Server-ActiveSync: 6.5.7638.1
| >> MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
| >> MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
| >>
| >>
| >>
| >> =-=- [9/10/2006 11:19:48.0] -=-=
| >> =-=-=-= Client Request =-=-=-=
| >> POST Microsoft-Server-ActiveSync?User=administrator&DeviceId=052638325941A771A8000050BF1977E0&DeviceType=PocketPC&Cmd=FolderSync
| >> Accept-Language: de
| >> MS-ASProtocolVersion: 2.0
| >> Content-Type: application/vnd.ms-sync.wbxml
| >>
| >> -=-=-=- Start of Body -=-=-=-
| >> <?xml version="1.0" encoding="utf-8"?><FolderSync
| >> xmlns="FolderHierarchy:"><SyncKey>0</SyncKey></FolderSync>
| >>
| >> =-=- [9/10/2006 11:20:30.0] -=-=
| >> =-=-=-= Server Response =-=-=-
| >> HTTP/1.1 500 Internal Server Error
| >> Date: Mon, 09 Oct 2006 11:20:06 GMT
| >> Server: Microsoft-IIS/6.0
| >> MicrosoftOfficeWebServer: 5.0_Pub
| >> X-Powered-By: ASP.NET
| >> Pragma: no-cache
| >> Content-Type: text/html
| >> Content-Length: 56
| >> MS-Server-ActiveSync: 6.5.7638.1
| >>
| >>
| >> Maybe some of you have another idea.
| >>
| >> best regards C. Fennel
|
|
|
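
Added example, not part of the thread and not Microsoft tooling: once the fresh W3SVC1 log requested above exists, a short Python script can list every failed ActiveSync request together with the back-end DAV requests that the server's own ActiveSync component made for the same device. The sample log is constructed in the layout of the lines quoted in the original post; the host names, users and device IDs are made up, and the field order is taken from the `#Fields:` line, which is assumed to be present in the file.

```python
"""Added example: list failed ActiveSync requests from an IIS W3C log."""
from urllib.parse import parse_qs

# Constructed sample (made-up host, users and device IDs) in the layout of the
# log lines quoted in the thread. The last line is deliberately truncated.
SAMPLE_LOG = r"""
#Fields: date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2006-10-09 10:32:47 SRV01 192.168.0.2 OPTIONS /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV0001&DeviceType=PocketPC 443 EXAMPLE\alice 203.0.113.7 Microsoft-PocketPC/3.0 mail.example.test 200 0 0 587 353
2006-10-09 10:32:48 SRV01 192.168.0.2 PROPFIND /exchange-oma/alice@example.test/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/DEV0001 - 80 - 192.168.0.2 Microsoft-Server-ActiveSync/6.5.7638.1 srv01 302 0 0 366 453
2006-10-09 10:33:17 SRV01 192.168.0.2 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=DEV0001&DeviceType=PocketPC&Cmd=FolderSync 443 EXAMPLE\alice 203.0.113.7 Microsoft-PocketPC/3.0 mail.example.test 500 0 0 313 451
2006-10-09 10:35:02 SRV01 192.168.0.2 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=DEV0002&DeviceType=PocketPC&Cmd=Sync 443 EXAMPLE\bob 203.0.113.9 Microsoft-PocketPC/3.0 mail.example.test 200 0 0 912 640
2006-10-09 10:35:40 SRV01 192.168.0.2 POST /Microsoft-Server-Acti
"""


def parse_w3c(text):
    """Yield one dict per complete request line, keyed by the #Fields names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # IIS repeats this after a restart
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):   # drop truncated lines
                yield dict(zip(fields, values))


def activesync_failures(text, stem="/Microsoft-Server-ActiveSync"):
    """Return each 5xx ActiveSync request with the back-end DAV calls for its device."""
    records = list(parse_w3c(text))
    # Requests the server-side ActiveSync component itself sent to the mailbox store.
    backend = [r for r in records
               if r.get("cs(User-Agent)", "").startswith("Microsoft-Server-ActiveSync/")]
    failures = []
    for r in records:
        if r.get("cs-uri-stem", "").lower() != stem.lower():
            continue
        if not r.get("sc-status", "").startswith("5"):
            continue
        query = parse_qs(r.get("cs-uri-query", ""))
        device = query.get("DeviceId", ["?"])[0]
        when = (r.get("date", ""), r.get("time", ""))
        # Back-end calls whose path names this device, up to the failure time.
        related = [(b.get("cs-method"), b.get("cs-uri-stem"), b.get("sc-status"))
                   for b in backend
                   if device in b.get("cs-uri-stem", "")
                   and (b.get("date", ""), b.get("time", "")) <= when]
        failures.append({
            "when": " ".join(when),
            "user": query.get("User", ["?"])[0],
            "device": device,
            "cmd": query.get("Cmd", ["?"])[0],
            "status": r["sc-status"],
            "backend": related,
        })
    return failures


if __name__ == "__main__":
    for f in activesync_failures(SAMPLE_LOG):
        print(f["when"], f["user"], f["device"], f["cmd"], "->", f["status"])
        for method, uri, status in f["backend"]:
            print("   back-end", method, status, uri)
```

To use it on a real file, pass the contents of the newest log under C:\WINDOWS\system32\LogFiles\W3SVC1 to `activesync_failures` instead of `SAMPLE_LOG`.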
