Whether or not you're using Exchange ActiveSync with a network address translation (NAT) firewall, ActiveSync problems occur in organizations that don't utilize a dedicated front-end Exchange server. Fortunately, some workarounds are available to troubleshoot this ActiveSync issue.
If an organization doesn't use a dedicated front-end Exchange server, it's very common for users to receive the HTTP_500 error, along with a message stating that "Synchronization failed due to an error on the server." This occurs because Exchange ActiveSync uses the /Exchange virtual directory to access DAV on the back-end Exchange server. While this isn't a problem, there are two conditions that can prevent the /Exchange virtual directory from working properly.
- If no front-end server is present, the /Exchange virtual directory cannot be configured to require Secure Sockets Layer (SSL). If SSL is required, directory access will fail. This is only the case for back-end Exchange servers. If the /Exchange virtual directory is located on a front-end server, then SSL is supported and recommended.
- If forms-based authentication is enabled, you can't enable it on a back-end Exchange server if you want to use ActiveSync. Enabling forms-based authentication on a front-end Exchange server isn't problematic.
There are two ways to correct a forms-based authentication failure. The preferred method is to deploy a front-end Exchange server. If you're trying to use ActiveSync without a dedicated front-end server, deploying one may not be an option because of budgetary issues. A workaround that involves editing the mailbox server registry can be helpful in this situation. I recommend making a full-system backup before continuing.
If you have SSL and/or forms-based authentication enabled, there is probably a logical reason for this. They don't need to be disabled permanently. Instead, we will create a second instance of the /Exchange virtual directory that doesn't require SSL or use forms-based authentication. Before beginning this procedure, disable forms-based authentication on your /Exchange virtual directory. You can re-enable it afterward.
- Open the Internet Information Services (IIS) Manager, and navigate through the console tree to the \Web Sites\Default Web Site\Exchange container.
- Right click on the Exchange container, and choose the All Tasks -> Save Configuration to a File commands from the menu. You will be prompted to enter a path and a filename. You can name the file anything that you want.
- Go into the IIS Manager's console tree to the Default Web Site container. Right click on this container, and choose the New -> Virtual Directory (From File) commands.
- Windows will display the Import Configuration dialog box. Click Browse, choose the file that you created earlier and click Open and then Read File. You should now see the Exchange virtual directory listed in the Import Configuration dialog box (Figure 1).
Figure 1. The Exchange virtual directory will be listed in the Import Configuration dialog box.
- Select your virtual directory, and click OK. A screen will ask if you want to create a new virtual directory or replace the existing one. Select the option to create a new virtual directory, and enter Exchange-OMA as the directory's alias. The virtual directory that you have just created should now be listed among the list of virtual directories, as shown in Figure 2.
Figure 2. The new Exchange virtual directory will be listed in the IIS Manager console.
- To configure the new virtual directory, right click on it and choose Properties from the menu. The console will display the virtual directory's properties sheet.
- Go to the Directory Security tab and click Edit from the Authentication and Access Control section. The console then will open the Authentication Methods dialog box. Make sure that either the Integrated Windows Authentication or Basic Authentication checkbox is selected – not both. Figure 3 shows what this will look like.
Figure 3. Select either the Integrated Windows Authentication or Basic Authentication checkbox.
- Click OK, and then click the Edit button found in the IP Address and Domain Name Restrictions section.
- When the IP Address and Domain Name Restrictions dialog box appears, click the Denied Access button and then click Add. Choose Single Computer, enter the server's IP address and then click OK.
- Click Edit in the Secure Communications section. When IIS displays the Secure Communications dialog box, be sure that the Require Secure Channel (SSL) checkbox isn't selected.
- Click OK twice and then close the IIS Manager.
You must modify the server's registry to make Exchange Server aware that the virtual directory you created exists. To do so:
- Open the Registry Editor and navigate through the tree to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MassSync\Parameters
- Right click on the Parameters container and choose New -> String Value.
- Enter ExchangeVDir as the value's name. NOTE: This value name is case sensitive.
- Right click on the value you created, and choose Modify from the menu. Enter the name of the new virtual directory -- /Exchange-OMA.
- Click OK, close the Registry Editor and reboot the server.
About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Microsoft Exchange, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.
