Exchange Activesync and Outlook Mobile Access Errors Occur When SSL or Forms-Based Authentication Is Required For Exchange Server 2003
Reprinted below are portions of Microsoft Support Article ID: 817379 (Last Review: October 31, 2008; Revision: 19.0). The entire Microsoft support article can be found here: [http://support.microsoft.com/kb/817379|http://support.microsoft.com/kb/817379]
:: * * *::
Exchange Server ActiveSync and Exchange Outlook Mobile Access (OMA) use the /Exchange virtual directory to access OWA templates and DAV on Exchange back-end servers on which the user's mailbox is located. Server ActiveSync and OMA cannot access this virtual directory if either of the following conditions is true:
- The /Exchange virtual directory on an Exchange back-end server is configured to require SSL.
- Forms-based authentication is enabled.
This issue does not occur when you enable these settings on the /Exchange virtual directory on a front-end server.
Note You do not have to perform either of the methods that are described in the “Resolution” section to configure a front-end server to require SSL and to enable forms-based authentication on the front-end server.
:: * * * ::
Important Method 2 (per this Microsoft Support KB article) should be used only in an environment that has no Exchange Server 2003 front-end server. The registry changes should be made only on the server on which the mailboxes are located.
Create a secondary virtual directory for Exchange that does not require SSL, and then add a registry value to point to the new virtual directory.
Note These steps affect both Outlook Mobile Access connections and Exchange ActiveSync connections. After you follow these steps, both Outlook Mobile Access and Exchange ActiveSync connections use the new virtual directory that you create.
Disable the forms-based authentication for the Exchange virtual directory
To create a secondary virtual directory for Exchange that is based on steps 1 through 7 of the following procedure, make sure that forms-based authentication is disabled for the Exchange virtual directory before you make the copy. Before you follow these steps, disable forms-based authentication in Exchange System Manager. Then restart Internet Information Services (IIS). To do this, follow these steps:
1. Open Exchange Manager (a/k/a Exchange System Manager).
2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
3. Expand the server container (your server name) for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
6. Close Exchange Manager.
7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).
Create a secondary virtual directory for Exchange server
You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work.
If you are using Windows Server 2003, follow these steps:
1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is as follows: Web Sites\Default Web Site\Exchange
3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import, click Exchange, and then click OK.
::A dialog box will appear that states that the “virtual directory already exists.”::
8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.
12. Make sure that only the following authentication methods are enabled, and then click OK:
- a. Integrated Windows authentication
- b. Basic authentication
13. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
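14. Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK twice. With Denied access selected, the computers that you add are the exceptions, so only the server itself can reach this non-SSL directory.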
15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
16. Click OK, and then close the IIS Manager.
17. Click Start, click Run, type regedit, and then click OK.
18. Locate the following registry subkey:
19. Right-click Parameters, point to New, and then click String Value.
20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.
::Note ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.::
21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
22. Quit Registry Editor.
23. Restart the IIS Admin service. To do this, follow these steps:
- a. Click Start, click Run, type services.msc, and then click OK.
- b. In the list of services, right-click IIS Admin service, and then click Restart.
24. If you want to reuse Forms-based Authentication on the Exchange server, follow these steps to re-enable Forms-based Authentication on the /Exchange virtual directory in Exchange System Manager.
- a. Open Exchange Manager.
- b. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
- c. Expand the server container (your server name) for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
- d. Under the HTTP container, right-click the Exchange Virtual Server container (NOT the Exchange sub-container), and then click Properties.
- e. Click the Settings tab, click to select the Enable Forms Based Authentication check box, and then click OK.
- f. Close Exchange Manager.
- g. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).
Note If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma.
The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW) also expect the virtual directory name in IIS to be exchange-oma.
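Added example (not part of the Microsoft article): a Python check of the settings from steps 12, 14 and 15, run against an export of the new exchange-oma directory made with the same Save Configuration to a File action used in step 3. The embedded export is constructed, and the attribute names AuthFlags, AccessSSLFlags and IPSecurity are assumed to follow the IIS 6 metabase XML format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an IIS 6 "Save Configuration to a File" export for the
# copied directory; attribute names follow the IIS 6 metabase XML (assumption).
SAMPLE_EXPORT = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/exchange-oma"
        AccessSSLFlags="AccessSSL"
        AuthFlags="AuthAnonymous | AuthBasic | AuthNTLM" />
  </MBProperty>
</configuration>"""

ALLOWED_AUTH = {"AuthBasic", "AuthNTLM"}  # step 12: Basic + Integrated Windows only


def flags(value):
    """Split a metabase flag string such as 'AuthBasic | AuthNTLM' into a set."""
    return {f.strip() for f in (value or "").split("|") if f.strip() and f.strip() != "0"}


def audit_vdir(xml_text, alias="exchange-oma"):
    """Return findings for the virtual directory whose Location ends in /alias."""
    root = ET.fromstring(xml_text)
    for node in root.iter():
        loc = node.get("Location", "")
        if node.tag.endswith("IIsWebVirtualDir") and loc.lower().endswith("/" + alias.lower()):
            break
    else:
        return ["virtual directory '%s' not found in export" % alias]

    findings = []
    auth = flags(node.get("AuthFlags"))
    extra, missing = auth - ALLOWED_AUTH, ALLOWED_AUTH - auth
    if extra:
        findings.append("step 12: unexpected authentication enabled: " + ", ".join(sorted(extra)))
    if missing:
        findings.append("step 12: required authentication missing: " + ", ".join(sorted(missing)))
    if "AccessSSL" in flags(node.get("AccessSSLFlags")):
        findings.append("step 15: Require secure channel (SSL) is still enabled")
    if not node.get("IPSecurity"):
        findings.append("step 14: no IP address restriction recorded on this directory")
    return findings


if __name__ == "__main__":
    for finding in audit_vdir(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

The check only confirms that an IP restriction is recorded on the directory; it does not decode which addresses the restriction lists, so confirm the entry from step 14 in IIS Manager.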