Problems with form based authenticatie and SSL in ActiveSync

When using SSL with ActiveSync and Exchange, problems can occur when Form Based Authentication is used. One of the following errors might appear:

  • Synchronization failed due to an error on the server. Try again. Error code: HTTP_500
  • ActiveSync Error 0x85010014

The cause behind this error message is usually the OMA virtual directories using a DAV login to the Exchange virtual directory. Since DAV login is always done using http (port 80), not https (port 443), the connection cannot be made when the Exchange server is configured to only accept SSL. This problem can be solved by either:

  • Ceasing to use SSL for Exchange entirely (undesirable for safety reasons).
  • Installing an extra Exchange server as front-end server.
  • Creating an extra virtual directory which does not require use of SSL, and referring to it in the registry.

This manual describes how to execute the last option. Please note that both ActiveSync and OMA will use the new virtual directory. Follow these steps to create the directory:

  1. Start the IIS Manager.
  2. Locate the Exchange virtual directory. By default it is located here: Web Sites\Default Web Site\Exchange.
  3. Right-click on the Exchange virtual directory and select Properties.
  4. De-activate the Forms Based Authentication and SSL. This is required for export. Now click on OK.
  5. Right-click on the Exchange virtual directory.
  6. Click on All Tasks and select Save Configuration to a fileExchange Screenshot
  7. Save the file as ExchangeVDir and click on OKExchange Screenshot
  8. Right-click on the Website root (usually the Default Web Site). Click on New and thereafter on Virtual Directory (from file)Exchange Screenshot
  9. Click on Browse in the Import Configuration window and select the newly created ExchangeVDir-file. Click on Open, followed by Read fileExchange Screenshot
  10. Click on Exchange under Select a configuration to import followed by OK. A dialogue window will appear, stating that the virtual directory already exists.
  11. Enter a new name in for the virtual directory in the Alias-field that will be used by ActiveSync and OMA. Enter, for example: ExchDAV. Click on OKExchange Screenshot
  12. Right-click on the newly created virtual directory and select PropertiesExchange Screenshot
  13. Navigate to the Directory Security tab, click on Authentication and access control and thereafter click on Edit.
  14. Ensure the following methods have been activated and click on OK:
    • Integrated Windows Authentication
    • Basic Authentication
    Exchange Screenshot
  15. Click on Edit at IP address and domain name restrictions.
  16. Click on Denied access, thereafter on Add, and finally on Single computer. Enter the IP-address of the server that is now set, and click on OKExchange Screenshot
  17. Click on Edit in the Secure Communications section. Ensure Require Secure Channel (SSL) is not activated, and click on OKExchange Screenshot
  18. Close the IIS manager, and start the Registery Editor (regedit).
  19. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters.
  20. Right-click on Parameters, select New and thereafter String value.
  21. Enter ExchangeVDir and press Enter.
  22. Right-click on ExchangeVDir and select Modify.
  23. Enter the newly created virtual directory, adding a forward slash '/', so for example: /ExchDav and click on OK.
  24. Restart the IIS admin service and test whether the changes solved the problem.

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues