Test-ActiveSyncConnectivity Failure Due to Exchange ActiveSync Policies

When you are testing ActiveSync using the Test-ActiveSyncConnectivity cmdlet you may encounter failures.

Depending on the specific cause of the failure, you may see different results. For example, here is a failure at the FolderSync stage of the test.

[PS] C:\>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Failure             [System.Net.WebException
                                                             ]: The remote server ret
                                                             urned an error: (403) Fo
                                                             rbidden.

                                                             HTTP response headers:

                                                             MS-Server-ActiveSync: 14
                                                             .2
                                                             Content-Length: 1233
                                                             Cache-Control: private
                                                             Content-Type: text/html
                                                             Date: Thu, 11 Apr 2013 0
                                                             8:34:58 GMT
                                                             Server: Microsoft-IIS/7.
                                                             5
                                                             X-AspNet-Version: 2.0.50
                                                             727
                                                             X-Powered-By: ASP.NET

These failures can be caused by different ActiveSync policies within your organization.


Creating a Test CAS User

As a first step, if you are planning to use Test-ActiveSyncConnectivity you should create a CAS test user using the supplied script from Microsoft. On a mailbox server in your organization open the Exchange Management Shell and navigate to the Exchange scripts folder.

 
[PS] C:\>cd $exscripts
[PS] C:\Program Files\Microsoft\Exchange Server\V14\scripts>

Run the following script. By default it will create the user in the “Users” OU in Active Directory. If you have more than one OU named “Users” you should manually specify a different OU, or specify the exact path to the OU you want to use.

.\new-TestCasConnectivityUser.ps1 -ou "Service Accounts"

Please enter a temporary secure password for creating test users. For security
purposes, the password will be changed regularly and automatically by the system
if SCOM is installed. The password must be changed manually if SCOM is not installed.
Enter password: ***********
Create test user on: HO-EX2010-MB1.exchangeserverpro.net
Click CTRL+Break to quit or click Enter to continue.:
UserPrincipalName: extest_0bcca07661e94@exchangeserverpro.net

Take note of that generated username, e.g. extest_0bcca07661e94, as you’ll be using it again for the steps below.

Identifying the ActiveSync Device Access State

After a failed Test-ActiveSyncConnectivity test, take a look at the ActiveSync device associated with the test user.

If you don’t know the test user account name, run the following command.

[PS] C:\>Get-ActiveSyncDevice | where {$_.userdisplayname -match "extest"} | select user*,device* | fl

If you do know the exact username, run this command instead.

[PS] C:\>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl

You should see a result similar to this.

UserDisplayName         : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94
DeviceId                : 704294541
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                :
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : TestActiveSyncConnectivity
DeviceUserAgent         : TestActiveSyncConnectivity
DeviceModel             : TestActiveSyncConnectivity
DeviceAccessState       : Blocked
DeviceAccessStateReason : Policy
DeviceAccessControlRule :
DeviceActiveSyncVersion : 12.0

The items of interest at this point are the device access state and the reason. You will likely see a state of “Blocked” or “Quarantined”, each of which requires a different approach. In fact you may encounter both (after solving the first the second will appear) depending on your organization’s policies.

Resolving Blocked Device Access State for Test CAS User

For a device that has been blocked with a reason of “Policy”, the likely issue is that the ActiveSync mailbox policy associated with the mailbox is too strict for the capabilities of the Test-ActiveSyncConnectivity cmdlet.

To resolve this, configure an ActiveSync mailbox policy that allows non-provisionable devices with no password requirement.


Assign that ActiveSync mailbox policy to the test account.

Set-CasMailbox extest_0bcca07661e94 -ActiveSyncMailboxPolicy 'Connectivity Test Only'
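
Because this policy removes the password and provisioning requirements, it should stay confined to the test account. The following is an added example, not part of the original article: it creates the policy from the shell, assigns it, and then checks that it is neither the default policy nor applied to any other mailbox. It assumes Exchange 2010 property names and that test accounts keep the extest_ name prefix generated by the script.

```powershell
# Added example. The policy name and test account are the ones used in this
# article; replace $TestUser with the account generated in your organization.
$PolicyName = 'Connectivity Test Only'
$TestUser   = 'extest_0bcca07661e94'

# Create the relaxed policy only if it does not exist yet.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $PolicyName }
if (-not $existing) {
    New-ActiveSyncMailboxPolicy -Name $PolicyName `
        -AllowNonProvisionableDevices $true `
        -DevicePasswordEnabled $false | Out-Null
}

# Assign it to the test account only.
Set-CASMailbox $TestUser -ActiveSyncMailboxPolicy $PolicyName

# Check 1: the relaxed policy must not be the organization default,
# otherwise new mailboxes would inherit it.
$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $PolicyName }
if ($policy.IsDefaultPolicy) {
    Write-Warning "'$PolicyName' is the default ActiveSync mailbox policy."
}

# Check 2: no mailbox other than the extest_ accounts should use it.
# The policy reference is cast to a string so the comparison works in both
# local and remote shells (assumption: the value ends with the policy name).
$unexpected = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    "$($_.ActiveSyncMailboxPolicy)" -like "*$PolicyName" -and
    $_.Name -notlike 'extest_*'
}

if ($unexpected) {
    Write-Warning "Relaxed policy assigned to non-test mailboxes:"
    $unexpected | Select-Object Name, ActiveSyncMailboxPolicy
} else {
    Write-Host "'$PolicyName' is assigned to test accounts only."
}
```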

Depending on your environment there may be some delay before this takes effect. After running Test-ActiveSyncConnectivity again you should see a successful test result.

[PS] C:\>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Success     1656.27
ho-ex20... HeadOffice    First Sync      Success      156.25
ho-ex20... HeadOffice    GetItemEstimate Success       78.13
ho-ex20... HeadOffice    Sync Data       Success       46.88
ho-ex20... HeadOffice    Ping            Success     2468.70
ho-ex20... HeadOffice    Sync Test Item  Success      171.87

Resolving Quarantined Device Access State Due to Organization Policy

If you have the default access level for ActiveSync in your organization set to “Quarantine”, you may see a different result from Test-ActiveSyncConnectivity.

[PS] C:\>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Success      843.75
ho-ex20... HeadOffice    First Sync      Success       62.50
ho-ex20... HeadOffice    GetItemEstimate Success       31.25
ho-ex20... HeadOffice    Sync Data       Success       46.88
ho-ex20... HeadOffice    Ping            Success       46.88
ho-ex20... HeadOffice    Sync Test Item  Failure             Syntax error in serve...

[PS] C:\>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       15.62
ho-ex20... HeadOffice    FolderSync      Success      109.37
ho-ex20... HeadOffice    First Sync      Success       62.50
ho-ex20... HeadOffice    GetItemEstimate Success       15.62
ho-ex20... HeadOffice    Sync Data       Success       46.87
ho-ex20... HeadOffice    Ping            Failure             Exchange ActiveSync c...

Look at the ActiveSync devices for the test mailbox, and you will likely see that the device has been quarantined.

[PS] C:\>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl


UserDisplayName         : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94
DeviceId                : 704294541
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                :
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : TestActiveSyncConnectivity
DeviceUserAgent         : TestActiveSyncConnectivity
DeviceModel             : TestActiveSyncConnectivity
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 12.0

Before addressing this, you should first review the existing allowed device IDs for the test user.

[PS] C:\>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs
--------------------------
{}

If there are no device IDs already specified, add the device ID that you discovered above as an allowed device ID for the test user.

[PS] C:\>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs "704294541"

[PS] C:\>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs         : {704294541}

If there were already device IDs allowed, a slightly different approach is taken. Each server or management workstation that you run the Test-ActiveSyncConnectivity cmdlet from will have a different device ID. Over time you may need to allow multiple device IDs.

To append a new device ID to the existing list run the following command instead.

[PS] C:\>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs @{add="1560598775"}

[PS] C:\>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs         : {1560598775, 704294541}
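
The steps above can be combined so that only device IDs created by the cmdlet itself are exempted from quarantine, and existing entries are never overwritten. This is an added example, not part of the original article; it assumes the test devices report the DeviceType shown in the output above.

```powershell
# Added example. $TestUser is the sample account from this article;
# replace it with the account generated in your organization.
$TestUser = 'extest_0bcca07661e94'

# Only consider quarantined devices that identify themselves as the test
# cmdlet, so that any other device partnered with this mailbox is not
# exempted from the organization's quarantine rule by accident.
$quarantined = Get-ActiveSyncDevice -Mailbox $TestUser | Where-Object {
    $_.DeviceType -eq 'TestActiveSyncConnectivity' -and
    $_.DeviceAccessState -eq 'Quarantined'
}

# Current per-mailbox exemptions (may be empty).
$allowed = @((Get-CASMailbox $TestUser).ActiveSyncAllowedDeviceIDs)

foreach ($device in $quarantined) {
    if ($allowed -contains $device.DeviceId) {
        Write-Host "Already allowed: $($device.DeviceId)"
        continue
    }

    # @{Add=...} appends to the list and leaves existing entries in place.
    Set-CASMailbox $TestUser -ActiveSyncAllowedDeviceIDs @{Add = $device.DeviceId}
    Write-Host "Allowed device ID $($device.DeviceId) for $TestUser"
}

# Review the resulting exemption list and the state of each device.
Get-CASMailbox $TestUser | Format-List Name, ActiveSyncAllowedDeviceIDs
Get-ActiveSyncDevice -Mailbox $TestUser |
    Format-Table DeviceId, DeviceType, DeviceAccessState, DeviceAccessStateReason
```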

Test-ActiveSyncConnectivity should now run successfully.

[PS] C:\>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       31.25
ho-ex20... HeadOffice    FolderSync      Success      109.37
ho-ex20... HeadOffice    First Sync      Success       46.87
ho-ex20... HeadOffice    GetItemEstimate Success       31.25
ho-ex20... HeadOffice    Sync Data       Success       78.12
ho-ex20... HeadOffice    Ping            Success     2062.47
ho-ex20... HeadOffice    Sync Test Item  Success       31.25

Comments

  1. Seb says

    Hello,

    I encountered a similar error 403 because my “extest…” account had reached the maximum number of ActiveSync devices authorized by the default throttling policy (10 devices).

    I deleted some ActiveSync Devices for my test account.

    And now it works fine.

  2. Carol Ostos says

    Thanks for the article Paul. I’m troubleshooting the following event that has started appearing in one of my CAS servers since Friday.

    1040 Warning MSExchange ActiveSync

    The average of the most recent heartbeat intervals [494] for request [Sync] used by clients is less than or equal to [540].
    Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

    For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”

    I have asked one of the guys to check TMG firewall rules to see if increasing the time out helps.

    After applying the TestOnly EAS Policy to the exchange test account, Test-ActiveSyncConnectivity works like a charm

    Test-ActiveSyncConnectivity

    CasServer LocalSite Scenario        Result  Latency(MS) Error
    --------- --------- --------        ------  ----------- -----
    cas…      HQ        Options         Success       15.60
    cas…      HQ        FolderSync      Success       93.60
    cas…      HQ        First Sync      Success       46.80
    cas…      HQ        GetItemEstimate Success       31.20
    cas…      HQ        Sync Data       Success       78.00
    cas…      HQ        Ping            Success     2070.06
    cas…      HQ        Sync Test Item  Success       62.40

    I know it’s just a warning but do you think I should worry if this event does not go away? Thanks!

  3. Valentin says

    Hello,

    Something strange appeared for me.
    After following the guide the issue with folder sync error was resolved but another error appeared.
    The test is running against 12 CAS servers from one workstation only.
    The activesync devices were allowed but the test is failing on 4 from the 12 CASes. And this 4 CASes IDs are changing. The error:

    ScenarioDescription : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version.
    PerformanceCounterName : DirectPush Latency
    Result : Failure
    Error : The OPTIONS command returned HTTP 200, but the Exchange ActiveSync header (MS-Server-ActiveSync) wasn’t returned. The request likely did not reach a Client Access serv
    , either because

    – A proxy server intervened (check the headers below for any that may have been returned by a proxy)

    -The virtual directory could not be reached: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync

    – The virtual directory does not point to a Client Access server: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync

    HTTP response headers:

    Allow: OPTIONS, TRACE, GET, HEAD, POST
    Public: OPTIONS, TRACE, GET, HEAD, POST
    Content-Length: 0
    Date: Wed, 16 Oct 2013 09:21:21 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET

    In 30 minutes it starts working for the same server but I have the error for others – always following the pattern 4 failures from 12 :)
