Exchange 2013 Active Sync Fails for Android Devices

Setup:

  • Exchange 2013 SP1 CU8 CAS servers running on Windows 2012 R2.
  • Exchange 2013 SP1 CU8 Mailbox Servers running on Windows 2012 R2.
  • Windows 2012 R2 WAP (Web Application Proxy / Reverse Proxy) configured in the DMZ to accept the External OWA (Outlook Web Access), Outlook Anywhere, EAS (Exchange Active Sync) connections.


Issue:

(1)   Android devices are unable to connect to the Exchange 2013 SP1 CU8 CAS servers.

(2)   Windows XP machines running Outlook 2007 are not able to connect to the Exchange 2013 SP1 CU8 CAS servers through Outlook Anywhere.

Quick overview:

After publishing Exchange through the WAP (Web Application Proxy) we found that iPhones and other devices were able to connect to Exchange ActiveSync, but Android devices would fail to connect.

The error shown on Android was an unhelpful one: “Unable to connect, Security Error occurred”. Nothing at all was logged in the Exchange servers' ActiveSync logs.

However, the WAP server does show a connection from the IP address of the Android device. This can be verified under Task Manager > Open Resource Monitor > Network Activity.

Explanation:

After much playing around we found that the issue was due to Server Name Indication (SNI). According to Wikipedia:

Server Name Indication (SNI) is an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

So in a nutshell: WAP registers the certificate as a hostname:port (SNI) binding, so a client that does not send SNI in its TLS ClientHello gets no matching certificate and the handshake fails with a security error. To support non-SNI capable clients you additionally bind the certificate to the IP address and port with a Netsh command using your certificate hash; HTTP.sys then uses that IP:port binding as the fallback certificate for such clients.

Solution Steps:

1)      Get the Certificate Hash:

To get the certificate hash, run the following command with elevated command prompt on your WAP server:

Command > netsh http show sslcert

Look for the certificate hash under the correct certificate name.

2)      Get the APP ID.

The appid parameter is the GUID of the application that created the binding. It is only an identifier for the owning application, so you can also set it manually.

The following are the two application IDs for Web Application Proxy and the AD FS service; using either of them is fine:

    {5d89a20c-beab-4389-9447-324788eb944a} –> AD FS App ID

    {f955c070-e044-456c-ac00-e9e4275b3f04} –> Web Application Proxy App ID

Once you have both values, run the following command from the same elevated command prompt.

  • netsh http add sslcert ipport=0.0.0.0:443 certhash=<your cert hash> appid={f955c070-e044-456c-ac00-e9e4275b3f04}

Note: Make sure you do this on all your WAP servers if you are running a cluster.

Give it a few minutes and then test ActiveSync. Account setup and sync should work now.

You might get the following error while running the above command:

Error:

SSL Certificate add failed, Error: 183 cannot create a file when that file already exists.

Solution:

Delete the SSL certificate binding from the port and add it back.

Command to delete the SSL Cert >

netsh http delete sslcert ipport=0.0.0.0:443

Command to add back the SSL Cert >

netsh http add sslcert ipport=0.0.0.0:443 certhash=<your cert hash> appid={f955c070-e044-456c-ac00-e9e4275b3f04}
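The whole procedure above (find the certificate hash, choose the app ID, add the IP:port binding) together with the error 183 recovery, combined into one script. This is an added example and not code from the original post. It assumes an elevated PowerShell on a Windows Server 2012 R2 WAP node, that the WAP certificate sits in LocalMachine\My with the external host name as its subject or a SAN (`mail.example.com` is a placeholder), and that netsh prints its English messages; the app ID is the Web Application Proxy one listed above.

```powershell
# Added example, not part of the original post.
# Binds the WAP certificate to 0.0.0.0:443 so HTTP.sys has a fallback certificate
# for clients that do not send SNI, and recovers from error 183 by deleting and
# re-adding the binding. Run elevated on every WAP node.
param(
    [string]$ExternalHost = 'mail.example.com',                        # placeholder external name (assumption)
    [string]$IpPort       = '0.0.0.0:443',
    [string]$AppId        = '{f955c070-e044-456c-ac00-e9e4275b3f04}'   # Web Application Proxy app ID (from the post)
)

# 1) Certificate hash: newest cert with a private key whose DNS names cover $ExternalHost.
#    -DnsName is a dynamic parameter of the Cert: provider on Windows PowerShell 4 / 2012 R2.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -DnsName $ExternalHost |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ExternalHost in LocalMachine\My" }
$certHash = $cert.Thumbprint
Write-Host "Using '$($cert.Subject)' thumbprint $certHash, valid until $($cert.NotAfter)"

# 2) Show what HTTP.sys already has. WAP normally creates only Hostname:port (SNI)
#    bindings; a non-SNI client needs an IP:port binding as well.
Write-Host "`nExisting bindings:"
netsh http show sslcert | Select-String -Pattern 'IP:port|Hostname:port|Certificate Hash'

# 3) Add the IP:port binding. Error 183 means a binding for that IP:port already exists
#    (possibly with an old hash), so delete it and add it again, as the post describes.
$result = netsh http add sslcert "ipport=$IpPort" "certhash=$certHash" "appid=$AppId" 2>&1
if (($result -join "`n") -match 'Error: 183') {
    Write-Warning "A binding already exists on $IpPort; replacing it"
    netsh http delete sslcert "ipport=$IpPort" 2>&1 | Out-Null
    $result = netsh http add sslcert "ipport=$IpPort" "certhash=$certHash" "appid=$AppId" 2>&1
}
if (($result -join "`n") -notmatch 'successfully added') {
    throw "netsh http add sslcert failed:`n$($result -join "`n")"
}

# 4) Verify the binding exists and carries the expected hash (-match is case-insensitive,
#    so netsh's lower-case hash matches the upper-case .NET thumbprint).
$check = (netsh http show sslcert "ipport=$IpPort" 2>&1) -join "`n"
if ($check -notmatch [regex]::Escape($certHash)) { throw "Binding on $IpPort does not show hash $certHash" }
Write-Host "OK: $IpPort is bound to $certHash. Repeat on every WAP node, wait a few minutes, then test ActiveSync."
```

Run it once per WAP node, since HTTP.sys bindings are local to each server. To confirm the fix from outside, use a TLS client that deliberately sends no SNI, for example `openssl s_client -noservername -connect <external IP>:443`; it should now receive the certificate instead of failing the handshake, while a normal SNI-capable client continues to be served by the hostname binding.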
