Exchange ActiveSync Returned an HTTP 500 Error

Topic Last Modified: 2010-06-25

The Microsoft Exchange Analyzer tool sends Exchange ActiveSync commands to test for Exchange ActiveSync connectivity. If the FolderSync command (the first command in the sequence) returns an HTTP 500 error, then the Exchange Server Remote Connectivity Analyzer tool returns the following error.

"Exchange ActiveSync returned an HTTP 500 response."

You may experience this error if you have an Exchange 2003 server without a front-end server and are using Secure Sockets Layer (SSL) or forms-based authentication. If this is the case, see Microsoft Knowledge Base article, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).

In Exchange 2003, ActiveSync requires Kerberos authentication to work properly between the front-end and the back-end servers. Some common reasons for Kerberos authentication in IIS not working are:

  • Integrated Windows Authentication may not be enabled on the back-end server's "/Exchange" virtual directory.
  • The affected users may be members of too many groups causing their user tokens to be larger than the maximum allowed size.
    Note:
    The authentication methods on Exchange Server virtual directories should be managed using the Exchange System Manager and not Internet Information Services (IIS) Manager.

For more information, see Microsoft Knowledge Base article, "How to troubleshoot server ActiveSync HTTP error codes" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=330463).

In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.

To check whether inheritance is disabled on the user:

  1. Open Active Directory Users and Computers.
  2. On the menu at the top of the console, click View > Advanced Features.
  3. Locate and right-click the mailbox account in the console, and then click Properties.
  4. Click the Security tab.
  5. Click Advanced.
  6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.

If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.
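The console check above covers one account at a time; the same condition can be audited across every mailbox-enabled account. The following PowerShell is an added example, not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed; the function name and its `SearchBase` parameter are hypothetical.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

function Get-MailboxInheritanceReport {
    param(
        # Assumption: optional OU to limit the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # homeMDB is populated on mailbox-enabled users.
    Get-ADUser -LDAPFilter '(homeMDB=*)' -SearchBase $SearchBase `
               -Properties nTSecurityDescriptor, adminCount |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor

        # True when "Include inheritable permissions from this object's parent"
        # is cleared on the account.
        $inheritanceDisabled = $sd.AreAccessRulesProtected

        # All ACEs (explicit and inherited), resolved to DOMAIN\name form.
        $rules = $sd.GetAccessRules($true, $true,
                     [System.Security.Principal.NTAccount])

        # Does any ACE name the Exchange Servers group?
        $exchangeAce = $rules |
            Where-Object { $_.IdentityReference.Value -like '*\Exchange Servers' }

        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            InheritanceDisabled = $inheritanceDisabled
            # adminCount = 1 is stamped on accounts that are (or were)
            # members of protected groups.
            AdminCount          = $_.adminCount
            ExchangeServersAce  = [bool]$exchangeAce
        }
    }
}

# List only the accounts that match the failure condition described above.
Get-MailboxInheritanceReport |
    Where-Object { $_.InheritanceDisabled -or -not $_.ExchangeServersAce } |
    Sort-Object AdminCount, SamAccountName |
    Format-Table -AutoSize
```

Rows with `AdminCount` of 1 are the protected-group case, where the cleared inheritance box is expected; the remaining rows are candidates for re-enabling inheritance.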

Note:
We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts: one that is added to the protected group, and one that is used for e-mail purposes and at all other times.

For more information, see TechNet Magazine article, "AdminSDHolder, Protected Groups and SDPROP" (http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx).

The Exchange Remote Connectivity Analyzer is a new tool with limited documentation at this time. In an effort to improve the documentation for each of the errors you might receive, we would like to solicit additional information from the community. Please use the Community Content section below to post additional reasons why you failed at this point. If you need technical assistance, please create a post in the appropriate Exchange TechNet forum or contact support.

Community Content
Exchange 2010 (fixed)

I had similar problems connecting through my E2010 CAS server to my mailbox on E2003.


When I looked at the IIS log files on my E2003 mailbox server, I noticed this error for my logon attempt: Error:NTLM+not+on+the+destination

After some more searching on the internet I found this article and it fixed my problems: http://blogs.technet.com/b/exchange/archive/2007/01/05/3397655.aspx


Changed the Subnet and Problem Started (same as @Karatecki)
We changed the Subnet of DC (in AD Sites and Services) and the problem started to occur with all of our iPhone users.

Now, we changed the 'Old IP' to 'New IP' in Exchange-OMA's Directory Security (Denied All Except Below) in IIS -- And it all started working like a charm.

God bless you Karatecki :-)

Asad Hamdani.
I had to enable inherited permissions and also...
I also had to set the 'admincount' for the user to 0 with Adsiedit to keep the inherited permissions box from unchecking every hour. On top of this, I couldn't get the device to syn***il browsing in Exchange 2010 Management to Recipient Configuration> Mailbox> User> Properties> Mailbox Features. Highlight Exchange ActiveSync and click Disable, then apply. This next part seems to be important. Try and connect your activesync while it is DISABLED on your account. After it fails, then re-enable activesync and try again.


2/3 users I was having trouble with were fixed by this process. The other I've not had a chance to test with yet. Of course, you must ensure that the permissions are inherited as explained in countless other locations.

Kara

after moving subnet couldn't connect mobile phones
ok, first of all I've used this tutorial in the past to make mobile phones connect to Exchange 2003 Standard

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

everything worked fine

after moving the subnet
mobile phones couldn't connect
and I received "ActiveSync Returned an HTTP 500 Error" at https://www.testexchangeconnectivity.com

the solution was
in IIS, the new exchange folder (from the article - Exchdev) was set to deny access for all but the old server ip
after changing to the new ip
the problem was solved
Works
The solution suggested for Exchange 2010 ActiveSync works perfectly.

I found this solution via https://www.testexchangeconnectivity.com - a very useful tool.

Here is some more background on the problem: http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/

UPDATE THE INFORMATION
How about updating the information that relates to products that aren't 8 years old. There is nothing about Exchange 2010 regarding this.
What if you do not have a front-end/back-end setup?
Could you post fixes that pertain to a majority of those setups like SBS 2003?
ActiveSync Error 500
Forms Based authentication on the listener.
Exchange ActiveSync Send Option Error

Domain Name in Exchange Virtual Directory is not correct. External Domain Name is the only one that worked.

Active Sync Error Http Error 500
Run the IIS Auth Diagnostics Tool and fix the permission errors on the Server.