Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Smartphone occasionally prompted for credentials

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Smartphone occasionally prompted for credentials Page: [1]
Login
Message << Older Topic   Newer Topic >>
Smartphone occasionally prompted for credentials - 24.May2007 6:29:52 PM   
sbaldridge

 

Posts: 15
Joined: 2.May2004
Status: offline 		We migrated from Exchange 2003 SP2 to Exch 2007 this week and our activesync users are complaining.  Every so often they are prompted for credentials when syncing.  They can hit cancel or enter the credentials, either way the sync will complete successfully on the next try, for example I get prompted, I hit cancel, and do a manual sync and there is no problem.  I can sync successfully for an hour or so and the phone prompts me again!

ISA 2006 and Exchange 2007 (single server with all roles).  For example the external IP of my ISA is 10.10.10.14 (behind a PIX) and the IP on my Exchange is 192.168.4.50.  SSL is maintained from client to exchange (bridged ssl-ssl).

I see the following in the ISA logs when the device requests credentials:
Successful sync is like this:
(date) dest192.168.4.50 Allowed (domain\username) (long URL) error information code is 0xf80
Unsuccessful sync is like this:
(date) dest10.10.10.14 Denied Connection (anonymous) (long URL) error information code is 0x200

Note that the denied request is for the 10.10.10.14 address in the log rather than the address of the Exchange box!  The long URL differs, not always the same.  The request is logged as anonymous so I assume that's where the device is prompted for credentials.  I wonder if my timeout is too short or something?  (SSL client certificate timeout 300 secs, validate credentials every 300 secs). 

Any ideas?  I have googled like crazy on this.
Post #: 1
RE: Smartphone occasionally prompted for credentials - 25.May2007 1:10:15 PM   
mylo

 

Posts: 138
Joined: 26.Mar.2002
Status: offline 		Like you suggested, try upping the SSL client certificate timeout to say 900 seconds. It looks like the inbound connection on 10.10.10.14 has timed out (hence anonymous)

Regards,
Mylo

(in reply to sbaldridge)
Post #: 2
RE: Smartphone occasionally prompted for credentials - 25.May2007 5:04:10 PM   
Jason Jones

 

Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		Are you using a single web listener for all Exchange services?

I had seen similar problems when using a single web listener and allowing FBA to fallback to basic for ActiveSync. We solved the problem by creating two separate web listeners, one for FBA and once for Basic auth. The downside is that this requires 2 IP's and two SSL certs :-(

May be worth a try?

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to mylo)
Post #: 3
RE: Smartphone occasionally prompted for credentials - 29.May2007 3:08:39 PM   
sbaldridge

 

Posts: 15
Joined: 2.May2004
Status: offline 		Upping the SSL client timeout to 900 didn't help.  Strange that the problem occurs after a switch from Exchange 2003 to 2007 so I guess the phone itself is not to blame....

We are using a single web listerner for all Exchange services but I'd hate to add another certificate if I don't have to.

Thanks w/ help so far.
Scott

(in reply to Jason Jones)
Post #: 4
RE: Smartphone occasionally prompted for credentials - 23.Sep.2007 6:55:02 PM   
Jason Jones

 

Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		Hi Scott,

Did you ever fix this? Have you still got the problem?

We have recently moved to Exchange 2007 and getting the same issue...

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to sbaldridge)
Post #: 5
RE: Smartphone occasionally prompted for credentials - 24.Sep.2007 11:57:31 AM   
Jason Jones

 

Posts: 2247
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		Think this is sorted now.

I needed to disable the "apply session timeout to non-browser clients" in the advanced form options for the web listener that was shared for OWA and ActiveSync.

If you follow the built-in wizards, this option is disabled by default for any listener that is selected for ActiveSync use - that'll teach me!

Thanks to Jim Harrison for the pointers!

"You don't want the FBA timeout applied to EAS clients.
The folks in Exch, WM6 and ISA all agreed that a wide-open 30-minute timeout was good for  battery life.  If you close that sooner, the client has to re-authenticate."

< Message edited by Jason Jones -- 24.Sep.2007 12:25:38 PM >

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Smartphone occasionally prompted for credentials Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts