Smartphone occasionally prompted for credentials






sbaldridge -> Smartphone occasionally prompted for credentials (24.May2007 6:29:52 PM)

We migrated from Exchange 2003 SP2 to Exch 2007 this week and our ActiveSync users are complaining.  Every so often they are prompted for credentials when syncing.  They can hit cancel or enter the credentials; either way the sync will complete successfully on the next try. For example, I get prompted, I hit cancel, and do a manual sync and there is no problem.  I can sync successfully for an hour or so and the phone prompts me again!

ISA 2006 and Exchange 2007 (single server with all roles).  For example the external IP of my ISA is 10.10.10.14 (behind a PIX) and the IP on my Exchange is 192.168.4.50.  SSL is maintained from client to Exchange (bridged SSL-SSL).

I see the following in the ISA logs when the device requests credentials:
Successful sync is like this:
(date) dest192.168.4.50 Allowed (domain\username) (long URL) error information code is 0xf80
Unsuccessful sync is like this:
(date) dest10.10.10.14 Denied Connection (anonymous) (long URL) error information code is 0x200

Note that the denied request is for the 10.10.10.14 address in the log rather than the address of the Exchange box!  The long URL differs, not always the same.  The request is logged as anonymous so I assume that's where the device is prompted for credentials.  I wonder if my timeout is too short or something?  (SSL client certificate timeout 300 secs, validate credentials every 300 secs). 

Any ideas?  I have googled like crazy on this.




mylo -> RE: Smartphone occasionally prompted for credentials (25.May2007 1:10:15 PM)

Like you suggested, try upping the SSL client certificate timeout to, say, 900 seconds. It looks like the inbound connection on 10.10.10.14 has timed out (hence anonymous).

Regards,
Mylo




Jason Jones -> RE: Smartphone occasionally prompted for credentials (25.May2007 5:04:10 PM)

Are you using a single web listener for all Exchange services?

I had seen similar problems when using a single web listener and allowing FBA to fall back to Basic for ActiveSync. We solved the problem by creating two separate web listeners, one for FBA and one for Basic auth. The downside is that this requires 2 IPs and two SSL certs :-(

May be worth a try?

Cheers

JJ




sbaldridge -> RE: Smartphone occasionally prompted for credentials (29.May2007 3:08:39 PM)

Upping the SSL client timeout to 900 didn't help.  Strange that the problem occurs after a switch from Exchange 2003 to 2007 so I guess the phone itself is not to blame....

We are using a single web listener for all Exchange services but I'd hate to add another certificate if I don't have to.

Thanks w/ help so far.
Scott




Jason Jones -> RE: Smartphone occasionally prompted for credentials (23.Sep.2007 6:55:02 PM)

Hi Scott,

Did you ever fix this? Have you still got the problem?

We have recently moved to Exchange 2007 and are getting the same issue...

Cheers

JJ




Jason Jones -> RE: Smartphone occasionally prompted for credentials (24.Sep.2007 11:57:31 AM)

Think this is sorted now.

I needed to disable the "apply session timeout to non-browser clients" in the advanced form options for the web listener that was shared for OWA and ActiveSync.

If you follow the built-in wizards, this option is disabled by default for any listener that is selected for ActiveSync use - that'll teach me! :)

Thanks to Jim Harrison for the pointers!

"You don't want the FBA timeout applied to EAS clients.
The folks in Exch, WM6 and ISA all agreed that a wide-open 30-minute timeout was good for battery life.  If you close that sooner, the client has to re-authenticate."



