Publishing Microsoft ActiveSync through IAG 2007 – Part 2 of 2

1. Introduction


We published the first part of this article, which had step by step details of how to configure Microsoft ActiveSync through IAG 2007. In this second part, we will cover troubleshooting the most common issues that we’ve encountered while publishing ActiveSync through IAG 2007.


2. Gathering Data


One of the most important areas that you need to be aware of in troubleshooting ActiveSync, is what data you need to collect.  As a rule of thumb the following logs should be enabled for this scenario:


2.1. IAG Trace logs


Follow the steps below to enable this log:


1. Browse to C:\Whale-Com\e-Gap\von\InternalSite\inc\

2. Modify trace_on = false to trace_on = true and save the file

3. Browse to C:\Whale-Com\e-Gap\common\conf\trace.ini

4. Go to the last line of the file and add the following lines:






5. Save the file


Tracing will now start for both WhlFilter and UserMgrCom,. These logs will be located in \whale-com\e-gap\logs and should be named *.usermgrcom*.log and *.whlfilter.*.log


2.2. Filter log


Follow the steps below to enable this log:


1. Run regedit

2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter

3. Locate the LogFlag DWORD

4. Modify the value from HEX 0 to HEX 4


In about 30 seconds logging will start and the log will be located in \whale-com\e-gap\von\conf\websites\[TrunkName]\Logs\*WhlFilter.log


Note: These logs are very verbose and fill up disk space quickly. Therefore enable these logs only for troubleshooting purposes. After you’re done gathering the data you need, it is strongly recommended to disable all of them.


3. Troubleshooting Scenarios


The environment used for this troubleshooting guide is the following one:


Figure 1 – Basic diagram.


3.1. After completing the IAG configuration by following part 1, I’m getting an error when I try to synchronize my mobile device. I enabled the logs but there is nothing in there.


If this is the first attempt to synchronize after enabling the ActiveSync Trunk and the logs are empty, most likely you are running into a certificate issue. If you enable Netmon trace on the external NIC of the IAG server you will notice the following:


TCP Handshake on port 443     TCP   TCP:Flags=......S., SrcPort=1032, DstPort=HTTPS(443), PayloadLen=0, Seq=337408, Ack=0, Win=32768 (scale factor 0) = 32768     TCP   TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=1032, PayloadLen=0, Seq=2541104422, Ack=337409, Win=16384 (scale factor 0) = 16384     TCP   TCP:Flags=...A...., SrcPort=1032, DstPort=HTTPS(443), PayloadLen=0, Seq=337409, Ack=2541104423, Win=33580 (scale factor 0) = 33580


SSL Handshake     SSL   SSL:  Client Hello.     SSL   SSL:  Server Hello. Certificate. Server Hello Done.v

- Ssl:   Server Hello. Certificate. Server Hello Done.

  - TlsRecordLayer:

     ContentType: HandShake

   - Version: TLS 1.0

      Major: 3 (0x3)

      Minor: 1 (0x1)

     Length: 1426 (0x592)

   - SSLHandshake: SSL HandShake TLS 1.0 Server Hello Done(0x0E)

      HandShakeType: ServerHello(0x02)

      Length: 70 (0x46)

    + ServerHello: 0x1

      HandShakeType: Certificate(0x0B)

      Length: 1344 (0x540)

    - Cert: 0x1

       CertOffset: 1341 (0x53D)

     - Certificates:

        CertificateLength: 1338 (0x53A)

      - X509Cert: Issuer: Denver CA,contoso,com, Subject: *

       + SequenceHeader:

       - TbsCertificate: Issuer: Denver CA,contoso,com, Subject: *

        + SequenceHeader:

        + Tag0:

        + Version: v3 (2)

        + SerialNumber: 0x612021a7000000000007

        + Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)

        + Issuer: Denver CA,contoso,com

        + Validity: From: 09/26/06 22:45:52 UTC To: 10/10/10 09:18:23 UTC

        + Subject: *

        + SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)

        + Tag3:

        + Extensions:

       + SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)

       + Signature:

      HandShakeType: Server Hello Done(0x0E)

      Length: 0 (0x0)     SSL   SSL:  Client Key Exchange. Change Cipher Spec. Encrypted Handshake Message.     SSL   SSL:  Change Cipher Spec. Encrypted Handshake Message.     TCP   TCP:Flags=...A...F, SrcPort=1032, DstPort=HTTPS(443), PayloadLen=0, Seq=337659, Ack=2541105897, Win=33580 (scale factor 0) = 33580


What happen here is that the * certificate was issued by a CA (the Denver machine) that the client (Windows Mobile) does not trust. To fix this problem follow the instructions from KB915840 to add the root CA certificate to your mobile device.


3.2. I have added the root CA certificate to my mobile device and I was able to connect and synchronize just fine. However, after working for a while, I’m now getting the message below when I try to synchronize:


Figure 2 – Error trying to synchronize


This is a very generic error, so the best approach here is to get a Netmon trace, but this time on the internal interface of the IAG server. Gather also the logs that were enabled in session 1. Let’s see the result:


From UserMgrCom log:


Authentication Request

** 25.07.08 10:05:52.257 USERMGR_SERVICE:GENERAL T5900

AuthenticateUser got [CAuthenticateUserIn:

m_repository                          = [AD]

m_user                                = [administrator]

m_password                            = [**Confidential**]

m_domain                              = [contoso]

m_param_vec                           = <EmptyField>

m_site_name                           = [activesynctrunk]

m_secure                              = [1]

m_session_id                          = [22B36058-D0B7-4A6E-A8A6-EDD7DF35E325]

m_login_type                          = [2]

m_source_ip                           = []



* at line 334, file "src/UserMgrCore.cpp".


** 25.07.08 10:05:52.257 CONFIGMGR_SERVICE:GENERAL T5900

Get the site [activesynctrunk] secure [1] info.

* at line 555, file "src/SiteContainer.cpp".


Authentication Succeed:

** 25.07.08 10:05:52.267 USERMGR_SERVICE:GENERAL T5900

Authenticate the user [administrator] domain [contoso] in the ldap server [] port [389] dn [CN=Users,DC=contoso,DC=com] type [Active Directory]

* at line 320, file "src/Ldap.cpp".


** 25.07.08 10:05:52.267 USERMGR_SERVICE:GENERAL T5900

Connect user [administrator] domain [contoso].

* at line 2178, file "src/Ldap.cpp".


** 25.07.08 10:05:52.267 USERMGR_SERVICE:GENERAL T5900

Connect with bind auth negotiate.

* at line 2209, file "src/Ldap.cpp".


** 25.07.08 10:05:52.288 USERMGR_SERVICE:GENERAL T5900

Connect success


After authentication, IAG needs to contact the Exchange Server to access the ActiveSync URL. At this point, IAG attempts to resolve the name of the Exchange server, as specified in step 6 of the previous article. If the name cannot be resolved the connection will fail, as seen below:    DNS   DNS:QueryId = 0x8442, QUERY (Standard query), Query  for of type Host Addr on class Internet    DNS   DNS:QueryId = 0x8442, QUERY (Standard query), Response - Name Error


To fix this problem enable the IAG server to resolve the name that appears in step 6 of the previous article. After fixing this problem, you should see the following traffic on the internal network:    DNS   DNS:QueryId = 0x234E, QUERY (Standard query), Query  for of type Host Addr on class Internet    DNS   DNS:QueryId = 0x234E, QUERY (Standard query), Response - Success, 49, 0    TCP   TCP:Flags=......S., SrcPort=1718, DstPort=HTTP(80), PayloadLen=0, Seq=1407512359, Ack=0, Win=32768 (scale factor 0) = 32768    TCP   TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1718, PayloadLen=0, Seq=2078452756, Ack=1407512360, Win=16384 (scale factor 0) = 16384    TCP   TCP:Flags=...A...., SrcPort=1718, DstPort=HTTP(80), PayloadLen=0, Seq=1407512360, Ack=2078452757, Win=32768 (scale factor 0) = 32768    HTTP  HTTP:Request, POST /Microsoft-Server-ActiveSync    HTTP  HTTP:Response, HTTP/1.1, Status Code = 401, URL: /Microsoft-Server-ActiveSync    TCP   TCP:[Continuation to #48]Flags=...AP..., SrcPort=HTTP(80), DstPort=1718, PayloadLen=409, Seq=2078454217 - 2078454626, Ack=1407512979, Win=64916 (scale factor 0) = 64916    HTTP  HTTP:HTTP Payload, URL: /Microsoft-Server-ActiveSync    TCP   TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=1718, PayloadLen=0, Seq=2078454626, Ack=1407512992, Win=64903 (scale factor 0) = 64903    HTTP  HTTP:Request, POST /Microsoft-Server-ActiveSync    HTTP  HTTP:Response, HTTP/1.1, Status Code = 100, URL: /Microsoft-Server-ActiveSync



5. Conclusion


This troubleshooting guide covers two common problems that might arise when configuring a Microsoft ActiveSync Trunk on IAG 2007. Although this article does not cover all possible issues and resolutions, it should give you a good overview of the troubleshooting steps, and the approach to gather and analyze data for ActiveSync publishing through IAG 2007.




Yuri Diogenes

Security Support Engineer – ISA/IAG Team

Microsoft – Texas


Dan Herzog

Security Support Engineer – IAG Team

Microsoft – Washington


Technical Reviewer

Ran Dolev

Security Consultant – IAG Team

Microsoft – Israel


Comments (4)
  1. Anonymous says:

    Guten Abend,da dieses Problem mich eine ganze Weile beschäftigte (und ebenso den von mir kontaktierten MS Support) hier die unglaublich einfache Lösung:IAG 2007 unterstützt keine NTLM Authentifizierung gegen den Exchange 2007 SP1 mit Update Rollup 5.Lösu

  2. Anonymous says:

    With the release of IAG 2007 SP2 (although this behavior can happen with any new update), we have been

  3. Anonymous says:

    A great refrence for troubleshooting ActiveSync error codes is:

  4. Anonymous says:

    132 Microsoft Team blogs searched, 59 blogs have new articles in the past 7 days. 122 new articles found

Comments are closed.

Skip to main content