Troubleshooting 0x85010004 for Exchange 2003 and Windows Mobile 5

Troubleshooting 0x85010004 for Exchange 2003 and Windows Mobile 5

This is not a very interesting issue for the “masses.” I’m posting this in the hope that someone else will find it later and be spared some time troubleshooting.

Here was the scenario:

  • Server: SBS 2003 Standard SP1, Exchange 2003 SP2
  • Don and Jorge have WM5 phones
  • Don had absolutely no problem synchronizing his phone with Exchange.
  • Jorge cannot sync either over the air or while cabled to a laptop. We had tried with three different WM5 devices (Treo 700w, Motorola Q, XV6700) over the air and while cradled from two completely separate remote locations. We had tried using both ActiveSync 4.5 on XP and the Mobile Device Center on Vista.
  • Server is using a GoDaddy SSL certificate. SSL settings on the server had been triple-checked, and as noted above Don could sync without difficulty (on two different devices, no less).
  • Jorge was able to get to log into OWA and see his mail from the WM5 device.
  • David – a domain admin account being used for test purposes – was unable to sync from one of the same devices successfully synched for Don.
  • Mabel – another (non-domain-admin) account also used for test purposes  – was also unable to sync from that device.

The error on the server when trying to sync was:

Log: Application
Type: Error
Event: 3005
Time: Oct 2 2007 5:44PM
Source: Server ActiveSync
Category: None
Username: jorge
Computer: SERVER
Description: Unexpected Exchange mailbox Server error: Server: [server.internaldomain.com] User: [jorge@externaldomain.com] HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.

The error on the device when trying to sync was:

Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings. Contact your Exchange Server administrator. Support code: 0x85010004.

I checked Jorge’s Exchange Features in Active Directory and all are enabled. Jorge is in the same AD OU and same security groups as Don.

Unfortunately, these error messages are rather non-specific. I went through dozens of pages found via Google searches. Most suggested that the problem was related to SSL certificates, host headers, firewall settings, and other issues that turned out not to be the cause.

Fortunately, I am a Microsoft Small Business Specialist, and that entitles me to free support from Microsoft engineers in Shanghai through a managed newsgroup. I posted my problem there, and got this thorough troubleshooting checklist:

Step one:
Please install the hotfix below to see if it helps:
Error message when you try to synchronize a Windows Mobile 5.0-based device in Exchange Server 2003: “0x85010004”
http://support.microsoft.com/kb/919864/en-us
 
Step two:
This issue can be caused if you have a Firewall and not allowed a rule on the Firewall for Microsoft-Server-ActiveSync. So I would like to check if you have run the CEICW Wizard. Please open Server Management console, navigate to ‘To Do List’ and click ‘Connect to the internet’ in the right panel. The wizard can help us configure the networking settings for a SBS server. It automatically creates the ISA rules for internet access and site publishing. It’s strongly recommended to use the wizard to configure the SBS server. More info:
825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763
XCSI/PRE/E2K3/Unable to synchronize with Exchange server using Active Sync
http://support.microsoft.com/default.aspx?scid=kb;EN-US;924216

Step three:
Please checked the properties of Microsoft-Server-ActiveSync, is the
Directory Security properties for IP Address and Domain Name Restrictions
configured as ” DENIED ACCESS”? To check it:
1. Open IIS.
2. Expand Web Sites -> Default Web Site.
3. Open the Properties page of Microsoft-Server-ActiveSync.
4. In Directory Security tab, click Edit under “IP address and domain name
restrictions”.
5. Make sure that you configured as Granted access.

Step four:
Please check the following IIS settings:

For Exchange/Exchange-oma virtual directory:
1. Open IIS Manager
2. Open properties of virtual directory Exchange/Exchange-oma
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the authentication setting as below:
Authentication Methods
Enabled Basic authentication
Enabled Integrated Windows authentication
Disabled anonymous access

For OMA virtual directory and Microsoft-Server-ActiveSync virtual directory:
1. Open IIS Manager
2. Open properties of OMA virtual directory and Microsoft-Server-ActiveSync virtual directory respectively.
3. Select Directory Security tab
4. Select Edit in Authentication and access control box. Make sure the
authentication setting as below:
Authentication Methods
Uncheck Enable anonymous access
Uncheck Integrated Windows authentication
Check Basic authentication

Of all the items that were listed here, the only ones that were off on my server were that the hotfix had not been installed and that anonymous access on Exchange-oma was not disabled. I made both of these changes, and I am 99% sure that it was the Exchange-oma change that finally solved the problem.

Posted in All, Exchange, SBS, Software, Technology, Windows Mobile + PPC on Oct 4th, 2007, 7:16 am by David Schrag   

11 Responses

  1. October 16th, 2007 | 8:02 pm

    David,
    I’m having this EXACT problem, but in my case I’m a minoan in my company trying to convince my company’s Exchange support team there’s a problem on the server. I’m not entirely sure it’s a server-side problem, but your post almost has me convinced. Any idea why this only affect some users and not others? That’s the part about your post I’m not clear on.

    My story is this:

    * ~6 months ago I had a T-Mobile SDA WM5 happily synching over the air with my company’s Exchange server. No problems
    * Soon after the T-Mobile Dash on WM5 was released I bought that, and like above, was happily synching. No problems.
    * Soon after T-Mobile offered a free upgrade to WM6 for the Dash and I took it. I was happily synching. No problems.
    * All this time coworkers with other WM devices (Sprint PocketPC KJam equivalent, MotoQ, BlackJack, etc. all running v5 and a few other Dash devices running WM6) are happily synching
    * ~2 months ago my company roles out some Exchange security policy that requires a passcode to unlock your device after it’s been locked by the user. I’m not sure what this is called, but it’s a server side feature that gets propagated down to the device. It’s annoying, but no problems.
    * Last weekend, I smashed the screen on my Dash 🙁 It’s dead and gone
    * I brought back my T-Mobile SDA WM5 and try to synch and expecting it to work flawlessly and immediately I get: “Your account in Microsoft Exchange does not have permission to synchronize with your current settings. Contact your Exchange Server administrator. Support Code:8501004”

    I’ve reset my factory settings multiple times, twiddled with my device certs, etc. and tried various rapiconfig.exe things I’ve read on google and I can’t seem to get passed this. My Exchange support team is telling me I have an expired cert, but they’re not being much more specific than that. My problem is exactly what you’re describing.

    My gut tells me I’ve ran across a server side problem, but I’m not 1000% sold since I don’t understand the randomness of this – why me and not others?

    Any info you could provide would be greatly appreciated.

    Thanks -kelly

  2. October 16th, 2007 | 8:41 pm

    Microsoft could not explain this part, and unfortunately the error code does not seem to be much help in terms of pointing to the root cause. All the research I did, like yours, pointed to a certificate problem. The only thing I can suggest is that you show my blog entry to your Exchange team and have them run through the checklist that the Microsoft tech gave me. Good luck!

  3. brad44
    February 22nd, 2008 | 5:55 pm

    David,

    I have a problem with WM5 and exchange OTA sync.

    I can make the connection with the exchange server, however, emails arn’t pushed to me. My co worker had the same hardware and his worked fine, notice the past tense, he did a hard reset on the handheld and now his isn’t working.

    Our exchange is hosted off site at an ISP so our Exchange settings are identical. The difference between the two was the send and receive in outlook on the handheld was greyed out on the working device and not on the other.

    Any Ideas?

    Brad

  4. Norman Turner
    October 7th, 2008 | 4:22 am

    Many thanks for this the step 4 solved the problem
    best regards norman

  5. October 9th, 2008 | 5:16 pm

    Thanks for the fix, unfortunately I only got one step closer but not close enough to drop emails onto my client’s Moto Q. Step 3 got me past the original error listed in this dialog. Now it gives me ‘ActiveSync encountered a problem on the server’ Support Code 0x85010014.

    Any thoughts on this?

  6. Bas
    October 25th, 2008 | 6:57 am

    You are the MAN! Me and my Admin have been fiddling for weeks! THANK YOU!

  7. Alexei Apalkov
    June 20th, 2009 | 8:33 am

    David:

    Thanks a lot for this article. I’ve spent a lot of time to fix the same issue. Finally, I found your advice and everything is working now.

    Regards,

    Alexei

  8. Eric
    June 10th, 2010 | 7:50 am

    Tahnks for your hint.

    Changing the Exchange-Oma access settings solved my problem.

    Regards,
    Eric

  9. Alex
    September 15th, 2010 | 11:28 am

    Grand article – Step 4 worked for me.

    Cheers for sharing 🙂

  10. ch4ron
    October 17th, 2012 | 10:02 am

    We had exactly the same problem with some of our phones (like lumia 610).

    Disabling anonymous access on exchange-oma directory helped.

  11. Andy Simpson
    October 20th, 2012 | 6:44 am

    Thank you
    Thank you
    Thank you

Leave a reply