When you are testing ActiveSync using the Test-ActiveSyncConnectivity cmdlet you may encounter failures.
Depending on the specific cause of the failure you may see different results. For example here is a failure at the FolderSync stage of the test.
[PS] C:>Test-ActiveSyncConnectivity
CasServer LocalSite Scenario Result Latency(MS) Error
--------- --------- -------- ------ ----------- -----
ho-ex20... HeadOffice Options Success 46.88
ho-ex20... HeadOffice FolderSync Failure [System.Net.WebException
]: The remote server ret
urned an error: (403) Fo
rbidden.
HTTP response headers:
MS-Server-ActiveSync: 14
.2
Content-Length: 1233
Cache-Control: private
Content-Type: text/html
Date: Thu, 11 Apr 2013 0
8:34:58 GMT
Server: Microsoft-IIS/7.
5
X-AspNet-Version: 2.0.50
727
X-Powered-By: ASP.NET
These failures can be caused by different ActiveSync policies within your organization.
Creating a Test CAS User
As a first step, if you are planning to use Test-ActiveSyncConnectivity you should create a CAS test user using the supplied script from Microsoft. On a mailbox server in your organization open the Exchange Management Shell and navigate to the Exchange scripts folder.
[PS] C:>cd $exscripts [PS] C:Program FilesMicrosoftExchange ServerV14scripts>
Run the following script. By default it will create the user in the “Users” OU in Active Directory. If you have more than one OU named “Users” you should manually specify a different OU, or specify the exact path to the OU you want to use.
.new-TestCasConnectivityUser.ps1 -ou "Service Accounts" Please enter a temporary secure password for creating test users. For security purposes, the password will be changed regularly and automatically by the system if SCOM is installed. The password must be changed manually if SCOM is not installed. Enter password: *********** Create test user on: HO-EX2010-MB1.exchangeserverpro.net Click CTRL+Break to quit or click Enter to continue.: UserPrincipalName: extest_0bcca07661e94@exchangeserverpro.net
Take note of that generated username, eg extest_0bcca07661e94, as you’ll be using it again for the steps below.
Identifying the ActiveSync Device Access State
After a failed Test-ActiveSyncConnectivity test take a look at the ActiveSync device associated with the test user.
If you don’t know the test user account name, run the following command.
[PS] C:>Get-ActiveSyncDevice | where {$_.userdisplayname -match "extest"} | select user*,device* | fl
If you do know the exact username, run this command instead.
[PS] C:>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl
You should see a result similar to this.
UserDisplayName : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94 DeviceId : 704294541 DeviceImei : DeviceMobileOperator : DeviceOS : DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : TestActiveSyncConnectivity DeviceUserAgent : TestActiveSyncConnectivity DeviceModel : TestActiveSyncConnectivity DeviceAccessState : Blocked DeviceAccessStateReason : Policy DeviceAccessControlRule : DeviceActiveSyncVersion : 12.0
The items of interest at this point are the device access state and the reason. You will likely see a state of “Blocked” or “Quarantined”, each of which requires a different approach. In fact you may encounter both (after solving the first the second will appear) depending on your organization’s policies.
Resolving Blocked Device Access State for Test CAS User
For a device that has been blocked with a reason of “Policy”, the likely issue is the ActiveSync mailbox policy associated with the mailbox is too strict for the capabilities of the Test-ActiveSyncConnectivity cmdlet.
To resolve this, configure an ActiveSync mailbox policy that allows non-provisionable devices with no password requirement.
Assign that ActiveSync mailbox policy to the test account.
Set-CasMailbox extest_0bcca07661e94 -ActiveSyncMailboxPolicy 'Connectivity Test Only'
Depending on your environment there may be some delay before this takes effect. After running Test-ActiveSyncConnectivity again you should see a successful test result.
[PS] C:>Test-ActiveSyncConnectivity CasServer LocalSite Scenario Result Latency(MS) Error --------- --------- -------- ------ ----------- ----- ho-ex20... HeadOffice Options Success 46.88 ho-ex20... HeadOffice FolderSync Success 1656.27 ho-ex20... HeadOffice First Sync Success 156.25 ho-ex20... HeadOffice GetItemEstimate Success 78.13 ho-ex20... HeadOffice Sync Data Success 46.88 ho-ex20... HeadOffice Ping Success 2468.70 ho-ex20... HeadOffice Sync Test Item Success 171.87
Resolving Quarantined Device Access State Due to Organization Policy
If you have a the default access level for ActiveSync in your organization set to “Quarantine” you may see a different result from Test-ActiveSyncConnectivity.
[PS] C:>Test-ActiveSyncConnectivity CasServer LocalSite Scenario Result Latency(MS) Error --------- --------- -------- ------ ----------- ----- ho-ex20... HeadOffice Options Success 46.88 ho-ex20... HeadOffice FolderSync Success 843.75 ho-ex20... HeadOffice First Sync Success 62.50 ho-ex20... HeadOffice GetItemEstimate Success 31.25 ho-ex20... HeadOffice Sync Data Success 46.88 ho-ex20... HeadOffice Ping Success 46.88 ho-ex20... HeadOffice Sync Test Item Failure Syntax error in serve... [PS] C:>Test-ActiveSyncConnectivity CasServer LocalSite Scenario Result Latency(MS) Error --------- --------- -------- ------ ----------- ----- ho-ex20... HeadOffice Options Success 15.62 ho-ex20... HeadOffice FolderSync Success 109.37 ho-ex20... HeadOffice First Sync Success 62.50 ho-ex20... HeadOffice GetItemEstimate Success 15.62 ho-ex20... HeadOffice Sync Data Success 46.87 ho-ex20... HeadOffice Ping Failure Exchange ActiveSync c...
Look at the ActiveSync devices for the test mailbox, and you will likely see that the device has been quarantined.
[PS] C:>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl UserDisplayName : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94 DeviceId : 704294541 DeviceImei : DeviceMobileOperator : DeviceOS : DeviceOSLanguage : DeviceTelephoneNumber : DeviceType : TestActiveSyncConnectivity DeviceUserAgent : TestActiveSyncConnectivity DeviceModel : TestActiveSyncConnectivity DeviceAccessState : Quarantined DeviceAccessStateReason : Global DeviceAccessControlRule : DeviceActiveSyncVersion : 12.0
Before addressing this, you should first review the existing allowed device IDs for the test user.
[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs
ActiveSyncAllowedDeviceIDs
--------------------------
{}
If there are no device IDs already specified, add the device ID that you discovered above as an allowed device ID for the test user.
[PS] C:>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs "704294541"
[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs
ActiveSyncAllowedDeviceIDs : {704294541}
If there were already device IDs allowed a slightly different approach is taken. Each server or management workstation that you run the Test-ActiveSyncConnectivity cmdlet from will have a different device ID. Over time you may need to allow multiple device IDs.
To append a new device ID to the existing list run the following command instead.
[PS] C:>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs @{add="1560598775"}
[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs
ActiveSyncAllowedDeviceIDs : {1560598775, 704294541}
Test-ActiveSyncConnectivity should now run successfully.
[PS] C:>Test-ActiveSyncConnectivity CasServer LocalSite Scenario Result Latency(MS) Error --------- --------- -------- ------ ----------- ----- ho-ex20... HeadOffice Options Success 31.25 ho-ex20... HeadOffice FolderSync Success 109.37 ho-ex20... HeadOffice First Sync Success 46.87 ho-ex20... HeadOffice GetItemEstimate Success 31.25 ho-ex20... HeadOffice Sync Data Success 78.12 ho-ex20... HeadOffice Ping Success 2062.47 ho-ex20... HeadOffice Sync Test Item Success 31.25
I’ve came across the same issue. However it says for me when I ran “Test-ActiveSyncConnectivity” that: “Could not find or sign in with user DOMAIN\extest_XXXXXXXXX. If this task is being run without credentials, sign in as a Domain Administrator, and then run Scripts\new-TestCasConnectivityUser.ps1 to verify that the user exists on Mailbox server ”
I have checked the user and it was locked in the AD. Unlocked it, and the test immediately started to work, could find the ActiveSyncDevice as well.
I hope it helps someone.
Is it supported to run against exchange 2016 or 2019?
I have an issue with the extest_ account as it it getting locked out every few hours, the lockout source are the exchange servers, I have collected information and I see a few logon failures with event id 4625
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x8ae4
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: XSserver
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
But I havent found the reason of the lockouts, any feedback?
Hello Paul,
We are looking to clear up the stale active sync devices
so one user called test as mention in your article. is it safe to remove that account device also. as last success sync was 2 year ago
Please suggest
Thanks for the article, I had a different issue when I run “Test-ActiveSyncConnectivity”
“Warning: Test user “extest_xxxxxxxx” was not accessible, so this cmdlet won’t be able to test client access server connectivity”
from the script folder ran the command to create a new test account – “Creating a Test CAS User” from this article.
This enabled back the existing account which was showing up in warning & the test of ActiveSyncConnectivty went through smoothly..
Thank Paul, your blogs regarding Exchange helped me a lot. Especially this article which talks exactly about the issue I was having about the FolderSync. Thanks again
I am getting the same a Valentin as well. Did anyone ever figure out what causes this?
I’m getting the same error as Valentin
Hello,
Something strange appeared for me.
After following the guide the issue with folder sync error was resolved but another error appeared.
The test is running against 12 CAS servers from one workstation only.
The activesync devices were allowed but the test is failing on 4 from the 12 CASes. And this 4 CASes IDs are changing. The error:
ScenarioDescription : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version.
PerformanceCounterName : DirectPush Latency
Result : Failure
Error : The OPTIONS command returned HTTP 200, but the Exchange ActiveSync header (MS-Server-ActiveSync) wasn’t returned. The request likely did not reach a Client Access serv
, either because
– A proxy server intervened (check the headers below for any that may have been returned by a proxy)
-The virtual directory could not be reached: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync
– The virtual directory does not point to a Client Access server: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync
HTTP response headers:
Allow: OPTIONS, TRACE, GET, HEAD, POST
Public: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0
Date: Wed, 16 Oct 2013 09:21:21 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
In 30minutes start working for the same server but have the error for other – always following the pattern 4 failures from 12 🙂
Thanks for the article Paul. I’m troubleshooting the following event that has started appearing in one of my CAS servers since Friday.
1040 Warning MSExchange ActiveSync
The average of the most recent heartbeat intervals [494] for request [Sync] used by clients is less than or equal to [540].
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.
For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”
I have asked one of the guys to check TMG firewall rules to see if increasing the time out helps.
After applying the TestOnly EAS Policy to the exchange test account, Test-ActiveSyncConnectivity works like a charm
Test-ActiveSyncConnectivity
CasServer LocalSite Scenario Result Latency(MS) Error
——— ——— ——– —— ———– —–
cas… HQ Options Success 15.60
cas… HQ FolderSync Success 93.60
cas… HQ First Sync Success 46.80
cas… HQ GetItemEstimate Success 31.20
cas… HQ Sync Data Success 78.00
cas… HQ Ping Success 2070.06
cas… HQ Sync Test Item Success 62.40
I know its just a warning but you think I should worry if this event does not go away? Thanks!
Hello,
I encountered a similar error 403 because my “extest…” account had reached the maximum number of ActiveSync devices authorized by the default throttling policy (10 devices).
I deleted some ActiveSync Devices for my test account.
And now it works fine.
The Real Person!
The Real Person!
Interesting. I suppose that would happen if you were running the test cmdlet from a bunch of different computers/servers…
this was the case for me. one of my exec users had this problem due partnership limiit. thank you.
Pingback: Test-ActiveSyncConnectivity – Cmdelts de Testeo 13/32. - CiudadanoZero