When you are testing ActiveSync using the Test-ActiveSyncConnectivity cmdlet you may encounter failures.

Depending on the specific cause of the failure you may see different results. For example here is a failure at the FolderSync stage of the test.

[PS] C:>Test-ActiveSyncConnectivity

CasServer     LocalSite     Scenario        Result  Latency(MS) Error
---------     ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Failure             [System.Net.WebException
                                                             ]: The remote server ret
                                                             urned an error: (403) Fo
                                                             rbidden.

                                                             HTTP response headers:

                                                             MS-Server-ActiveSync: 14
                                                             .2
                                                             Content-Length: 1233
                                                             Cache-Control: private
                                                             Content-Type: text/html
                                                             Date: Thu, 11 Apr 2013 0
                                                             8:34:58 GMT
                                                             Server: Microsoft-IIS/7.
                                                             5
                                                             X-AspNet-Version: 2.0.50
                                                             727
                                                             X-Powered-By: ASP.NET

These failures can be caused by different ActiveSync policies within your organization.

Creating a Test CAS User

As a first step, if you are planning to use Test-ActiveSyncConnectivity you should create a CAS test user using the supplied script from Microsoft. On a mailbox server in your organization open the Exchange Management Shell and navigate to the Exchange scripts folder.

 
[PS] C:>cd $exscripts
[PS] C:Program FilesMicrosoftExchange ServerV14scripts>

Run the following script. By default it will create the user in the “Users” OU in Active Directory. If you have more than one OU named “Users” you should manually specify a different OU, or specify the exact path to the OU you want to use.

.new-TestCasConnectivityUser.ps1 -ou "Service Accounts"

Please enter a temporary secure password for creating test users. For security
purposes, the password will be changed regularly and automatically by the system
if SCOM is installed. The password must be changed manually if SCOM is not installed.
Enter password: ***********
Create test user on: HO-EX2010-MB1.exchangeserverpro.net
Click CTRL+Break to quit or click Enter to continue.:
UserPrincipalName: extest_0bcca07661e94@exchangeserverpro.net

Take note of that generated username, eg extest_0bcca07661e94, as you’ll be using it again for the steps below.

Identifying the ActiveSync Device Access State

After a failed Test-ActiveSyncConnectivity test take a look at the ActiveSync device associated with the test user.

If you don’t know the test user account name, run the following command.

[PS] C:>Get-ActiveSyncDevice | where {$_.userdisplayname -match "extest"} | select user*,device* | fl

If you do know the exact username, run this command instead.

[PS] C:>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl

You should see a result similar to this.

UserDisplayName         : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94
DeviceId                : 704294541
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                :
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : TestActiveSyncConnectivity
DeviceUserAgent         : TestActiveSyncConnectivity
DeviceModel             : TestActiveSyncConnectivity
DeviceAccessState       : Blocked
DeviceAccessStateReason : Policy
DeviceAccessControlRule :
DeviceActiveSyncVersion : 12.0

The items of interest at this point are the device access state and the reason. You will likely see a state of “Blocked” or “Quarantined”, each of which requires a different approach. In fact you may encounter both (after solving the first the second will appear) depending on your organization’s policies.

Resolving Blocked Device Access State for Test CAS User

For a device that has been blocked with a reason of “Policy”, the likely issue is the ActiveSync mailbox policy associated with the mailbox is too strict for the capabilities of the Test-ActiveSyncConnectivity cmdlet.

To resolve this, configure an ActiveSync mailbox policy that allows non-provisionable devices with no password requirement.

exchange-test-activesync-mailbox-policy

Assign that ActiveSync mailbox policy to the test account.

Set-CasMailbox extest_0bcca07661e94 -ActiveSyncMailboxPolicy 'Connectivity Test Only'

Depending on your environment there may be some delay before this takes effect. After running Test-ActiveSyncConnectivity again you should see a successful test result.

[PS] C:>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Success     1656.27
ho-ex20... HeadOffice    First Sync      Success      156.25
ho-ex20... HeadOffice    GetItemEstimate Success       78.13
ho-ex20... HeadOffice    Sync Data       Success       46.88
ho-ex20... HeadOffice    Ping            Success     2468.70
ho-ex20... HeadOffice    Sync Test Item  Success      171.87

Resolving Quarantined Device Access State Due to Organization Policy

If you have a the default access level for ActiveSync in your organization set to “Quarantine” you may see a different result from Test-ActiveSyncConnectivity.

[PS] C:>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       46.88
ho-ex20... HeadOffice    FolderSync      Success      843.75
ho-ex20... HeadOffice    First Sync      Success       62.50
ho-ex20... HeadOffice    GetItemEstimate Success       31.25
ho-ex20... HeadOffice    Sync Data       Success       46.88
ho-ex20... HeadOffice    Ping            Success       46.88
ho-ex20... HeadOffice    Sync Test Item  Failure             Syntax error in serve...

[PS] C:>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       15.62
ho-ex20... HeadOffice    FolderSync      Success      109.37
ho-ex20... HeadOffice    First Sync      Success       62.50
ho-ex20... HeadOffice    GetItemEstimate Success       15.62
ho-ex20... HeadOffice    Sync Data       Success       46.87
ho-ex20... HeadOffice    Ping            Failure             Exchange ActiveSync c...

Look at the ActiveSync devices for the test mailbox, and you will likely see that the device has been quarantined.

[PS] C:>Get-ActiveSyncDevice -Mailbox extest_0bcca07661e94 | select user*,device* | fl


UserDisplayName         : exchangeserverpro.net/Service Accounts/extest_0bcca07661e94
DeviceId                : 704294541
DeviceImei              :
DeviceMobileOperator    :
DeviceOS                :
DeviceOSLanguage        :
DeviceTelephoneNumber   :
DeviceType              : TestActiveSyncConnectivity
DeviceUserAgent         : TestActiveSyncConnectivity
DeviceModel             : TestActiveSyncConnectivity
DeviceAccessState       : Quarantined
DeviceAccessStateReason : Global
DeviceAccessControlRule :
DeviceActiveSyncVersion : 12.0

Before addressing this, you should first review the existing allowed device IDs for the test user.

[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs
--------------------------
{}

If there are no device IDs already specified, add the device ID that you discovered above as an allowed device ID for the test user.

[PS] C:>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs "704294541"

[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs         : {704294541}

If there were already device IDs allowed a slightly different approach is taken. Each server or management workstation that you run the Test-ActiveSyncConnectivity cmdlet from will have a different device ID. Over time you may need to allow multiple device IDs.

To append a new device ID to the existing list run the following command instead.

[PS] C:>Set-CASMailbox extest_0bcca07661e94 -ActiveSyncAllowedDeviceIDs @{add="1560598775"}

[PS] C:>Get-CASMailbox extest_0bcca07661e94 | select ActiveSyncAllowedDeviceIDs

ActiveSyncAllowedDeviceIDs         : {1560598775, 704294541}

Test-ActiveSyncConnectivity should now run successfully.

[PS] C:>Test-ActiveSyncConnectivity

CasServer  LocalSite     Scenario        Result  Latency(MS) Error
---------  ---------     --------        ------  ----------- -----
ho-ex20... HeadOffice    Options         Success       31.25
ho-ex20... HeadOffice    FolderSync      Success      109.37
ho-ex20... HeadOffice    First Sync      Success       46.87
ho-ex20... HeadOffice    GetItemEstimate Success       31.25
ho-ex20... HeadOffice    Sync Data       Success       78.12
ho-ex20... HeadOffice    Ping            Success     2062.47
ho-ex20... HeadOffice    Sync Test Item  Success       31.25

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Csabulator

    I’ve came across the same issue. However it says for me when I ran “Test-ActiveSyncConnectivity” that: “Could not find or sign in with user DOMAIN\extest_XXXXXXXXX. If this task is being run without credentials, sign in as a Domain Administrator, and then run Scripts\new-TestCasConnectivityUser.ps1 to verify that the user exists on Mailbox server ”

    I have checked the user and it was locked in the AD. Unlocked it, and the test immediately started to work, could find the ActiveSyncDevice as well.

    I hope it helps someone.

    1. mohamed

      Is it supported to run against exchange 2016 or 2019?

  2. Jesus Marin

    I have an issue with the extest_ account as it it getting locked out every few hours, the lockout source are the exchange servers, I have collected information and I see a few logon failures with event id 4625

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

    Process Information:
    Caller Process ID: 0x8ae4
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

    Network Information:
    Workstation Name: XSserver
    Source Network Address: –
    Source Port: –

    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: –
    Package Name (NTLM only): –
    Key Length: 0

    But I havent found the reason of the lockouts, any feedback?

  3. Navneet

    Hello Paul,

    We are looking to clear up the stale active sync devices
    so one user called test as mention in your article. is it safe to remove that account device also. as last success sync was 2 year ago

    Please suggest

  4. Rekha Joshi

    Thanks for the article, I had a different issue when I run “Test-ActiveSyncConnectivity”
    “Warning: Test user “extest_xxxxxxxx” was not accessible, so this cmdlet won’t be able to test client access server connectivity”

    from the script folder ran the command to create a new test account – “Creating a Test CAS User” from this article.
    This enabled back the existing account which was showing up in warning & the test of ActiveSyncConnectivty went through smoothly..

  5. Glen

    Thank Paul, your blogs regarding Exchange helped me a lot. Especially this article which talks exactly about the issue I was having about the FolderSync. Thanks again

  6. Chuck

    I am getting the same a Valentin as well. Did anyone ever figure out what causes this?

  7. Pete Rod

    I’m getting the same error as Valentin

  8. Valentin

    Hello,

    Something strange appeared for me.
    After following the guide the issue with folder sync error was resolved but another error appeared.
    The test is running against 12 CAS servers from one workstation only.
    The activesync devices were allowed but the test is failing on 4 from the 12 CASes. And this 4 CASes IDs are changing. The error:

    ScenarioDescription : Issue an HTTP OPTIONS command to retrieve the Exchange ActiveSync protocol version.
    PerformanceCounterName : DirectPush Latency
    Result : Failure
    Error : The OPTIONS command returned HTTP 200, but the Exchange ActiveSync header (MS-Server-ActiveSync) wasn’t returned. The request likely did not reach a Client Access serv
    , either because

    – A proxy server intervened (check the headers below for any that may have been returned by a proxy)

    -The virtual directory could not be reached: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync

    – The virtual directory does not point to a Client Access server: https://XXXXX.XXXX.XXX/Microsoft-Server-ActiveSync

    HTTP response headers:

    Allow: OPTIONS, TRACE, GET, HEAD, POST
    Public: OPTIONS, TRACE, GET, HEAD, POST
    Content-Length: 0
    Date: Wed, 16 Oct 2013 09:21:21 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET

    In 30minutes start working for the same server but have the error for other – always following the pattern 4 failures from 12 🙂

  9. Carol Ostos

    Thanks for the article Paul. I’m troubleshooting the following event that has started appearing in one of my CAS servers since Friday.

    1040 Warning MSExchange ActiveSync

    The average of the most recent heartbeat intervals [494] for request [Sync] used by clients is less than or equal to [540].
    Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

    For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”

    I have asked one of the guys to check TMG firewall rules to see if increasing the time out helps.

    After applying the TestOnly EAS Policy to the exchange test account, Test-ActiveSyncConnectivity works like a charm

    Test-ActiveSyncConnectivity

    CasServer LocalSite Scenario Result Latency(MS) Error
    ——— ——— ——– —— ———– —–
    cas… HQ Options Success 15.60
    cas… HQ FolderSync Success 93.60
    cas… HQ First Sync Success 46.80
    cas… HQ GetItemEstimate Success 31.20
    cas… HQ Sync Data Success 78.00
    cas… HQ Ping Success 2070.06
    cas… HQ Sync Test Item Success 62.40

    I know its just a warning but you think I should worry if this event does not go away? Thanks!

  10. Seb

    Hello,

    I encountered a similar error 403 because my “extest…” account had reached the maximum number of ActiveSync devices authorized by the default throttling policy (10 devices).

    I deleted some ActiveSync Devices for my test account.

    And now it works fine.

    1. Rodney Turner

      this was the case for me. one of my exec users had this problem due partnership limiit. thank you.

Leave a Reply