Exchange 2010 ActiveSync – HTTP 500 Internal Server Error – DeviceNotProvisioned_Mbx
Since Beta 2 I have MXS2010 running on a private machine to get in touch with it. Since a couple of weeks I have MXS2010 SP1 running in my company so we can test everything in a larger environment. It’s running parallel to our MXS2003 environment and just a few Mailboxes where moved to MXS2010. Recently we had the problem that some Mobile Devices weren’t able to sync via ActiveSync. At the beginning it seemed that just Nokia Mobiles with MFE (Mail for Exchange) were affected. But today I figured out that this also happened with an Android Phone.
On the mobiles we just got an HTTP 500 (Internal Server Error). Also in the IIS-Log file I didn’t get that much information. Also just HTTP 500. But within the request I found the following information “DeviceNotProvisioned_Mbx:<MBX-Servername>.
So, provisioned where? OK, through the ECP I checked if the authenticated user account has a mobile device associated to it. But there was no association. So after a moment of thinking I remembered that I saw “something” time ago within Active Directory. Because I always use “Advanced Features” and especially “Users, Contacts, Groups, and Computers as containers” within dsa.msc I just switched to that MMC and changed to a user account where I knew that ActiveSync is working.
So first, if not already done, activate the above mentioned features (you’ll need both).
So, beyond an ActiveSync enabled user account (which already synced with a device) you’ll find a new container called “ExchangeActiveSyncDevices“. Within that container you’ll find entries for every device this user is currently syncing or synced once in the life time (unless the device was removed within ECP or so).
So, nice, but how does that help with the above error? Actually the error occurs because Exchange isn’t able to create this container. This can happen if someone played around with the Active Directory permissions (like it happened in my company BEFORE I started there, of course) 😉
So within the Properties of a user account at the Security Tab (if you can’t see that one you have so enable the “Advanced Features” within View) -> Advanced the Check Box “Include inheritable permission from this object’s parent” should be checked.
Exchange 2010 grants special permissions to the group “Exchange Servers” at the Domain Level. Actually it grants “Create/Delete msExchActiveSyncDevices objects“.
So if Exchange isn’t able to create this container beyond a user object it can’t create the device object and so now association between the mobile device and the user and finally as consequence of that no Active Sync is working J
Conclusion: Don’t mess with Active Directory Permissions unless you really know what you do (for now and for the future) J