James pointed out in a previous thread:"Mobile devices (active sync) only work when listener authentication is set to Basic (with basic delegation) on ISA"I have an ISA 2006 server sitting in front of my CAS Farm and cannot for the life of me figure out how to get AutoDiscovery working without breaking activesync. Our ISA Active sync rule uses a listener with HTML Form and AD authentication. Active Sync is working great . Autodiscovery from an Active sync device is broke.If I add an external redirect to the virtual directory on my CAS servers that are in the same site as ISA... then AutoDiscovery works but Active sync breaks.I'm starting to think I just need to create a new ISA listener just for Active sync and/or Autodiscovery. Anyone that can help me out here, I'd sure appreciate it.edit: Autodiscovery for RCP/HTTP (Outlook Anywhere works fine). Only Active Sync Autodiscovery is broke.

Mobile phones can only use Basic clear text HTTP auth. so your Listener must alow clients to use it.If you set ISA Listener to FBA auth mobile devices should work, since ISA is smart enough to fall back to Basic auth when the client is not a browser as the mobile device is.I understand that ISA is using basic auth delegation, how is the autodiscover directory on CAS configured?have you configured external URL for activesync on CAS?have you tried the https://www.testexchangeconnectivity.com/? lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com

To set up a second web listener with basic authentication is for ISA 2004, ISA 2006 has the ability to failback from forms-based authentication to Basic authentication as Lasse said, which is one of the new features in the ISA 2006 When ISA Server needs to authenticate a client, including a mobile client, in a Web publishing scenario and the Web listener is configured to use the FBA with AD, FBA with LDAP, or FBA with RADIUS authentication scheme, ISA Server reads the User-Agent header in the Hypertext Transfer Protocol (HTTP) GET request. ISA Server then finds the first User-Agent mapping defined in the list that matches the User-Agent header. Note that the last User-Agent mapping in the list is a default mapping that specifies Basic authentication as a fallback authentication method. ---------Refer to <Managing User-Agent Mappings> Check info: 1. I saw that you have FBA + AD on the listener, and the ActiveSync is working without AutoDiscover, right? 2. Whats the version of the windows mobile, 6.1 or 6.5? 3. Have you configured Autodiscover Settings for ActiveSync before? 4. Please try to use the link from Lasse for testing Resources: Authentication in ISA Server 2006 Understanding Exchange ActiveSync Autodiscover How to Configure Exchange ActiveSync Autodiscover Settings

Thanks for the fast replies guys. I'll elaborate more on my configuration.2 AD Sites with Exchange 20071 Legacy 2003 server still hanging around partially decomishioned (ie.. all mailboxes and pub folder replicas have been moved).Site A has the ISA, 2 CAS/HUB, and a 2 node CCR Cluster. Site B has 2 CAS/HUB and 2 node CCR Cluster.No servers have Edge or UM roles.All the CAS.Hub Servers presently have no external URL configured on the ActiveSync Virtual Dirs. I found that to make proxying to the second site work, I could only put the External URL on CAS1(SiteA). I left ExternalUrl blank onthe CAS Servers in SiteB. With this configuration, AutoDiscovery worked fine for ActiveSync, however we had alot of issues with frequent disconnects from the users.I did some reading and it's my understanding that when ISA hands off an Active snyc request to Exchange in its own site (SiteA in my case) that it makes a determination who the Best CAS server is to take the request. Then if the Best Server has an external URL defined, it causes issues.So that led me to removing all External URLs on the ActiveSync Virtual Dirs on the CAS servers. When I did this and restarted IIS, I immediately saw a big improvment with Active Sync reliability and performance. It was working for everyone. To answer James on Mobile Ver, we have every device possible I think. (New Palm, iPhones, New Moto-Q, Old Moto-Q, and probably a few others).As for the testexchangeconnectivty site, that is what I have used for a couple months for almost all testing since I dont have "one" of every device we have int he field. When I run the tests, I find that Autodiscovery actually still works for RPC/Outlook Anywhere. But it fails miserably on ActiveSync. ACtiveSync itself when tested without Autodiscovery passes with flying colors.As for ISA configuration:note: CAS Farm has only the 2 CAS servers in the Same site as ISAnote: All Exchange Rules use the same Listener with is the CAS Farmnote:The Cas Farm Listener is configured to use HTML FBA / AD authentication using a single Cert from Entrust ( I can gladly set up a test account for OWA if someone wants to take a look at the Cert). Also, Single Sign On is enabled on the listener.Rule 1 (top of list) - ActiveSync Web Publishing Rule, Only path is "/Microsoft-Server-ActiveSync/*"Rule 2 NetbiosRule 3 Outlook Anywhere Publishing Rule.Rule 3 paths:/unifiedmessaging/*/rpc/*/OAB/*/ews/*/AutoDiscover/*Rule 4 A Deny for OWA redirectRule 5 OWA Publishing Rule set with appropriate OWA Paths. (Btw.. OWA works fine)Another note from my testing: If I browse to the XML file (https://autodiscover.MYCOMPANY.com/AutoDiscover/AutoDiscover.xml ) I get the ISA Form based login page and if I log in, I can view the XML file. Which Appears to be ok. <?xml version="1.0" encoding="utf-8" ?> - <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> - <Response> - <Error Time="06:51:51.1920517" Id="3046467086"> <ErrorCode>600</ErrorCode> <Message>Invalid Request</Message> <DebugData /> </Error> </Response> </Autodiscover> Hope this information is useful and you guys can help me get going in the right direction. The fact that Autodiscover is only broke for the ActiveSync devices is really not that huge of an issue, but I would really like to get it fixed since it does make like alot easier for my sales force.thanks very much for your help.

Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.lkqcorp.com/AutoDiscover/AutoDiscover.xml for user rawatkins@lkqcorp.com Failed to obtain AutoDiscover XML response. Additional Details No Settings, Error, or Redirect element present in XML response Attempting to contact the AutoDiscover service using the HTTP redirect method. Attempting to test potential AutoDiscover URL https://autodiscover.lkqcorp.com/Autodiscover/Autodiscover.xml Failed testing this potential AutoDiscover URL Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.lkqcorp.com/Autodiscover/Autodiscover.xml for user rawatkins@lkqcorp.com Failed to obtain AutoDiscover XML response. Additional Details Attempting to contact the AutoDiscover service using the DNS SRV redirect method. Failed to contact AutoDiscover using the DNS SRV redirect method. Test Steps Attempting to locate SRV record _autodiscover._tcp.lkqcorp.com in DNS. Failed to find AutoDiscover SRV record in DNS.

1. Quote: Site A has the ISA So, site A is the one that face the Internet, and site B isnt Internet-facing, right? 2. Quote: we had alot of issues with frequent disconnects from the users Do problematic users all locate in the site B? Which rollup has been applied on the exchange servers? The exchange previous than rollup 4 has Autodiscover ActiveSync issue for site that dont have ExternalURL property set (KB 952152) 3. Quote: When I run the tests, I find that Autodiscovery actually still works for RPC/Outlook Anywhere. But it fails miserably on ActiveSync. ACtiveSync itself when tested without Autodiscovery passes with flying colors. Then, is the error info that you posted in last post from Exchange ActiveSync with AutoDiscover test on the testexchangeconnectivty site? 4. Is the ExternalURL property in the ActiveSync setting match to the one that you published (autodiscover.lkqcorp.com)? Im not an ISA expert, however, per my knowledge, the rule will apply to specific web site (FQDN and IP). I assume that AutoDiscovers FQDN has been set in the Public Name tab of the rule 3, right? Then, when ActiveSync uses AutoDiscover to configure the settings on the mobile, it shall use AutoDiscovers FQDN, so rule 3 should be applied. However, rule 3 doesnt contain Microsoft-Server-ActiveSync virtual directory as an accessible path Could we put Microsoft-Server-ActiveSync in the Paths of rule 3?

I'm going to patch the ISA 2006 Server up to SP1 and then add the external URL back and see how it does.Re: James-Luo's questions:1. Yes Site B doesnt face the internet, however when the external URL is on the ASVD and AutoDiscover is working, the problematic disconnects for Mobile devices are on both sites.2. All exchange servers are on the latest rollup (roll up 8) and all are identical in ver when checked through the mgmt shell.3. Yes. I use the testconnectivity site for all testing whenever any change is made. Great resource!4. We have an Entrust Unified Communications certificate and the common name is used in all External URLS.I'll see if anything improves after patching up ISA and report back.

Well I added the external URL back on the 2 CAS Farm members and re-ran the tests. Now since the ISA SP1, everything is passing including the Certificate checks. I'll have to wait a few days and see if any of the random disconnects return. So far so good though.

Awesome! Waiting for update

Looks like SP1 for ISA addressed the UUC certificate issue and fixed my issue. Autodiscovery is working in tandom with reliable Active Sync finally.Thanks again..