Alright, so we are having some issues with about 3 mailbox users on our Exchange Server. There may be more. The main changes lately were moving a SSL certificate from exchange.ourdomain.local to exchange.ourdomain.com.

So far, when setting up new iPads and iPhones with Outlook or even the built-in mail app (only one seems to be working with the Apple mail app), it cannot add the account with these 3 user accounts. It says Unable to Login.

I've used the Microsoft Remote Connectivity Analyzer with the ActiveSync option on my account, and it works fine. However, when I run it on these problematic user accounts I see the following FolderSync Command Failed Error:

An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;}
.content-container{background:#FFF;width:96%;margin-padding:10px;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
HTTP Response Headers:
MS-Server-ActiveSync: 14.3
X-MS-RP: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Content-Length: 1233
Cache-Control: private
Content-Type: text/html
Date: Wed, 15 Jul 2015 00:50:06 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 20364 ms.

I don't know why some work and some do not.

• Edited by jrmoat 6 hours 32 minutes ago

Also in active directory "inherit permissions" are enabled on the user accounts. So that is not the issue. Thought I'd throw that out there as well.

I may have found the issue. Very interesting, researching this more... I think there were too many mobile device memberships on the account. I removed 3 old ones, and this iPad added instantly.

• Marked as answer by jrmoat 5 hours 32 minutes ago

I may have found the issue. Very interesting, researching this more... I think there were too many mobile device memberships on the account. I removed 3 old ones, and this iPad added instantly.

That was definitely the problem. Too many mobile device partnerships. Unfortunately I could not remove half of them because the object could not be found, so I needed to use the workaround by removing them using the remove-activesyncdevice -id GUID.

• Marked as answer by jrmoat 5 hours 7 minutes ago
• Edited by jrmoat 5 hours 6 minutes ago