Exchange Activesync iOS 11 issues

Not able to connect to Exchange Activesync on iOS 11 using the Blackberry UEM Client app (App Store). All syncing items fail with an “Account error” - i.e. Calendar, contacts, mail, notes, reminders. Please investigate if possible. Thank you.

Replies

Don't bother. I already uploaded a bug report about this issue last week and the only response I got was that it's a duplicate of another bug report. Because of privacy reasons they won't give me any other info and closed my bug report.

Show your settings in your firewall (TMG if you use it)... 🙂


https://support.apple.com/en-us/HT208136

I have solved the issue for me! It is definitely related to the use of HTTP/2!


I have a proxy server in place between my Kerio mailserver and the outside world (as I have multiple subdomains running on my IP address). That proxy uses NGINX.


I watched my proxy log with a tail -f and saw that all iOS 11 devices talk HTTP/2, older ones HTTP/1.1.


There is no way to force NGINX to talk 1.1 other than to disable HTTP2 for all VHOSTS on the same IP address. Which is what I did!


I had two proxy connections configured for HTTP2, I removed both of them in their configurations and boom - Active Sync is working again!


So, anyone who uses a proxy between the mail server and the outside world for the ports 80 and 443 must disable HTTP2 in the proxy! For NGINX this means that no VHOST can have the "http2" parameter in the listening directive for SSL connections!
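An added example, not part of any post in this thread: a small audit for the NGINX case described above. It lists every vhost that sets the "http2" parameter on a listen directive, plus the vhosts that share that listen socket and so get HTTP/2 as well. The sample config, host names and backend address are constructed, and the parser is a simplification that assumes one directive per line.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): three vhosts, two sockets.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name www.example.test;
}
server {
    listen 443 ssl;   # mail vhost: no http2 flag of its own
    server_name mail.example.test;
    location /Microsoft-Server-ActiveSync { proxy_pass https://10.0.0.5; }
}
server {
    listen 8443 ssl http2;
    server_name admin.example.test;
}
"""

def server_blocks(text):
    """Yield the body of each `server { ... }` block using brace matching."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit_http2(conf):
    """Return {socket: {"flagged": [...], "inherits": [...]}} for sockets with http2.

    "flagged" vhosts carry the http2 listen parameter themselves; "inherits"
    vhosts share that socket and are therefore served over HTTP/2 as well.
    """
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (quoted '#' not handled)
    sockets = defaultdict(lambda: {"flagged": [], "inherits": []})
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else "(unnamed)"
        for listen in re.finditer(r"^\s*listen\s+([^;]+);", body, re.M):
            addr, *flags = listen.group(1).split()
            key = "*:" + addr if addr.isdigit() else addr  # bare port -> all IPs
            sockets[key]["flagged" if "http2" in flags else "inherits"].append(name)
    return {k: v for k, v in sockets.items() if v["flagged"]}

if __name__ == "__main__":
    for sock, hosts in audit_http2(SAMPLE_CONF).items():
        print(sock, "http2 set by", hosts["flagged"], "also affects", hosts["inherits"])
```

An empty result means no listen directive in the checked text still carries the parameter.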

I know a lot of this conversation deals with Exchange on Server 2016. We are still using Server 2008R2 with Exchange 2010. We do use certificate authentication only for ActiveSync. Since iOS 11 we get the error "Cannot connect to the server." I disabled certificate only authentication and it does work with username/password, but the minute you require certificate only we cannot connect. Do you think this could still be the issue even with the older OS? I tried the registry edit, but it did not work. As for now we are keeping our users at iOS 10.

We had the same problem.

Used certificate but could not connect.

Our Exchange admin changed on our TMG server that TLS 1.2 and 1.1 were allowed, and then we could sync mail.

We do not use a TMG server. We are a small shop and forward to exchange from our firewall.

We have the same CBA issues with Exchange 2010 on WS2008R2.

Didn't find a solution yet..


UPDATE: The post of birgitte led me to the right path:


Enable TLS1.1 and TLS1.2 on WS2008, see https://tecadmin.net/enable-tls-on-windows-server-and-iis/# for how this is done.

It's working for me now..

We also have a problem with ActiveSync and iOS11.

Exchange-Server 2010 SP3RU17 on W2K8R2

Sophos UTM (Firewall/Webserver-Protection) forwarding ActiveSync with TLS1 or higher

Root Certificate: SHA1


No connection to server.


Can I do anything to resolve this problem?

Or do I have to wait until Apple releases a new iOS version???


Greets from Germany :-)

Cool, that worked.


I updated our Exchange Server two days ago with this registry setting and fixed it.
And then today I wanted to check this thread again but could not find it as Google now returns 30 pages with results on a search for 'iOS11 Exchange Server' :-)

You probably need to change the server certificate to SHA256 and enable TLS1.1 and TLS1.2 on the WS2008R2.

We already use a SHA256 certificate on our Exchange server. We upgraded our PKI last year. I did enable TLS1.1 and TLS1.2 on our 2008R2 server and it still would not work.

Interesting. That is exactly the article I followed. However, I left out Disable SSLv3. My Exchange server does not have a key named SSLv3, but it does have a key named SSLv2 with a DWord entry named DisabledByDefault with a value of 1. Should I try adding the additional entries?

It's worth a try, at least I did add the SSLv3 key and disabled it.

In summary I did the following to get it working:


- issued a new SSL cert with SHA256

- enabled TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows (I don't know if that really was needed)

- enabled TLS 1.1 and TLS 1.2 and disabled SSLv3 in IIS


After a reboot the clients were able to authenticate and sync again.

Using IISCrypto tool with best practices template from https://www.nartac.com/Products/IISCrypto solved the problem with CBA for us.

This issue is fixed in 11.0.1, which was just released.