
Androids can't connect to an Exchange Server 2013 via the ActiveSync protocol. Any other devices can work without problems. We tested the 2.x branch and 4.x branch. Even with a stock Google Nexus 4 we can't connect to our Exchange Server 2013. In Exchange Server 2010 everything works just fine.

With Googling techniques, I've found this workaround:

  1. Log onto Domain Controller
  2. Start AD Users and Computers
  3. Click on View - Advanced Features
  4. Double-click on the user whose account won't work with ActiveSync
  5. Go to the security tab and then select the advanced button
  6. Select Exchange Servers, and tick the Include inheritable permissions toggle then Apply and OK.
  7. Reconfigure your phone and walk away happy

The problem is: is this secure? Is this recommended? What are the implications of this approach? And finally: if it is safe, is there a way to change the default behaviour, so new users with those Android devices can use the mail systems without problems?

Thanks,

Vinícius Ferrão
  • Instead of specifying 'tick', you may want to specify 'check' or 'uncheck'. You may want to test this with Touchdown to see if that works. It may be a policy/compliance issue. – Greg Askew Apr 13 '13 at 17:32
  • Greg, I just copy & pasted the process from Google. And I don't know what Touchdown is. Can you explain a little more? – Vinícius Ferrão Apr 13 '13 at 17:37
  • TouchDown is an ActiveSync client. If it doesn't work, there is probably something amiss on the server. If it does work, I would suspect a mismatch in the server policies and what the native Android client supports or understands. You can get TouchDown from the Play Store. It works for free for 30-days. – Greg Askew Apr 13 '13 at 17:43
  • Thanks Greg, I will look at this. Now I need to get the Android back again since I don't have one :) – Vinícius Ferrão Apr 13 '13 at 17:44

2 Answers

Security inheritance is not set by selecting a specific permission. It's a global setting per user object. The step about "select exchange servers" is pointless; you're doing this for all ACLs.

Every AD user should have security inheritance enabled. A ton of software that utilizes these security attributes (especially Exchange and Lync) relies on them.

The only way that option is disabled by default is if it's a domain admin account.

Are you running ActiveSync as a domain admin? Please, don't....

pauska
  • Hello Pauska. I'm not running it as a Domain Admin. I'm testing it with my normal user account. – Vinícius Ferrão Apr 14 '13 at 00:06
  • Your normal user's account should have inheritance enabled. Does it solve your problem? – pauska Apr 14 '13 at 17:38
  • Yes pauska, it solves it. But what I cannot understand is why my account didn't have this permission. Now that you pointed it out, and pointed out that inheritance should be enabled, I think the problem is solved. – Vinícius Ferrão Apr 16 '13 at 01:48
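
The per-object inheritance flag discussed in the answer above can be audited across many accounts from PowerShell instead of opening each user in AD Users and Computers. This is an added example, not part of the original thread; it assumes the ActiveDirectory (RSAT) module, and the search base `DC=example,DC=com` and the function name `Enable-UserAclInheritance` are hypothetical.

```powershell
# Added example: audit user objects whose ACL does not inherit from the parent container.
Import-Module ActiveDirectory

# Hypothetical search base; replace with your own OU or domain DN.
$SearchBase = 'DC=example,DC=com'

# AreAccessRulesProtected is $true when "Include inheritable permissions" is unticked.
$report = Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'AdminCount'; Expression = { $_.adminCount } },
        DistinguishedName

# adminCount = 1 marks accounts AD treats as protected (for example Domain Admins
# members), the case the answer describes. Rows without it are the ones to investigate.
$report | Sort-Object AdminCount, SamAccountName | Format-Table -AutoSize

# Re-enable inheritance on ONE reviewed account; supports -WhatIf for a dry run.
function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties adminCount
    if ($user.adminCount -eq 1) {
        # Do not loosen the ACL of an account flagged as privileged.
        Write-Warning "$Identity has adminCount=1; skipping."
        return
    }

    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "$Identity already inherits permissions."
        return
    }

    # isProtected = $false turns inheritance back on; the second argument
    # is ignored in that case.
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run `Enable-UserAclInheritance -Identity <user> -WhatIf` first to see which object would be changed before writing the ACL.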

I know this is an old post but it keeps coming up near the top of searches so I would like to add to it.

As for the problem and solution related to the post, the short answer is YMMV.

Why? It is because in my experience with my Exchange 2013 CU17 and whatever Android version is available nowadays, the "inheritable permissions" option doesn't have to be enabled for the users. After configuration, emails can be sent/received just like that. The only problem I ever encountered is that the default Android mail client does not work. I have to use BlueMail from the app store. Even Microsoft's Outlook at times doesn't work.

Go figure.

badbanana