We have recently experienced an issue where users that synch their Exchange email to their iPhones suddenly stopped synching their email. When setting up a new email profile the connection is made successfully but the email would not sync. The exchange synch will attempt but eventually, an error will be displayed – The connection to the server failed. The first thing I checked was connectivity to OWA and the crazy thing was I could successfully login to Outlook or Outlook Web Access and send and receive emails on the computer but the iPhone will connect and not send/receive. Now, I spent considerable time troubleshooting the issue and sifting through logs and found that the below solution resolved the issue. I stumbled across some info about setting inheritable permissions in AD and steps to ensure the user has the correct permissions to sync with the exchange. This Article from Microsoft simply outlines the permission required on the user account that’s trying to synchronize the iPhone Exchange Activesync device.
Setting these permissions correctly is just another troubleshooting step you can take to eliminate this as a possible cause and in my case, it solved my issue. This solution is not for everyone, but if you get stuck it may be something worth trying.
How to fix iPhone Exchange activesync issue
- Login to your Domain Controller using domain admin credentials
- Go into Active Directory Users & Computers
- Click View, and make sure Advanced Features is enabled.
- Now, right-click on the user with the issue and select Properties.
- Go to Security and then click Advanced.
- Click Add, choose “Exchange Servers“, and then click OK.
- In the Applies to box, click Descendant msExchActiveSyncDevices objects. (make sure to choose the correct object because they’re a lot of similarly named choices)
- Under Permissions, click and enable Modify Permissions.
- Click OK three times to get back to AD.
As long as the iPhone was already connected to ActiveSync the syncing should start almost instantaneously, you shouldn’t need to reboot or re-setup the account.
I have also seen that you may need to disable inheritance (if enabled) or enable inheritance (if disabled) in the afflicted user’s AD security settings, so…
- Follow steps 1 through 4 above
- Toggle inheritance from either enable or disable
- Or in the case of Windows Server 2008, Check or Un-Check the “include inheritable permissions from this object’s parent” option
- It will give you a warning about converting the permissions, make sure you comfortable with this change as this will adjust some of their security rights within the network
