15 December 2010

Exchange 2007 Active Sync intermittent credential prompts with TMG

This is a real-world issue I had. Publishing Exchange through ISA 2006 was fairly easy. I had a single rule that I used to publish Outlook Web Access and Active Sync. After moving over to TMG 2010 we started getting a rather annoying problem.

Windows Mobile phones would intermittently request the user's credentials when attempting to sync. This was despite "save password" being checked. Also, if you just "left it", the phone would sync perfectly a few minutes later.

It took a while to figure out, but what happens is that the authentication cookie on the phone does not expire when the IP changes. When this happens the authentication cookie is no longer valid and the user is prompted again.

So to fix this Microsoft recommended publishing Active Sync with a separate rule, using the same listener, same settings etc. The only difference is the path. This then solved the issue.

According to MS this is why:


Our guidelines would be to create a separate rule because there are some internal TMG settings which allow a Client Agent like MSFT-SPhone/5.2.5080 which doesn’t support HTML Form authentication to fall back to basic auth. This should be transparent for the user and shouldn’t be prompted to authenticate.

2 comments:

Jason Jones said...

If using a shared listener between ActiveSync and other Exchange services, you need to make sure the listener is configured to "apply session timeout to non-browser clients" to work correctly with ActiveSync clients as discussed here:

http://blogs.isaserver.org/shinder/2007/09/24/smartphone-occasionally-prompted-for-credentials/

Cheers

JJ

Etienne Liebetrau said...

Thanks for the comment Jason, if only I posted the problem sooner Jason could have saved me the time and effort :)
