Exchange 2010 ActiveSync – HTTP 500 Internal Server Error – DeviceNotProvisioned_Mbx

Since Beta 2 I have MXS2010 running on a private machine to get in touch with it. Since a couple of weeks I have MXS2010 SP1 running in my company so we can test everything in a larger environment. It’s running parallel to our MXS2003 environment and just a few Mailboxes where moved to MXS2010. Recently we had the problem that some Mobile Devices weren’t able to sync via ActiveSync. At the beginning it seemed that just Nokia Mobiles with MFE (Mail for Exchange) were affected. But today I figured out that this also happened with an Android Phone.

On the mobiles we just got an HTTP 500 (Internal Server Error). Also in the IIS-Log file I didn’t get that much information. Also just HTTP 500. But within the request I found the following information “DeviceNotProvisioned_Mbx:<MBX-Servername>.

So, provisioned where? OK, through the ECP I checked if the authenticated user account has a mobile device associated to it. But there was no association. So after a moment of thinking I remembered that I saw “something” time ago within Active Directory. Because I always use “Advanced Features” and especially “Users, Contacts, Groups, and Computers as containers” within dsa.msc I just switched to that MMC and changed to a user account where I knew that ActiveSync is working.

So first, if not already done, activate the above mentioned features (you’ll need both).

So, beyond an ActiveSync enabled user account (which already synced with a device) you’ll find a new container called “ExchangeActiveSyncDevices“. Within that container you’ll find entries for every device this user is currently syncing or synced once in the life time (unless the device was removed within ECP or so).

So, nice, but how does that help with the above error? Actually the error occurs because Exchange isn’t able to create this container. This can happen if someone played around with the Active Directory permissions (like it happened in my company BEFORE I started there, of course) 😉

So within the Properties of a user account at the Security Tab (if you can’t see that one you have so enable the “Advanced Features” within View) -> Advanced the Check Box “Include inheritable permission from this object’s parent” should be checked.

Exchange 2010 grants special permissions to the group “Exchange Servers” at the Domain Level. Actually it grants “Create/Delete msExchActiveSyncDevices objects“.

So if Exchange isn’t able to create this container beyond a user object it can’t create the device object and so now association between the mobile device and the user and finally as consequence of that no Active Sync is working J

Conclusion: Don’t mess with Active Directory Permissions unless you really know what you do (for now and for the future) J

14 responses to “Exchange 2010 ActiveSync – HTTP 500 Internal Server Error – DeviceNotProvisioned_Mbx”

  1. Brian Jurczyk Avatar
    Brian Jurczyk

    Thank you very much!! We migrated from SBS2003 to SBS2011 running Exchange 2010 and suddenly users with Windows Mobile devices were unable to ActiveSync with error code 0x86000c09. Users were unable to create a container for the mobile device. Following your guidelines, we solved the problem.

    Danke Schoen!!

  2. Googled your entry after many hours of tracing and analyses. It was the only hint. Thanks for the detailed description!

    Vielen Dank!

  3. Muchas gracias, a mi tambien me paso lo mismo y no sabia como resolverlo, gracias de nuevo.

  4. Great help!!! Thx, but it cannot be, that you have to do that on every new user?! Any Suggestion?

    Greetz

    dave

  5. Hello… Great Help. thank you.

    Did you found a solution, to not edit each Activesync user individually?

    Greetz
    David

  6. thank you very much, for this solution of the active sync problem … 🙂

    Greetings
    Stefan

  7. Thank you very much for this perfect solution for our technical problem we solved this morning thanx to you.

  8. Thank you so much, you save me a lot of time and trouble.

  9. Thanx a lot. This soveld my problem!

  10. Saved the day for me!

  11. Excellent article, many thanks!

  12. Great tip !
    after exchange migration from 2003 > 2010 ActiveSync stopped working,
    The permissions issue solved it!
    Thank you!

  13. Gracias por la ayuda! Helped me a lot!

Leave a Reply

Your email address will not be published. Required fields are marked *