This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 2%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWW%3C/text%3E%3C/svg%3E)
We keep running into issues every Thursday between 9am-2pm CST, where mobile email clients 9iOS with native app) ask for a password, even though they are configured with certificate based authentication (CBA). All other days this works fine. We have the CRL published in Azure and there are no issues there that I can see. Any ideas what could be happening?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
Do you enable Basic authentification for the Activesync virtual directory? You cannot use multiple authentication methods and have client certificates enabled on the virtual directory. The client must either use client certificate or username and password to authenticate, not both.
You can follow the guidance here to create another virtual directory for Basic authentification: CONFIGURE A SINGLE EXCHANGE SERVER TO HOST 2 ACTIVESYNC VIRTUAL DIRECTORIES
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
And SSL settings should be set to “Require” not “Accept”.
Check the IIS log of Thursday and look for requests for /Microsoft-Server-ActiveSync, there might be an error code returned. You can refer to this documentation for detailed meaning: The HTTP status code in IIS 7.0 and later versions
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Apologies for a late reply. My issue is for Exchange Online.
Enable Activesync device log and reproduce the issue, then check the log:
Set-CASMailbox alias -ActiveSyncDebugLogging:$true
Get-MobileDeviceStatistics -Mailbox alias -GetMailboxLog:$true -NotificationEmailAddresses "admin@contoso.com"
I actually have these logs from the past but could not see anything stand out, any ideas what am I looking for?
Have you checked this:
The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.