Exchange 2016 CU23 EAS error 500

Lukas 21 Reputation points
2022-08-31T12:38:32.727+00:00

Hello,

currently we are experiencing issues with Exchange Active Sync on Exchange 2016. We suspect the installation of CU23 with the latest SU. We are running two Exchange 2016 servers in a DAG.

Some, not all users, get an HTTP 500 error as soon as their mobile device sends EAS requests to the server. This prevents the users from accessing their mailbox.
We cannot use the Microsoft Remote Connectivity Analyzer for debugging because our server is behind a management application that acts as a proxy. Therefore, direct access to Active-Sync from the Internet is not possible.

The only error message we find in IIS is the following:

2022-08-30 00:16:44 [xxx.xxx.xxx.xxx] POST /Microsoft-Server-ActiveSync/default.eas User=username&DeviceId=IJHHVHF2E51SRBBVNP7227LFB4&DeviceType=iPad&Cmd=Ping&CorrelationID=<empty>;&cafeReqId=70a5ec3e-bc05-428f-8a6f-19f908b3d914; 443 domain\user xxx.xxx.xxx.xxx Apple-iPad8C3/1806.72 - 500 0 0 45  
2022-08-30 12:42:18 [xxx.xxx.xxx.xxx] OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&cafeReqId=5c56de56-402f-40d1-b2e3-fe9c2c3517d9; 443 domain\secondusername xxx.xxx.xxx Apple-iPhone14C5/1907.71 - 500 0 0 23  

There are no messages in the Application log in the Event Viewer indicating EAS misbehavior.

We tried several things, such as mailbox migration to another mailbox database, since users on the other mailbox database did not have errors. Unfortunately, this attempt was not successful. We also disabled and re-enabled EAS permissions once for one of the problem users, hoping that the problem was with the permissions and that this would fix the error. Unfortunately, that did not lead to success either.
The last thing we did was restart the server, which also did not fix the error.

We also found the following page on the Internet: https://learn.microsoft.com/en-us/connectivity-analyzer/exchange-activesync-returned-http-500-error.

Besides our Exchange version, which is already newer, the inheritance is already active for the affected users.

We have also tested the command, which returns the following for users where access works, as well as for those where access does not work:

[PS] C:\Windows\system32>Test-ActiveSyncConnectivity -ClientAccessServer server -MailboxCredential (get-credential user)  
CasServer  LocalSite     Scenario        Result  Latency(MS) Error  
---------  ---------     --------        ------  ----------- -----  
server    location       Optionen         Fehler              [System.Net.WebException]: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert.  HTTP-Antwortkopfzeilen:  request-id: 2c44c76d-ffcb-483f-ac2b-5371ab00acb8 X-OWA-Version: 15.1.2507.12 X-FailureContext: FrontEnd;401;VW5hdXRob3JpemVk; ;;;Server: Microsoft-IIS/10.0 WWW-Authenticate: Negotiate,NTLM,Basic realm="server.domain.de" X-Powered-By: ASP.NET  X-FEServer: SERVER Date: Wed, 31 Aug 2022 12:10:41 GMTContent-Length: 0  

The authentication settings in the IIS location look like this.
[Screenshot: 236520-image.png]

At this point, unfortunately, we do not know how to proceed to fix the error. Is there a procedure on how to specifically approach the problem? If further information is needed, I will provide it.

Best regards
Lukas


Accepted answer
  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2022-09-02T05:59:28.853+00:00

    Hi @Lukas ,

    We solved the problem.

    Great to know that you've already thought of a solution, and I really appreciate your sharing it!
    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others." and according to the scenario introduced here: Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:

    [Exchange 2016 CU23 EAS error 500]

    Issue Symptom:
    Two Exchange 2016 servers are running in a DAG.
    Some, not all users, get an HTTP 500 error as soon as their mobile device sends EAS requests to the server. This prevents the users from accessing their mailbox.

    The only error message we find in IIS is the following:

    	 2022-08-30 00:16:44 [xxx.xxx.xxx.xxx] POST /Microsoft-Server-ActiveSync/default.eas User=username&DeviceId=IJHHVHF2E51SRBBVNP7227LFB4&DeviceType=iPad&Cmd=Ping&CorrelationID=<empty>;&cafeReqId=70a5ec3e-bc05-428f-8a6f-19f908b3d914; 443 domain\user xxx.xxx.xxx.xxx Apple-iPad8C3/1806.72 - 500 0 0 45  
    	 2022-08-30 12:42:18 [xxx.xxx.xxx.xxx] OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&cafeReqId=5c56de56-402f-40d1-b2e3-fe9c2c3517d9; 443 domain\secondusername xxx.xxx.xxx Apple-iPhone14C5/1907.71 - 500 0 0 23  
    

    There are no messages in the Application log in the Event Viewer indicating EAS misbehavior.
    And EAS troubleshooting was performed, but it didn't change anything.

    The Solution:
    By running

    	 curl -v -k -u user@domain -H "Host:servername" --request OPTIONS https://serverip/Microsoft-Server-ActiveSync  
    

    we pointed out an XML Error in the eas backend Web.config.
    After correcting this and restarting the IIS everything worked normally.
    The issue was related to only some users, because we have two servers and only one iis location was misconfigured.

    You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community members to see the useful information when reading this thread. Thanks!


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2022-09-01T10:21:24.393+00:00

    Hi @Lukas ,
    I would like to know if the users who received the HTTP 500 error use the Outlook app to connect to Exchange, or do they use another mail application?

    As a workaround, I would suggest that you refer to the following steps to empty the cache and see if it works.

    1. Open ADUC, locate the user with the issue and right-click.
    2. Select “Disable Account”.
    3. Open ADSI Edit in the Default Naming Context.
    4. Browse through the directory and locate the user object having problems.
    5. If you look at the properties of the “ExchangeActiveSyncDevices” container under the user object, you will probably see some devices or unknown SID security entries.
    6. Select the CN=ExchangeActiveSyncDevices container and delete it.
    7. And clear the cache of related mail apps on your mobile device.
    8. Now re-enable this account and try to connect to Exchange with a new mobile device to see if it works.

    In addition, since you are using a management application that acts as a proxy, we can't rule out whether the problem is caused by this application. Therefore, I recommend that you review the logs of this application to compare whether the incoming and outgoing processes are consistent between normal and unhealthy users.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Lukas 21 Reputation points
    2022-09-01T10:22:58.707+00:00

    We solved the problem.

    By running

    curl -v -k -u user@domain -H "Host:servername" --request OPTIONS https://serverip/Microsoft-Server-ActiveSync  
    

    we pointed out an XML Error in the eas backend Web.config.

    After correcting this and restarting the IIS everything worked normally.
    The issue was related to only some users, because we have two servers and only one iis location was misconfigured.

    Greetings
    Lukas
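
Added example, not part of the original thread and not Microsoft's tooling: a Python sketch of the triage that the resolution above and the accepted summary imply. It tallies EAS HTTP 500s per server IP from IIS W3C logs to spot the one faulty node, then checks a copy of that node's config for XML well-formedness. The IPs, user names and config snippets are constructed, and the field order is assumed to be the IIS default seen in the quoted log lines.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# IIS default W3C field order; it matches the log lines quoted in the thread.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken").split()
EAS = "/microsoft-server-activesync"

def eas_status_by_server(lines):
    """Tally EAS requests and HTTP 500s per server IP (s-ip)."""
    stats = defaultdict(lambda: {"total": 0, "500": 0, "users": set()})
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # W3C header line or truncated record
        rec = dict(zip(FIELDS, parts))
        if not rec["cs-uri-stem"].lower().startswith(EAS):
            continue  # not an ActiveSync request
        entry = stats[rec["s-ip"]]
        entry["total"] += 1
        if rec["sc-status"] == "500":
            entry["500"] += 1
            entry["users"].add(rec["cs-username"].lower())
    return dict(stats)

def suspect_servers(stats, threshold=0.5):
    """Servers whose share of EAS requests ending in 500 reaches the threshold."""
    return sorted(ip for ip, s in stats.items() if s["500"] / s["total"] >= threshold)

def xml_error(text):
    """(line, column) of the first well-formedness error in a config, else None."""
    try:
        ET.fromstring(text)
    except ET.ParseError as exc:
        return exc.position
    return None

# Constructed sample data (hypothetical two-node DAG), not taken from the thread.
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2022-08-30 00:16:44 10.0.0.11 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping 443 corp\\alice 192.0.2.10 Apple-iPad - 500 0 0 45",
    "2022-08-30 00:17:02 10.0.0.12 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping 443 corp\\bob 192.0.2.10 Apple-iPhone - 200 0 0 31",
    "2022-08-30 00:18:10 10.0.0.11 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 corp\\carol 192.0.2.10 Apple-iPhone - 500 0 0 23",
    "2022-08-30 00:19:30 10.0.0.12 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 corp\\alice 192.0.2.10 Apple-iPad - 200 0 0 52",
    "2022-08-30 00:20:00 10.0.0.12 GET /owa/ - 443 corp\\bob 192.0.2.10 Mozilla/5.0 - 200 0 0 12",
]
GOOD_CONFIG = '<configuration>\n  <system.web>\n    <compilation debug="false" />\n  </system.web>\n</configuration>'
BAD_CONFIG = '<configuration>\n  <system.web>\n    <compilation debug="false" >\n  </system.web>\n</configuration>'

if __name__ == "__main__":
    print(suspect_servers(eas_status_by_server(SAMPLE_LOG)), xml_error(BAD_CONFIG))
```

Run it against each server's own IIS log directory and against a copy of that server's web.config, so a difference between nodes stands out.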
