Proxy site users are getting password prompt for ActiveSync

Here are a couple of troubleshooting tips to help you narrow down your search if you run into something similar in your environment.

Check the health of all CAS servers, and check whether all services are running and reachable.

The first remedy for this issue is IISReset /noforce to get it working again.

For further troubleshooting, dig into the issue as follows.

If you have TMG in place, the config change below can help.

The forms auth timeout may affect ActiveSync. Open the web listener of your ActiveSync rule, go to Properties > Forms tab > Advanced, and make sure “apply session timeout to non-browser clients” is unchecked.

Try using a hosts file on the internet-facing site CAS to bypass the LB, if any, and see if the same issues reoccur.

Suppose you have an internet-facing site called Boston and connections are proxied to a non-internet-facing site called BLR. On the Boston CAS, create a hosts file entry that proxies directly to a BLR site CAS, and test the servers one by one if you have more than one non-internet-facing CAS server in the BLR location.


Look at the IIS log and check for any log entry like this:

3 POST /Microsoft-Server-ActiveSync/Proxy Cmd=Sync&DeviceId=C6DF512A54018EBC194C25ED147FDB8A&DeviceType=WP8 443 - - 401
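
The following added example, which is not from the original post, parses IIS W3C log lines, keeps the requests to /Microsoft-Server-ActiveSync/Proxy, and counts 401 responses per CAS and per device. The field layout, IP addresses, user names and device IDs in the sample are constructed, the function names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: constructed IIS W3C log lines (not from a real server).
# The #Fields layout and all addresses, users and device IDs are assumptions.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-10 08:00:01 10.0.2.11 POST /Microsoft-Server-ActiveSync/Proxy Cmd=Sync&DeviceId=DEVICE0001&DeviceType=WP8 443 - 10.0.1.5 401
2024-01-10 08:00:02 10.0.2.11 POST /Microsoft-Server-ActiveSync/Proxy Cmd=Sync&DeviceId=DEVICE0002&DeviceType=WP8 443 - 10.0.1.5 401
2024-01-10 08:00:03 10.0.2.12 POST /Microsoft-Server-ActiveSync/Proxy Cmd=Sync&DeviceId=DEVICE0001&DeviceType=WP8 443 CONTOSO\user1 10.0.1.5 200
2024-01-10 08:00:04 10.0.2.12 POST /Microsoft-Server-ActiveSync/Proxy Cmd=Ping&DeviceId=DEVICE0003&DeviceType=WP8 443 CONTOSO\user3 10.0.1.5 200
2024-01-10 08:00:05 10.0.2.11 GET /owa/ - 443 - 10.0.1.9 302
'@ -split "`r?`n"

# Parse W3C lines and return only requests to the ActiveSync proxy path.
function Get-EasProxyRequest {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # IIS writes this header again after each restart; use the latest one.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $values = $l.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync/Proxy*') { continue }
        $id = if ($row['cs-uri-query'] -match '(?:^|&)DeviceId=([^&]+)') { $Matches[1] } else { '-' }
        [pscustomobject]@{ Server = $row['s-ip']; DeviceId = $id; Status = $row['sc-status'] }
    }
}

# Per CAS: proxy requests seen, how many ended in 401, and which devices were affected.
function Get-EasProxySummary {
    param([string[]]$Line)
    Get-EasProxyRequest -Line $Line | Group-Object Server | ForEach-Object {
        $failed = @($_.Group | Where-Object { $_.Status -eq '401' })
        [pscustomobject]@{
            Server       = $_.Name
            Requests     = $_.Count
            Unauthorized = $failed.Count
            Devices      = ($failed.DeviceId | Sort-Object -Unique) -join ','
        }
    }
}

Get-EasProxySummary -Line $sampleLog | Format-Table -AutoSize
```

To use it on a real server, pass the output of Get-Content for that CAS server's IIS log file as -Line. A server where every proxy request ends in 401 while its peer answers 200 is the one to examine first.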

If you have two CAS servers in the non-internet-facing site, make sure both are serving connections. If any CAS server has a count of 0, then that is the culprit server.

Get-Counter "\MSExchange ActiveSync\Current Requests" -ComputerName CAS_Server


Try a DNS flush on all CAS servers, especially on the non-internet-facing CAS.

ipconfig /flushDNS

Check performance on the server.

The value should not be abnormal: 2 or close to 2 at most. Waiters and Timeouts should remain zero.

Check for severe latency in communication with the domain controllers.

Read time for reached as high as 6 seconds, Search time for reached as high as 5 seconds, Search time for reached as high as 5.5 seconds.

Recommendations for DC connectivity are listed here:

MSExchange ADAccess Domain Controllers(*)\LDAP Read Time: Shows the time in milliseconds (ms) to send an LDAP read request to the specified domain controller and receive a response. Should be below 50 ms on average. Spikes (maximum values) shouldn’t be higher than 100 ms.

MSExchange ADAccess Domain Controllers(*)\LDAP Search Time: Shows the time (in ms) to send an LDAP search request and receive a response. Should be below 50 ms on average. Spikes (maximum values) shouldn’t be higher than 100 ms.


Perform a health check of the domain controllers with the command below and possibly reboot them; reboot the CAS as well (hoping you would have done this before troubleshooting 🙂).


Recreate the EAS vdir on BLRcas01 in the non-internet-facing site, or on whichever CAS server is problematic.

Here are the steps:

  1. In Exchange Management Shell, run:

Get-ActiveSyncVirtualDirectory -Server BLRcas01 | fl > c:\temp\BLRcas01_EASVDIR.txt

This is our backup of the settings. You will need to make sure the path exists before running the command.

  2. Run this command to remove the ActiveSync virtual directory:

Remove-ActiveSyncVirtualDirectory -Identity "BLRcas01\Microsoft-Server-ActiveSync (Default Web Site)"

Then confirm the removal by hitting Y.

  3. Verify the command was successful by confirming there is no MSExchangeSyncAppPool and no ActiveSync virtual directory in IIS.
  4. Now recreate the virtual directory with this command:

New-ActiveSyncVirtualDirectory -InternalUrl -WebSiteName "Default Web Site"

  5. Verify the MSExchangeSyncAppPool and the ActiveSync virtual directory now exist.
  6. Also make sure the Proxy folder in the ActiveSync virtual directory has only Windows Authentication enabled.


