Thursday, January 7, 2010

How to Make iPhones Work with Exchange 2003 without a Front-End Server

The popularity of iPhones can't be ignored, and with their marketing heavily promoting compatibility with Microsoft Exchange, users think they have all the info they need to insist that their iPhone should operate flawlessly with their employer's email server.  In reality, an organization needs more than just a single Exchange server to serve iPhone users in the most secure fashion.  A front-end server will get you up and running easily, but what if you only have a single Exchange server?

A single-server setup doesn't work because ActiveSync doesn't work with forms-based authentication and SSL.  (In reality, this is a fix for all ActiveSync devices, not just for iPhones.)  There is a workaround, however:

Note:   This process will interrupt Outlook Web Access service.  Be sure to plan accordingly, though it shouldn't take very long to complete these steps.

1.  On the Exchange 2003 server, open the System Manager.

2.  Expand Administrative Groups > (first group listed) > Servers > (your Exchange server) > Protocols > HTTP.

3.  Right-click "Exchange Virtual Server" and select "Properties"

4.  Click the Settings tab and uncheck "Enable Forms Based Authentication."  Click OK and close System Manager.

5.  Restart IIS.
  • Option 1:   From Computer Management, right-click "Internet Information Services (IIS) Manager" and go to All Tasks > Restart IIS...
  • Option 2:  Go to Start > Run... and enter:   IISRESET /NOFORCE
6.   In IIS, go to Web Sites > Default Web Site.

7.  Right-click the "Exchange" virtual directory, go to All Tasks > Save Configuration to a File...

8.  For a File Name, you can use whatever you want (ExchangeVDir is in Microsoft's example).

9.  Right-click "Default Web Site" and select New > Virtual Directory (from file).

10.  Click "Browse" and locate the file you created in step 8, click "Open" and then "Read File."

11.  Under "Select a configuration to import" click "Exchange" and then OK.

12.  A message will indicate that the directory already exists, so select "Create a new virtual directory" and type "exchange-oma" in the "Alias" box.  Click OK.

13.  Right-click the "exchange-oma" virtual directory and select "Properties."

14.  Go to the Directory Security tab and click the Edit button under "Authentication and access control."

15.  Make sure only Integrated Windows authentication and Basic authentication are enabled.  Click OK.

16.  Under the Directory Security tab, click the Edit button under "IP address and domain name restrictions."

17.  Select "Denied access," click "Add," click "Single computer" and enter the IP address of your Exchange server (the one you're making all these changes on).  Click OK twice.

18.  Under "Secure communications" click the "Edit" button and verify that "Require secure channel (SSL)" is not enabled.  Click OK.

19.  Close IIS Manager.

20.  In the registry, browse to this location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

21.  Right-click "Parameters," click New > String Value. 

22.  Type "ExchangeVDir" (without quotes and exactly as capitalized).  Then modify "ExchangeVDir" and give it a value of "/exchange-oma" (again, without the quotes).

23.  Restart IIS (see Step 5).

24.  Re-enable forms-based authentication for Outlook Web Access, if desired, by re-checking the box in steps 1-4.

25.  Restart IIS once again and you should be able to connect to your Exchange server using ActiveSync!  If you see some glitches, try restarting the server.
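
A read-only check of the end state of steps 12 through 22, as an added example that is not part of the original post or of Microsoft's article. It assumes the Default Web Site has IIS site ID 1 and that the script is run with cscript on the Exchange server itself; the check labels are made up for illustration.

```vbscript
' Added example: read-only audit of the exchange-oma workaround (steps 12-22).
' Assumption: Default Web Site is IIS site ID 1. Run with cscript on the Exchange server.
Option Explicit

Const VDIR_PATH = "IIS://localhost/W3SVC/1/ROOT/exchange-oma"
Const REG_VALUE = "HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters\ExchangeVDir"
Const AUTH_BASIC = 2, AUTH_NTLM = 4   ' AuthFlags bits (Basic, Integrated Windows)
Const ACCESS_SSL = 8                  ' AccessSSLFlags bit: require secure channel

Dim failures : failures = 0

Sub Check(ok, label)
    If ok Then
        WScript.Echo "PASS  " & label
    Else
        WScript.Echo "FAIL  " & label
        failures = failures + 1
    End If
End Sub

' Steps 20-22: ActiveSync must be pointed at the new virtual directory.
Dim shell, regValue
Set shell = CreateObject("WScript.Shell")
On Error Resume Next
regValue = shell.RegRead(REG_VALUE)
If Err.Number <> 0 Then regValue = "(missing)" : Err.Clear
On Error GoTo 0
Call Check(regValue = "/exchange-oma", "ExchangeVDir = /exchange-oma, found " & regValue)

' Steps 14-15 and 18: authentication methods and SSL requirement.
Dim vdir, ipSec, grants, granted, entry
Set vdir = GetObject(VDIR_PATH)   ' raises an error if the virtual directory is absent
Call Check(vdir.AuthFlags = (AUTH_BASIC Or AUTH_NTLM), "only Basic and Integrated Windows authentication")
Call Check((vdir.AccessSSLFlags And ACCESS_SSL) = 0, "Require secure channel (SSL) not enabled")

' Steps 16-17: because this directory takes Basic authentication without SSL,
' it should be reachable from the Exchange server's own address and nowhere else.
Set ipSec = vdir.IPSecurity
grants = ipSec.IPGrant
If IsArray(grants) Then granted = UBound(grants) + 1 Else granted = 0
Call Check(Not ipSec.GrantByDefault, "IP restrictions set to Denied access by default")
Call Check(granted = 1, "exactly one address exempted from the deny rule")
If granted > 0 Then
    For Each entry In grants
        WScript.Echo "      exempted: " & entry & "  (compare with this server's IP)"
    Next
End If
If failures > 0 Then WScript.Quit 1
```

The script changes nothing. A FAIL on the IP restriction lines means the Basic-authentication, non-SSL directory is reachable from more than the server itself and step 17 should be redone.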
