Integrated Windows authentication is turned off

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2010-04-01

The Microsoft Exchange Best Practices Analyzer parses the authentication settings for the Microsoft-Server-ActiveSync virtual directory to determine whether the appropriate authentication settings are configured.

In a mixed Exchange environment that contains computers that are running Exchange Server 2007 and Exchange Server 2003, the Analyzer determines whether the following conditions are true:

  • An Exchange 2007 server is running the Client Access role.

  • An Exchange 2003 server is hosting the Microsoft-Server-ActiveSync virtual directory.

  • The Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server does not have Integrated Windows authentication enabled.

The Analyzer expects Integrated Windows authentication to be enabled on the Microsoft-Server-ActiveSync virtual directory. In this scenario, if Integrated Windows authentication is not enabled, the Analyzer generates a warning message.

This message indicates that users may experience authentication issues when they access the Microsoft-Server-ActiveSync virtual directory.

Microsoft Exchange ActiveSync allows for the synchronization of mailbox information with mobile devices. To do this, Exchange uses the Microsoft-Server-ActiveSync virtual directory in Internet Information Services (IIS).

In the scenario that is described in this topic, mobile device users may be repeatedly prompted for their credentials when they access the Microsoft-Server-ActiveSync virtual directory. Access to the Microsoft-Server-ActiveSync virtual directory may fail.

To address this issue, follow these steps:

  1. Install the hotfix that is mentioned in Microsoft Knowledge Base article 937031, Event ID 1036 is logged on an Exchange 2007 server that is running the CAS role when mobile devices connect to the Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server.

  2. Modify the authentication settings on the Microsoft-Server-ActiveSync virtual directory to enable Integrated Windows authentication.

To configure authentication on the Microsoft-Server-ActiveSync virtual directory in IIS 6.0

  1. On the Exchange 2003 server, start the Internet Information Services (IIS) Manager tool.

  2. Expand the computer name, expand Web Sites, expand Default Web Site, right-click Microsoft-Server-ActiveSync, and then click Properties.

  3. Click the Directory Security tab, and then click Edit under Authentication and access control.

  4. Click to select the Integrated Windows authentication check box, and then click OK two times.

  5. Start a command prompt, and then run the iisreset command to apply the changes.