Infrequently we’ve been seeing the below error on some iDevices after enrolling into our MDM solution.
“Cannot Get Mail. The connection to the server failed”
Plugging those devices into a computer running iPhone Configuration Utility would reveal the following errors in the logs.
“The operation couldn’t be completed. (DAErrorDomain error 111.)”
Realising this was perhaps more of an Exchange-side issue, we looked at the logs on the Exchange Server we were connecting to. These contained the following errors:
“Log Name: Application
Source: MSExchange ActiveSync
Date: 08/11/2012 17:32:57
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer: exchangerserver.fqdn
Description:
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Users Account ,OU=Users Accounts Container,DC=domain,DC=com” container under Active Directory user “Active Directory operation failed on dc.macmule.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
”.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.”
So this pointed to an issue with the permissions on the user's account within AD. With AD Users & Computers open (the Security tab is only shown when View > Advanced Features is enabled), we found the affected account and double-clicked it, then selected Security > Advanced.
We were then presented with the below screen, on which the option “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.” was not ticked (as circled).
Ticking this option and clicking Apply allowed the affected user to receive email on their iDevice after re-enrolling (re-enrolling may not be needed, it may just work, but better to do it clean!).
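As an added example (not part of the original post), the following PowerShell finds every user in an OU whose security descriptor has inheritance disabled, which is the condition the 1053 event describes, and re-enables it the same way the ADUC checkbox does. It assumes the RSAT ActiveDirectory module is installed, and the search base is copied from the event text above as a placeholder for your own OU.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module (it also provides the AD: drive used by Get-Acl / Set-Acl).
Import-Module ActiveDirectory

# Search base copied from the event text above; replace with your own OU.
$SearchBase = 'OU=Users Accounts Container,DC=domain,DC=com'

function Get-UserWithInheritanceBlocked {
    param([Parameter(Mandatory)][string]$SearchBase)
    # AreAccessRulesProtected is $true exactly when the ADUC option
    # "Allow inheritable permissions from the parent..." is unticked, so the
    # rights granted to "Exchange Servers" on the OU never reach the user object.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount   # adminCount 1 => set by AdminSDHolder
}

function Enable-UserAclInheritance {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path
    # isProtected = $false re-enables inheritance (the fix described above);
    # preserveInheritance = $true keeps the explicit ACEs already on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Report first, then apply the fix to each affected account.
$blocked = Get-UserWithInheritanceBlocked -SearchBase $SearchBase
$blocked | Format-Table -AutoSize
foreach ($u in $blocked) {
    Enable-UserAclInheritance -DistinguishedName $u.DistinguishedName
}
```

Accounts reported with a non-zero adminCount had inheritance cleared by the AdminSDHolder process, which will untick the option again (hourly by default) for as long as the account remains a member of a protected group such as Domain Admins; for those, the durable fix is to remove that membership or give the person a separate administrative account.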