Medha Cloud
Medha Cloud Exchange Server Team
Exchange Database Recovery Team
8 min read

Event ID 1100 indicates that Exchange ActiveSync connections are being blocked at the server or protocol level. Unlike device-specific blocking, this error typically affects all devices for a user or potentially all ActiveSync connections to the server, causing widespread mobile email access failures.

ActiveSync blocking at this level usually points to authentication configuration issues, virtual directory problems, or security policy conflicts. This guide provides comprehensive troubleshooting to identify and resolve the root cause, restoring mobile email access for affected users.

Understanding Event ID 1100 ActiveSync Blocked

When Exchange logs Event ID 1100, it indicates that the ActiveSync protocol handler rejected a connection attempt before normal processing could occur. This happens during the initial connection phase, before device evaluation or mailbox access.

Typical Event Log Entry

Log Name: Application
Source: MSExchange ActiveSync
Event ID: 1100
Level: Error
Message: Exchange ActiveSync blocked the connection for user [username]. The connection was blocked because: [reason]. Client IP: [IP address].

The blocking reason in the event message helps identify the specific cause. Common reasons include authentication failure, protocol version mismatch, disabled access, and security policy violations.

Symptoms of ActiveSync Protocol Blocking

User-Facing Issues

  • All mobile devices fail to sync for a user
  • Cannot add Exchange account on any device
  • Immediate connection failures without prompts
  • Web browsers work but mobile apps fail
  • "Cannot connect to server" errors on devices
  • Authentication prompts that always fail

Server-Side Indicators

  • Event ID 1100 in Application log
  • HTTP 401/403 in IIS logs for ActiveSync
  • Test-ActiveSyncConnectivity failures
  • Virtual directory showing errors in EAC
  • Certificate warnings in connectivity tests
  • Authentication failures in security logs

Common Causes

ActiveSync Disabled for User

The most common cause is ActiveSync being disabled at the user mailbox level. This can happen through CAS mailbox policies, individual settings, or inheritance from mailbox plans.

Authentication Configuration Mismatch

If the ActiveSync virtual directory authentication settings don't match what devices are sending, connections are blocked. This is common after security hardening or disabling legacy authentication.

Virtual Directory Corruption

The ActiveSync virtual directory in IIS can become corrupted or misconfigured, causing all connections to fail. This often happens after failed updates or manual IIS changes.

SSL/TLS Certificate Issues

Invalid, expired, or untrusted SSL certificates cause ActiveSync to fail. Devices may not clearly report certificate errors, making this hard to diagnose from the user side.

Throttling Policy Exceeded

Users hitting ActiveSync throttling limits experience connection blocks. This is common for users with many devices or applications using the EAS protocol.

Diagnostic Steps

Step 1: Check User's ActiveSync Status

# Verify ActiveSync is enabled for the user
$user = "affected.user@contoso.com"
Get-CASMailbox -Identity $user | Format-List DisplayName, ActiveSyncEnabled, ActiveSyncMailboxPolicy, HasActiveSyncDevicePartnership

# Check all CAS protocols for the user
Get-CASMailbox -Identity $user | Format-List *Enabled

# Verify the mailbox is accessible
Get-Mailbox -Identity $user | Format-List DisplayName, Database, ServerName, ProhibitSendReceiveQuota

Step 2: Check ActiveSync Virtual Directory

# Get ActiveSync virtual directory configuration
Get-ActiveSyncVirtualDirectory | Format-List Server, Name, InternalUrl, ExternalUrl, *Authentication*

# Check IIS authentication settings
Import-Module WebAdministration
Get-WebConfigurationProperty -Filter "/system.webServer/security/authentication/*" -Name enabled -PSPath "IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync" | Format-Table ItemXPath, Value

# Verify virtual directory health (the test cmdlet takes the server name, not the virtual directory object)
Test-ActiveSyncConnectivity -ClientAccessServer $env:COMPUTERNAME

Step 3: Test ActiveSync Connectivity

# Test ActiveSync with specific user credentials
# -TrustAnySSLCertificate skips certificate validation, so a pass here does not
# show that devices will trust the certificate (see Step 4)
$cred = Get-Credential -Message "Enter test user credentials"
Test-ActiveSyncConnectivity -ClientAccessServer $env:COMPUTERNAME -MailboxCredential $cred -TrustAnySSLCertificate | Format-List Scenario, Result, Latency, Error

# Test using specific URL
Test-ActiveSyncConnectivity -URL "https://mail.contoso.com/Microsoft-Server-ActiveSync" -MailboxCredential $cred | Format-List

# Test Autodiscover for ActiveSync
Test-OutlookWebServices -Identity $user -TargetAddress $user -MailboxCredential $cred | Where-Object { $_.Type -eq "ActiveSyncProvider" }

Step 4: Check SSL Certificate

# Get certificates assigned to IIS
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Format-List Subject, Thumbprint, NotAfter, Status, Services

# Verify each IIS-bound certificate is valid (more than one may be returned)
$certs = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
foreach ($cert in $certs) {
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Host "WARNING: Certificate $($cert.Thumbprint) is EXPIRED!" -ForegroundColor Red
    } else {
        Write-Host "Certificate $($cert.Thumbprint) valid until: $($cert.NotAfter)" -ForegroundColor Green
    }
}

# Check certificate SAN includes ActiveSync URL
$certs | ForEach-Object {
    Write-Host "Certificate: $($_.Subject)"
    Write-Host "SANs: $($_.CertificateDomains -join ', ')"
}

Step 5: Check Throttling Policies

# Check user's throttling policy
$user = "affected.user@contoso.com"
$mailbox = Get-Mailbox -Identity $user
$throttlingPolicy = $mailbox.ThrottlingPolicy

if ($throttlingPolicy) {
    Get-ThrottlingPolicy -Identity $throttlingPolicy | Format-List Name, EAS*
} else {
    Write-Host "User has default throttling policy"
    Get-ThrottlingPolicy | Where-Object { $_.IsDefault } | Format-List Name, EAS*
}

# Check for budget exceeded events
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = 'MSExchange ActiveSync'
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match "budget|throttl" } | Select-Object -First 5

Step 6: Review IIS Logs

# Default IIS log location for the first site (adjust if logging was relocated)
$iisLogPath = "C:\inetpub\logs\LogFiles\W3SVC1"

# Search for ActiveSync errors
$today = Get-Date -Format "yyMMdd"
$logFile = Get-ChildItem $iisLogPath -Filter "u_ex$today*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($logFile) {
    Write-Host "Analyzing: $($logFile.Name)" -ForegroundColor Cyan
    # Find 401, 403 and 500 responses for ActiveSync
    Get-Content $logFile.FullName | Where-Object {
        $_ -match "Microsoft-Server-ActiveSync" -and $_ -match " (401|403|500) "
    } | Select-Object -Last 20
}
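
The regex filter above returns raw lines. As an added example (not part of the original guide), the following parses the W3C `#Fields:` header so failures can be grouped by status and substatus, user and client IP. The function name `Get-EasFailureSummary` and the sample log lines are constructed for illustration.

```powershell
function Get-EasFailureSummary {
    # Hypothetical helper: summarizes ActiveSync 401/403/500 responses from W3C log lines
    param([string[]]$Lines)
    $fields = @()
    $rows = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order is declared in the log itself; do not assume positions
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -like '/Microsoft-Server-ActiveSync*' -and
            $row['sc-status'] -in '401', '403', '500') {
            [pscustomobject]@{
                # 401.1 = logon failed, 401.2 = logon failed due to server configuration,
                # 403.4 = SSL required
                Status   = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
                User     = $row['cs-username']
                ClientIP = $row['c-ip']
            }
        }
    }
    $rows | Group-Object Status, User, ClientIP |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample lines in IIS W3C format (not from a real server)
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken'
    '2024-05-01 08:00:01 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 contoso\alice 203.0.113.10 Apple-iPhone - 200 0 0 31'
    '2024-05-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 - 203.0.113.20 Android-Mail - 401 1 1326 15'
    '2024-05-01 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 - 203.0.113.20 Android-Mail - 401 1 1326 14'
    '2024-05-01 08:00:04 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync 443 - 203.0.113.30 Apple-iPad - 401 2 5 3'
    '2024-05-01 08:00:05 10.0.0.5 GET /owa/ - 443 contoso\bob 203.0.113.40 Mozilla/5.0 - 403 4 5 2'
)

Get-EasFailureSummary -Lines $sampleLog | Format-Table -AutoSize
# On a server: Get-EasFailureSummary -Lines (Get-Content $logFile.FullName)
```

A cluster of 401.2 across many users points at the virtual directory authentication settings, while repeated 401.1 from a single client IP is a credential problem on that client or a source worth reviewing in the security log.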

Quick Fix: Enable ActiveSync for User

# Enable ActiveSync for specific user
$user = "affected.user@contoso.com"
Set-CASMailbox -Identity $user -ActiveSyncEnabled $true

# Verify the change
Get-CASMailbox -Identity $user | Format-List DisplayName, ActiveSyncEnabled

# If a mobile device mailbox policy is assigned, check whether it blocks non-provisionable devices
$policy = (Get-CASMailbox -Identity $user).ActiveSyncMailboxPolicy
if ($policy) {
    Get-MobileDeviceMailboxPolicy -Identity $policy | Format-List Name, AllowNonProvisionableDevices
    # Enable non-provisionable devices if needed. This applies to every mailbox on the
    # policy and lets devices that cannot enforce all policy settings sync.
    Set-MobileDeviceMailboxPolicy -Identity $policy -AllowNonProvisionableDevices $true
}

# Test connectivity after enabling
$cred = Get-Credential -UserName $user -Message "Enter user password to test"
Test-ActiveSyncConnectivity -MailboxCredential $cred | Format-List Result, Error

Detailed Solutions

Solution 1: Reconfigure ActiveSync Virtual Directory

# Get current configuration
Get-ActiveSyncVirtualDirectory | Format-List *

# Set correct internal and external URLs
$serverFqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
Set-ActiveSyncVirtualDirectory -Identity "$serverFqdn\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$serverFqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"

# Reset authentication to defaults
Set-ActiveSyncVirtualDirectory -Identity "$serverFqdn\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $true -WindowsAuthEnabled $false

# Restart IIS to apply changes
iisreset /noforce

# Verify configuration
Get-ActiveSyncVirtualDirectory | Format-List InternalUrl, ExternalUrl, *Auth*

Solution 2: Recreate ActiveSync Virtual Directory

Warning: This removes and recreates the virtual directory. Ensure you document current settings first.

# Document current settings (create the backup folder if it does not exist)
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$vdir = Get-ActiveSyncVirtualDirectory
$vdir | Export-Clixml "C:\Temp\ActiveSyncVDir_Backup.xml"

# Remove the virtual directory
Remove-ActiveSyncVirtualDirectory -Identity "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -Confirm:$false

# Recreate the virtual directory
New-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME -WebSiteName "Default Web Site" -InternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync" -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"

# Configure authentication
Set-ActiveSyncVirtualDirectory -Identity "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $true

# Restart IIS
iisreset /noforce

Solution 3: Fix Authentication Issues

# Enable both Basic and Windows authentication for compatibility
Set-ActiveSyncVirtualDirectory -Identity "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $true -WindowsAuthEnabled $true

# For OAuth/Modern Auth environments
# (confirm the parameter is available on your build first:
#  Get-Command Set-ActiveSyncVirtualDirectory -Syntax)
Set-ActiveSyncVirtualDirectory -Identity "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -OAuthEnabled $true

# Check organization OAuth configuration
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled

# Enable OAuth at organization level if needed
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify authentication configuration
Get-ActiveSyncVirtualDirectory | Format-List *Auth*, OAuth*

Solution 4: Fix Certificate Issues

# Identify correct certificate
$certs = Get-ExchangeCertificate | Where-Object { $_.Status -eq "Valid" -and $_.NotAfter -gt (Get-Date) }
$certs | Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# Assign certificate to IIS if not already assigned
$certThumbprint = "YOUR_CERTIFICATE_THUMBPRINT"
Enable-ExchangeCertificate -Thumbprint $certThumbprint -Services IIS -Force

# Verify the binding in IIS
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings | Format-Table *

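# Test SSL connectivity
$testUrl = "https://mail.contoso.com/Microsoft-Server-ActiveSync"
try {
    $response = Invoke-WebRequest -Uri $testUrl -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    Write-Host "SSL connection successful" -ForegroundColor Green
} catch {
    if ($_.Exception.Response) {
        # An HTTP status came back, so the TLS handshake itself succeeded
        Write-Host "SSL connection successful (HTTP $([int]$_.Exception.Response.StatusCode) returned)" -ForegroundColor Yellow
    } else {
        Write-Host "SSL Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}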

Solution 5: Adjust Throttling Policies

# Create a more permissive throttling policy for ActiveSync
New-ThrottlingPolicy -Name "HighVolumeActiveSync" -EASMaxDevices 20 -EASMaxConcurrency 20

# Assign to affected user
Set-Mailbox -Identity "affected.user@contoso.com" -ThrottlingPolicy "HighVolumeActiveSync"

# Or modify the default policy (replace <guid> with the value shown by Get-ThrottlingPolicy)
Set-ThrottlingPolicy -Identity "GlobalThrottlingPolicy_<guid>" -EASMaxDevices Unlimited -EASMaxConcurrency 20

# Verify policy assignment
Get-Mailbox -Identity "affected.user@contoso.com" | Format-List ThrottlingPolicy

Verification Steps

# Comprehensive ActiveSync health verification

Write-Host "=== ActiveSync Virtual Directory ===" -ForegroundColor Cyan
Get-ActiveSyncVirtualDirectory | Format-List InternalUrl, ExternalUrl, BasicAuthEnabled, WindowsAuthEnabled

Write-Host ""; Write-Host "=== SSL Certificate ===" -ForegroundColor Cyan
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
Write-Host "Subject: $($cert.Subject)"
Write-Host "Expires: $($cert.NotAfter)"
Write-Host "Status: $($cert.Status)"

Write-Host ""; Write-Host "=== User ActiveSync Status ===" -ForegroundColor Cyan
$user = "affected.user@contoso.com"
$casMailbox = Get-CASMailbox -Identity $user
Write-Host "ActiveSync Enabled: $($casMailbox.ActiveSyncEnabled)"
Write-Host "Policy: $($casMailbox.ActiveSyncMailboxPolicy)"

Write-Host ""; Write-Host "=== Connectivity Test ===" -ForegroundColor Cyan
$cred = Get-Credential -UserName $user -Message "Enter credentials for connectivity test"
$result = Test-ActiveSyncConnectivity -MailboxCredential $cred -TrustAnySSLCertificate
Write-Host "Test Result: $($result.Result)"
if ($result.Error) { Write-Host "Error: $($result.Error)" -ForegroundColor Red }

Write-Host ""; Write-Host "=== Recent Events ===" -ForegroundColor Cyan
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = 'MSExchange ActiveSync'   # avoid counting ID 1100 from other sources
    Id = 1100
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "Warning: $(@($events).Count) blocking events in the last hour" -ForegroundColor Yellow
} else {
    Write-Host "No blocking events in the last hour" -ForegroundColor Green
}

Prevention Measures

Configuration Best Practices

  • Document ActiveSync virtual directory settings
  • Test connectivity after any Exchange updates
  • Monitor certificate expiration proactively
  • Use consistent authentication methods
  • Plan for modern auth migration carefully
  • Maintain throttling headroom for growth

Monitoring Recommendations

  • Alert on Event ID 1100 occurrences
  • Monitor IIS 401/403 errors for ActiveSync
  • Track Test-ActiveSyncConnectivity results
  • Review throttling budget consumption
  • Monitor ActiveSync request latency
  • Track helpdesk mobile connectivity tickets
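
For the Event ID 1100 alert, a raw count says little about whether one mailbox or the whole server is affected. The following added example (not part of the original guide) parses the message layout shown under "Typical Event Log Entry" and counts distinct users per blocking reason and per client IP. The function names, reason strings and sample messages are constructed for illustration.

```powershell
function ConvertFrom-Eas1100Message {
    # Hypothetical helper: extracts user, reason and client IP from the message text
    param([string[]]$Message)
    $pattern = 'blocked the connection for user (?<User>.+?)\. ' +
               'The connection was blocked because: (?<Reason>.+?)\. ' +
               'Client IP: (?<IP>[0-9a-fA-F:.]*[0-9a-fA-F])'
    foreach ($m in $Message) {
        if ($m -match $pattern) {
            [pscustomobject]@{
                User     = $Matches['User']
                Reason   = $Matches['Reason']
                ClientIP = $Matches['IP']
            }
        }
    }
}

function Get-Eas1100Summary {
    # Counts events and distinct users per value of $Property (Reason or ClientIP)
    param([object[]]$Block, [string]$Property)
    $Block | Group-Object $Property | ForEach-Object {
        [pscustomobject]@{
            $Property     = $_.Name
            Events        = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
        }
    } | Sort-Object DistinctUsers -Descending
}

# Constructed sample messages (not real events)
$sample = @(
    'Exchange ActiveSync blocked the connection for user alice@contoso.com. The connection was blocked because: authentication failure. Client IP: 203.0.113.50.'
    'Exchange ActiveSync blocked the connection for user bob@contoso.com. The connection was blocked because: authentication failure. Client IP: 203.0.113.50.'
    'Exchange ActiveSync blocked the connection for user carol@contoso.com. The connection was blocked because: authentication failure. Client IP: 203.0.113.50.'
    'Exchange ActiveSync blocked the connection for user dave@contoso.com. The connection was blocked because: disabled access. Client IP: 198.51.100.7.'
    'Exchange ActiveSync blocked the connection for user dave@contoso.com. The connection was blocked because: disabled access. Client IP: 198.51.100.7.'
)
# On a server, feed live events instead:
# $sample = Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange ActiveSync'; Id=1100 } | ForEach-Object Message

$blocks = ConvertFrom-Eas1100Message -Message $sample
Get-Eas1100Summary -Block $blocks -Property Reason   | Format-Table -AutoSize
Get-Eas1100Summary -Block $blocks -Property ClientIP | Format-Table -AutoSize
```

One reason spread across many users suggests a server-side setting, while many distinct users failing authentication from one client IP is either a shared proxy or NAT address or a source to review against the security log.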

When to Escalate

Contact Microsoft Support or an Exchange specialist if:

  • Virtual directory recreation does not resolve issues
  • Authentication failures persist after configuration changes
  • All users experience ActiveSync blocking simultaneously
  • Issues started after Exchange cumulative update
  • Hybrid deployment causes ActiveSync routing issues
  • Load balancer or reverse proxy complications

Frequently Asked Questions

Event ID 1100 occurs when ActiveSync connections are blocked at the protocol level. Common causes include disabled ActiveSync for the user, authentication failures, IIS configuration issues, SSL certificate problems, virtual directory misconfiguration, or firewall/proxy blocking ActiveSync traffic. Unlike device-specific blocks, this affects all devices for the affected user or all users if server-wide.
