Microsoft Exchange and Blackberry Server Specialists

Exchange ActiveSync Setup for Exchange 2003

This article explains how to configure Exchange 2003 to work with the Direct Push (aka Exchange ActiveSync) functionality of Windows Mobile 5.0 or 6. If you are using Small Business Server then you should follow the guide on Microsoft's web site here:  . If you are using the full product, then this guide should help you.

This is for Exchange 2003. An Exchange 2007 Version is also available


  • Exchange 2003 with Service Pack 2 installed
  • Trusted commercial SSL certificate*
  • Windows Mobile 5.0 handheld with MSFP** or Windows Mobile 6 or another device with Exchange ActiveSync functionality.


* While it is possible to deploy this feature without SSL, it means that your username and password details are going across in the clear.
It is also possible to deploy this feature with a home grown certificate. However a certificate that is trusted by Windows Mobile 5.0 with the MSFP update can be purchased for US$30 a year (link), which provides a more professional approach.

** If your Windows Mobile device is WM6 then it has the required components. If it is version 5.0 then you need to check if it has the MSFP Upgrade. To check, on the device, tap Settings, System and then choose About. You will see a version number like this:

OS 5.1.195 (Build 14847.2.0.0).

The key information is the build number, specifically the last three digits. If they are 2.0.0 or higher, then it has the MSFP update. If they are not, then contact your service provider or handheld manufacturer for an update.

Exchange Server Configuration

The setup of this feature is very straight forward.

  1. Open Exchange System Manager on your Exchange server. Expand Global Settings.

    Screenshot - Exchange System Manager - Mobile Services
  2. Right click on Mobile Services and choose Properties.
  3. Enable all of the options.

    Screenshot - Exchange System Manager - Mobile Services Properties
  4. Click on device security and enable enforce password.
    If you do not enable enforce password, then you cannot carry out a remote wipe without a prompt on the device.

    Screenshot - Exchange System Manager - Mobile Services - Device Security Settings
  5. Apply/OK out.

Test the Settings

Before moving on the device configuration, you should test the settings.
To do this, there are a number of things that you can do.

  1. On your desktop, browse to (where is the name on your SSL certificate). You should get a username and password prompt. Enter your username in the domain\username format. Then enter your regular password. You should get your mailbox in a plain text format.
  2. Repeat the above test, but on a mobile device. If you get an SSL certificate prompt, then the ActiveSync feature will not work as it cannot cope with the certificate prompt. The certificate prompt will tell you what is wrong.
    Ensure that you are using the correct address and that the certificate you have is trusted.
  3. Use the Microsoft Test site:

If you get any other errors, that indicate you do not have permissions, and you are using forms based authentication (your users get a web page to enter their username and password credentials in) and SSL then you should see our guide to that problem here.

If you are getting errors on a frontend/backend scenario, then ensure that you are connecting the device to the frontend server, not the backend.
On the backend server check that forms based authentication is NOT enabled. Finally on the /exchange virtual directory, make sure that integrated authentication is enabled. 


Q: Should I disable SSL before trying to get this to work?
A: When you put an SSL certificate on to Exchange, most people also enable forms based authentication. Enable FBA changes the behaviour of some of the web functionality that this feature uses. Therefore if you get it to work without SSL, then enable SSL, you may run in to further problems.

Q: I am getting an error message with the code 0x85010014.
A: This is well known - see our resolution here.