Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results of the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveSync, IntelliShrink, Microsoft Press, MSDN, Visual Studio, and Outlook are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
This document contains the following sections:
This document provides important updated information about the final release of Microsoft Mobile Information Server 2002. The final release of Mobile Information Server 2002 includes new features such as the Enterprise Device Setup and Personal Device Setup tools. This document lists known issues that can potentially affect your ability to successfully install and deploy Mobile Information Server (MIS).
The following new features have not been documented in the product documentation on the Mobile Information Server 2002 CD-ROM. Documentation for these features is available in the updated product documentation, which you can download from http://www.microsoft.com/miserver/support. Documentation for the unsupported tools, which are described in the "Additional Tools" section of this document, is available in the folder for each tool.
Before users can synchronize their Pocket PC 2002 devices, they may need to first install an update on their Pocket PCs. This update consists of a file (ActiveSyncUpdate.cab) that users must copy to their Pocket PCs and then run. This update file includes the changes necessary for users to be able to synchronize their Pocket PC devices with Server ActiveSync, in addition to several improvements to the Pocket PC 2002 software. Instructions on updating a Pocket PC with this file can be found in Mobile Device User Help (Userhelp.chm). Userhelp.chm is available on the MIS CD-ROM in the \<Lang>\Docs folder. You should provide this help file to your users. Instructions for configuring synchronization are also available by means of a Web page that you can make available to users. The Server ActiveSync ROM Update file and the Web page instructions are available on the MIS CD-ROM in the \<Lang>\PocketPC folder.
WARNING - Important Notice for HP Jornada Model 56X users
If you are using a European (non-English language) HP Jornada Pocket PC with one of the following model numbers:
HP Jornada 564
HP Jornada 565
HP Jornada 567
HP Jornada 568
Before you install the ActiveSync ROM update on your European HP Jornada, you must first download and install the latest updates for your HP Jornada Pocket PC. These updates are available directly from Hewlett Packard. If you install the ActiveSync ROM update before you install the HP Jornada Pocket PC updates, your Jornada will fail to operate properly. DO NOT install the ActiveSync ROM update until you have installed the updates from Hewlett Packard. To download the updates from Hewlett Packard, visit: http://www.hp.com/cposupport/software.html.
After you have installed the latest updates for your HP Jornada Pocket PC, you can install the ActiveSync ROM update.
To determine whether the Pocket PC 2002 device requires this update
Mobile Information Server 2002 includes a new Web-based tool that users can access to manage their devices for notifications. Users can navigate to the tool using their regular Web browser software and create, edit, and delete the devices that they use for notifications. This tool supplements the existing Personalization page interface (Airweb page) by allowing users to perform some of the device management tasks that were previously performed by administrators. You install this tool by running the Setup.exe file in the D:\Support\Tools\MIS Personal Device Setup\
Mobile Information Server 2002 includes a new tool that administrators can use to perform MIS-related administrative tasks on many users at once. With Enterprise Device Setup, you can enable users for wireless access, manage devices and wireless passwords, and configure default settings for any number of users simultaneously. This tool is installed automatically when you install MIS. To access Enterprise Device Setup, click Start, point to Programs, point to MMIS, and then click MIS Enterprise Device Setup.
The following information will help you get started using Enterprise Device Setup. To use Enterprise Device Setup to modify many users at once for use with MIS, perform the following steps:
With Enterprise Device Setup, you can import the users you want to modify from a comma separated value (.csv) file. You create the .csv file by exporting user information from Active Directory. You can select specific users to export, or you can export an entire Active Directory container. For example, you can export all the users in a specific organizational unit. Alternatively, you can create your own .csv file using your own scripts or a text editor. Once you have the .csv file, you can load the users into Enterprise Device Setup and enable them for wireless access, add devices, and so on.
While Enterprise Device Setup can recognize a number of fields, including existing devices and wireless settings, the .csv file need only contain the names of the users to import from Active Directory. The first line of the file lists the column headers (generally you just need the Name column), while the subsequent lines of the file list the specific users. A typical .csv file that you import into Enterprise Device Setup looks like this:
The first line lists the columns (the Name field in Active Directory) and each subsequent line lists the users to import. Note that each entry must end with a comma.
To export users from Active Directory to a .csv file
Once you have a .csv file with the users you want to modify, you must import them into Enterprise Device Setup.To import users into Enterprise Device Setup
Once you have imported all the users you want modify into Enterprise Device Setup, you can modify several of the default settings for all imported users simultaneously. You can modify the following settings:
You can also enable all of the imported users for wireless access simultaneously. This is the equivalent of selecting the Enable wireless access for this user check box on the MIS Wireless Mobility tab for an individual user, but the setting is applied to all imported users at once.
To enable the imported users for wireless access
You can fine-tune the settings for the imported users by manually modifying rows in the user table, or by using the Find and Replace option, which is available from the Edit menu. You can also manually add or delete rows from the user table from the Edit menu.
When you are done modifying the settings for the imported users, you must update the actual user accounts by writing the new settings to Active Directory.
To update Active Directory with the new user settings
Mobile Information Server 2002 includes support for deploying MIS servers inside an intranet behind Internet Security and Acceleration (ISA) servers, which are located in a perimeter network. Deploying MIS behind ISA offers increased security by allowing you to physically and logically isolate your MIS servers and Windows network from the Internet. ISA forces incoming requests to be verified before allowing access to your internal Windows network and MIS servers. You can implement this ISA deployment topology by installing a special MIS filter on the ISA server. Using Lightweight Directory Access Protocol (LDAP) binds, the MIS ISA filter performs pre-authentication for incoming traffic before routing it to the MIS server. The filter also allows ISA to work with any of the MIS security topologies. You install the ISA filter on an ISA server by running the Setup.exe file in the D:\Support\Tools\ISA Filter folder, where D is the drive letter of your CD-ROM drive. Also included is a tool that provides support for synchronizing to multiple domains. Using this tool, you map URLs to internal domain names. Synchronization requests for a given URL are routed by the ISA server to the associated domain.
Caution If you are using a version of ISA earlier than Service Pack 1 (SP 1), you must apply ISA hotfix number 68. Do not use versions of ISA earlier than SP 1 with MIS unless you apply the hotfix. Information about this hotfix and download instructions are available in Microsoft Knowledge Base (KB) article Q289503.
For detailed technical information about deploying MIS with ISA Server, see the MIS Web site at http://www.microsoft.com/miserver.
You can deploy only the Server ActiveSync feature of MIS. Because Server ActiveSync does not extend Active Directory, you can deploy an MIS server that runs only Server ActiveSync without having to run MIS ForestPrep or DomainPrep. This deployment also does not require that you install anything on the Exchange server. You can perform a Server ActiveSync stand-alone installation by running Setup.exe with the /vMSAS=1 switch.
After you install the Server ActiveSync stand-alone version of MIS, you must enable users to synchronize by means of MIS. Setup creates a new security group called MIS Mobile Users. Members of this group can synchronize their Pocket PC devices using Server ActiveSync. Because the Wireless Mobility tab is not available in a Server ActiveSync stand-alone installation, you must add users who synchronize their Pocket PC devices to the MIS Mobile Users security group. Two administrative mechanisms are available for granting users the capability to synchronize:
Once users have been added to MIS Mobile Users, they can begin synchronizing their Exchange 2000 data to their Pocket PC devices using Server ActiveSync. Instructions for synchronizing with Server ActiveSync are available in Mobile Device User Help. This file is available on the MIS CD-ROM in the \<Lang>\Docs folder. The name of the Help file is Userhelp.chm.
Mobile Information Server 2002 includes support for using RSA SecurID to perform two-factor authentication when users browse through Outlook Mobile Access or the intranet from a mobile device. SecurID support requires the Access User security topology. If you have not deployed the Access User topology, when you enable SecurID support your deployment is modified to use the Access User topology. In this case, you must re-enable users for wireless access. You must also have deployed SecurID and you should already be familiar with both MIS and SecurID. You enable SecurID support by running MIS Setup with a special parameter: /vSecurID=1.
For detailed technical information about deploying MIS with SecurID, see the MIS Web site at http://www.microsoft.com/miserver.
Mobile Information Server 2002 includes numerous additional unsupported tools. These tools are available in the D:\Support folder, where D is the drive letter of your CD-ROM drive. The following tools are included:
If you deployed the Release Candidate (RC) 1 pre-release of Mobile Information Server 2002, you can upgrade to the final version by performing the following steps:
You must uninstall Mobile Information Server 2002 RC 1 from each server on which it is installed. This includes MIS servers and Exchange servers with Exchange 2000 Event Source installed.
To uninstall MIS
To update your Active Directory instance data for the final version of MIS, you must run the forest-wide update program.
To run the update
You must reinstall MIS on each server on which MIS or Exchange 2000 Event Source was installed for your RC 1 deployment. For information about running MIS setup, see Chapter 4: "Deploying Mobile Information Server" in Mobile Information Server Planning and Installation. This document is available as a .pdf file on the MIS CD-ROM in the \Docs folder.
Mobile Information Server 2002 includes the following product documentation, which is available on the Mobile Information Server 2002 CD-ROM in the \<Lang>\Docs folder. You should make sure to download the latest version of this documentation from the Web at http://www.microsoft.com/miserver/support. The updated documentation is the most complete and accurate version and includes new information about features such as Personal Device Setup and Enterprise Device Setup:
This section describes known issues for Mobile Information Server 2002. These issues may impede your ability to successfully deploy and use MIS. You should familiarize yourself with all of the known issues listed here prior to installing the software.
Using Microsoft Security Toolkit, which is available at http://www.microsoft.com/security, you can automatically lock down your MIS and Exchange servers (or other servers) in a secure configuration. Locking down the MIS or Exchange servers with the default settings used by Microsoft Security Toolkit causes some features of MIS to function improperly. This section explains the functionality that is affected, and describes how to modify the default settings so that those features work properly. To modify the default settings, you must edit a configuration file called Urlscan.ini. The Urlscan.ini file is located in the %systemroot%\System32\Inetsrv\Urlscan directory.
This section assumes you have applied the following settings to your Exchange and MIS servers using Microsoft Security Toolkit version 2.1:
Important Make sure to stop Mobile Information Server Message Processor Service (Mobiinfo.exe) before running the IIS lockdown feature of Microsoft Security Toolkit on the MIS server.
If you lock down the security on your Exchange servers by running Microsoft Security Toolkit, the Configuration option does not work when users try to access it from the Outlook Mobile Access Main Menu. This is because the URLScan.dll component of Microsoft Security Toolkit does not allow a World Wide Web Distributed Authoring and Versioning (Webdav) verb that MIS requires. The list of verbs used by the URLScan.dll component are stored in a configuration file called Urlscan.ini.
You can fix this problem by adding the following verb to the list of allowed verbs in Urlscan.ini:
If you lock down the security of your MIS servers by running Microsoft Security Toolkit, users with international characters in their user names cannot log on with Mobile Information Server. This is because the configuration file used by the URLScan.dll component (Urlscan.ini) does not allow international characters by default.
You can fix this issue by changing the AllowHighBitCharacters setting in the Urlscan.ini file on the MIS server. Change the setting from the default (AllowHighBitCharacters=0) to AllowHighBitCharacters=1.
AllowHighBitCharacters is turned off by default because certain security exploits use international (high bit) characters. To protect yourself against possible security exploits, you should modify this setting only if your user's user names contain international characters.
If you lock down the security on your MIS servers or Exchange servers by running Microsoft Security Toolkit, by default, periods (".") are not allowed in URLs. This can cause problems; for example, if users have periods in their user names, they cannot log on. Similarly, performing actions on messages with periods in the subject may fail, such as trying to delete a message with a period in the subject. This is because the configuration file used by the URLScan.dll component (Urlscan.ini) does not allow a period in the path by default.
You can fix these issues by changing the AllowDotInPath setting in the Urlscan.ini file on the MIS servers and Exchange servers. Change the setting from the default (AllowDotInPath=0) to AllowDotInPath=1.
AllowDotInPath is turned off by default because certain security exploits use a period in the path. To protect your network from such exploits, consider not allowing periods in user names, message subjects, and so on. If you choose to allow periods, you can modify the AllowDotInPath setting in Urlscan.ini after you run Microsoft Security Toolkit on the MIS server and any Exchange servers. After you modify the AllowDotInPath setting, you must restart the IIS Admin service.
If you lock down the security on your Exchange or MIS servers by running Microsoft Security Toolkit, by default, certain characters, such as the percent ("%"), ampersand ("&"), and, on the MIS server, colon (":") are not allowed in URLs. This can cause problems when users try to perform certain actions, such as deleting a message or accepting a meeting request, when the message in question contains these characters in the subject line. The colon (":") character is especially common in e-mail messages; for example, replies and forwarded messages usually contain a colon in the subject.
You can fix these issues by changing the [DenyUrlSequences] section of the Urlscan.ini file on the Exchange servers that you have locked down. You must remove the characters that you want to allow from the DenyUrlSequences list in the Urlscan.ini file. For example, this section typically looks like this on the MIS server:
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
Messages with any of the characters or character sequences listed in the subject are affected. To be able to delete messages with colons in the subject using Outlook Mobile Access, you must remove the following line from this section of the Urlscan.ini file on the MIS server:
: ; Don't allow alternate stream access
These characters are denied by default because certain security exploits use these characters in URLs. To protect yourself from such exploits, consider not allowing as many of these characters as possible. If you choose to remove some of the denied characters, you can modify the DenyUrlSequences setting in Urlscan.ini after you run Microsoft Security Toolkit on the Exchange or MIS servers. After you modify the DenyUrlSequences setting, you must restart the IIS Admin service.
Installing Exchange 2000 components, such as the Exchange 2000 system tools, on an MIS server (a server with the core MIS components installed, as opposed to an Exchange server with Exchange 2000 Event Source installed) alters the SMTP metabase on the server and may cause MIS to function incorrectly. Do not install Exchange system tools or other Exchange components on an MIS server.
The Personalization Web page that users access to configure their device settings is always accessed on the user's Exchange server. If you install the Personalization page on another server, such as the MIS server, users who access the page on that server are automatically redirected to the page on their Exchange 2000 server. If the Personalization page is not installed on the user's Exchane 2000 server, the user receives an error when he or she tries to access the page on another server, because the redirection to the Exchange server fails. Make sure to install the Personalization page on each Exchange 2000 server that has mailboxes for users who must access the Personalization page.
Pocket PC 2002 includes a number of well-known root SSL certificates installed. If the MIS server has an SSL certificate issued by a certification authority other than those installed by default, users receive an Internet_45 error when attempting to synchronize using Server ActiveSync. Pocket PC 2002 supports the following certification authorities:
With Microsoft Outlook, you can apply labels (typically a special color and text label) to appointments in Calendar. Appointments with labels cannot synchronize with Server ActiveSync. Users who synchronize Calendar with Server ActiveSync cannot see labeled appointments on their Pocket PCs. To synchronize an appointment that has a label, use Outlook to set the label for the appointment to None, and then synchronize again.
If a user adds a contact in Outlook from the Exchange Global Address List, the SMTP address for that contact may not look correct on the Pocket PC after synchronization. However, it is a valid SMTP address and sending e-mail messages to the contact functions correctly. The user can manually edit the address so that it appears as a regular SMTP address on the device.
Notifications will fail if you restrict the permissions on the Exchange 2000 pickup folder. For notifications to work, permissions on the pickup folder must be set to allow the ENTEVENTSOURCE user account (an MIS system account) to have write permissions on the folder. If the ENTEVENTSOURCE user account does not have write permissions, Exchange 2000 Event Source fails when it attempts to write to this folder. The Exchange 2000 pickup folder is located at C:\Program Files\Exchsrvr\Mailroot\Vsi 1\Pickup, where C is the drive on which Exchange is installed. Make sure that the security settings on this folder include write access for the ENTEVENTSOURCE user account.
If you deploy a stand-alone Server ActiveSync installation, confirmation mail is not sent to users after they are enabled for synchronization. You should notify users that they are enabled to synchronize their Pocket PC devices.
When uninstalling MIS without the correct permissions, or when uninstalling a stand-alone installation of Server ActiveSync, you may receive a fatal error message.
To uninstall MIS, you must be a member of both the local Administrators group and the Microsoft Mobility Admins group. If you try to uninstall MIS and you are not a member of Microsoft Mobility Admins, a message appears stating that you do not have the correct permissions. After this message appears, you see a message stating that a fatal error during setup has occurred.
When uninstalling a stand-alone Server ActiveSync installation of MIS, if users remain in the domain who have synchronization permissions, you see a message asking if you want to continue uninstalling MIS. If you select No, you see a message stating that a fatal error during setup has occurred.
In both cases, this error is benign and indicates that the uninstallation did not complete successfully. You must log on as a user with the correct permissions to uninstall MIS.
If the User must change password at next logon option is set for a user account, synchronization using Server ActiveSync fails until the user logs on to the network and changes his or her account password. Synchronization also fails if the user account is disabled or if it expires. If users have problems using Server ActiveSync, make sure that neither of these issues exist.
If the domain controller that your server is connected to is busy when you run Setup, you may receive an error stating that the directory service is busy. If you receive this error, reboot the server and run Setup again.
On servers running Windows 2000 SP 2 or earlier with MIS installed, restarting the IIS Admin Service for the first time from the Services snap-in disables any security certificates that are installed. If you need to restart IIS Admin Service, the first time you do so, restart the service from a command prompt.
If you do restart IIS Admin Service using the Services snap-in, any certificates that are installed are disabled. You can reassign the certificates using the Internet Information Services MMC snap-in.
This issue is fixed in Windows 2000 SP 3 and later.
If you use auxiliary accounts for MIS authentication, the auxiliary account is granted Send As permissions from each user who is enabled for wireless access. As a security precaution, Windows 2000 overwrites this setting if the setting is granted by a member of the Domain Admins group. This means that members of Domain Admins cannot send e-mail messages using Outlook Mobile Access if you use an auxiliary accounts topology. Note that this problem does not affect the Access User topology.
The actual mailbox on a user's Exchange 2000 server is not created until the user first accesses the mailbox with an e-mail client. The e-mail client program provides certain information to the Exchange server, such as the client language, which is required to create the mailbox. Outlook Mobile Access reads language settings from the MIS server. This can cause problems if the user's language is different than the language of the MIS server. For this reason, Outlook Mobile Access does not create a mailbox when it is the first e-mail client to access the user's Exchange server. Users with new mailboxes must access their mailboxes with another e-mail client prior to browsing with Outlook Mobile Access. This issue does not affect Exchange 5.5 users.
If you install MIS over Terminal Services, you must run Setup from a local CD-ROM drive, a local hard drive, or by using a UNC path to access the MIS setup file. For example, if your MIS setup file resides on the network at \\<Server>\<Share>\Setup.exe, you point to Start, point to Run, and then type \\<Server>\<Share>\Setup.exe. If you try to run Setup over Terminal Services without using a UNC path, you see errors such as: Internal error 2755.3, z:\<Server>\Enterprise\Retail\Setup\Mobile Information Server.msi.
The date format of Outlook Mobile Access notification and browse messages is determined by the system locale set on the MIS server. This can be confusing to users if the client language they normally use is different from that of the MIS server. For example, a US English MIS server uses the date format mm/dd/yyyy, while a user with UK English client settings is used to seeing the date format dd/mm/yyyy. Let users know if the date format is different than the one they are used to.
You can install the English version of MIS on any version of Windows 2000. Non-English versions of MIS must be installed on a server running Windows 2000 in the same language as MIS. For example, Italian MIS must be installed on Italian Windows 2000. Prior to installation, make sure that the language of your Windows 2000 computer matches the language of your MIS software.
Some devices do not send international characters in a user name or password correctly. If a user whose user name or password contains international characters has problems logging on from his or her device, either change the user name or password so that it does not include international characters, or use a different device.
The first time you install the Exchange 5.5 Data Provider component of MIS, certain instance data is written to Active Directory. If you install Exchange 5.5 Data Provider on another server before the original installation instance data has replicated to all domain controllers, you may have conflicting sets of instance data in Active Directory, which causes errors in your MIS installation. This occurs only after the first installation of Exchange 5.5 Data Provider. After you first install Exchange 5.5 Data Provider, make sure you allow sufficient time for Active Directory replication prior to installing Exchange 5.5 Data Provider on another server.
The MMISNotify and MMISDeviceInfo virtual directories on your MIS server do not support SSL. If you have installed a certificate and enabled SSL on your MIS server, MMISNotify and MMISDeviceInfo are set to use SSL. This causes notifications to fail, in addition to applications that access MMISDeviceInfo. Disable SSL on MMISNotify and MMISDeviceInfo and use an alternate security method. For example, you can restrict the IP addresses that can access MMISNotify and MMISDeviceInfo to only those servers that require access to these virtual directories.