A user account was created in AD several months ago, while on Exchange 2010 SP 1. After the upgrade to Exchange 2010 SP 2, a mailbox was attached to the AD account. Login to webmail works, but login via ActiveSync from a mobile device fails.
The problem is verifiable by going to https://[servername].com/microsoft-server-activesync, where the credentials fail despite working at the OWA portal.
The issue is that when an Exchange service pack is installed, the existing objects get properly extended, and any new accounts created after the service pack is applied receive the updated attribute schema. However, an account that existed before the service pack was applied and had a mailbox attached afterwards does not receive all the correct attributes.
More of a workaround… This problem can be fixed by turning on inheritance in the Advanced Security properties of the AD object. This will cause all of the current AD permissions, including all of the Exchange groups, to re-copy to the object. While I've verified this does work, it is a lousy workaround if you have a large number of objects this has happened to.
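For a large number of affected objects, the same workaround can be scripted. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module is available, the function name and the search base are hypothetical, and it skips accounts with `adminCount = 1`, because AdminSDHolder disables inheritance on those deliberately and will reset the change.

```powershell
# Added example: bulk form of the "turn on inheritance" workaround.
Import-Module ActiveDirectory

function Repair-MailboxUserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Container to scan; supply your own OU or domain DN.
        [Parameter(Mandatory = $true)][string]$SearchBase
    )

    # Only mailbox-enabled user objects (msExchMailboxGuid is populated).
    $filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'
    $users  = Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties adminCount

    foreach ($u in $users) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # AreAccessRulesProtected = $true means inheritance is turned off.
        if (-not $acl.AreAccessRulesProtected) { continue }

        # Privileged accounts are protected by AdminSDHolder; leave them alone.
        if ($u.adminCount -eq 1) {
            Write-Warning "Skipping AdminSDHolder-protected account: $($u.SamAccountName)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Enable permission inheritance')) {
            # First argument $false re-enables inheritance; the second is
            # ignored when protection is being removed.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }

        # Emit one record per object that had inheritance disabled.
        New-Object PSObject -Property @{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Dry run first (constructed search base shown as a placeholder):
# Repair-MailboxUserInheritance -SearchBase 'OU=Staff,DC=example,DC=com' -WhatIf
```

Run it with `-WhatIf` first and review the list; an account with inheritance disabled for a reason other than this bug should be excluded before the change is applied.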
Will update this post if the issue is resolved by a Roll Up (RU) from Microsoft. As of Exchange 2010 SP 2 RU 3, this is an issue.