One of the first steps in an Exchange 2010 to 2013 migration is to make Exchange 2013 internet-facing so that it handles the requests from external and internal clients.
After my first attempt to switch the frontend from Exchange 2010 CAS and TMG to UAG and Exchange 2013 CAS servers, I noticed that some Android and iPad ActiveSync users were prompted for authentication.
The first things I checked were the event log on the CAS machines and whether permission inheritance was enabled on the user accounts. Both were fine, so I moved on to the IIS logs, first on the 2013 machine and then on the 2010 machine, because the 2013 CAS proxies the requests to the 2010 CAS.
On the 2013 CAS I could see that these users tried to log on but the session ended with an HTTP 401 (Unauthorized) error.
On the 2010 CAS I filtered the logs by user and by the time they tried to log on. The result was that in the IIS logs the domain of the users who did not sync was different from that of the users who worked:
User1 –> domain\User1
User2 –> domain.local\User2
User3 –> domain.local\User3
I checked the devices of User2 and User3 and found that the domain was missing from the account settings. Previously, when Exchange 2010 with TMG was internet-facing, TMG took care of this.
To fix this with Exchange and UAG, set the default domain in IIS on the Exchange 2013 CAS servers so that it is used when the device does not send one.
After an IIS reset the devices connected successfully.
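The log check and the IIS default domain fix from above, as an added PowerShell example that is not from the original post. It assumes the WebAdministration module is available on each CAS, that the ActiveSync virtual directory sits under "Default Web Site" and that the NetBIOS domain is "domain" (as in the log lines above); the server names and the IIS log excerpt are constructed.

```powershell
# Added example (not from the original post): find ActiveSync logons that
# arrive without a domain, then set the IIS default logon domain on each
# Exchange 2013 CAS so those devices still authenticate.
Import-Module WebAdministration

# Constructed W3C log excerpt in the shape the CAS writes: one device that
# sends DOMAIN\user, two that send the bare user name and get a 401.
$sampleLog = @'
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2013-05-01 08:00:01 POST /Microsoft-Server-ActiveSync domain\User1 10.0.0.11 200 0
2013-05-01 08:00:02 POST /Microsoft-Server-ActiveSync User2 10.0.0.12 401 1
2013-05-01 08:00:03 POST /Microsoft-Server-ActiveSync User3 10.0.0.13 401 1
'@ -split "`r?`n"

function Get-DomainlessActiveSyncLogons {
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*') -split '\s+'
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ForEach-Object {
        $values = $_ -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $row
    } | Where-Object {
        $_['cs-uri-stem'] -like '/Microsoft-Server-ActiveSync*' -and
        $_['cs-username'] -ne '-' -and
        $_['cs-username'] -notmatch '\\|@'   # neither DOMAIN\user nor a UPN
    } | ForEach-Object {
        [pscustomobject]@{ User = $_['cs-username']; Client = $_['c-ip']
                           Status = "$($_['sc-status']).$($_['sc-substatus'])" }
    }
}

Get-DomainlessActiveSyncLogons -Lines $sampleLog | Format-Table -AutoSize

# Fix: set defaultLogonDomain for Basic auth on the ActiveSync vdir of every
# 2013 CAS (written to applicationHost.config via a location tag), show the
# resulting value, then restart IIS as the post describes.
$casServers = 'CAS01', 'CAS02'   # placeholder server names
$filter = 'system.webServer/security/authentication/basicAuthentication'
foreach ($cas in $casServers) {
    Invoke-Command -ComputerName $cas -ArgumentList $filter -ScriptBlock {
        param($filter)
        Import-Module WebAdministration
        $vdir = 'Default Web Site/Microsoft-Server-ActiveSync'
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
            -Filter $filter -Name 'defaultLogonDomain' -Value 'domain'
        (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $vdir `
            -Filter $filter -Name 'defaultLogonDomain').Value
        iisreset /noforce | Out-Null
    }
}
```

Re-run the log check against the live IIS logs after the reset; the same users should now appear as domain\User and return 200.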