Error message when you try to synchronize a mobile device with Exchange Server 2003: "HTTP_403"

When you try to synchronize a mobile device with Microsoft Exchange Server 2003 by using Exchange ActiveSync, the synchronization attempt is unsuccessful. Additionally, you receive the following error message:

This problem occurs if the following conditions are true:

• The IISADMPWD application is configured on the Web site that hosts the Microsoft-Server-ActiveSync application. And, IISADMPWD is configured to generate advance notification messages to notify you when your password will expire.
• Your password is set to expire within the password expiry window for which IISADMPWD sends the advance notification message.

For example, you experience this issue if the IISADMPWD application is configured to notify you that your password will expire in 14 days. And, you try to synchronize a mobile device within those 14 days.

This issue occurs because Exchange ActiveSync clients cannot handle password expiration notification messages. Additionally, you cannot change an expired password by using an Exchange ActiveSync client.

To resolve this issue, disable the IISADMPWD application functionality on the Microsoft-Server-ActiveSync application.

Note In Microsoft Windows Server 2003, you must disable the IISADMPWD application functionality at the Web site level. However, in Microsoft Windows Server 2003 Service Pack 1 (SP1), you can disable this functionality at the virtual directory level. This change does not affect the IISADMPWD application functionality in Microsoft Outlook Web Access.

To disable this functionality, set the PasswordChangeFlags value to 6 on the Microsoft-Server-ActiveSync application. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
   cd drive:\inetpub\adminscripts
   In this command, drive is the letter of the drive on which Microsoft Internet Information Services (IIS) is installed.
3. Type the following command if the Microsoft-Server-ActiveSync application is hosted on the first Web site.
   
   Note This command is case sensitive.
   adsutil.vbs set w3svc/1/ROOT/Microsoft-Server-Activesync/passwordchangeflags 6
   Note The /1 parameter in this command corresponds to the first Web site. By default, this is the Default Web Site. And, the value of 6 represents the sum of the following two values:
   • 2: This value disables password changes.
   • 4: This value disables the advance notification message that notifies you when your password will expire.
4. Restart IIS. To do this, type iisreset, and then press ENTER.

The IISADMPWD application generally runs in the ExchangeApplicationPool application pool. We recommend that applications that use the functionality of IISADMPWD run in the same application pool. Because Outlook Mobile Access generally does not run in ExchangeApplicationPool, we recommend that you also set the PasswordChangeFlags value to 6 on the OMA application.

For more information about the PasswordChangeFlags values, click the following article numbers to view the articles in the Microsoft Knowledge Base: