Blackberry 10 and Windows Phone 8 Password Prompts

by Ed Sparks

Now that more BB10 and WP8 devices are out in the wild, there are a few issues coming to light in regards to the connection to Exchange ActiveSync.

The most common is that users are periodically prompted for their password after having successfully synced with the server for some time.  In many cases (particularly BB 10) this results in an account lockout if the user simply cancels the prompt, or doesn't enter the password successfully.

The same issues do not seem to appear when using any iOS, Android or Windows Phone 7.x device against the same servers.  It's not yet clear why the implementation is different on these other platforms.

The solution - adjust the timeout settings on your Exchange server, or ISA/TMG or ASA gateways, so that the connections are held open for longer than the heartbeat interval of the ActiveSync device.

Exchange
Follow the steps in this article to ensure the correct configuration is in place for both Exchange (2003/2007/2010) and your ISA/TMG.

ISA/TM
Under the Web Listener
 for the EAS/OWA Rule - uncheck the "Apply session timeout to non-browser clients" setting as per this article.

Cisco ASA
Ensure any NAT rules that pass traffic to Exchange on HTTP/HTTPS have no timeouts, or very long timeout values.

Curious how all this fits together? Here's a great backgrounder on how EAS Direct Push works, heartbeat intervals, firewalls and more.  
http://technet.microsoft.com/en-us/library/cc182270.aspx