http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
Topic Last Modified: 2010-06-25
The Microsoft Exchange Analyzer tool sends Exchange ActiveSync commands to test for Exchange ActiveSync connectivity. If the FolderSync command (the first command in the sequence) returns an HTTP 500 error, then the Exchange Server Remote Connectivity Analyzer tool returns the following error.
"Exchange ActiveSync returned an HTTP 500 response."
You may experience this error if you have an Exchange 2003 server without a front-end server and are using Secure Sockets Layer (SSL) or forms-based authentication. If this is the case, see Microsoft Knowledge Base article, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=817379).
In Exchange 2003, ActiveSync requires Kerberos authentication to work properly between the front-end and the back-end servers. Some common reasons for Kerberos authentication in IIS not working are:
Integrated Windows Authentication may not be enabled on the back-end server's "/Exchange" virtual directory.
The affected users may be members of too many groups, causing their user tokens to be larger than the maximum allowed size.
Note: The authentication methods on Exchange Server virtual directories should be managed using the Exchange System Manager and not Internet Information Services (IIS) Manager.
For more information, see Microsoft Knowledge Base article, "How to troubleshoot server ActiveSync HTTP error codes" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=330463).
In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.
To check whether inheritance is disabled on the user:
1. Open Active Directory Users and Computers.
2. On the menu at the top of the console, click View > Advanced Features.
3. Locate and right-click the mailbox account in the console, and then click Properties.
4. Click the Security tab.
5. Click Advanced.
6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.
If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups, you should check the permissions on the AdminSDHolder object.
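The same check can be run read-only from PowerShell, which helps when several mailboxes need to be reviewed. This is an added example, not part of the original Microsoft article: it assumes the ActiveDirectory module (RSAT) is installed, and the function name and sample account names are hypothetical.

```powershell
# Added example: read-only audit of ACL inheritance on mailbox accounts.
# Assumes the ActiveDirectory module; function and account names are hypothetical.
Import-Module ActiveDirectory

function Test-MailboxAclInheritance {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$SamAccountName
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor, adminCount
        $sd   = $user.nTSecurityDescriptor

        # True when "Include inheritable permissions from this object's parent" is cleared
        $inheritanceDisabled = $sd.AreAccessRulesProtected

        # adminCount = 1 marks accounts whose ACL is stamped from AdminSDHolder
        $isProtected = ($user.adminCount -eq 1)

        # All ACEs (explicit and inherited), with SIDs resolved to account names
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $exchangeAces = @($rules | Where-Object { $_.IdentityReference.Value -like '*\Exchange Servers' })
        $inheritedExchangeAces = @($exchangeAces | Where-Object { $_.IsInherited })

        if (-not $inheritanceDisabled) {
            $finding = 'Inheritance enabled'
        } elseif ($isProtected) {
            $finding = 'Inheritance disabled, protected account: check AdminSDHolder permissions'
        } else {
            $finding = 'Inheritance disabled on a non-protected account: review steps above'
        }

        [pscustomobject]@{
            Account               = $user.SamAccountName
            InheritanceDisabled   = $inheritanceDisabled
            AdminCount            = $user.adminCount
            ExchangeServersAces   = $exchangeAces.Count
            InheritedExchangeAces = $inheritedExchangeAces.Count
            Finding               = $finding
        }
    }
}

# Usage with constructed account names:
# 'jsmith', 'adavis' | Test-MailboxAclInheritance | Format-Table -AutoSize
```

An account that reports zero Exchange Servers entries together with disabled inheritance matches the broken-inheritance cause described above.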