Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8926
  • Last Modified:

Outlook 2007 keeps asking for password

I recently created a new 2008 R2 domain with Exchange 2010, I unjoined all PC's from our old SBS 2003 domain and rejoined them to the new domain. Since then all PC's with Outlook 2007 on them ask for passwords everytime they open Outlook. I also get an error when running send receive that points to the offline address book, and last I have 2 PC's with Outlook 2007 that when they try to open OOF they get an error saying the server is unavailable.
0
reindeerauto
Asked:
reindeerauto
  • 96
  • 88
  • +2
3 Solutions
 
jerrypdCommented:
did you repoint the outlook clients to the new server?
It sounds like you may have missed that step.
0
 
reindeerautoAuthor Commented:
Yes once I rejoined the PC, I repointed the clients to the new server and when it is asking for a password it is showing the new server's name at the top of the password box.
0
 
firojkhanMessaging SMECommented:
Please create a new Outlook Profile and try
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
MegaNuk3Commented:
Sounds like autodiscover is not setup properly.
0
 
reindeerautoAuthor Commented:
I have tried creating a new Outlook profile and that did not work. I have uninstalled and reinstalled Office and that works for a few days then it starts asking for the password again. I have even tried deleting the domain profile off of the PC and recreating it.

How would I check if autodiscover is set up properly?
0
 
MegaNuk3Commented:
Time to test outlook autoconfig:
With outlook open, hold down CTRL key and right click on the Outlook icon in the bottom right hand side of your screen, them on the popup menu select the "Test Autoconfiguration". Select that, enter valid credentials and select the "autodiscover" option only and test.

Look at the URLs returned by the test  and confirm you have a certificate that contains the same subject as the URLs
0
 
reindeerautoAuthor Commented:
The results tab says it was unable to determine your settings, and the log tab shows the URL's and I have them all listed on my cert. The only difference is that I have rarexchange.reindeerauto.local and the results show RAREXCHANGE.reindeerauto.local, is it case sensitive?
0
 
MegaNuk3Commented:
Are the machines and users in the same domain as the Exchange 2010 server?

Is Outlook 2007 patched to the latest levels? Do they have the Dec 2010 hotfix installed: http://support.microsoft.com/kb/983316 
0
 
MegaNuk3Commented:
Install the above hotfix on a problem machine and then if that doesn't work, post your autodiscover test log and hide your company details if you want.
0
 
zippybungle2003Commented:
Run through the checklist on the site below, there are 3 or 4 things on there that may resolove this.

http://www.techieshelp.com/outlook-prompts-for-credentials/
0
 
reindeerautoAuthor Commented:
I have all updates and hotfixes installed.

I ran through the checklist Zippy and I am running Exchange 2010 but I did notice that all authentication in RPC virtual directory is disabled as well as the RPCwithcert directory.
0
 
reindeerautoAuthor Commented:
results from test AutoConfiguration

LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END
0
 
MegaNuk3Commented:
Is rarexchange.reindeerauto.local on your certificate? If you ping that name does it resolve internally to the internal IP address your Exchange 2010 CAS server?
0
 
reindeerautoAuthor Commented:
Yes that is listed on my certificate and when I ping it I get the IP address of the Exchange Server.
0
 
MegaNuk3Commented:
Confirm you are getting the INTERNAL ip address back

As a test can you create a new test user with a mailbox, send it a message. Then, logon as that test user and open Outlook and see if Autodiscover works or gives you the same error.
0
 
reindeerautoAuthor Commented:
Yes it ping's to a internal ip address.

I created the new user, logged in as that user and outlook 2007 did not find user using autodiscovery.
0
 
MegaNuk3Commented:
Ok, test the autodiscovery for Outlook and see if it gets the same error when trying to access the SCP URL

Try and access the SCP URL yourself from IE and see if it prompts you for a password, after entering the test account credentials you should see the contents of the autodiscover.XML file
0
 
reindeerautoAuthor Commented:
to try the SCP URL, dont I just replace http with SCP?
0
 
MegaNuk3Commented:
0
 
reindeerautoAuthor Commented:
here is what pops up:

  <?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="13:05:58.0438120" Id="952582034">
  <ErrorCode>600</ErrorCode>
  <Message>Invalid Request</Message>
  <DebugData />
  </Error>
  </Response>
  </Autodiscover>
0
 
MegaNuk3Commented:
Good. That is what you want to see,
1.) did it prompt for credentials or not?
2.) Did you get a certificate error or not?
3.) was the URL from an Internet PC that is not joined to your work network?
0
 
reindeerautoAuthor Commented:
1. Yes it did prompt for credentials
2. no I did not et a certificate error
3. I ran the URL from a PC joined to the network
0
 
MegaNuk3Commented:
From EMS try
Get-clientaccessserver | fl
And then look at the autoDiscoverInternalUri what is it set to?

Have a look at the test account with ADSIEdit and see if it has a msExchQueryBaseDN value set?
0
 
reindeerautoAuthor Commented:
the autodisoverinternaluri is:https://rarexchange.reindeerauto.local/autodiscover/autodiscover.xml

and where do I run the ADSIEdit at?
0
 
MegaNuk3Commented:
Start--> run --> adsiedit.msc

Try adding a SRV DNS record to your internal DNS:
http://support.microsoft.com/kb/940881
0
 
reindeerautoAuthor Commented:
So I created a SRV record in my reindeerauto.local/tcp as autodiscover and pointed it to rarexchange.reindeerauto.local.

Is this correct?
0
 
reindeerautoAuthor Commented:
I reran the "test email autoconfiguration" and here are the results. Lutlook 2007 is still asking for a password.

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Bob Albertson</DisplayName>
      <LegacyDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bob Albertson03b739f2</LegacyDN>
      <AutoDiscoverSMTPAddress>bob.albertson@reindeerauto.com</AutoDiscoverSMTPAddress>
      <DeploymentId>eaf9eea2-c843-4696-9fa7-b68c3b61a646</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>RAREXCHANGE.reindeerauto.local</Server>
        <ServerDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE</ServerDN>
        <ServerVersion>738180DA</ServerVersion>
        <MdbDN>/o=ReindeerAuto/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RAREXCHANGE/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>RAREXCHANGE.reindeerauto.local</PublicFolderServer>
        <AD>RARDC2.reindeerauto.local</AD>
        <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</EwsUrl>
        <EcpUrl>https://rarexchange.reindeerauto.local/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://rarexchange.reindeerauto.local/EWS/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://rarexchange.reindeerauto.local/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.reindeerauto.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.reindeerauto.com/ews/exchange.asmx</EwsUrl>
        <EcpUrl>https://mail.reindeerauto.com/ecp/</EcpUrl>
        <EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
        <EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
        <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
        <EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
        <EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
        <OOFUrl>https://mail.reindeerauto.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.reindeerauto.com/ews/UM2007Legacy.asmx</UMUrl>
        <OABUrl>https://mail.reindeerauto.com/OAB/be6cb01e-4706-4fe5-83a4-1ecbbfebfb57/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://rarexchange.reindeerauto.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://rarexchange.reindeerauto.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.reindeerauto.com/owa/</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.reindeerauto.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
0
 
MegaNuk3Commented:
Start outlook with /rpcdiag
See what Outlook is connecting to when it prompts for credentials.
Does it continuously prompt for credentials?
0
 
reindeerautoAuthor Commented:
when i run the /rpcdiag it is looking at "rarexchange.reindeerauto.local", and yes it always prompts for credentials when we open outlook 2007.

Also outlook anywhere is checked, but if I uncheck it and then restart outloot 2007 it is checked again. We have one computer in the building with office 2007 that is not having this problem and the only difference is that office has not installed service pack 2 yet.
0
 
reindeerautoAuthor Commented:
I removed the Autodiscover VD and then recreated it and Autodiscover is now working.
0
 
MegaNuk3Commented:
Glad to hear you got it sorted.
0
 
reindeerautoAuthor Commented:
Ok so I removed the Autodiscover VD and recreated and it worked, now Autodiscover has stopped working again. And the whole time it worked it kept prompting for username and password again for outlook 2007 users.

Any suggestions?
0
 
MegaNuk3Commented:
Does
Outlook /rpcdiag
Show Outlook connecting over TCP/IP or HTTP?

0
 
reindeerautoAuthor Commented:
How do I tell?

I did find one thing out.

I have taken 2 different outlook 2007 clients and one autoconfigured to "user@reindeerauto.com" email address and the other was "user@reindeerauto.local".

The .com user does not get asked for a password and their Outlook Anywhere is turned off but their OOF does not work and they fail the "test e-mail autoconfiguration"

the .local user is asked for a password, their OOF works and they pass the "test e-mail autoconfiguration"
0
 
MegaNuk3Commented:
Is the .local user prompted for the password all the time?

Try
Start--run--> outlook /rpcdiag
And see if one connects over http and the other connects over TCP/IP?
0
 
reindeerautoAuthor Commented:
Yes everytime you open outlook 2007 on the .local user they are prompted for a username and password.

I did the outlook /rpcdiag and it those TCP/IP
0
 
MegaNuk3Commented:
Are they only prompted once and that is only when they open Outlook? Have you checked the Outlook authentication settings to see if it using Basic authentication? Try changing it to NTLM.

With the .com user, where did the Autoconfiguration fail? Adding an internal DNS zone for reindeerauto.com with a SRV record pointed at your CAS server will resolve that OOF and Autoconfiguration issue. Make sure that anything you add to the internal .com dns zone points at internal IP addresses for internal resources e.g. If you have an (A) record for mail.reindeerauto.com then this must point at the internal IP address of your Exchange CAS server.
0
 
reindeerautoAuthor Commented:
Yes they are prompted when they open outlook, but outlook anywhere is turned on and it shouldnt be since we in the LAN but it is set to basic and when I change it or uncheck outlook anywhere it automatically changes it back.

Here is the entire report.
LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END
0
 
reindeerautoAuthor Commented:
MegaNuk3,

I don't know a lot about DNS, should this record be an "_autodiscover SRV record pointing to RAREXCHANGE.reindeerauto.local" located in the _tcp or reindeerauto.com DNS?
0
 
MegaNuk3Commented:
Add a SRV record to both internal DNS zones and point it at a name on your cert that is internally resolvable to the IP address of your CAS server.

So if mail.reindeerauto.com is a name on your cert and it resolves internally to the internal IP address on your cert, then point the SRV records at that.

Don't worry about Outlook Anywhere configuring itself, that is Outlook picking up the settings from autodiscover, it does not mean Outlook is connecting over HTTP - outlook /rpcdiag will prove outlook is connecting over TCP/IP even though the Outlook Anywhere settings are present.
0
 
reindeerautoAuthor Commented:
I have 2 SRV records already.

_autodiscover  SRV  RAREXCHANGE.reindeerauto.local
0
 
MegaNuk3Commented:
Ok, are those SRV records in the following INTERNAL DNS zones reindeerauto.com and reindeerauto.local and is that name rarexchange.reindeerauto.local on your certificate?
Do
Get-exchangecertificate | fl
And post the output

Can you also post the output of
Get-autodiscoverVirtualdirectory | fl
0
 
MegaNuk3Commented:
Can you screenshot your SRV record in DNS too please
0
 
reindeerautoAuthor Commented:
Yes they are in both internal DNS zones and yes rarexchange.reindeerauto.local is on my cert.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.reindeerauto.com, www.mail.reindeerauto.com, autodiscover.reindeerauto.com, rarexchange, rar
                     exchange.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 2/20/2016 2:53:01 PM
NotBefore          : 2/21/2011 2:49:32 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 0412FEAE3D8318
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.reindeerauto.com, OU=Domain Control Validated, O=mail.reindeerauto.com
Thumbprint         : 7683CD77BD29CB5DC444E7B5F8F7C8D086CDA39A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {RAREXCHANGE, RAREXCHANGE.reindeerauto.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=RAREXCHANGE
NotAfter           : 2/20/2016 3:41:35 PM
NotBefore          : 2/20/2011 3:41:35 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1910EBC470F02689498B24913EADF4DE
Services           : SMTP
Status             : Valid
Subject            : CN=RAREXCHANGE
Thumbprint         : E42817C397B73445289636A876270155CE09D988


RunspaceId                      : 4ec9fd4a-6282-4e83-967f-6c927a2a6c5f
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://RAREXCHANGE.reindeerauto.local/W3SVC/1/ROOT/Autodiscover
Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : RAREXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=RAREXCHANGE,CN=Servers,CN=
                                  Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ReindeerA
                                  uto,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=reindeerauto,DC=local
Identity                        : RAREXCHANGE\Autodiscover (Default Web Site)
Guid                            : 58f2b2fe-f3a5-4bf5-9a53-9bdad5660d6d
ObjectCategory                  : reindeerauto.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 3/4/2011 2:02:44 PM
WhenCreated                     : 3/4/2011 2:02:44 PM
WhenChangedUTC                  : 3/4/2011 7:02:44 PM
WhenCreatedUTC                  : 3/4/2011 7:02:44 PM
OrganizationId                  :
OriginatingServer               : RARDC1.reindeerauto.local
IsValid                         : True
0
 
reindeerautoAuthor Commented:
0
 
MegaNuk3Commented:
Your screenshot of your SRV record is pointing at rarexchange.reindeerauto.com which isn't on your cert...

Let's make things simple:
 1.) Create an (A) record in your internal DNS reindeerauto.com zone called mail and point it at the Internal IP address of your CAS server.
2.) set the internal _autodiscover SRV records you have created in both zones to point at "mail.reindeerauto.com." paste in everything between the quotes
3.) test outlook autoconfig
0
 
reindeerautoAuthor Commented:
I made the changes you advised to make, and have been running the "test e-mail autoconfig" and it is still failing.
0
 
MegaNuk3Commented:
Can you post the test autoconfig please.

Can you also create a new test user with a mailbox and then logon to windows as that user and then see if outlook configures itself correctly for this user and see if it password prompts or not...
0
 
reindeerautoAuthor Commented:
0
 
MegaNuk3Commented:
Ok, now we are getting somewhere...
Go into IIS and on the AutoDiscover Virtual Directory SSL settings set "Client Certificates" = IGNORE

Then rerun the test
0
 
reindeerautoAuthor Commented:
It passed the test thank you.

But the OOF still gets the "your out of office settings cannot be displayed, because the server is currently unavailable. try again later" error.
0
 
MegaNuk3Commented:
Look at the EWS URLs returned in the autoconfig test and possibly change them to the mail.reindeerauto.com name too.
0
 
MegaNuk3Commented:
You can also check the IIS EWS virtual directory and make sure that is set to "ignore" Client certificates too.

You can also test with EMS:
Test-outlookwebservices <email address> |fl
And see what it says about the Availability service now
0
 
reindeerautoAuthor Commented:
When you say change the EWS URL's to mail.reindeerauto.com, did you mean in DNS?

I went into IIS EWS VD and set to ignore it was on accept, that fixed the OOF issue.

Should OAB be set to ignore also?

And here are the results fo the test

[PS] C:\Windows\system32>Test-outlookwebservices bob.albertson@reindeerauto.com |fl

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1019
Type       : Information
Message    : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://RA
             REXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1006
Type       : Information
Message    : Contacted the Autodiscover service at https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml
             .

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1016
Type       : Information
Message    : [EXCH] The AS is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1015
Type       : Information
Message    : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://RAREXCHANGE.
             reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1014
Type       : Information
Message    : [EXCH] The UM is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1016
Type       : Information
Message    : [EXPR] The AS is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1015
Type       : Information
Message    : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://RAREXCHANGE.
             reindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1014
Type       : Information
Message    : [EXPR] The UM is configured for this user in the Autodiscover response received from https://RAREXCHANGE.r
             eindeerauto.local/Autodiscover/Autodiscover.xml.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1022
Type       : Success
Message    : Autodiscover was tested successfully.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1024
Type       : Success
Message    : [EXCH] Successfully contacted the AS service at https://rarexchange.reindeerauto.local/EWS/Exchange.asmx.
             The elapsed time was 882 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1026
Type       : Success
Message    : [EXCH] Successfully contacted the UM service at https://rarexchange.reindeerauto.local/EWS/Exchange.asmx.
             The elapsed time was 394 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1024
Type       : Success
Message    : [EXPR] Successfully contacted the AS service at https://mail.reindeerauto.com/ews/exchange.asmx. The elaps
             ed time was 319 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1026
Type       : Success
Message    : [EXPR] Successfully contacted the UM service at https://mail.reindeerauto.com/ews/exchange.asmx. The elaps
             ed time was 145 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1124
Type       : Success
Message    : [Server] Successfully contacted the AS service at https://rarexchange.reindeerauto.local/ews/exchange.asmx
             . The elapsed time was 130 milliseconds.

RunspaceId : 7645adf0-f741-4cd8-b62f-e2bbd673918a
Id         : 1126
Type       : Success
Message    : [Server] Successfully contacted the UM service at https://rarexchange.reindeerauto.local/ews/exchange.asmx
             . The elapsed time was 47 milliseconds.
0
 
MegaNuk3Commented:
Looking good so far - is everything working now? Yes you can set client certificates to ignore on the OAB VD.
0
 
reindeerautoAuthor Commented:
Yes I believe most everything is working correctly now, with one exception. I have a few machines that when I start Outlook 2007 I get the following with Autodiscovery, when I change to my email address it prompts for password and then it finally finishes but every time I open outlook it prompts me for a password and when I try and uncheck "outlook anywhere" or change to "NTLM" close Outlook and reopen it is rechecked and prompts for password.
login.jpg
0
 
MegaNuk3Commented:
Test autoconfig on the failing machines
Check their DNS settings
Also try outlook /rpcdiag on them to see if they are connecting over HTTP or not
0
 
reindeerautoAuthor Commented:
This machine happens to be mine, and when i connect with my email address and not .local the  autoconfig test passed and when I did outlook /rpcdiag it showed tcp/ip.

Not sure what exactly I am looking for in DNS but it all looks correct
0
 
MegaNuk3Commented:
What happens if you test autoconfig with the .local address?
0
 
reindeerautoAuthor Commented:
Well when I try and set it up that way it comes up with a Security Alert for "autodiscover.reindeerauto.local" and I added the screen shot. Once I get everything set up the "outlook anywhere" will not turn off but it is not prompting me for a passoword.

I ran "outlook /rpcdiag" and it said it was using tcp

I ran the "Test e-mail AutoConfiguration" and it failed

LegacyDN=
SMTP=bob@reindeerauto.local
Attempting URL https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml starting
Autodiscover to https://RAREXCHANGE.reindeerauto.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml starting
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
AutoDiscover internet timeout against URL https://reindeerauto.local/autodiscover/autodiscover.xml
Autodiscover to https://reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x800C8203)
Local autodiscover for reindeerauto.local starting
Local autodiscover for reindeerauto.local FAILED (0x8004010F)
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml starting
Redirect check to http://autodiscover.reindeerauto.local/autodiscover/autodiscover.xml FAILED (0x8004005)
Srv Record lookup for reindeerauto.local starting
Srv Record lookup for reindeerauto.local FAILED (0x8004010F)
AUTODISCOVER GET SETTINGS END

alert.jpg
0
 
MegaNuk3Commented:
Post a screenshot of the SRV record in the reindeerauto.local DNS zone please. Did you create it like I said?
0
 
reindeerautoAuthor Commented:
0
 
MegaNuk3Commented:
It's in the wrong place it should be under reindeerauto.local\_tcp

Left click on reindeerauto.local also it is selected and then create another SRV record, hopefully it will end up in the correct location this time.

If it does end up in the correct location then test the autoconfig again
0
 
reindeerautoAuthor Commented:
Ok I made the change and it still fails the test.
Untitled.jpg
0
 
MegaNuk3Commented:
Add a full stop after mail.reindeerauto.com so it is mail.reindeerauto.com.
0
 
reindeerautoAuthor Commented:
I did that.
0
 
MegaNuk3Commented:
Does the autoconfig still fail to Lookup a SRV record at the bottom of the test?
0
 
reindeerautoAuthor Commented:
If I change it from "bob@reindeerauto.local" to bob.albertson it passes.
0
 
MegaNuk3Commented:
Bob.albertson@reindeerauto.local or bob.albertson@reindeerauto.com?

Basically when you logon to a computer you have never logged onto before Outlook should configure itself and all you should have to do is press Next --> Next --> finish and then Outlook should work.

Can you test that with a new test account and mailbox please?
0
 
MegaNuk3Commented:
You can also try the following to reset the SCP (Service Connection Point) by going into EMS and doing:
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverInternalURi "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

Then try the autoconfig test and hopefully it will find the SCP at the top of the test and not error on that.
0
 
reindeerautoAuthor Commented:
I tested the login question with a new account on my PC and it did the same thing "user@reindeerauto.local" and will not connect with autodiscover.

I formatted my PC and reinstalled and still the same thing "bob@reindeerauto.local" so not sure why some discover correctly and others do not when configuring outlook for the first time.
0
 
MegaNuk3Commented:
Did you try reset the SCP?
0
 
reindeerautoAuthor Commented:
I will try that now. do I type in the entire command including the url
0
 
MegaNuk3Commented:
Yep, the whole command with the URL and the quotes all on one line.
0
 
reindeerautoAuthor Commented:
Here is the error I got with that command.

[PS] C:\Windows\system32>Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverInternalURi "https://mail.reindeer
auto.com/autodiscover/autodiscover.xml"

A positional parameter cannot be found that accepts argument 'https://mail.reindeerauto.com/autodiscover/autodiscover.x
ml'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer

[PS] C:\Windows\system32>
0
 
MegaNuk3Commented:
Try
Set-clientaccessserver -server rarexchange -autodiscoverInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line
0
 
reindeerautoAuthor Commented:

[PS] C:\Windows\system32>Set-clientaccessserver -server rarexchange -autodiscoverInternalUri "https://mail.reindeerauto.
com/autodiscover/autodiscover.xml"
A positional parameter cannot be found that accepts argument 'rarexchange'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer
0
 
MegaNuk3Commented:
Try
Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line
0
 
reindeerautoAuthor Commented:
Here is the error from that one, I have tried every variation that I can find and nothing seems to work.


[PS] C:\Windows\system32>Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverInternalUri "https
://mail.reindeerauto.com/autodiscover/autodiscover.xml"
A positional parameter cannot be found that accepts argument '-autodiscoverInternalUri'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer

[
0
 
MegaNuk3Commented:
This should work now

Try
Set-clientaccessserver -Identity rarexchange.reindeerauto.local -autodiscoverServiceInternalUri "https://mail.reindeerauto.com/autodiscover/autodiscover.xml"

All on one line
0
 
reindeerautoAuthor Commented:
I seems to have run, it came straight back to the [PS] C:\Windows\system32> prompt
0
 
MegaNuk3Commented:
Do
Get-clientaccessserver | fl *autodiscover*
and see if it shows the correct autodiscoverserviceinternaluri and if it does then do the autoconfig test...
0
 
reindeerautoAuthor Commented:
No it still fails.
0
 
MegaNuk3Commented:
Can you paste it please?
0
 
reindeerautoAuthor Commented:
Ok I uninstalled office 2007 and installed office 2010 and it worked correctly. The only issue I am having with it is the Offline address book is taking forever to download which probably means it's locked up.
0
 
MegaNuk3Commented:
How long have you left it for? Does it log any errors in the 'Sync Issues' folder?
0
 
reindeerautoAuthor Commented:
It has been about 5 min, and I do not see the "Sync Issues" folder in Outlook 2010
0
 
MegaNuk3Commented:
You need to click on the "Folder List" button at the bottom of the Navigation pane
0
 
reindeerautoAuthor Commented:
There are no Sync Issues.
0
 
MegaNuk3Commented:
Is it still stuck? Is it stuck for anyone who tries to download the OAB?

Do EMS:
Get-OABVirtualDirectory |fl *URL*
And post the result.
0
 
reindeerautoAuthor Commented:
I .
[PS] C:\Windows\system32>Get-OABVirtualDirectory |fl *URL*


InternalUrl : https://rarexchange.reindeerauto.local/OAB
ExternalUrl : https://mail.reindeerauto.com/OAB



[PS] C:\Windows\system32>
0
 
MegaNuk3Commented:
Ok let's change the internalURL
Set-OABVirtualDirectory -internalURL "https://mail.reindeerauto.com/OAB"

when you ping rarexchange.reindeerauto.local from a PC does it reply with the same IP address as when you ping mail.reindeerauto.com?

After making the URL change, restart Outlook and see if can download the OAB
0
 
MegaNuk3Commented:
Go to here on your exchange server
 C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB

Open properties onthe web.config in the OAB folder, and give Authenticated Users both the read and read and execute permissions. Run a iisreset /noforce on the CAS server

Also make sure Authenticated users at least have read permissions on the OAB folder too
0
 
reindeerautoAuthor Commented:
I made the change and it still just hangs.

I get the same IP reply from both.
0
 
reindeerautoAuthor Commented:
Ok I followed the patch but I have no web.config in the OAB folder, there is a oab.xml but thats it.

I gave Authenticated users read permissions of the OAB folder.
0
 
MegaNuk3Commented:
what may also be worth doing is going into the EMC turning off web distribution of your OAB, pressing OK and then waiting 15 minutes... Then turn web distribution on again. then right click on the offline address list in the EMC and choose "Update"
wait 15 minutes
then restart the Microsoft Exchange File Distribution Service on your server (it should be running)

wait 15 minutes
close and re-open outlook and see if it can download the OAB.

If it still hangs, try EMC-->Toolbox-->Best Practice Analyser --> Health Check and see if that reports any OAB errors like folder permissions etc.
0
 
reindeerautoAuthor Commented:
The first link asked me for credentials and then gave me a forbidden error, the second link brought up a page of code and the third asked for credentials and then brought up a page of code.
0
 
MegaNuk3Commented:
Ok, did the 2nd link prompt for credentials or not?

On your client machine Ensure internet Explorer is set to 'Bypass proxy for local addresses' and also add the cas name/internally resolvable cert names to the proxy exceptions list in IE (Tools-->Internet Options-->Connections-->LAN settings-->Advanced-->Exceptions)

So in your case, add mail.reindeerauto.com and rarexchange.reindeerauto.local to the Proxy exceptions
0
 
reindeerautoAuthor Commented:
Mega,

Everything seems to be working except for I cannot get the global address book to finish a download on my machine, I have office 2010.
0
 
MegaNuk3Commented:
Does it error or stall?
0
 
reindeerautoAuthor Commented:
Just stalls I let it run all weekend and never finished
0
 
MegaNuk3Commented:
0
 
reindeerautoAuthor Commented:
Mega,

Can this be done in a live environment without disrupting business, or should it be done after hours?
0
 
MegaNuk3Commented:
You can change the OAB URL and turn off the HTTPS requirement during business hours as outlook will only try and download the OAB once every 24 hours. I am not asking you to do all 9 steps of my article. Just the part where you change the internal OAB URL and OAB VD SSL requirement (the first bullet point under additional info section)
0
 
reindeerautoAuthor Commented:
I saw that in the first part you suggested "Untick 'Enable Web-based Distribution' ", should that be turned off?
0
 
MegaNuk3Commented:
You don't need to do all the steps, but you can if you want. Web distribution gets turned back on later.
0
 
reindeerautoAuthor Commented:
I followed the first bullet on your list and it still just hangs.
0
 
MegaNuk3Commented:
Hmmm, did you restart Outlook after making the change so it picks up the new URL of http:// instead of https://?
0
 
reindeerautoAuthor Commented:
Yes and I ran the "test email autoconfiguration" and it show what I have in Exchange OAB "http://mail.reindeerauto.com/oab"
0
 
MegaNuk3Commented:
Ok and did you Untick the "Require SSL" on the OAB VD?
0
 
reindeerautoAuthor Commented:
It was not ticked, and "ignore" client certificates is ticked.
0
 
MegaNuk3Commented:
If you explore your OAB VD (right click on OAB VD-> explore) is there a GUID folder in there which contains a OAB.XML and .lzx files
0
 
reindeerautoAuthor Commented:
Yes there is.
0
 
MegaNuk3Commented:
Do a search for *.OAB on that machine and delete this files if they exist. If that doesnt work try a new outlook profile
0
 
reindeerautoAuthor Commented:
Ok I removed and recreated the outlook profile and the address book updated, however all day at the bottom of outlook it has read "all folders are up to date, updating address book".
0
 
MegaNuk3Commented:
Hmmm and if you do "download address book" in Outlook, does it hang/stall?
0
 
reindeerautoAuthor Commented:
Yes it still hangs/stalls
0
 
MegaNuk3Commented:
Ok, if you have the Jan 2011 update installed for Outlook 2010 remove it and try the OAB download again

Removing the update should also make outlook detect the users email address instead of the UPN for new profiles too.
0
 
MegaNuk3Commented:
Do you have Kb2405793 installed? Consider installing kb2475877
0
 
reindeerautoAuthor Commented:
I do not have Kb2405793, and I installed Kb2475877
0
 
MegaNuk3Commented:
When did you install the latter one? Today or before? And outlook is still hanging after install?
0
 
reindeerautoAuthor Commented:
I installed it today, and yes it is still hanging.
0
 
MegaNuk3Commented:
OK here is the next plan of action:
1.) create a new test user with a mailbox
2.) logon to the problem Outlook 2010 machine
3.) confirm Outlook configures itself properly with no additional typing
4.) open Outlook wait till the profile syncs, confirm if it finishes or not
5.) try download the OAB and confirm if it hangs or stalls
0
 
reindeerautoAuthor Commented:
I did the above and still the same results, it hangs/stalls.

I looked in the event viewer and found some event ID 9328 and 9126 below is the details.
OABGen encountered error 80070070 while calculating the offline address book for address list '\Global Address List'.  This offline address book won't be available for client download.
- \Default Offline Address Book.
0
 
MegaNuk3Commented:
Have you run out of disk space on your OAB generating server? Check c: drive
0
 
reindeerautoAuthor Commented:
I was just looking at that now, C is full
0
 
MegaNuk3Commented:
Look in c:\temp for stuff to delete

Or c:\inetpub\logs\logfiles see if any of those directories are huge
0
 
reindeerautoAuthor Commented:
I restarted the server due to the page file and looked in those folder and removed what I could but it only gave me 3.4 available Gig.
0
 
MegaNuk3Commented:
That should be more than enough to generate the OAB.
Try
Get-offlineaddressbook | update-offlineaddressbook
0
 
reindeerautoAuthor Commented:
I ran the above and am trying to download the address book again and it is still hanging.
0
 
MegaNuk3Commented:
If you logon to another machine does the problem follow you?
0
 
MegaNuk3Commented:
How many Outlook 2010 machines do you have and are they all experiencing the hang/stall when you try and download the OAB?

Are the Outlook 2007 clients affected?
0
 
MegaNuk3Commented:
If only one client is affected then enable Outlook logging and we'll see if it logs anything useful:
http://support.microsoft.com/kb/300479
0
 
reindeerautoAuthor Commented:
Well it seems that it is only me, so I have enabled logging.
0
 
MegaNuk3Commented:
Only you or only you connecting with Outlook 2010?
0
 
reindeerautoAuthor Commented:
seems to be only my machine? I tried using the test user this morning on my machine and it did not work.

I logged into a machine with Office 2010 as me that I tested with a user that worked and it did work for me.
0
 
MegaNuk3Commented:
On your computer go to c:\users\<your username>\appdata\local\Microsoft\outlook\offline address book
Then rename the <GUID> folder, reopen outlook and try the download of the OAB again and see if a new <GUID> folder gets created in that area
0
 
reindeerautoAuthor Commented:
Followed those directions and it just hangs at "Copying offline address book template file."
0
 
MegaNuk3Commented:
Did you restart Outlook? And has it created a new <GUID> subfolder? Give it a few mins it can take a while to download the OAB for the first time. My fingers are crossed
0
 
reindeerautoAuthor Commented:
It did creat a new subfolder, which is empty. I did restart outlook and it just hangs, so far about 6 hours today.
0
 
MegaNuk3Commented:
Is that outlook logging doing anything useful? Maybe copy that folder off another machine and then see if outlook can manage to keep it up to date.
0
 
MegaNuk3Commented:
From what I have been reading on the Internet this morning, if you have only one machine that won't update no matter who logs on, then the best course of action is to remove that PC from the domain, delete the computer account for it from ADUC and then re-add it back to the domain and then reboot and test the OAB download.

Are you willing to try the above?
0
 
reindeerautoAuthor Commented:
I will try it first thing tomorrow and see what happens.
0
 
MegaNuk3Commented:
Ok - fingers crossed
0
 
reindeerautoAuthor Commented:
I removed it from the domain, deleted the PC from the domain and then re-joined the domain.

The thing still hangs
0
 
MegaNuk3Commented:
Grrrr, this is annoying.

Try this:
Close Outlook, go into control Panel --> mail -->profiles then select your profile and put a space on the end of the server name then press check names so it underlines again. Next next finish. Open outlook and try the OAB download.

If the above doesn't work:
Give your AD account 'Full Control' on the ClientAccess\OAB folder on the CAS server and see if that wakes Outlook up.
0
 
reindeerautoAuthor Commented:
when you click mail/profiles (show profiles), it does not give you the option to do that. It does not show a "server name".

If I go into email accounts it shows "microsoft exchange"
0
 
MegaNuk3Commented:
Go into the Exchange Account settings
0
 
reindeerautoAuthor Commented:
That did not work it still hangs.

And I am an administrator.
0
 
MegaNuk3Commented:
Have you considered uninstalling outlook 2010 and installing outlook 2007 to verify if the problem exists there?
0
 
MegaNuk3Commented:
Or before reinstalling Outlook have a look at using OABInteg to see if that sheds any light on the issue:
http://archive.msdn.microsoft.com/oabinteg/Release/ProjectReleases.aspx?ReleaseId=726

There is a usage doc on that web site, but here is another one:
http://www.msexchange.org/articles/Offline-Address-Book-Integrity-OABInteg-Utility-Explained.html
0
 
reindeerautoAuthor Commented:
I had 2007 previous when this problem was happening so I uninstalled 2007 and installed 2010 and still having the issue.

I ran the OABinteg not sure if I did it correct but here are the results

OABInteg (Offline Address Book Integrity Checker)
Version : 1, 0, 0, 1
OABInteg
Microsoft Corporation, Copyright (C) 2005
=====================================================

c:\OABinteg.txt has been opened for writing.

Program started at: 11:03:05 AM
Running OABInteg on: RAREXCHANGEUnable to obtain username.
Trying to connect to: GC://ehvms01

Failure ADsOpenObject
ADSI Error: hr = 0x8007203a
LDAP_SERVER_DOWN - ERROR_DS_SERVER_DOWN: Cannot contact the LDAP server...

Failure in function: HrGetRootDSEData on line number: 165

Performing cleanup.
Exiting application.


C:\Users\administrator.REINDEERAUTO\Desktop>
0
 
MegaNuk3Commented:
Ignore OABInteg as it only checks PF distribution.

Try this command and post the result:

C:\Windows\System32\inetsrv>appcmd.exe list config /section:WindowsAuthentication

All on one line
0
 
reindeerautoAuthor Commented:
C:\Windows\System32\inetsrv>appcmd.exe list config /section:WindowsAuthenticatio
n
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="false" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>
0
 
MegaNuk3Commented:
Ok, that looks good.
What does
C:\Windows\System32\inetsrv>appcmd.exe list config "Default Web Site/OAB" /section:WindowsAuthentication

Result in?
0
 
MegaNuk3Commented:
Also can you do:
Set-eventloglevel "<ex server name>\msexchangeSA\OAL Generator" -level Medium

Then run
Get-offlineaddressbook | update-offlineaddressbook
And watch the application event log for errors & warnings. Restart msexchangeFDS and watch event log again.
0
 
reindeerautoAuthor Commented:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>cd\

C:\>cd windows

C:\Windows>cd system32/inetsrv

C:\Windows\System32\inetsrv>appcmd.exe list config "Default Web Site/OAB" /secti
on:WindowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection tokenChecking="None">
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

C:\Windows\System32\inetsrv>
0
 
reindeerautoAuthor Commented:
Here is the only error in Application errors.
 Error
0
 
reindeerautoAuthor Commented:
Is exchangeFDS the File distribution?
0
 
MegaNuk3Commented:
Yes FDS is File Distribution

Go into IIs click on the OAB then authentication, select windows auth, then right click on it --> advanced settings and UNTICk "enable kernel mode..." ok

Try download the OAB then. If that fails do an iisreset on the server, confirm the kernel mode auth is still off and then try the OAB download again
0
 
reindeerautoAuthor Commented:
The tick mark is grayed out.
0
 
MegaNuk3Commented:
Try using %windir%\system32\inetsrv\appcmd unlock config -section:WindowsAuthentication

And then try Untick that box.
0
 
reindeerautoAuthor Commented:
here is what I put in the command line with the results and the tick is still grayed out.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>%windir%\system32\inetsrv\appcmd unlock conf
ig -section:WindowsAuthentication
Unlocked section "system.webServer/security/authentication/windowsAuthentication
" at configuration path "MACHINE/WEBROOT/APPHOST".

C:\Users\administrator.REINDEERAUTO>
0
 
MegaNuk3Commented:
Try:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /section:WindowsAuthentication -useKernelMode="false"
0
 
reindeerautoAuthor Commented:
I ran the command and got the following error.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.REINDEERAUTO>cd c:\windows\system32\inetsrv

c:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /sectio
n:WindowsAuthentication -useKernelMode="false"
ERROR ( message:Unknown attribute "useKernelMode=false".  Replace with -? for he
lp. )

c:\Windows\System32\inetsrv>
0
 
MegaNuk3Commented:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site/OAB" /section:WindowsAuthentication -useKernelMode:false /commit:apphost

You may need an iisreset after that and them confirm the kernel mode box is unticked.

You can also use
Appcmd list config "default web site/OAB" -section:WindowsAuthentication

To confirm the useKernelMode="false"

Do an iisreset and then attempt to download the OAB on your Outlook 2010 machine.
0
 
reindeerautoAuthor Commented:
The box is now unticked and it is still hanging.
0
 
MegaNuk3Commented:
Can you confirm if you have any file level AV on the server that the OAB directories are excluded from scanning.
0
 
MegaNuk3Commented:
Try outlook /cleanprofile
Then try download the OAB again
0
 
reindeerautoAuthor Commented:
I do not have any file level AV, plus I have other users with 2010 that have no issues.

I do not know where to do the command "outlook /cleanprofile"
0
 
MegaNuk3Commented:
Close outlook
Then on your machine do
Start-->Run-->Type "outlook /cleanprofile" without the quotes
Then press enter

Then when outlook opens try to download the OAB
0
 
reindeerautoAuthor Commented:
It says the command line is not valid
0
 
MegaNuk3Commented:
Looks like it is no longer supported under outlook 2010...

Close outlook, go into
%userprofile%\appdata\local\Microsoft\outlook
 Create a new folder in there and move all the .OAB files and any files that begin with "~" into the folder

Open outlook and try and download the OAB
0
 
reindeerautoAuthor Commented:
I do not have any files that begin with "~"
0
 
MegaNuk3Commented:
Not even in the subfolders of "\Offline Address Books"?
0
 
reindeerautoAuthor Commented:
nope have one that starts with "be" but that is it.
0
 
MegaNuk3Commented:
Can you screenshot that folder and the offline address books folder and subfolder please? Sort on date with newest at the top.

Can you also open regedit on your machine and see if there is anything under the following key:
Hkey_current_user\software\Microsoft\exchange\exchange Provider\OABs?
If there is, export the subkeys under the OABs key and then delete them and restart outlook and try the OAB again
0
 
reindeerautoAuthor Commented:
OAB
I delete the subkey and retried and it just hangs.
outlook.jpg
0
 
MegaNuk3Commented:
Can you open the be... Folder and screenshot it's contents please.
0
 
reindeerautoAuthor Commented:
its empty.
0
 
MegaNuk3Commented:
Delete it and then restart Outlook, down load OAB and see if the folder gets updated and see if the reg keys update too...

Can you also try logging onto Windows as that test account ( with mailbox ) and confirm the same thing occurs?


If it does, then I am afraid it's time to manually deploy the OAB files to Outlook and see if it can keep them up to date:
http://technet.microsoft.com/en-us/library/ff969354.aspx
0
 
MegaNuk3Commented:
One more thing to try before you do the manual OAB procedure...

When outlook creates the empty <GUID> subfolder can you create an empty text file in there and rename it to OAB.XML and then restart Outlook and try the OAB download.

If that fails, then it is definitely time to perform a manual OAB update... Sorry...
0
 
MegaNuk3Commented:
Thanks for the points. Did you manage to get outlook to download the OAB in the end?
0
 
reindeerautoAuthor Commented:
You deserved them wish I could have done more, you were very helpful.

It still says updating address book all the time at the bottom of Outlook, but any new employee's I add to the network are showing up in the global address book so to me it's working.

Thanks again for the help.
0
 
MegaNuk3Commented:
If you want, feel free to open a new question about your Outlook OAB download issue to see if any experts have any fresh ideas on how to resolve it.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 96
  • 88
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now