Solved

Outlook Hangs when connecting to Exchange 2010 OAB

Posted on 2013-01-29
Last Modified: 2013-02-10
We have been running Exchange 2010 in our company for almost a year without any problem. Recently the OAB has broken. When a user tries to manually update in Outlook it just hangs with no errors.

I have tried so many different things, including completely removing the OAB by following this post, but still no joy.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
0
Question by:V0LUME
37 Comments
 
LVL 3

Assisted Solution

by:Dhanukadam
Dhanukadam earned 50 total points
ID: 38830962
Please check the autodiscover and OAB by running “Test Email AutoConfiguration”.
If autodiscover fails, please troubleshoot the autodiscover by directly accessing the autodiscover url via IE and let us know the error code.
If autodiscover works, you need to troubleshoot the OAB generation, publishing and downloading issues. For OAB generation and publishing issues, you can check the APP log on the CAS and MBX server. For the OAB downloading issue, you can manually access the OAB url via IE and see the error codes.
0
 

Author Comment

by:V0LUME
ID: 38831090
I already ran the "Test Email AutoConfiguration" in Outlook and the result was ok. I also did the online tests here: https://www.testexchangeconnectivity.com.

The CAS and MBX are collocated together and I haven't found any errors in the event log on the server or the local machine. I did find one error related to Kerberos and the Exchange server on my local machine but I'm not sure if it is related.

I think the issue is somehow IIS related as browsing to the OAB in IE brings back a 401 unauthorized access.
0
 
LVL 23

Expert Comment

by:Stelian Stan
ID: 38838126
Did you try to recreate that user's email profile?
Is this the only user having this problem?
0
 

Author Comment

by:V0LUME
ID: 38838856
Thank you for your response.

The issue is affecting all users. Everyone is on Outlook 2010. These are my steps so far:

1. Test Email configuration through Outlook
2. Tested Autodiscover here: https://www.testexchangeconnectivity.com
3. Recently deployed Unified Communication role so thought this may have caused some issues with the cert, so I renewed it with Comodo.
4. Switched OAB Logging to Medium.
5. Checked event logs on my local machine and the server.
6. One issue on my local machine: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the Exchange server.
7. Completely removed the OAB and virtual directories twice following instructions from Experts Exchange & Official Microsoft Documentation
8. Verified permissions on the server directory /Client Access/OAB
9. Tried enabling Anonymous authentication and Basic on the OAB virtual directory, still receiving 401 Error
10. Rebooted the Exchange Server
11. Checked if redirection was enabled on the default website. I read somewhere if you find a web.config file in the OAB dir you need to change the permissions. The file isn't there.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38838964
Do you have this problem with just clients that connect with Outlook Anywhere, or do you also have it with MAPI clients ?
Are you able to see in the logs that OAB generation has completed successfully ?

http://blogs.msdn.com/b/dgoldman/archive/2006/08/26/725860.aspx
http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
0
 

Author Comment

by:V0LUME
ID: 38839060
I just read somewhere that Autodiscover also leverages an SCP in AD.

I just ran the command: Get-ClientAccessServer –AutoDiscoverServiceInternalUri

and it returned an error 'object could not be found on DC'
0
 

Author Comment

by:V0LUME
ID: 38839081
Hi ArneLovius,

We are not using Outlook Anywhere at the moment. I don't think it is configured properly.

The problem is for Outlook 2010 clients on the LAN or over the VPN
0
 
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 350 total points
ID: 38839120
The command should be

Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Are your LAN clients connecting over HTTPS ?
0
 

Author Comment

by:V0LUME
ID: 38839234
Thanks. The command came back ok:

Name                           : CASServer
AutoDiscoverServiceInternalUri : https://casserver.contoso.co.uk/Autodiscover/Autodiscover.xml

I didn't think we were using https. The OAB internal URL is set to http. We have a SAN cert with the names - autodiscover, mail, casserver name and legacy which we can use if need be.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38839264
I presume that you have anonymised the output ? or is your internal domain actually contoso.co.uk ?

You should always use HTTPS rather than HTTP
0
 

Author Comment

by:V0LUME
ID: 38839302
Yeah sorry I thought it was the done thing!

Think that it may have been set to https before I reset the OAB and Virtual Directories.

 Is it just a question of setting the virtual directory to 'Require SSL' and setting the internal URL to HTTPS?
0
 
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 350 total points
ID: 38839362
As I don't know what state the OAB site is now in, I would rather suggest that all of the Web virtual directories were rebuilt.

http://technet.microsoft.com/en-us/library/ff629372%28v=exchg.141%29.aspx

I usually use the external f.q.d.n for internal and external access, this does of course rely on having the external f.q.d.n resolvable to the internal IP address.

After the virtual directories are in a known good state, I would  then check, as per the links I posted previously, that OAB generation is happening correctly.

The reason for doing it this way, is that although the initial problem may have been with OAB generation, it is possible that there are now other issues, by getting everything else into its correct state first, you can rule out those problems and get to the root cause.
0
 

Author Comment

by:V0LUME
ID: 38839531
I don't feel comfortable with this. Why do I need to reset the other virtual directories when they are working correctly?

If I reset the OWA and the EWS, webmail will be down and I have 20+ mac users connecting to EWS for Outlook 2011. The profile of the IT department is already low due to the OAB being down for a week. I don't want to make things worse

What could be the cause of the 401 error when browsing to the OAB in IE?
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38840114
You could always do the removal and creation out of hours

A 401 error is "unauthorised"

I can understand that you want to minimize any further disruption, but you have also been making changes.

From your post above: item 7, which instructions did you use? Item 9, exactly what did you do to do this, and exactly what did you do to revert afterwards?

Have you followed the links I provided for testing OAB generation ?
0
 

Author Comment

by:V0LUME
ID: 38840389
I will give it a go tonight if it is absolutely necessary.

These are the documents I followed:

7. http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
8. http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/
9. Was only an idea as I couldn't work out why I was getting not authorized (I am a domain admin) and have full control to the folder. I have reversed this step. Authentication is now set to Windows Only

I have set the logging level to medium as by your document and dumped it to a text file.
oabevents.txt
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38840554
Although it is generating, you most certainly have other issues.

Please confirm the permissions match as described here

http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
0
 

Author Comment

by:V0LUME
ID: 38841203
I read your permissions document before. I didn't understand what he meant by:

Allow Exchange Servers:

    Traverse Folder
    List Folder
    Read Attributes
    Read Extended Attributes
    CONTAINER_INHERIT (folder and subfolders permissions)

Allow Exchange Servers:

    Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions
    CONTAINER_INHERIT + OBJECT_INHERIT (folder, subfolders and files permissions)

Why does he repeat?:

Read Attributes
Read Extended Attributes
Read Permissions

I set my permissions as per this document:
http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/
 and made sure I ticked 'Replace all child permissions with inheritable permissions from this object'
0
LVL 18

Assisted Solution

by:Netflo
Netflo earned 100 total points
ID: 38846641
Hi,

I've reviewed this question and wanted to add my 2 cents to help things along and cover the basics:

1. Is the Exchange server up to date? SP2 UR5v2? Or at the very least SP2.
2. Has the OAB been specified at the DB level for the users hosted on it? Check the following steps and ensure yours is not blank:

You also need to specify the Offline Address Book to be used on your mailbox database on your Exchange 2010 server. Open up EMC -> Org Config -> Mailbox. In the middle pane, on the Database Management tab, right click your mailbox database -> Properties -> Client Settings tab -> Ensure your Offline Address Book is listed as 'Default Offline Address List'.

3. Have you performed BPA via Exchange 2010 ESM -> Tools. What are the errors and warnings reported? I'd suggest fixing this up first.

Let me know what your findings are.
0
 

Author Comment

by:V0LUME
ID: 38846784
Hi Netflo,

Thanks for your response. I will be working on this issue over the weekend as the boss is already talking about getting the consultants in!

1. We were running SP2, but I have just installed SP2 UR5v2.
2. The OAB was not connected to the database. I have followed your procedure and connected it to the default database.
3. I ran some scans. It picked up the OAB was set to continuously update (might have been one of my colleagues). I set it back to once a night. Permissions check was ok

I'm considering resetting all virtual directories now like Arne said, not sure what else to try
0
 

Author Comment

by:V0LUME
ID: 38846938
Arne,

I have followed your instructions and reset all client access virtual directories apart from autodiscover using the EMC. I set all the URLs to the same FQDN for internal and external access as per your advice and all are set to HTTPS. The firewall is set to NAT to the internal IP on port 443 and 25. External DNS is set.

The issue still persists. What can I do next?
0
 
LVL 18

Expert Comment

by:Netflo
ID: 38849688
I would suggest re-running the server BPA till it's reporting all okay and also assuming you've performed a reboot of your server following the last round of modifications.

I would also like to know on the client machine, is Outlook fully up to date too?
0
 

Author Comment

by:V0LUME
ID: 38850543
Arne,

Total chaos in the office this morning. I reset all the virtual directories after your advice; the EWS service did not reset properly, with an error: ntlm not supported

I have 20+ Macs unable to connect to email in Outlook 2011. The OAB is still broken.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38850655
I had suggested that you could do the work out of hours...

I'm completely lost by your "ntlm" error, can you confirm the exact command that you used for creating the new EWS directory.

can you also post the output from "get-WebServicesVirtualDirectory | fl"
0
 

Author Comment

by:V0LUME
ID: 38850808
I did the work out of hours. I've been working all weekend. I reset all client access virtual directories using EMC. All went smoothly apart from EWS.

I get this in the event log:

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/36882122
 Exception: System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation.  The exception message is: The authentication scheme '“NTLM' is not supported.. ---> System.NotSupportedException: The authentication scheme '“NTLM' is not supported.
   at System.ServiceModel.Activation.MetabaseSettingsIis.RemapAuthenticationSchemes(AuthFlags flags, String[] providers)
   at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at Microsoft.Exchange.Services.Wcf.MessageEncoderWithXmlDeclarationBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 8868
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38850836
I presume that you meant EMS (Exchange Management Shell) not EMC.

I would try removing EWS again, restarting IIS, then re-creating EWS, then restarting IIS again.

I wonder if at some point you had changed file permissions.
0
 

Accepted Solution

by:V0LUME
V0LUME earned 0 total points
ID: 38850872
EWS is fixed and it looks like OAB is too.

We restored Exchange from September into a test environment and cross referenced all settings.

It seems when I did the reset of virtual directories in the console (not shell), on the Windows authentication providers it set NTLM and Negotiate with " after it. When we removed the speech marks, mail started flowing through and the address book started downloading.
0
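The root cause reported in the accepted solution, Windows authentication provider names saved with a stray quote character (also visible as '“NTLM' in the event log quoted earlier), can be checked for offline. The PowerShell below is an added example, not code from the thread or from Microsoft; the function name Find-MalformedAuthProvider and the embedded XML are constructed for illustration, and it assumes the provider list is stored in applicationHost.config-style XML and that valid provider names contain only letters, digits and ':'.

```powershell
# Added example (requires PowerShell 3.0 or later): report Windows
# authentication provider entries whose name is not a clean token.
function Find-MalformedAuthProvider {
    param([Parameter(Mandatory = $true)] [xml] $Config)

    # Assumption: provider names such as Negotiate, NTLM and
    # Negotiate:Kerberos contain only letters, digits and ':'.
    $valid = '^[A-Za-z0-9:]+$'
    foreach ($add in $Config.SelectNodes('//windowsAuthentication/providers/add')) {
        $value = $add.GetAttribute('value')
        if ($value -match $valid) { continue }
        # Entries outside any <location> element are server-wide defaults.
        $loc = $add.SelectSingleNode('ancestor::location')
        [pscustomobject]@{
            Location = if ($loc) { $loc.GetAttribute('path') } else { '(server default)' }
            Provider = $value
            BadChars = ($value.ToCharArray() |
                Where-Object { $_ -notmatch '[A-Za-z0-9:]' } |
                ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ','
        }
    }
}

# Constructed sample: EWS carries a trailing straight quote and a leading
# curly quote (U+201C); OAB is clean and must not be reported.
$sample = [xml]@'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="Negotiate&quot;" />
          <add value="&#x201C;NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

Find-MalformedAuthProvider -Config $sample | Format-Table -AutoSize
```

To check a live server instead of the sample, pass the parsed configuration file, for example `[xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")`, assuming the default IIS 7 or later location.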
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38850906
that's great to hear :-)
0
 
LVL 18

Expert Comment

by:Netflo
ID: 38850985
Good to hear, panic over and back to business.
0
 

Author Comment

by:V0LUME
ID: 38851962
I've requested that this question be closed as follows:

Accepted answer: 0 points for V0LUME's comment #a38850872

for the following reason:

The answers from the experts helped but in the end we resolved the issue.
0
 

Author Comment

by:V0LUME
ID: 38851573
Thanks for your help guys

Cheers

James
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38851963
You resolved the issue, but points should be awarded to those people that helped you reach the resolution.
0
 

Author Comment

by:V0LUME
ID: 38851976
Hey Arne, that makes sense but how do I do it?
0
 

Author Comment

by:V0LUME
ID: 38854426
Hi Modus,

I have awarded points to the most valuable troubleshooting steps given by the experts.
0
 

Author Closing Comment

by:V0LUME
ID: 38872610
The advice from the experts was helpful for troubleshooting the issue but the final fix came from our team.
0
