  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1877
  • Last Modified:

Outlook Hangs when connecting to Exchange 2010 OAB

We have been running Exchange 2010 in our company for almost a year without any problem. Recently the OAB has broken. When a user tries to manually update in Outlook it just hangs with no errors.

I have tried so many different things, including completely removing the OAB by following this post, but still no joy

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
0
V0LUME
Asked:
V0LUME
5 Solutions
 
DhanukadamCommented:
Please check the autodiscover and OAB by running “Test Email AutoConfiguration”.
If autodiscover fails, please troubleshoot the autodiscover by directly accessing the autodiscover url via IE and let us know the error code.
If autodiscover works, you need to troubleshoot the OAB generation, publishing and downloading issues. For OAB generation and publishing issues, you can check the APP log on the CAS and MBX server. For the OAB downloading issue, you can manually access the OAB url via IE and see the error codes.
0
 
V0LUMEAuthor Commented:
I already ran the "Test Email AutoConfiguration" in Outlook and the result was ok. I also did the online tests here: https://www.testexchangeconnectivity.com.

The CAS and MBX are collocated together and I haven't found any errors in the event log on the server or the local machine. I did find one error related to Kerberos and the Exchange server on my local machine but I'm not sure if it is related.

I think the issue is somehow IIS related as browsing to the OAB in IE brings back a 401 unauthorized access.
0
 
Stelian StanCommented:
Did you try to recreate that user's email profile?
Is this the only user having this problem?
0
 
V0LUMEAuthor Commented:
Thank you for your response.

The issue is affecting all users. Everyone is on Outlook 2010. These are my steps so far:

1. Test Email configuration through Outlook
2. Tested Autodiscover here: https://www.testexchangeconnectivity.com 
3. Recently deployed Unified Communication role so thought this may have caused some issues with the cert so I renewed it with Comodo.
4. Switched OAB Logging to Medium.
5. Checked event logs on my local machine and the server.
6. One issue on my local machine: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the Exchange server.
7. Completely removed the OAB and virtual directories twice following instructions from Experts Exchange & Official Microsoft Documentation
8. Verified permissions on the server directory /Client Access/OAB
9. Tried enabling Anonymous authentication and Basic on the OAB virtual directory, still receiving 401 Error
10. Rebooted the Exchange Server
11. Checked if redirection was enabled on the default website. I read somewhere if you find a web.config file in the OAB dir you need to change the permissions. The file isn't there.
0
 
ArneLoviusCommented:
Do you have this problem with just clients that connect with Outlook Anywhere, or do you also have it with MAPI clients ?
Are you able to see in the logs that OAB generation has completed successfully ?

http://blogs.msdn.com/b/dgoldman/archive/2006/08/26/725860.aspx
http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
0
 
V0LUMEAuthor Commented:
I just read somewhere that Autodiscover also leverages an SCP in AD.

I just ran the command: Get-ClientAccessServer –AutoDiscoverServiceInternalUri

and it returned an error 'object could not be found on DC'
0
 
V0LUMEAuthor Commented:
Hi ArneLovius,

We are not using Outlook Anywhere at the moment. I don't think it is configured properly.

The problem is for Outlook 2010 clients on the LAN or over the VPN
0
 
ArneLoviusCommented:
The command should be

Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri


Are your LAN clients connecting over HTTPS ?
0
 
V0LUMEAuthor Commented:
Thanks. The command came back ok:

Name                           : CASServer
AutoDiscoverServiceInternalUri : https://casserver.contoso.co.uk/Autodiscover/Autodiscover.xml

I didn't think we were using https. The OAB internal URL is set to http. We have a SAN cert with the names - autodiscover, mail, casserver name and legacy which we can use if need be
0
 
ArneLoviusCommented:
I presume that you have anonymised the output ? or is your internal domain actually contoso.co.uk ?

You should always use HTTPS rather than HTTP
0
 
V0LUMEAuthor Commented:
Yeah sorry I thought it was the done thing!

Think that it may have been set to https before I reset the OAB and Virtual Directories.

 Is it just a question of setting the virtual directory to 'Require SSL' and setting the internal URL to HTTPS?
0
 
ArneLoviusCommented:
As I don't know what state the OAB site is now in, I would rather suggest that all of the Web virtual directories were rebuilt

http://technet.microsoft.com/en-us/library/ff629372%28v=exchg.141%29.aspx

I usually use the external f.q.d.n for internal and external access, this does of course rely on having the external f.q.d.n resolvable to the internal IP address.

After the virtual directories are in a known good state, I would  then check, as per the links I posted previously, that OAB generation is happening correctly.

The reason for doing it this way, is that although the initial problem may have been with OAB generation, it is possible that there are now other issues, by getting everything else into its correct state first, you can rule out those problems and get to the root cause.
0
 
V0LUMEAuthor Commented:
I don't feel comfortable with this. Why do I need to reset the other virtual directories when they are working correctly?

If I reset the OWA and the EWS, webmail will be down and I have 20+ mac users connecting to EWS for Outlook 2011. The profile of the IT department is already low due to the OAB being down for a week. I don't want to make things worse

What could be the cause of the 401 error when browsing to the OAB in IE?
0
 
ArneLoviusCommented:
You could always do the removal and creation out of hours

A 401 error is "unauthorised"

I can understand that you want to minimize any further disruption, but you have also been making changes.

From your post above: item 7, which instructions did you use? Item 9, exactly what did you do to do this, and exactly what did you do to revert afterwards?

Have you followed the links I provided for testing OAB generation ?
0
 
V0LUMEAuthor Commented:
I will give it a go tonight if it is absolutely necessary.

These are the documents I followed:

7. http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
8. http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/ 
9. Was only an idea as I couldn't work out why I was getting not authorized (I am a domain admin) and have full control to the folder. I have reversed this step. Authentication is now set to Windows Only

I have set the logging level to medium as by your document and dumped it to a text file.
oabevents.txt
0
 
ArneLoviusCommented:
Although it is generating, you most certainly have other issues.

Please confirm the permissions match as described here

http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
0
 
V0LUMEAuthor Commented:
I read your permissions document before; I didn't understand what he meant by:

Allow Exchange Servers:

    Traverse Folder
    List Folder
    Read Attributes
    Read Extended Attributes
    CONTAINER_INHERIT (folder and subfolders permissions)

Allow Exchange Servers:

    Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions
    CONTAINER_INHERIT + OBJECT_INHERIT (folder, subfolders and files permissions)

Why does he repeat?:

Read Attributes
Read Extended Attributes
Read Permissions

I set my permissions as per this document:
http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/ 
 and made sure I ticked 'Replace all child permissions with inheritable permissions from this object'
0
 
NetfloCommented:
Hi,

I've reviewed this question and wanted to add my 2 cents to help things along and cover the basics:

1. Is the Exchange server up to date? SP2 UR5v2? Or at the very least SP2.
2. Has the OAB been specified at the DB level for the users hosted on it? Check the following steps and ensure yours is not blank:

You also need to specify the Offline Address Book to be used on your mailbox database on your Exchange 2010 server. Open up EMC -> Org Config -> Mailbox. In the middle pane, on the Database Management tab, right click your mailbox database -> Properties -> Client Settings tab -> Ensure your Offline Address Book is listed as 'Default Offline Address List'.

3. Have you performed BPA via Exchange 2010 ESM -> Tools. What are the errors and warnings reported? I'd suggest fixing this up first.

Let me know what your findings are.
0
 
V0LUMEAuthor Commented:
Hi Netflo,

Thanks for your response. I will be working on this issue over the weekend as the boss is already talking about getting the consultants in!

1. We were running SP2, but I have just installed SP2 UR5v2.
2. The OAB was not connected to the database. I have followed your procedure and connected it to the default database.
3. I ran some scans. It picked up the OAB was set to continuously update (might have been one of my colleagues). I set it back to once a night. Permissions check was ok

I'm considering resetting all virtual directories now like Arne said, not sure what else to try
0
 
V0LUMEAuthor Commented:
Arne,

I have followed your instructions and reset all client access virtual directories apart from autodiscover using the EMC. I set all the URLs to the same FQDN for internal and external access as per your advice and all are set to HTTPS. The firewall is set to NAT to the internal IP on port 443 and 25. External DNS is set.

The issue still persists. What can I do next?
0
 
NetfloCommented:
I would suggest re-running the server BPA till its reporting all okay and also assuming you've performed a reboot of your server following the last round of modifications.

I would also like to know on the client machine, is Outlook fully up to date too?
0
 
V0LUMEAuthor Commented:
Arne,

Total chaos in the office this morning. I reset all the virtual directories after your advice. The EWS service did not reset properly, with an error: ntlm not supported

I have 20+ Macs unable to connect to email in Outlook 2011. The OAB is still broken
0
 
ArneLoviusCommented:
I had suggested that you could do the work out of hours...

I'm completely lost by your "ntlm" error. Can you confirm the exact command that you used for creating the new EWS directory?

Can you also post the output from "get-WebServicesVirtualDirectory | fl"
0
 
V0LUMEAuthor Commented:
I did the work out of hours. I've been working all weekend. I reset all client access virtual directories using EMC. All went smoothly apart from EWS.

I get this in the event log:

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/36882122
 Exception: System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation.  The exception message is: The authentication scheme '“NTLM' is not supported.. ---> System.NotSupportedException: The authentication scheme '“NTLM' is not supported.
   at System.ServiceModel.Activation.MetabaseSettingsIis.RemapAuthenticationSchemes(AuthFlags flags, String[] providers)
   at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at Microsoft.Exchange.Services.Wcf.MessageEncoderWithXmlDeclarationBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 8868
0
 
ArneLoviusCommented:
I presume that you meant EMS (Exchange Management Shell) not EMC.

I'd try removing EWS again, restarting IIS, then re-creating EWS, then restarting IIS again.

I wonder if at some point you had changed file permissions.
0
 
V0LUMEAuthor Commented:
EWS is fixed and it looks like OAB is too.

We restored Exchange from September into a test environment and cross referenced all settings.

It seems when I did the reset of virtual directories in the console (not shell), on the Windows authentication providers it set NTLM and Negotiate with " after it. When we removed the speech marks, mail started flowing through and the address book started downloading
0
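An added example, not part of the original thread: a check for the failure described above, where a Windows Authentication provider name carries a stray quote character and IIS no longer recognises the scheme. The XML is a constructed sample shaped like IIS's applicationHost.config; the function name `Find-BadAuthProvider` and the allow-list of provider names are assumptions to adjust for your server.

```powershell
# Constructed sample. On a real server load
# %windir%\System32\inetsrv\config\applicationHost.config instead.
$sampleXml = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="&#x201C;NTLM" />
          <add value="Negotiate&#x201D;" />
        </providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Assumed allow-list of expected provider names; anything else is reported.
$knownProviders = 'Negotiate', 'NTLM', 'Negotiate:Kerberos'

function Find-BadAuthProvider {
    param([Parameter(Mandatory = $true)][xml]$Config)
    foreach ($loc in $Config.SelectNodes('//location')) {
        foreach ($add in $loc.SelectNodes('.//windowsAuthentication/providers/add')) {
            $value = $add.GetAttribute('value')
            if ($knownProviders -notcontains $value) {
                # List the code point of every character that is not a letter, digit or colon,
                # so a curly quote (U+201C / U+201D) is visible even when the console hides it.
                $odd = $value.ToCharArray() | Where-Object { $_ -notmatch '[A-Za-z0-9:]' } |
                    ForEach-Object { 'U+{0:X4}' -f [int]$_ }
                New-Object PSObject -Property @{
                    Location = $loc.GetAttribute('path')
                    Provider = $value
                    OddChars = ($odd -join ',')
                } | Select-Object Location, Provider, OddChars
            }
        }
    }
}

Find-BadAuthProvider -Config ([xml]$sampleXml) | Format-Table -AutoSize
```

Against the sample this reports the two EWS providers with U+201C and U+201D and nothing for OAB. The script only reads the file, so it can be run before and after a virtual directory reset to compare.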
 
ArneLoviusCommented:
That's great to hear :-)
0
 
NetfloCommented:
Good to hear, panic over and back to business.
0
 
V0LUMEAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for V0LUME's comment #a38850872

for the following reason:

The answers from the experts helped but in the end we resolved the issue
0
 
V0LUMEAuthor Commented:
Thanks for your help guys

Cheers

James
0
 
ArneLoviusCommented:
You resolved the issue, but points should be awarded to those people that helped you reach the resolution.
0
 
V0LUMEAuthor Commented:
Hey Arne, that makes sense but how do I do it?
0
 
V0LUMEAuthor Commented:
Hi Modus,

I have awarded points to the most valuable troubleshooting steps given by the experts.
0
 
V0LUMEAuthor Commented:
The advice from the experts was helpful for troubleshooting the issue but the final fix came from our team
0
