V0LUME
asked on
Outlook Hangs when connecting to Exchange 2010 OAB
We have been running Exchange 2010 in our company for almost a year without any problem. Recently the OAB has broken. When a user tries to manually update in Outlook it just hangs with no errors.
I have tried so many different things, including completely removing the OAB by following this post, but still no joy.
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
Did you try to recreate that user's email profile?
Is this the only user having this problem?
ASKER
Thank you for your response.
The issue is affecting all users. Everyone is on Outlook 2010. These are my steps so far:
1. Test Email configuration through Outlook
2. Tested Autodiscover here: https://www.testexchangeconnectivity.com
3. Recently deployed Unified Communication role so thought this may have caused some issues with the cert, so I renewed it with Comodo.
4. Switched OAB Logging to Medium.
5. Checked event logs on my local machine and the server.
6. One issue on my local machine: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the Exchange server.
7. Completely removed the OAB and virtual directories twice following instructions from Experts Exchange & Official Microsoft Documentation
8. Verified permissions on the server directory /Client Access/OAB
9. Tried enabling Anonymous authentication and Basic on the OAB virtual directory, still receiving 401 Error
10. Rebooted the Exchange Server
11. Checked if redirection was enabled on the default website. I read somewhere if you find a web.config file in the OAB dir you need to change the permissions. The file isn't there.
Do you have this problem with just clients that connect with Outlook Anywhere, or do you also have it with MAPI clients?
Are you able to see in the logs that OAB generation has completed successfully?
http://blogs.msdn.com/b/dgoldman/archive/2006/08/26/725860.aspx
http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
ASKER
I just read somewhere that Autodiscover also leverages an SCP in AD.
I just ran the command: Get-ClientAccessServer -AutoDiscoverServiceInternalUri
and it returned an error 'object could not be found on DC'
ASKER
Hi ArneLovius,
We are not using Outlook Anywhere at the moment. I don't think it is configured properly.
The problem is for Outlook 2010 clients on the LAN or over the VPN.
ASKER
Thanks. The command came back ok:
Name : CASServer
AutoDiscoverServiceInternalUri : https://casserver.contoso.co.uk/Autodiscover/Autodiscover.xml
I didn't think we were using https. The OAB internal URL is set to http. We have a SAN cert with the names - autodiscover, mail, casserver name and legacy, which we can use if need be.
I presume that you have anonymised the output? Or is your internal domain actually contoso.co.uk?
You should always use HTTPS rather than HTTP
ASKER
Yeah sorry I thought it was the done thing!
Think that it may have been set to https before I reset the OAB and Virtual Directories.
Is it just a question of setting the virtual directory to 'Require SSL' and setting the internal URL to HTTPS?
ASKER
I don't feel comfortable with this. Why do I need to reset the other virtual directories when they are working correctly?
If I reset the OWA and the EWS, webmail will be down and I have 20+ Mac users connecting to EWS for Outlook 2011. The profile of the IT department is already low due to the OAB being down for a week. I don't want to make things worse.
What could be the cause of the 401 error when browsing to the OAB in IE?
You could always do the removal and creation out of hours.
A 401 error is "unauthorised".
I can understand that you want to minimize any further disruption, but you have also been making changes.
From your post above: item 7, which instructions did you use? Item 9, exactly what did you do to do this, and exactly what did you do to revert afterwards?
Have you followed the links I provided for testing OAB generation?
ASKER
I will give it a go tonight if it is absolutely necessary.
These are the documents I followed:
7. https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
8. http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/
9. Was only an idea as I couldn't work out why I was getting not authorized (I am a domain admin) and have full control to the folder. I have reversed this step. Authentication is now set to Windows Only.
I have set the logging level to medium as per your document and dumped it to a text file.
oabevents.txt
Although it is generating, you most certainly have other issues.
Please confirm the permissions match as described here
http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx
ASKER
I read your permissions document before; I didn't understand what he meant by:
Allow Exchange Servers:
Traverse Folder
List Folder
Read Attributes
Read Extended Attributes
CONTAINER_INHERIT (folder and subfolders permissions)
Allow Exchange Servers:
Read Data
Read Attributes
Read Extended Attributes
Read Permissions
CONTAINER_INHERIT + OBJECT_INHERIT (folder, subfolders and files permissions)
Why does he repeat?:
Read Attributes
Read Extended Attributes
Read Permissions
I set my permissions as per this document:
http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/
and made sure I ticked 'Replace all child permissions with inheritable permissions from this object'
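The two "Exchange Servers" entries quoted in the post above are separate ACEs with different inheritance scope, so some rights appear in both. As an added example (not from the thread or from the linked documents), the following checks an ACL against those two entries; the function name `Test-OabAcl`, the `CONTOSO\Exchange Servers` identity and the `$OabPath` placeholder are assumptions, and the sample ACL is constructed.

```powershell
# Added example. Compares Allow ACEs for "Exchange Servers" with the two
# entries quoted in the post above. Written to run on Windows PowerShell 2.0.
function Test-OabAcl {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Access,   # e.g. (Get-Acl $OabPath).Access
        [string] $IdentityPattern = '*\Exchange Servers'
    )
    $expected = @(
        @{ Scope   = 'folder and subfolders'
           Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
           Rights  = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes' },
        @{ Scope   = 'folder, subfolders and files'
           Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
           Rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions' }
    )
    foreach ($e in $expected) {
        # OR together every matching Allow ACE that has this exact inheritance scope.
        $granted = 0
        foreach ($ace in $Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                "$($ace.IdentityReference)" -like $IdentityPattern -and
                $ace.InheritanceFlags -eq $e.Inherit) {
                $granted = $granted -bor [int]$ace.FileSystemRights
            }
        }
        # Rights the quoted entry lists that no matching ACE grants.
        $missing = [int]$e.Rights -band (-bnot $granted)
        New-Object PSObject -Property @{
            Scope   = $e.Scope
            Ok      = ($missing -eq 0)
            Missing = [System.Security.AccessControl.FileSystemRights]$missing
        }
    }
}

# Constructed sample ACL: the second ACE lacks ReadExtendedAttributes and
# ReadPermissions, so the second scope is reported as not OK.
$id = 'CONTOSO\Exchange Servers'   # constructed identity
$sample = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule($id,
        'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes',
        'ContainerInherit', 'None', 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule($id,
        'ReadData, ReadAttributes',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
)
Test-OabAcl -Access $sample | Format-Table Scope, Ok, Missing -AutoSize

# Against a real folder ($OabPath is a placeholder for the OAB directory):
# Test-OabAcl -Access (Get-Acl $OabPath).Access
```

The check only reads the ACL; it requires an exact match on inheritance flags, so a broader ACE that happens to cover the same rights is not counted.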
ASKER
Hi Netflo,
Thanks for your response. I will be working on this issue over the weekend as the boss is already talking about getting the consultants in!
1. We were running SP2, but I have just installed SP2 UR5v2.
2. The OAB was not connected to the database. I have followed your procedure and connected it to the default database.
3. I ran some scans. It picked up the OAB was set to continuously update (might have been one of my colleagues). I set it back to once a night. Permissions check was ok.
I'm considering resetting all virtual directories now like Arne said, not sure what else to try.
ASKER
Arne,
I have followed your instructions and reset all client access virtual directories apart from autodiscover using the EMC. I set all the URLs to the same FQDN for internal and external access as per your advice and all are set to HTTPS. The firewall is set to NAT to the internal IP on port 443 and 25. External DNS is set.
The issue still persists. What can I do next?
I would suggest re-running the server BPA till it's reporting all okay and also assuming you've performed a reboot of your server following the last round of modifications.
I would also like to know on the client machine, is Outlook fully up to date too?
ASKER
Arne,
Total chaos in the office this morning. I reset all the virtual directories after your advice. The EWS service did not reset properly, with an error: ntlm not supported
I have 20+ Macs unable to connect to email in Outlook 2011. The OAB is still broken.
I had suggested that you could do the work out of hours...
I'm completely lost by your "ntlm" error. Can you confirm the exact command that you used for creating the new EWS directory?
Can you also post the output from "get-WebServicesVirtualDirectory | fl"?
ASKER
I did the work out of hours. I've been working all weekend. I reset all client access virtual directories using EMC. All went smoothly apart from EWS.
I get this in the event log:
WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/36882122
Exception: System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation. The exception message is: The authentication scheme '“NTLM' is not supported.. ---> System.NotSupportedException: The authentication scheme '“NTLM' is not supported.
at System.ServiceModel.Activation.MetabaseSettingsIis.RemapAuthenticationSchemes(AuthFlags flags, String[] providers)
at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
at System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
at Microsoft.Exchange.Services.Wcf.MessageEncoderWithXmlDeclarationBindingElement.BuildChannelListener[TChannel](BindingContext context)
at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
at System.ServiceModel.ServiceHostBase.InitializeRuntime()
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
--- End of inner exception stack trace ---
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
Process Name: w3wp
Process ID: 8868
I presume that you meant EMS (Exchange Management Shell) not EMC.
I'd try removing EWS again, restarting IIS, then re-creating EWS, then restarting IIS again.
I wonder if at some point you had changed file permissions.
that's great to hear :-)
Good to hear, panic over and back to business.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for V0LUME's comment #a38850872
for the following reason:
The answers from the experts helped but in the end we resolved the issue
ASKER
Thanks for your help guys
Cheers
James
You resolved the issue, but points should be awarded to those people that helped you reach the resolution.
ASKER
Hey Arne, that makes sense but how do I do it?
ASKER
Hi Modus,
I have awarded points to the most valuable troubleshooting steps given by the experts.
ASKER
The advice from the experts was helpful for troubleshooting the issue but the final fix came from our team.
ASKER
The CAS and MBX are collocated together and I haven't found any errors in the event log on the server or the local machine. I did find one error related to Kerberos and the Exchange server on my local machine but I'm not sure if it is related.
I think the issue is somehow IIS related as browsing to the OAB in IE brings back a 401 unauthorized access.