Outlook Hangs when connecting to Exchange 2010 OAB

I already run the "Test Email AutoConfiguration” in Outlook and result was ok. I also did the onlines tests here: https://www.testexchangeconnectivity.com.

The Cas and MBX are collocated together and I haven't found any errors in the event log on the server or the local machine. I did find one error related to kerberos and the exchange server on my local machine but I'm not sure if related.

I think the issue is somehow IIS related as browsing to the OAB in IE brings back a 401 unauthorized access.

Did you tried to recreate that user email profile?
Is this the only user having this problem?

Thank you for your response.

The issue is affecting all users. Everyone is on Outlook 2010. These are my steps so far:

1. Test Email configuration through Outlook
2. Tested Autodiscover here: https://www.testexchangeconnectivity.com 
3. Recently deployed Unified Communication role so thought this may of caused some issues with the cert so I renewed it with Comodo.
4. Switched OAB Logging to Medium.
5. Checked event logs on my local machine and the server.
6. One issue on my local machine: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the Exchange server.
7. Completed removed the OAB and virtual directories twice following instructions from Experts Exchange & Official Microsoft Documentation
8. Verified permissions on the server directory /Client Access/OAB
9. Tried enabling Anonymous authentication and Basic on the OAB virtual directory, still receiving 401 Error
10. Rebooted the Exchange Server
11. Checked if redirection was enabled on the default website. I read somewhere if you find a web.config file in the OAB dir you need to change the permissions. The file isn't there.

Do you have this problem with just clients that connect with Outlook Anywhere, or do you also have it with MAPI clients ?
Are you able to see in the logs that OAB generation has completed successfully ?

http://blogs.msdn.com/b/dgoldman/archive/2006/08/26/725860.aspx
http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx

I just read somewhere that Autodiscover also leverages and SCP in AD.

I just run the command: Get-ClientAccessServer –AutoDiscoverServiceInternalUri

and it returned an error 'object could not be found on DC'

Hi ArneLovius,

We are not using Outlook anywhere at the moment. I don't think it configured properly.

The problem is for Outlook 2010 clients on the LAN or over the VPN

Thanks. The command came back ok:

Name                           : CASServer
AutoDiscoverServiceInternalUri : https://casserver.contoso.co.uk/Autodiscover/Autodiscover.xml

I didn't think we were using https. The OAB internal URL is set http. We have a SAN cert with the names - autodiscover, mail, casserver name and legacy which we can use if need be

I presume that you have anonymised the output ? or is your internal domain actually contoso.co.uk ?

You should always use HTTPS rather than HTTP

Yeah sorry I thought it was the done thing!

Think that it may of been set to https before I reset the OAB and Virtual Directories.

 Is it just a question of setting the virtual directory to 'Require SSL' and setting the internal URL to HTTPS?

I don't feel comfortable with this. Why do I need to reset the other virtual directories when they are working correctly?

If I reset the OWA and the EWS, webmail will be down and I have 20+ mac users connecting to EWS for Outlook 2011. The profile of the IT department is already low due to the OAB being down for a week. I don't want to make things worse

What could be the cause of the 401 error when browsing to the OAB in IE?

You could always do the removal and creation out of hours

A 401 error is "unauthorised"

I can understand that you want to minimize any further disruption, but you have also been making changes.

from your post above, item 7 which instructions did you use ?, item 9, exactly what did you do to do this, and exactly what did you do to revert afterwards ?

Have you followed the links I provided for testing OAB generation ?

I will give it ago tonight if it is absolutely necessary.

These are the documents I followed:

7. https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_5064-9-Steps-to-end-OAB-nightmares.html
8. http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/ 
9. Was only a idea as I couldn't work out why I was getting not authorized (I am a domain admin) and have full control to the folder. I have reversed this step. Authentication is now set to Windows Only

I have set the logging level to medium as by your document and dumped it to a text file.
oabevents.txt

Although it is generating, you most certainly have other issues.

Please conform the permissions match as described here

http://blogs.msdn.com/b/dgoldman/archive/2010/04/01/what-are-the-default-permissions-on-the-exchangeoab-directory.aspx

I read your permissions document before I didn't understand what he meant by:

Allow Exchange Servers:

    Traverse Folder
    List Folder
    Read Attributes
    Read Extended Attributes
    CONTAINER_INHERIT (folder and subfolders permissions)

Allow Exchange Servers:

    Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions
    CONTAINER_INHERIT + OBJECT_INHERIT (folder, subfolders and files permissions)

Why does he repeat?:

Read Attributes
Read Extended Attributes
Read Permissions

I set my permissions as per this document:
http://pkjayan.wordpress.com/2010/07/25/downloading-exchange-2010-offline-address-book-fails/ 
 and made sure I ticked 'Replace all child permissions with inheritable permissions from this object'

Hi Netflo,

Thanks for you response. I will be working on this issue over the weekend as the boss is already talking about getting the consultants in!

1. We were running SP2, but I have just just installed SP2 UR5v2.
2. The OAB was not connected to the database. I have followed your procedure and connected it to the default database.
3. I run some scans. It picked up the OAB was set to continuously update (might of been one of my colleagues). I set it back to once a night. Permissions check was ok

I'm considering resetting all virtual directories now like Arne said, not sure what else to try

Arne,

I have followed your instructions and reset all client access virtual directories apart from autodiscover using the EMC. I set the all the URLs to the same FQDN for internal and external access as per your advise and all are set to HTTPS. The firewall is set to NAT to the internal IP on port 443 and 25. External DNS is set.

The issue still persists what can I do next?

I would suggest re-running the server BPA till its reporting all okay and also assuming you've performed a reboot of your server following the last round of modifications.

I would also like to know on the client machine, is Outlook fully up to date too?

Arne,

Total chaos in the office this morning. I reset all the virtual directories after your advice the EWS service did not reset properly with an error: ntlm not supported

I have 20+ macs unable to connect to email in Outlook 2011. The OAB is still broke

I had suggested that could do the work out of hours...

I'm completely lost by your "ntlm" error, can you confirm the exact command that you used for creating the new EWS directory.

can you also post the output from "get-WebServicesVirtualDirectory | fl"

I did the work out of hours. I've been working all weekend. I reset all client access virtual directories using EMC. All went smoothly apart from EWS.

I get this in the event log:

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/36882122
 Exception: System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation.  The exception message is: The authentication scheme '“NTLM' is not supported.. ---> System.NotSupportedException: The authentication scheme '“NTLM' is not supported.
   at System.ServiceModel.Activation.MetabaseSettingsIis.RemapAuthenticationSchemes(AuthFlags flags, String[] providers)
   at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at Microsoft.Exchange.Services.Wcf.MessageEncoderWithXmlDeclarationBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 8868

I presume that you meant EMS (Exchange Management Shell) not EMC.

I try removing EWS again, restarting IIS, then re-creating EWS, then restarting IIS again.

I wonder if at some point you had changed file permissions.

that's great to hear :-)

Good to hear, panic over and back to business.

I've requested that this question be closed as follows:

Accepted answer: 0 points for V0LUME's comment #a38850872

for the following reason:

The answers from the experts helped but in the end we resolved the issue

Thanks for your help guys

Cheers

James

You resolved the issue, but points should be awarded to those people that helped you reach the resolution.

Hey Arne, that makes sense but how do I do it?

Hi Modus,

I have awarded points to the most valuable troubleshooting steps given by the experts.

The advise from the experts was helpful for troubleshooting the issue but the final fix came from our team