
Exchange 2013 SendAs permission randomly denied

okay Experts --- brainstorming needed.
Migration from EX2007 - EX2013 CU3
all good.
Customer previously had address book segregation using ADSI Edit and deny permissions for Address Lists. This has all been reset.
Upgraded CU3 - CU5 - all good
Upgraded CU5 - CU6 to fix problem with slow lookup for address books.
After that, this error appeared:
The customer has 100+ shared folders. SendAs permission is given to a domain local group. The member of that domain local group is a global group - in that group the users needing SendAs permissions are members.
When working with Outlook in Online mode - they randomly cannot send an email as the shared mailbox. They can send 5 messages, then the sixth message is denied - giving the error message "you don't have permission to send as the shared mailbox" - then either close and reopen Outlook and send, or just wait a couple of mins - then it works.
This happens at no predefined time intervals. It happens to all shared mailboxes, regardless of the amount of emails and connections. It happens in both online and cache mode.
We upgraded to CU7 - due to this https://support.microsoft.com/en-us/kb/3009291 - but still no fix.
The customer has 1 root domain (naturally) and 2 subdomains, with Exchange in one, and the other has no Exchange recipients.

We set throttling policies to unlimited - still no fix.

Then one fix - if we give the user permission directly - it works. If we use groups only, it doesn't work. But it worked from CU3 via CU5 but stopped working in CU6 ---
Microsoft Support says ---- eeeh ... we don't know -- upgrade to CU8 - but that's no solution, as the customer has several 3rd party integrations not compatible with CU8

soooooo ---- anyone?

AmitIT Architect
Distinguished Expert 2017

Commented:
I am not surprised, that is the story with every patch MS releases. However, upgrading to the latest version is always good, but I prefer n-1. Also, I don't see that CU8 fixes the send-as permission issue mentioned by you. If you still have the MS case, escalate it to tier-3 level. They should escalate to the coding team, to check what changed in CU6.
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
Are your Domain Controllers replicating properly? Exchange continually gets directory info from Active Directory and Send-As is an AD-specific permission.

I would start by checking there and making sure that the DCs are replicating and are healthy. It could be possible that there is a domain controller that does not have the replicated changes on it. Use the following commands to check replication.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
dcdiag /v

Will.

Author

Commented:
Replication is okay ---- trying to move groups between OUs to see if this is an AD problem

Author

Commented:
Looks like it was solved (a looooooooooooong time ago - sorry for the delay) by changing group scope to universal --- even though global and domain local should be working - as confirmed by MS Support
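
An audit for the condition this thread ended on, as an added example that is not part of the original posts: it lists every shared mailbox whose Send-As right is granted directly to a group that is not universal in scope. It assumes the Exchange Management Shell with the ActiveDirectory module installed and a reachable global catalog; it checks only the direct trustee, not groups nested inside it.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
Import-Module ActiveDirectory

# Assumption: any global catalog will do; port 3268 lets one lookup
# resolve groups from the root domain and both subdomains.
$dc = Get-ADDomainController -Discover -Service GlobalCatalog
$gc = '{0}:3268' -f @($dc.HostName)[0]

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Explicit (non-inherited) allow entries carrying the Send-As extended right
    $aces = Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like '*Send-As*') -and
                       -not $_.IsInherited -and -not $_.Deny }

    foreach ($ace in $aces) {
        $trustee = $ace.User.ToString()          # DOMAIN\name
        if ($trustee -eq 'NT AUTHORITY\SELF') { continue }
        try {
            # Resolve by SID so the lookup does not depend on which domain owns the name
            $sid = ([System.Security.Principal.NTAccount]$trustee).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            $group = Get-ADGroup -Identity $sid -Server $gc -ErrorAction Stop
        } catch {
            continue                             # a user, or an unresolvable SID: not a group grant
        }
        [pscustomobject]@{
            Mailbox    = $mbx.PrimarySmtpAddress
            Trustee    = $trustee
            GroupScope = $group.GroupScope       # DomainLocal, Global or Universal
            GroupDN    = $group.DistinguishedName
        }
    }
}

# Grants that depend on domain local or global groups, the setup that failed here
$report | Where-Object { $_.GroupScope -ne 'Universal' } |
    Sort-Object Mailbox | Format-Table -AutoSize
```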