Issues With Outlook for Mac and Exchange?

Since yesterday, all of our teleworkers who use a Mac and Outlook for Mac can't get their email. Nothing has changed in our environment in weeks so I know we're good there. All other users can get email (Android, Windows, iPhone, etc.).

One of the employees said that the "last connected to Exchange" time was exactly the same for everyone in his group. Was there some kind of update that broke Outlook for Mac? Known solutions? Favorite flavor of ice cream? Mine is mint chocolate chip!

I searched the interwebs and couldn't find anything specific to the last couple days.
LVL 5
Paul WagnerFriend To Robots and RocksAsked:
Who is Participating?
 
Tim LapinConnect With a Mentor Computer Consultant (Desktop analyst)Commented:
Ah, the infamous Schannel issue and TLS versions to boot!

There is a patch available for Schannel vulnerability for all flavours of Windows (KB2992611) and a related patch for additional ciphers.  Check your server for their presence and if necessary follow the yellow brick Microsoft road:

https://support.microsoft.com/en-ca/kb/2992611


I also seem to recall some issues with levels of TLS/SSL.  I can't remember the specifics but there was a problem on the server side accepting higher levels.  Have a look at:
https://support.microsoft.com/en-ca/kb/2955530
1
 
Kyle SantosCustomer RelationsCommented:
Try having them delete their password and re-enter it.  It might need to re-authenticate with the server.
0
 
AmitIT ArchitectCommented:
When you restarted your server last time?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I could see deleting passwords and re-authenticating if it was one person, but this issue is impacting ALL Mac users across the board.

The server was rebooted a couple weeks ago. How could a reboot matter for Mac users specifically?
0
 
AmitIT ArchitectCommented:
which process is taking maximum CPU and RAM currently and what is NPM value?
0
 
Kyle SantosCustomer RelationsCommented:
I'm not aware of any updates to Mac OSX Sierra.  iOS was released yesterday, but that shouldn't be related to the problem you're having.

Have you tried turning off your antivirus on the server and re-running the test?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Microsoft Exchange MDB Store is using the most RAM
Total RAM usage is sitting at 46% for the entire Exchange VM.

GFI MailEssentials Scan Engine is using the most CPU overall.
IIS Worker Process will jump up to the top at 20% CPU usage every so often.
Total CPU usage is sitting at 14-35% for the entire Exchange VM.

Yes, I've turned off AV but that didn't change anything.

I'd be happy to try a server reboot. It seems odd that would fix this, though.
0
 
Kyle SantosCustomer RelationsCommented:
I could see deleting passwords and re-authenticating if it was one person, but this issue is impacting ALL Mac users across the board.
Does this mean you already did try it with one person?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I'll try it now... gosh, you want me to do stuff?! ;-)
0
 
Kyle SantosCustomer RelationsCommented:
Hehe, just making sure we cross one item off the list at a time.  I'm a completionist, dangit! :)
0
 
Kyle SantosCustomer RelationsCommented:
The only other thing I can think of would be to recreate the group they're all in and see if that fixes it.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I just wiped the Outlook profile for a user and tried to add it back. Authentication failed. It looks like Mac dudes can't even add their Exchange account to Outlook for Mac.

Here are some screenshots of the failed process for your viewing pleasure.
Is this a certificate issue?

Initial setup of account in Outlook
Certificate error pops up
Certificate being pulled is for primary domain web server and not autodiscover/exchange? This only happens with Macs.
Authentication fails
We have not made any changes whatsoever to cause this. Something has to have changed in Mac or Office for Mac, right? Certs just don't all of sudden stop being accepted.

What's really weird to me is that Macs are pulling a cert for the web server that runs our primary domain's website. Why doesn't the Macs pull the autodiscover cert like Outlook on a PC?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I already tried that. (the problem they were having in your referenced ticket is a little different. they could add the account. we can't)
I went in to their keychain access manager and removed any certs having to do with my domain or email server and then tried to add the exchange profile.

There isn't a new cert. Nothing has changed on the web server or Exchange in weeks.
0
 
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Please take the cert you downloaded in your comment above, #a41798859 and added it to the keychain of computer.

This is what I have to do in our environment.
0
 
Kyle SantosCustomer RelationsCommented:
ftfy, nappy_d ;)
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I also tried installing the cert into the keychain. Same 'authentication failed' message.
0
 
Tim LapinComputer Consultant (Desktop analyst)Commented:
Which version of Outlook are they using?  Outlook 2016 is certificate sensitive, i.e. there will almost always be a certificate to accept from the server and it should be set to "Always trust"

Outlook 2011 is a little more forgiving but it is quite old and at some point will no longer get updates to allow for compatibility.  I suppose it's possible that you are seeing one such issue right now.

It sounds like there might be a few issues:
-  the cert was not set to "Always trust"
-  there was an update on the server which reset a preference setting
-  the users need an update (triggered by the previous point)


There is another possibility, based on the fact that they get in remotely.   Are there any VPN issues that might be happening at your site?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Different versions for most but there is a cluster of them using Outlook for Mac 15.xx
0
 
Tim LapinComputer Consultant (Desktop analyst)Commented:
Paul Wagner wrote:
Different versions for most but there is a cluster of them using Outlook for Mac 15.xx

That is Office 2016.  By contrast, 14.x.y.. is Office 2011.

Given that you are experiencing an entire group of users who are:
-  now offline
-  all macs
-  using different versions of Outlook 2011, 2016 + who knows which patch update for each

I would say that the problem has to originate from the server and/or network login area.  The solution to the problem might be an update to the clients but the source of the problem is almost certainly at the server end.

How do they fare with using OWA (Outlook Web Access)?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I agree that the problem could be on the server end, but I can't imagine what is causing the issue since no changes have been made in weeks.

They can access email on phones, PCs and OWA just fine.
0
 
Tim LapinComputer Consultant (Desktop analyst)Commented:
Have you checked log files on both the clients and the various servers (exchange, certificate, network controllers, ...)  Something has to show up somewhere.


The only things I can suggest right now is to

-  Redo the account setup and set the certificate to "Always Trust".
-  Force a check for updates on the clients.  It makes sense to take that variable out of the equation.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
ok. will try and report back.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I remoted a Mac user and their profile was built without any issues.
I also got an email from another Mac user who said they are now receiving email on the MacMail app. We didn't change a thing.
We didn't make any changes on either end (didn't even restart server) and Mac users could start connecting again. Thoughts?

Sidenote: I WAS able to install the cert into keychain access for the remoted user. That part worked fine.
0
 
Tim LapinComputer Consultant (Desktop analyst)Commented:
Wait, Apple Mail?  I didn't see any mention of that in the original post.  Was that app also affected by the outage?

What about other users?  Can they try that app too?

Regardless, sounds like progress!
0
 
Kyle SantosConnect With a Mentor Customer RelationsCommented:
Wait, Apple Mail?  I didn't see any mention of that in the original post.  Was that app also affected by the outage?
Ditto.

With this in mind, what if you tried doing this on the Apple Mail account? #a41798500
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Might have left MacMail out since only two guys use it.
Yes, one or two Mac users have MacMail and the rest (most of them) are on Outlook for Mac.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Try having them delete their password and re-enter it.  It might need to re-authenticate with the server.

For their Apple Mail account? I'm not sure what that is.

More findings:
I noticed that there were a lot of SChannel errors on the Exchange server. Are these conencted? Still researching... Thoughts?
errorerror
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
KB2992611 is already installed on the Exchange server.

Great article link!
Is this going to help, you think?
https://support.microsoft.com/en-us/kb/980436
compatible mode
I assume "nonzero" means to make the setting a "1"?
0
 
Tim LapinComputer Consultant (Desktop analyst)Commented:
Yes, that would be a reasonable assumption, certainly one I would make.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Rebooting server tonight. I will report back on how it went.

UPDATE: Server reboot went well. SChannel and SSL/TLS issues are resolved by using IIS Crypto (this was actually unrelated to the Mac problem). After entering those registry changes for "AllowInsecureRenego" I'll wait to hear from the Mac users.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
A user gave me feedback that he couldn't connect after I made the changes.

He is on OSX Yosemite (10.10.5) and Outlook for Mac 2011.

Hypothesis: I think that I need to add a cipher back to the SSL cipher suite to allow Macs to connect.

I now only have TLS in my cipher list. I know that SSL is necessary for Macs, so does that mean the registry settings didn't work?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I've been reading here and someone said that Outlook for Mac needs TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Also found it mentioned here.

... and here

Amazing that Outlook for Mac can only go as high as 3DES!! :-(

Also, I have a couple guys using MacMail. Do you think that applies to them as well?
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I will award points and close the question.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
The issue was the SSL ciphers on my Exchange server. We added the correct one (and old one) back and Mac could get mail again. Thanks for the help.
1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.