Solved

Issues With Outlook for Mac and Exchange?

Posted on 2016-09-14
37
84 Views
Last Modified: 2016-10-17
Since yesterday, all of our teleworkers who use a Mac and Outlook for Mac can't get their email. Nothing has changed in our environment in weeks so I know we're good there. All other users can get email (Android, Windows, iPhone, etc.).

One of the employees said that the "last connected to Exchange" time was exactly the same for everyone in his group. Was there some kind of update that broke Outlook for Mac? Known solutions? Favorite flavor of ice cream? Mine is mint chocolate chip!

I searched the interwebs and couldn't find anything specific to the last couple days.
0
Comment
Question by:Paul Wagner
  • 18
  • 8
  • 6
  • +2
37 Comments
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
Try having them delete their password and re-enter it.  It might need to re-authenticate with the server.
0
 
LVL 41

Expert Comment

by:Amit
Comment Utility
When you restarted your server last time?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I could see deleting passwords and re-authenticating if it was one person, but this issue is impacting ALL Mac users across the board.

The server was rebooted a couple weeks ago. How could a reboot matter for Mac users specifically?
0
 
LVL 41

Expert Comment

by:Amit
Comment Utility
which process is taking maximum CPU and RAM currently and what is NPM value?
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
I'm not aware of any updates to Mac OSX Sierra.  iOS was released yesterday, but that shouldn't be related to the problem you're having.

Have you tried turning off your antivirus on the server and re-running the test?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
Microsoft Exchange MDB Store is using the most RAM
Total RAM usage is sitting at 46% for the entire Exchange VM.

GFI MailEssentials Scan Engine is using the most CPU overall.
IIS Worker Process will jump up to the top at 20% CPU usage every so often.
Total CPU usage is sitting at 14-35% for the entire Exchange VM.

Yes, I've turned off AV but that didn't change anything.

I'd be happy to try a server reboot. It seems odd that would fix this, though.
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
I could see deleting passwords and re-authenticating if it was one person, but this issue is impacting ALL Mac users across the board.
Does this mean you already did try it with one person?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I'll try it now... gosh, you want me to do stuff?! ;-)
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
Hehe, just making sure we cross one item off the list at a time.  I'm a completionist, dangit! :)
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
The only other thing I can think of would be to recreate the group they're all in and see if that fixes it.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I just wiped the Outlook profile for a user and tried to add it back. Authentication failed. It looks like Mac dudes can't even add their Exchange account to Outlook for Mac.

Here are some screenshots of the failed process for your viewing pleasure.
Is this a certificate issue?

Initial setup of account in Outlook
Certificate error pops up
Certificate being pulled is for primary domain web server and not autodiscover/exchange? This only happens with Macs.
Authentication fails
We have not made any changes whatsoever to cause this. Something has to have changed in Mac or Office for Mac, right? Certs just don't all of sudden stop being accepted.

What's really weird to me is that Macs are pulling a cert for the web server that runs our primary domain's website. Why doesn't the Macs pull the autodiscover cert like Outlook on a PC?
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I already tried that. (the problem they were having in your referenced ticket is a little different. they could add the account. we can't)
I went in to their keychain access manager and removed any certs having to do with my domain or email server and then tried to add the exchange profile.

There isn't a new cert. Nothing has changed on the web server or Exchange in weeks.
0
 
LVL 32

Expert Comment

by:nappy_d
Comment Utility
Please take the cert you downloaded in your comment above, #a41798859 and added it to the keychain of computer.

This is what I have to do in our environment.
0
 
LVL 13

Expert Comment

by:Kyle Santos
Comment Utility
ftfy, nappy_d ;)
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I also tried installing the cert into the keychain. Same 'authentication failed' message.
0
 
LVL 8

Expert Comment

by:Tim Lapin
Comment Utility
Which version of Outlook are they using?  Outlook 2016 is certificate sensitive, i.e. there will almost always be a certificate to accept from the server and it should be set to "Always trust"

Outlook 2011 is a little more forgiving but it is quite old and at some point will no longer get updates to allow for compatibility.  I suppose it's possible that you are seeing one such issue right now.

It sounds like there might be a few issues:
-  the cert was not set to "Always trust"
-  there was an update on the server which reset a preference setting
-  the users need an update (triggered by the previous point)


There is another possibility, based on the fact that they get in remotely.   Are there any VPN issues that might be happening at your site?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
Different versions for most but there is a cluster of them using Outlook for Mac 15.xx
0
 
LVL 8

Expert Comment

by:Tim Lapin
Comment Utility
Paul Wagner wrote:
Different versions for most but there is a cluster of them using Outlook for Mac 15.xx

That is Office 2016.  By contrast, 14.x.y.. is Office 2011.

Given that you are experiencing an entire group of users who are:
-  now offline
-  all macs
-  using different versions of Outlook 2011, 2016 + who knows which patch update for each

I would say that the problem has to originate from the server and/or network login area.  The solution to the problem might be an update to the clients but the source of the problem is almost certainly at the server end.

How do they fare with using OWA (Outlook Web Access)?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I agree that the problem could be on the server end, but I can't imagine what is causing the issue since no changes have been made in weeks.

They can access email on phones, PCs and OWA just fine.
0
 
LVL 8

Expert Comment

by:Tim Lapin
Comment Utility
Have you checked log files on both the clients and the various servers (exchange, certificate, network controllers, ...)  Something has to show up somewhere.


The only things I can suggest right now is to

-  Redo the account setup and set the certificate to "Always Trust".
-  Force a check for updates on the clients.  It makes sense to take that variable out of the equation.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
ok. will try and report back.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I remoted a Mac user and their profile was built without any issues.
I also got an email from another Mac user who said they are now receiving email on the MacMail app. We didn't change a thing.
We didn't make any changes on either end (didn't even restart server) and Mac users could start connecting again. Thoughts?

Sidenote: I WAS able to install the cert into keychain access for the remoted user. That part worked fine.
0
 
LVL 8

Expert Comment

by:Tim Lapin
Comment Utility
Wait, Apple Mail?  I didn't see any mention of that in the original post.  Was that app also affected by the outage?

What about other users?  Can they try that app too?

Regardless, sounds like progress!
0
 
LVL 13

Assisted Solution

by:Kyle Santos
Kyle Santos earned 50 total points
Comment Utility
Wait, Apple Mail?  I didn't see any mention of that in the original post.  Was that app also affected by the outage?
Ditto.

With this in mind, what if you tried doing this on the Apple Mail account? #a41798500
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
Might have left MacMail out since only two guys use it.
Yes, one or two Mac users have MacMail and the rest (most of them) are on Outlook for Mac.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
Try having them delete their password and re-enter it.  It might need to re-authenticate with the server.

For their Apple Mail account? I'm not sure what that is.

More findings:
I noticed that there were a lot of SChannel errors on the Exchange server. Are these conencted? Still researching... Thoughts?
errorerror
0
 
LVL 8

Accepted Solution

by:
Tim Lapin earned 450 total points
Comment Utility
Ah, the infamous Schannel issue and TLS versions to boot!

There is a patch available for Schannel vulnerability for all flavours of Windows (KB2992611) and a related patch for additional ciphers.  Check your server for their presence and if necessary follow the yellow brick Microsoft road:

https://support.microsoft.com/en-ca/kb/2992611


I also seem to recall some issues with levels of TLS/SSL.  I can't remember the specifics but there was a problem on the server side accepting higher levels.  Have a look at:
https://support.microsoft.com/en-ca/kb/2955530
1
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
KB2992611 is already installed on the Exchange server.

Great article link!
Is this going to help, you think?
https://support.microsoft.com/en-us/kb/980436
compatible mode
I assume "nonzero" means to make the setting a "1"?
0
 
LVL 8

Expert Comment

by:Tim Lapin
Comment Utility
Yes, that would be a reasonable assumption, certainly one I would make.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
Rebooting server tonight. I will report back on how it went.

UPDATE: Server reboot went well. SChannel and SSL/TLS issues are resolved by using IIS Crypto (this was actually unrelated to the Mac problem). After entering those registry changes for "AllowInsecureRenego" I'll wait to hear from the Mac users.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
A user gave me feedback that he couldn't connect after I made the changes.

He is on OSX Yosemite (10.10.5) and Outlook for Mac 2011.

Hypothesis: I think that I need to add a cipher back to the SSL cipher suite to allow Macs to connect.

I now only have TLS in my cipher list. I know that SSL is necessary for Macs, so does that mean the registry settings didn't work?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I've been reading here and someone said that Outlook for Mac needs TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Also found it mentioned here.

... and here

Amazing that Outlook for Mac can only go as high as 3DES!! :-(

Also, I have a couple guys using MacMail. Do you think that applies to them as well?
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
I will award points and close the question.
0
 
LVL 3

Author Comment

by:Paul Wagner
Comment Utility
The issue was the SSL ciphers on my Exchange server. We added the correct one (and old one) back and Mac could get mail again. Thanks for the help.
1

Featured Post

How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Outlook Free & Paid Tools
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now