Entourage connectivity issue against Exchange 2007 mailbox running on Windows 2008 Server

In this blog post I want to talk about an Entourage connectivity issue where the Exchange 2007 Server is running on a Windows 2008 box. The key factors here are Windows 2008 Server and Exchange servers that run independent roles. I have tried to explain the setup using this diagram.

[Diagram: Entourage connectivity]

In the above diagram my CAS and Mailbox servers are on 2 independent boxes.

Issue

When using Entourage for Mac (2004 or 2008) to connect to an Exchange 2007 mailbox running on a Windows 2008 server, users cannot connect to their Exchange account.

Cause

Entourage (2004 or 2008) is a WebDAV client. To connect, it sends a request to the Exchange Virtual Directory inside the DWS (Default Web Site) in IIS on the Windows CAS server (recommended). The Exchange Virtual Directory on the CAS (Client Access Server) redirects this request to the Exchange Virtual Directory on the Mailbox Server. If the correct permissions are not installed on the Mailbox Server, Entourage fails to connect. These permissions are not installed by default if you have a dedicated Mailbox role running on a Windows 2008 Server.

Resolution

Because the Entourage connection request reaches IIS on the Mailbox server, we have to make sure that Basic Authentication and Windows Integrated Authentication are installed there. We also need ISAPI Extensions installed on the Mailbox Server.

Steps to install Security Role Services on the Windows 2008 Mailbox Server:

1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).

3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.

4. On the Select Role Services page of the Add Role Services Wizard, select ISAPI Extensions under Application Development and Basic Authentication & Windows Authentication under Security, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Results page, click Close.

After completing these steps, you don't need to restart any services on the server. Ask your Entourage users to check whether the issue has been resolved for them; at most, you can ask them to re-launch Entourage.

More Info

If you are running into this issue, you may see all of the following behaviour.

On the Mac Client

You use the Automatic Setup Assistant to configure your mailbox in Entourage. The setup assistant asks for your account information, and you enter your Domain details, your Account ID (AD alias) and your password (left screen shot). Even after you provide the correct credentials, the account still shows as Not connected (right screen shot). At the same time, OWA on the same Mac machine works fine.

IIS Trace Sample from the CAS

2009-07-25 08:37:41 172.22.243.17 PROPFIND /exchange/jond/ - 80 GingerCorpjond 10.171.86.230 Entourage/12.20.0+(Intel+Mac+OS+X+10.5.7) 503 0 0 234

2009-07-25 08:37:41 172.22.243.17 GET /exchange/ - 80 GingerCorpjond 10.171.86.230 Entourage/12.20.0+(Intel+Mac+OS+X+10.5.7) 503 0 0 31

IIS Trace Sample from the Mailbox

2009-07-25 07:10:02 172.22.243.21 PROPFIND /exchange/jond/ - 80 - 10.171.86.230 Entourage/12.20.0+(Intel+Mac+OS+X+10.5.7) 401 2 5 0

2009-07-25 07:10:02 172.22.243.21 GET /exchange/ - 80 - 10.171.86.230 Entourage/12.20.0+(Intel+Mac+OS+X+10.5.7) 401 2 5 0
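The two IIS samples can be matched mechanically: a 503 on the CAS paired with an anonymous 401.2 on the Mailbox server (IIS sub-status 2 is "logon failed due to server configuration") for the same client and URL is the signature of this problem. The script below is an added example, not code from the original post; it assumes the IIS 7 default W3C field order, since no #Fields header is shown above, and the #Software header and the 207 row are constructed for contrast.

```python
from collections import namedtuple

# Assumption: IIS 7 default W3C field order (no #Fields header is shown on the page).
FIELDS = ("date time s_ip method uri query port user c_ip agent "
          "status substatus win32 time_taken").split()
Entry = namedtuple("Entry", FIELDS)

UA = "Entourage/12.20.0+(Intel+Mac+OS+X+10.5.7)"
# The 503 and 401 rows reproduce the trace samples above; the #Software header
# and the 207 row are constructed.
CAS_LOG = f"""\
#Software: Microsoft Internet Information Services 7.0
2009-07-25 08:37:41 172.22.243.17 PROPFIND /exchange/jond/ - 80 GingerCorpjond 10.171.86.230 {UA} 503 0 0 234
2009-07-25 08:37:41 172.22.243.17 GET /exchange/ - 80 GingerCorpjond 10.171.86.230 {UA} 503 0 0 31
2009-07-25 08:40:02 172.22.243.17 PROPFIND /exchange/test1/ - 80 GingerCorptest1 10.171.86.231 {UA} 207 0 0 120
"""
MBX_LOG = f"""\
2009-07-25 07:10:02 172.22.243.21 PROPFIND /exchange/jond/ - 80 - 10.171.86.230 {UA} 401 2 5 0
2009-07-25 07:10:02 172.22.243.21 GET /exchange/ - 80 - 10.171.86.230 {UA} 401 2 5 0
"""

def parse(text):
    """Turn W3C log text into Entry tuples, skipping directives and malformed rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        entries.append(Entry(*parts))
    return entries

def proxied_auth_failures(cas_text, mbx_text):
    """Return sorted (client IP, URI) pairs that got 503 on the CAS and an
    anonymous 401.2 on the Mailbox server."""
    cas_503 = {(e.c_ip, e.uri) for e in parse(cas_text)
               if e.status == "503" and e.agent.startswith("Entourage/")}
    mbx_401_2 = {(e.c_ip, e.uri) for e in parse(mbx_text)
                 if (e.status, e.substatus) == ("401", "2") and e.user == "-"}
    return sorted(cas_503 & mbx_401_2)

if __name__ == "__main__":
    for ip, uri in proxied_auth_failures(CAS_LOG, MBX_LOG):
        print(f"{ip} {uri}: CAS 503 + Mailbox 401.2, check the IIS "
              "authentication and ISAPI role services on the Mailbox server")
```

The two logs are matched on client IP and URL only, because the timestamps in the page's CAS and Mailbox samples do not line up.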

TCPFlow Trace Sample

010.171.086.230.56838-172.022.243.017.00080: PROPFIND /exchange/jond/ HTTP/1.1

Host: WIN-2K8CAS

From: XX.XXX.XX.XXX

User-Agent: Entourage/12.20.0 (Intel Mac OS X 10.5.7)

Accept: */*

Accept-Language: en

Content-Type: text/xml; charset="utf-8"

Brief: t

Depth: 0

Translate: F

Cookie: sessionid=b89cbc13-598a-49b1-8872-c27892fec29f; cadata="4XhWohyWZGlfUKWuGMfb30DJc1V5COWSXGkP0mNkHNuVw3+afuMtv9NqEdzLz5CiyQa09IP3y18O3IrRI"

Content-Length: 293

Accept-Encoding: gzip

Connection: Keep-Alive

010.171.086.230.56838-172.022.243.017.00080: <?xml version="1.0"?><D:propfind xmlns:D="DAV:" xmlns:hm="urn:schemas:httpmail:" xmlns:r="https://schemas.microsoft.com/repl/"><D:prop><hm:inbox/><hm:outbox/><hm:contacts/><hm:calendar/><hm:sentitems/><hm:deleteditems/><hm:drafts/><hm:sendmsg/><hm:junkemail/><r:repl-uid/></D:prop></D:propfind>

XXX.XXX.XXX.XXX.00080-XXX.XXX.XXX.XXX.56838: HTTP/1.1 503 Service Unavailable

Content-Type: text/html

Server: Microsoft-IIS/7.0

Set-Cookie: OwaLbe={F20A247E-87A4-4F73-905B-ECDB4FCEBE5C}; path=/

MS-WebStorage: 08.01.10240

X-Powered-By: ASP.NET

Date: Sat, 25 Jul 2009 09:30:53 GMT

Connection: close

The service is unavailable.

<body><h2>HTTP/1.1 503 Service Unavailable</h2></body></HTML>

Comments

  • Anonymous
    January 01, 2003
    Thanks for this excellent post, Pawan. We struggled with this issue for a week before calling MS support and getting in contact with Pawan.  We had been chasing numerous other leads - recreating the legacy virtual directories and such, installing WebDAV for IIS 7, etc. - to no avail. Had I come across this blog post (posted a week before we encountered the problem) it would have saved me a great deal of time.  The proper IIS role services get installed with the CAS role - but not the mailbox role.  We were without any guidance as to installing these manually on the mailbox server - although I could see in the IIS logs that something wasn't being handled properly.  I would have never guessed the ISAPI Extensions was the missing requirement, although it certainly makes sense in retrospect. Anyway, thanks again for your assistance and for this timely blog post. -Gabe