Microsoft Outlook RCA Fails For Some Users But Passes For Other Users

Configuration:

Exchange Servers 2007 With SP1 On Server 2008 (Qty=3) All servers have OutlookAnywhere configured.

Newly Installed Exchange Server 2013 With CU9 on Windows 2012 R2 With all updates.

OWA and Mobile email works perfectly.

When I use the Microsoft RCA tool, for user 1, All tests pass.

When I test with user 2, the test fails. Both users are located on the same legacy 2007 server and are contained in the same mailbox database. They are also located in the same OU. The user that works is a normal user. The user that fails is a domain admin (not sure if that matters). Enable inheritance is enabled for both users. I have been working with Microsoft Support for the last week and it is still not resolved.

Here is the result for the failing user:

Attempting to ping RPC proxy mydomain.myorg.com.
  RPC Proxy can't be pinged.
 
 Additional Details
 
An unexpected network-level exception was encountered. Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
 at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
 at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
 at System.Net.HttpWebRequest.GetResponse()
 at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
 at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)


Elapsed Time: 392 ms. 

Here is the result of the working user:

Testing Outlook connectivity.
  The Outlook connectivity test completed successfully.
 
 Additional Details
 
Elapsed Time: 9279 ms.  

 
 
 Test Steps
 
 Testing RPC over HTTP connectivity to server mydomain.myorg.com
  RPC over HTTP connectivity was verified successfully.
 
 Additional Details
 
HTTP Response Headers:
request-id: 12b3bcd6-ea1a-4658-b2c5-a06adf5ad78d
Set-Cookie: ClientId=BRASCDK0XUESOOXJZSNLA; expires=Wed, 31-Aug-2016 18:40:28 GMT; path=/; HttpOnly
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="mydomain.myorg.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: 01SERVER014
Date: Tue, 01 Sep 2015 18:40:28 GMT
Content-Length: 0


Elapsed Time: 9279 ms.  

 
 
 Test Steps
 
 Attempting to resolve the host name mydomain.myorg.com in DNS.
  The host name resolved successfully.
 
 Additional Details
 
IP addresses returned: 8.36.32.164

Elapsed Time: 240 ms.  

 

 Testing TCP port 443 on host mydomain.myorg.com to ensure it's listening and open.
  The port was opened successfully.
 
 Additional Details
 
Elapsed Time: 176 ms.  

 

 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
 
 Additional Details
 
Elapsed Time: 189 ms.  

 
 
 Test Steps
 
 The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mydomain.myorg.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
 Additional Details
 
Remote Certificate Subject: CN=01SERVER.myorg.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

Elapsed Time: 146 ms.  

 

 Validating the certificate name.
  The certificate name was validated successfully.
 
 Additional Details
 
Host name mydomain.myorg.com was found in the Certificate Subject Alternative Name entry.

Elapsed Time: 1 ms.  

 

 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
 
 Test Steps
 
 The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=01server.myorg.com, OU=Domain Control Validated.
  One or more certificate chains were constructed successfully.
 
 Additional Details
 
A total of 1 chains were built. The highest quality chain ends in root certificate CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

Elapsed Time: 17 ms.  

 

 Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
 
 Additional Details
 
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Elapsed Time: 3 ms.  

 
 
 

 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
 
 Additional Details
 
The certificate is valid. NotBefore = 8/31/2015 5:22:03 PM, NotAfter = 8/17/2016 5:19:38 PM

Elapsed Time: 0 ms.  

 
 
 

 Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.
 
 Additional Details
 
Accept/Require Client Certificates isn't configured.

Elapsed Time: 333 ms.  

 

 Testing HTTP Authentication Methods for URL https://mydomain.myorg.com/rpc/rpcproxy.dll?01server14.myorg.com:6002.
  The HTTP authentication methods are correct.
 
 Additional Details
 
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
HTTP Response Headers:
request-id: 12b3bcd6-ea1a-4658-b2c5-a06adf5ad78d
Set-Cookie: ClientId=BRASCDK0XUESOOXJZSNLA; expires=Wed, 31-Aug-2016 18:40:28 GMT; path=/; HttpOnly
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="mydomain.myorg.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: 01SERVER14
Date: Tue, 01 Sep 2015 18:40:28 GMT
Content-Length: 0


Elapsed Time: 221 ms.  

 

 Attempting to ping RPC proxy mydomain.myorg.com.
  RPC Proxy was pinged successfully.
 
 Additional Details
 
Elapsed Time: 470 ms.  

 

 Attempting to ping the MAPI Mail Store endpoint with identity: 01SERVER14.myorg.com:6001.
  The endpoint was pinged successfully.
 
 Additional Details
 
The endpoint responded in 78 ms.

Elapsed Time: 83 ms.  

 

 Testing the MAPI Address Book endpoint on the Exchange server.
  The address book endpoint was tested successfully.
 
 Additional Details
 
Elapsed Time: 2463 ms.  

 
 
 Test Steps
 
 Attempting to ping the MAPI Address Book endpoint with identity: 01SERVER14.myorg.com:6004.
  The endpoint was pinged successfully.
 
 Additional Details
 
The endpoint responded in 906 ms.

Elapsed Time: 1904 ms.  

 

 Testing the address book "Check Name" operation for user user.name@myorg.com against server 01SERVER14.myorg.com
  Check Name succeeded.
 
 Additional Details
 
DisplayName: Name, User, LegDN: /o=MYORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user.name

Elapsed Time: 558 ms.  

 
 
 

 Testing the MAPI Referral service on the Exchange Server.
  The Referral service was tested successfully.
 
 Additional Details
 
Elapsed Time: 4301 ms.  

 
 
 Test Steps
 
 Attempting to ping the MAPI Referral Service endpoint with identity: 01server14.myorg.com:6002.
  The endpoint was pinged successfully.
 
 Additional Details
 
The endpoint responded in 359 ms.

Elapsed Time: 3354 ms.  

 

 Attempting to perform referral for user /o=MYORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user.name on server 01server14.myorg.com.
  We got the address book server successfully.
 
 Additional Details
 
The server returned by the Referral service: 01SERVER14.myorg.com

Elapsed Time: 946 ms.  

 
 
 

 Testing the MAPI Address Book endpoint on the Exchange server.
  The address book endpoint was tested successfully.
 
 Additional Details
 
Elapsed Time: 568 ms.  

 
 
 Test Steps
 
 Attempting to ping the MAPI Address Book endpoint with identity: 01SERVER14.myorg.com:6004.
  The endpoint was pinged successfully.
 
 Additional Details
 
The endpoint responded in 78 ms.

Elapsed Time: 83 ms.  

 

 Testing the address book "Check Name" operation for user user.name@mydomain.com against server 01SERVER14.myorg.com.
  Check Name succeeded.
 
 Additional Details
 
DisplayName: Name, User, LegDN: /o=MYORG/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user.name

Elapsed Time: 485 ms.  

 
 
 

 Testing the MAPI Mail Store endpoint on the Exchange server.
  We successfully tested the Mail Store endpoint.
 
 Additional Details
 
Elapsed Time: 229 ms.  

 
 
 Test Steps
 
 Attempting to ping the MAPI Mail Store endpoint with identity: 01server14.myorg.com:6001.
  The endpoint was pinged successfully.
 
 Additional Details
 
The endpoint responded in 78 ms.

Elapsed Time: 72 ms.  

 

 Attempting to log on to the Mailbox.
  We were able to log on to the Mailbox.
 
 Additional Details
 
Elapsed Time: 157 ms.  
 
 
 
 
 
 
 

September 1st, 2015 2:50pm

Hi,

I noticed that the issue only happens to Domain Admin account. Please double confirm whether the issue happens to new created Exchange account. Please move the problematic account to another database to have a try.

Additionally, please run the following command for the problematic user to check whether the Outlook Anywhere is blocked for this user:

Get-CASMailbox -Identity admin@domain.com | fl *mapi*

Please make sure the MAPIBlockOutlookRpcHttp is set to False:

Set-CASMailbox -Identity "admin@domain.com" -MapiBlockOutlookRPCHttp $False

If there are any other event logs related to this domain admin account in Event Viewer, please collect some for further analysis.

Regards,

September 1st, 2015 11:25pm

"Please double confirm whether the issue happens to new created Exchange account. Please move the problematic account to another database to have a try."

Moved the user to a new database and have the same issue. This issue is happening to more than one user also. And those users are not Domain admins.

I created a brand new account and mailbox and it does not have the issue.

"Additionally, please run the following command for the problematic user to check whether the Outlook Anywhere is blocked for this user:"

Get-CASMailbox -Identity admin@domain.com | fl *mapi*

MAPIEnabled                   : True
MAPIBlockOutlookNonCachedMode : False
MAPIBlockOutlookVersions      :
MAPIBlockOutlookRpcHttp       : False

I even went as far as copying the AD account and creating a mailbox for the newly copied user. With the new user, it works.

Is there a flag/AD setting for the account that I need to check/reset? Cannot afford to recreate all the users having the issue.

Thanks in advance.

September 2nd, 2015 7:14am

Go to ADSIEdit and open the working user and the failing user and compare the Exchange attributes. You may find the issue here. 

You can also try disabling the mailbox then reconnecting it to the user. I think this may rewrite the Exchange attributes. 

Thanks.

September 2nd, 2015 7:34pm

If I create a new mailbox on the old 2007 Server, it works.

If I move a user that is broken to the new 2013 Exchange Server, the problem is resolved.

I tried disabling a user's mailbox and then reconnecting it to that user. Same result. Fails. It's only some of the existing users who are on the 2007 servers.

Where/How would I look at the attributes using adsiedit to compare? Eventually we are migrating all of the users to 2013 but we need to fix the issue for the interim.

September 4th, 2015 9:05am

You need to open ADSIEdit.msc from the run menu > right click the top node > connect to > leave defaults and press OK > drill down to a working user and failed user and compare the Exchange attributes.

See more information here on ADSIEdit: https://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx#BKMK_UsingADSIEdit 

As for permissions, please check that the permissions on the OU for the user include inheritable permissions from the parent, and also ensure that the user object includes them. You can also test by moving the user account into the Users container, as then there are no OU permissions in play.

Are users moving into the same database and are they moving to the same E2K13 server? 

Thanks.

September 4th, 2015 11:49am
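
The attribute and permission comparison suggested above can be scripted instead of being read by eye in ADSIEdit. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and `working.user` and `failing.user` are placeholder account names.

```powershell
# Added example: compare a working and a failing account attribute by attribute.
# 'working.user' and 'failing.user' are placeholders, not accounts from the thread.
Import-Module ActiveDirectory

$working = Get-ADUser -Identity 'working.user' -Properties *
$failing = Get-ADUser -Identity 'failing.user' -Properties *

# Attributes that always differ between two accounts and only add noise.
$skip = 'objectGUID', 'objectSid', 'SID', 'whenCreated', 'whenChanged',
        'uSNCreated', 'uSNChanged', 'Created', 'Modified',
        'createTimeStamp', 'modifyTimeStamp', 'nTSecurityDescriptor',
        'lastLogon', 'lastLogonTimestamp', 'LastLogonDate', 'pwdLastSet',
        'PasswordLastSet', 'logonCount', 'dSCorePropagationData'

$names = @($working.PropertyNames) + @($failing.PropertyNames) |
    Sort-Object -Unique |
    Where-Object { $skip -notcontains $_ }

# Flatten multi-valued attributes to strings so they compare cleanly.
$diff = foreach ($n in $names) {
    $w = @($working.$n | ForEach-Object { "$_" }) -join '; '
    $f = @($failing.$n | ForEach-Object { "$_" }) -join '; '
    if ($w -ne $f) {
        [pscustomobject]@{ Attribute = $n; Working = $w; Failing = $f }
    }
}
$diff | Format-Table -AutoSize -Wrap

# Compare the security descriptor on each user object: whether inheritance is
# blocked on the object itself and whether explicit Deny ACEs are present.
# adminCount is shown because one failing account is a domain admin.
foreach ($u in $working, $failing) {
    $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
    [pscustomobject]@{
        User               = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitAces       = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        ExplicitDenyAces   = @($acl.Access | Where-Object {
                                 -not $_.IsInherited -and
                                 $_.AccessControlType -eq 'Deny' }).Count
    }
}
```

Per-account identity attributes (name, DN, mail addresses, msExch GUIDs) will still appear in the first table; the rows of interest are the ones where the failing account has a value the working account lacks, or the reverse.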

Users are in the same OU. One works and the other doesn't. Looked at the attributes for msExch and the only differences are the GUIDs for each. Nothing denied. Inheritable permissions are enabled for the users.

Users are being moved to same database when migrated to 2013 exchange.

The working and failing users are currently on the same 2007 server and in the same database. Tried moving the failing user to another 2007 database. Same result.

Is there a way to copy the rights on one user and apply them to a non-working user?

Totally baffled by this one.

September 4th, 2015 12:53pm

Hi,

Since everything can work fine in Exchange 2013 and the issue only happens to some old users in Exchange 2007, I suggest we can consider moving all problematic users to Exchange 2013 as a workaround.

Regards,

September 7th, 2015 2:32am
