OAB is horribly broken
Hello all, we have an Exchange 2010 server on one domain (let's call it Company.local) in one location, and a second location that is operating on a different domain/forest altogether (City.Company). The two domains have a two-way trust set up between them so that user accounts are recognized between them, and communicate via a hardware-based VPN tunnel.
To set up City.Company users with mailboxes in Exchange we made linked mailboxes, which has worked fine for the most part.
Historically users have had no problems logging in to OWA, and their Outlook 2010 clients worked normally.
Yesterday, users began reporting from the secondary site that they were getting password prompts, and regardless of what was tried it just looped the request. If the "Connection Status" of the Outlook client was opened it showed that the request was due to the Offline Address Book (and indeed the prompt would always appear *after* the client would sync all of the mail, so it wasn't as if the client couldn't connect to Exchange at all).
Going down that rabbit hole, I ran ProcessMon on the server and found that the w3wp service was trying to use the NT AUTHORITY\IUSR account to access the OAB.xml file found on the Exchange server, and sure enough on the parent GUID folder the IUSR account was set to have its Read permissions denied. Setting this to allow fixed the issue, letting users download the OAB. However, when the Exchange File Distribution Service runs it resets the permissions, so it is only a temporary fix.
Any ideas?
April 20th, 2012 12:38pm
Check this site for OAB defaults.
http://technet.microsoft.com/en-us/library/gg247612.aspx
Also check the DefaultAppPool on your CAS to make sure the Identity the pool is running under is ApplicationPoolIdentity. This is assuming you have not changed OAB into a standalone application with its own AppPool.
April 23rd, 2012 2:10pm
I'm showing the DefaultAppPool is running as ApplicationPoolIdentity, and all MSExchange* pools are running as LocalSystem. Additionally, I noticed that I had Anonymous and Basic enabled for OAB in addition to Windows authentication. Disabling Basic had no effect either way, but disabling Anonymous access results in the authentication loop even with the IUSR read access band-aid in place on the "...\ClientAccess\OAB\GUID" folder. This is starting to make some sense; as I recall the IUSR account is only used for anonymous access.
What is odd is that users on the Company.local domain have no issues; it is only those coming from the City.Company domain. It's acting like Exchange simply doesn't know who those users are, and even then only for the OAB functionality. Even more odd is that this worked before, and only broke during a patch a couple of months ago.
April 23rd, 2012 2:29pm
Check this article on permissions for linked mailboxes in remote forests:
http://technet.microsoft.com/en-us/library/dd298099.aspx#Configure
Also, have you verified that your trust is fully functional?
April 24th, 2012 8:28am
How is your DNS setup across the two domains? Are you using 2008 servers? It sounds like a problem with the DNS queries between the two domains.
Have a look at this: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/7c2a21c4-4e0f-43c8-8089-3dc6441bb1aa
--Mike--
April 30th, 2012 10:36am
On your Client Access Servers, check the web.config file under the OAB vdir (typically at C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB) and make sure Authenticated Users is listed with read/execute permissions. It's a long shot, but something else to check.
May 1st, 2012 12:01pm
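An added check script that gathers the items raised across this thread in one place (it is not from any of the posters): Deny ACEs for IUSR on the OAB GUID folders, Read & Execute for Authenticated Users on web.config, the DefaultAppPool identity, and which authentication methods are enabled on the OAB vdir. It assumes the default Exchange 2010 CAS path quoted in the thread, the OAB vdir under "Default Web Site", and the IIS WebAdministration module, run from an elevated PowerShell on the CAS.

```powershell
# Added diagnostic for the checks discussed in this thread; read-only, changes nothing.
# Assumptions: default Exchange 2010 CAS path, OAB vdir under "Default Web Site",
# WebAdministration module present (Windows Server 2008 R2), elevated session.
Import-Module WebAdministration

$oabRoot  = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB'
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-OabAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $authUsersOk = $false
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # A Deny ACE for IUSR on the GUID folder is what the ProcMon trace in the thread showed
        if ($ace.AccessControlType -eq 'Deny' -and $id -like '*\IUSR') {
            Write-Warning "$Path : DENY $($ace.FileSystemRights) for $id"
        }
        # Authenticated Users needs at least Read & Execute (the web.config suggestion above)
        if ($ace.AccessControlType -eq 'Allow' -and $id -eq 'NT AUTHORITY\Authenticated Users' -and
            (($ace.FileSystemRights -band $readExec) -eq $readExec)) {
            $authUsersOk = $true
        }
    }
    if (-not $authUsersOk) { Write-Warning "$Path : Authenticated Users lacks Read & Execute" }
}

# web.config in the vdir root, then every GUID folder that holds an OAB.xml
Test-OabAcl (Join-Path $oabRoot 'web.config')
Get-ChildItem -Path $oabRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    Test-OabAcl $_.FullName
}

# DefaultAppPool should be running as ApplicationPoolIdentity, not a custom account
$identity = (Get-ItemProperty -Path 'IIS:\AppPools\DefaultAppPool' -Name processModel).identityType
Write-Output "DefaultAppPool identity: $identity"

# Authentication methods enabled on the OAB virtual directory
foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    $raw = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/OAB' `
        -Filter "system.webServer/security/authentication/$method" -Name enabled
    # The provider returns either a bare bool or a ConfigurationAttribute with a .Value
    $enabled = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }
    Write-Output ("{0,-24} enabled = {1}" -f $method, $enabled)
}
```

Because the File Distribution Service rewrites the folder ACLs, rerun the script after a distribution cycle to see whether a fix survived rather than trusting a single pass.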