Archive for Exchange

Aug
10

Public Folder problem caused by Client-side Outlook Security update

by dave

Post to Twitter Post to Facebook Post to StumbleUpon

Just a heads up. If any of your clients have a user that complains that they can’t access public folders, they may be having a problem with a recent client-side Outlook 2007 security update. If they attempt to access public folders and are getting this error:

Cannot expand the folder. The attempt to log on to Microsoft Exchange has failed

It’s likely that they recently installed KB980376. As of today, the only known fix is to uninstall that security update from the client machine so that they can get into public folders.

0 Categories : Dave Shackelford, Exchange, SBS 2008
Jun
22

Giving one user access to another's mailbox via PowerShell

by dave

Post to Twitter Post to Facebook Post to StumbleUpon

There are plenty of reasons why you might want to give one user access to another user’s mailbox. The first user may be in the hospital, or under HR review, or maybe they’ve been dropping the ball lately and management need to make sure that certain projects have been followed up on. It’s not really our job to care. The fact is, Bill in management has requested that you give Paul Stanley access to Gene Simmon’s mailbox, and for various reasons, logging on to Gene’s mailbox to set these permissions up is not a good option. For one, you’d only be able to delegate access to certain primary folders, not to the whole mailbox, and second, you’d have to know Gene’s password to do that. Because you are a smart admin, you tell Bill you can take care of it easily from the server. And here’s how you do it with Exchange 2007 or Exchange 2010:

Using this powershell command, you can give one user the permission to open and view another user’s entire mailbox. They won’t be able to send mail from that mailbox though, unless you add the SendAs permission:

Add-MailboxPermission user1 -User user2 -AccessRights fullaccess

So if you wanted to give Paul Stanley access to Gene Simmons’ mailbox, you would do this:

Add-MailboxPermission gsimmons -user pstanley -AccessRights fullaccess

To add sending functionality, you would do this:

Add-MailboxPermission gsimmons -User pstanley -AccessRights sendas

Make sure you run the Exchange Management Shell as Admin (escalated) or you may not get the results you were expecting.

If you want to verify the permissions you’ve given Paul, you can run this command:

Get-MailboxPermission gsimmons -User pstanley | fl

After you tell Bill that you’ve taken care of it, he asks you what Paul is supposed to do to view the mailbox. You send him the following instructions:

In Outlook, go into Tools -> Account Settingss and open up the properties on your Exchange email account. Choose More Settings, and when you get to the tabbed window, choose the Advanced tab.

On the Advanced tab, you will see the option to open additional mailboxes. Click Add and type the name of the user whose mailbox you want to open. In this case, Paul could type “Gene Simmons” or “gsimmons”. OK all the way out, and you should see another root mailbox for Gene Simmons added to Paul’s Outlook.

And yes, this can be done in the Exchange Management Console, but PowerShell is quicker!

0 Categories : Dave Shackelford, Exchange, SBS 2008, Tips
Feb
10

User can't log into OWA

by dave

Post to Twitter Post to Facebook Post to StumbleUpon

Sometimes a strange situation crops up in which a user can access his Exchange 2003 email from an Outlook client without trouble, but can’t successfully log into Outlook Web Access. You will get the standard, “You could not be logged on to Outlook Web Access” error message.

Chances are this user recently had a password change, or maybe the users account was deleted and then recreated again. But you’ve checked everything: the password, the OWA feature turned on for that user, the ability to log on with other user accounts, the temporary internet files cache, IISRESET. But nothing works–no matter which workstation you use to access OWA, you can’t log on as that user.

If you really press on and actually reboot the server, you find that the problem is resolved, but you are left uneasy. What actually happened, and why did it take a server reboot to fix it? Very unsatisfactory.

The problem is actually related to how IIS caches credentials when it uses Forms Based Authentication. If you change a user password or delete and recreate a user account, sometimes IIS has a different SID/password cached for that user and any attempts to authenticate will fail until that cache is emptied. An IISRESET will not resolve the problem, but a reboot will.

But there’s another way to resolve this without a reboot.

1. Open up the Exchange System Manager and drill down into the Server section and down into Protocols.
2. Open the HTTP folder and get properties on Exchange Virtual Server.
3. Go into the Settings tab and uncheck the  Enable Forms Based Authentication checkbox. Apply it.
4. Go to the command-line and do an IISRESET.
5. Now go and recheck the Enable Forms Based Authentication checkbox.

That’s it. You should be able to log into OWA with that user now.

1 Categories : Dave Shackelford, Exchange
Dec
19

Outlook Repeatedly Prompting for Authentication

by Third Tier

Post to Twitter Post to Facebook Post to StumbleUpon

We’ve seen a large number of people posting in various newsgroups, web forums, mailing lists, etc., regarding a sudden change in behavior in Outlook where it starts prompting for authentication on a regular basis. Many of the ones we’ve seen have been Outlook 2007 against SBS 2008 (Exchange 2007).

We’ve found one possible source for this behavior, see if this matches your situation:

If you have installed any of the following updates on the workstations, it changes the authentication mechanism.

970430 Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
974318 Vulnerabilities in the Internet Authentication service could allow remote code execution
976325 MS09-072: Cumulative security update for Internet Explorer
971737 Description of the update that implements Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)
973917 Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)

These updates can come down automatically and they are on the assumption that you have already applied the latest rollup from Exchange which was released a while back. If you have not, then Outlook will no longer be able to retain its authentication with the Exchange.

You can download it here: You will need to restart the server afterwards

Install Update Rollup 9 for Exchange Server 2007 Service Pack 1 (KB970162)
http://www.microsoft.com/downloads/details.aspx?FamilyID=55320be2-c65c-48bb-bab8-6335aa7d008c&displaylang=en

Exchange Rollup 9 should be coming down via WSUS, if you are using that. If you are not, then it is also an automatic update from Microsoft Update. If you are using another patching mechanism be sure to include Exchange Rollups in the configuration.

Other resources will point out that Exchange SP2 also includes the updates that will address this issue, but as Exchange 2007 SP2 is a challenge to install on an SBS 2008 server, we recommend holding off on installing SP2 on an SBS 2008 server and wait for updated instructions for how to safely install that update.

Hopefully this will help some of you who haven’t found the solution on your own just yet.

—–

So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.
Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN
0 Categories : Eriq Neale, SBS 2008

Search

Support

Third Tier provides advanced support services to IT Professionals. Learn about what we do at http://www.thirdtier.net or click on the support icon below to chat with one of our support representatives.

Third Tier
Copyright © 2013 All Rights Reserved
iThemes Builder by iThemes
Powered by WordPress