OAB issues after simplifying the OWA 2010 URL?
Back since Exchange Server 5.0 which was the first version to include a webmail service (at the time known as Exchange Web Connect before renamed to Outlook Web Access, and now with Exchange 2010 renamed to Outlook Web App), customers typically required the webmail URL to be simplified. That is changed in such a way that users could simply enter “mail.domain.com” instead of https://mail.domain.com/exchange” or “https://mail.domain.com/owa”.
Back when we installed Exchange Server on top of Windows Server NT/2000/2003 this was often accomplished using an ASP or HTM webpage with some redirection code in it.
Then came Windows Server 2008/2008 R2 and a new IIS feature called “HTTP Redirect”. As you can see in the figure below this feature makes it possible to redirect incoming requests to a web site or a virtual directory underneath it. For details on how to redirect “mail.domain.com” to “https://mail.domain.com/owa” see this previous blog post of mine.
So why this post? Well, because I hit a nasty issue where the “HTTP Redirect” feature was the unforgiving sinner. After having performed the steps required for simplifying the OWA 2010 URL, internal Outlook MAPI clients as well as Outlook Anywhere clients had trouble downloading the offline address book (OAB). I didn’t get any sync error or anything in Outlook, the progress bar just stopped halfway through!
In this specific scenario Exchange was published using ISA 2006. Then why the re-direct configured in IIS and not on the ISA array you grumble? Because I had Exchange 2007 and 2010 co-existence configured and needed SSO experience for OWA hitting the Exchange 2010 CAS server. As some of you probably know you cannot pre-authenticate at the ISA layer and still experience SSO, when redirection occurs between Exchange 2007 and 2010 CAS servers in the same AD site (read more about this in the end of Ross Smith’s excellent blog post over the MSExchangeTeam.com blog).
So I quickly blamed ISA but I was wrong. Very very wrong. As those of you who have read my blog post on how to simplify the OWA 2010 URL knows, when you enable “HTTP redirect” on the default web site, all virtual directories underneath it inherits this setting. So you need to uncheck the setting on all vdirs afterwards. When “HTTP redirect” is enabled for a vdir, IIS configures/creates a web.config file for each vdir and “Authenticated users” are given read/execute permissions on this file. But unlike the web.config file for the other vdirs (Autodiscover, ECP, EWS, OWA and so on), the web.config file associated with the OAB vdir is configured so that “System” and “local administrators” are given full control but “Authenticated users” for some reason doesn’t get read/execute permissions assigned when it comes to this specific file.
Guess what the solution was? Yes correct I added “Authenticated users” with read/execute permissions as shown in figure 2:
…and voilá, clients could once again download the OAB file.
Cheers,
Henrik Walther
Technology Architect/Writer
MCM: Exchange 2007 | MVP: Exchange Architecture
MCITP: EMA + EA | MCSE: M + S | TechNet Influent
Brian Desmond Says:
March 22nd, 2010 at 2:09 pm
I ran in to a similiar problem at a customer - ended up just creating a new OAB vdir and that did the trick as well.
Reda Sherief Says:
March 27th, 2010 at 5:22 am
Thanks Henrik,
I really faced the same phenomenon, even after removing the IIS redirection, the OAB couldn’t be downloaded.
Welcome to IIS 7.5
enrique Says:
November 5th, 2010 at 5:07 am
Thanks man, you just saved me from spending a weekend in the office trying to fix it.
great post
btw, I have exchange 2007, your solution works perfectly
Mike Niccum Says:
December 16th, 2010 at 12:35 pm
I have been fighting this for days. Thanks for the post.
Mark Says:
January 18th, 2011 at 8:04 pm
Hi Guys,
Were you getting Event 1309 ASP.NET 2.0.50727.0 errors when the OAB wasnt working?
Henrik Walther Says:
January 19th, 2011 at 2:22 am
Actually I can’t remember. But have you tried to change the permissions on the web.config file?
Alan Says:
February 15th, 2011 at 8:08 pm
Henrik,
I cannot find the web.config file for OAB on Exchange 2010 SP1…?
Can you please provide the path?
Thanks!
Henrik Walther Says:
February 16th, 2011 at 12:21 am
Alan - It won’t be created before you have setup HTTPS redirect on the default web site.
Henrik
Alan Says:
February 16th, 2011 at 11:53 am
I do have HTTP Redirect (to https://…/owa) on the default web site on my CAS servers. But vdir for OAB on the CAS do not create any web.config file at all, I’m running SP1 RU2 and all my roles are seperated.
Reason I’m chasing this I currently have Event 9359s and 9339 happening and going nuts
Eric Says:
June 18th, 2011 at 7:05 pm
A billion thanks to you Henrik !!!
I just spent hours going through endless tests, reconfigurations and finger exhausting scripting commands with no luck. I simply changed AU permissions on the config file, went on a client’s 2007 outlook and send/receive -> download address book……and what do you know? It worked. Thank you….
Henrik Walther Says:
June 19th, 2011 at 1:35 am
Glad to hear you nailed it….
Mattias Says:
June 19th, 2011 at 2:13 pm
Yes! I have spent hours and hours at a customer to work this out. Thanks Henrik!
Claes Abrahamsson Says:
July 4th, 2011 at 2:11 pm
Thanks a lot! Spent the whole weekend migrating the entire organization and I couldn´t work this particular problem out.
Henrik Walther Says:
July 5th, 2011 at 1:51 pm
Good to hear the blog post helped you Claes…
Henrik
Mike Koch Says:
August 25th, 2011 at 10:10 pm
I added the permission to the OAB folder itself, but the permissions get reset every time the server is rebooted.
Clem Says:
September 19th, 2011 at 8:29 pm
OMG this worked….. TMG was unable to access the OAB site and i had no idea why. Thanks so much
Henrik Walther Says:
September 20th, 2011 at 12:28 am
Glad to hear it worked for you and you’re welcome…
» Set-Exchange2010RedirectSSL.ps1 – Redirecting the root web site to /owa and forcing SSL in Exchange 2010 Ehlo World! Says:
September 22nd, 2011 at 9:47 pm
[…] Server Tags: Exchange Management Shell, Exchange Server 2010, Outlook Web Access Comments (0) Trackbacks (0) Leave a commentTrackback […]
Jan Kovar Says:
March 18th, 2012 at 8:15 am
Thank you very much. I spent three days with it. I ended up with network monitor a cheking all the communication. I tried to create a new virtual directory, disable redirection, lot of other stupid or less stupid ideas. I was already thinking about installation of new exchange server and moving all services there. I am soooo glad that I did not have to do that.
Henrik Walther Says:
March 18th, 2012 at 11:50 am
Glad to hear you got the issue resolved. There’s nothing as frustrating and boring as troubleshooting an OAB issue
Henrik
Redirecting OWA Urls in Exchange 2010 | HOW EXCHANGE WORKS Says:
April 19th, 2012 at 4:30 am
[…] Check Pat Richard’s article if you want the process to be scripted and Henrik Walther’s post for a related OAB issue once the redirection is in place. SUBSCRIBE FOR DAILY ARTICLE UPDATES VIA EMAILGet the published articles delivered straight to your inbox. Your details will not be passed to any third party company.Your Email: […]