Connection problems to Exchange after user account changes

costas.manousakis

Hi,
Our IT dept started switching users from a Win2000 environment to an XP
environment. They're doing it to switch to an Active Directory setup.
When they switch a user, they apply restrictions to his profile so that
he/she can only log in to a specific workstation. When this is done to
users who have both Macs and PCs, they cannot connect with Entourage
2004 or Outlook 2001 to the Exchange server from the Mac (OS X 10.3.9).
We have added the Mac's name from the Sharing preferences to the list
of allowed workstations in their AD permissions. That lets them connect
to SMB shares, but not the Exchange server. We have also added the name
of the Exchange server to the list but still no go. The error message
they get is that the username/password is incorrect. They can connect
using OWA from Firefox to http://exchangeserver/exchange. The only
solution we've found is if they don't have any restrictions on where
they can log in to. However, IT is balking seriously at this option.
Does anyone have any suggestions/solutions to this?

TIA
Costas
 
Corentin Cras-Méneur


Hi Costas,

> Our IT dept started switching users from a Win2000 environment to an XP
> environment. They're doing it to switch to an Active Directory setup.
> When they switch a user, they apply restrictions to his profile so that
> he/she can only log in to a specific workstation. When this is done to
> users who have both Macs and PCs, they cannot connect with Entourage
> 2004 or Outlook 2001 to the Exchange server from the Mac (OS X 10.3.9).

Ouch ouch... AD is a pain. I've done anything I could to stay away from
it.

> We have added the Mac's name from the Sharing preferences to the list
> of allowed workstations in their AD permissions. That lets them connect
> to SMB shares, but not the Exchange server. We have also added the name
> of the Exchange server to the list but still no go. The error message
> they get is that the username/password is incorrect.

If you are under Tiger (Mac OS X 10.4), you can actually use AD on your
Mac (you need to set it up with the Directory Utility application).

> They can connect using OWA from Firefox to
> http://exchangeserver/exchange. The only solution we've found is if
> they don't have any restrictions on where they can log in to. However,
> IT is balking seriously at this option.
> Does anyone have any suggestions/solutions to this?

They can connect through OWA but not Entourage???
Try copying the URL from your web browser (e.g.
http://exchangeserver/me/exchange) and use it directly in the Entourage
Exchange settings for the server address. That might do the trick.

Corentin
 
CostasM

Hi Corentin,

> If you are under Tiger (Mac OS X 10.4), you can actually use AD on your
> Mac (you need to set it up with the Directory Utility application).

At the moment we are at 10.3.9. I saw some instructions on using AD.
They need IT to let us join the domain or something like that.

> They can connect through OWA but not Entourage???
> Try copying the URL from your web browser (e.g.
> http://exchangeserver/me/exchange) and use it directly in the Entourage
> Exchange settings for the server address. That might do the trick.

I had seen this suggestion for other problems and tried it. One thing
different in our setup is that the URL does not have the 'me' anywhere.
It did not work anyway. Seems Entourage authenticates differently than
the browser OWA client. Does anyone know how it might be different?

Thanks
Costas
 
CostasM

Corentin said:
> Hi Costas,
>
> Ouch ouch... AD is a pain. I've done anything I could to stay away from
> it.
>
> If you are under Tiger (Mac OS X 10.4), you can actually use AD on your
> Mac (you need to set it up with the Directory Utility application).
>
> They can connect through OWA but not Entourage???
> Try copying the URL from your web browser (e.g.
> http://exchangeserver/me/exchange) and use it directly in the Entourage
> Exchange settings for the server address. That might do the trick.
>
> Corentin
>
> --
> --- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
> http://www.mvps.org - http://mvp.support.microsoft.com
> MVPs are not MS employees
> Remove "NoSpam" to e-mail me
 
Corentin Cras-Méneur

CostasM said:
> At the moment we are at 10.3.9. I saw some instructions on using AD.
> They need IT to let us join the domain or something like that.

Hum, I don't know about 10.3.9.... Some of the features you need might
be 10.4 only :-\

[...]
> I had seen this suggestion for other problems and tried it. One thing
> different in our setup is that the URL does not have the 'me' anywhere.

I see. The admin must have customized something there.

> It did not work anyway. Seems Entourage authenticates differently than
> the browser OWA client. Does anyone know how it might be different?

Well, Entourage uses OWA to connect to Exchange servers (as of Entourage
2004). That's why using the http:// link works just fine in most cases
(and also why the Exchange server you connect to must have OWA active
to allow Entourage connections).
I suspect the authentication scheme on your server is different from the
standard one :-\

Corentin
 
CostasM

Corentin said:
> Well, Entourage uses OWA to connect to Exchange servers (as of Entourage
> 2004). That's why using the http:// link works just fine in most cases
> (and also why the Exchange server you connect to must have OWA active
> to allow Entourage connections).
> I suspect the authentication scheme on your server is different from the
> standard one :-\

I guess that's what requires some digging. I'm not sure if they changed
anything on the Exchange server. I can go on the same Mac and
successfully create an Entourage/Exchange account for a user who has not
been migrated to an 'IT - XP' account. If I try a 'migrated' user I get an
error when verifying the settings ("Entourage cannot connect to the
server. Verify computer is on the network (-3260)"). Then it indicates
that the Exchange server is incorrect, but it's the same as before.
Any more thoughts on this? Maybe a direction that I can research or ask
IT?
Costas
 
Corentin Cras-Méneur

CostasM said:
> I tried Interarchy to scan the open ports. Our Exchange server is not
> the same as the LDAP. So I scanned for port 80 on the Exchange and 389
> on the LDAP. They were both open. Is there something else I should be
> looking for?

OWA uses port 80 (when it's not being used over SSL).
Try using Interarchy to monitor traffic on port 80 as you launch
Entourage and attempt to connect.
That will provide you with a detailed log of the communication between
the server and Entourage. Hopefully, you'll find clues of the reasons
why it fails in there :-\

Corentin
 
CostasM

Tried Interarchy. I see the requests from the Mac to the Exchange
server:
1st is a PROPFIND with no Authorization at the end. It gets an "Access
denied" message back.
2nd is another PROPFIND and it appears to have some NTLM authorization at
the end. Again "Access denied".
3rd is another PROPFIND request with the Authorization string being
longer. Then it gets a "Local Security Authority cannot be contacted".

Then there is a series of 3 GET requests with same replies.

When I tried Firefox to get to the same server, I saw GET requests. It
seems that they are similar to the GET requests from Entourage. The
first two also get "Access denied" but the 3rd one with the longer
authorization string seems to get accepted.

Does this make any sense?

Costas
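
The three-request pattern in the trace above (no Authorization, then a short NTLM header, then a longer one) is the NTLM over HTTP handshake: Type 1 NEGOTIATE, server Type 2 CHALLENGE in the 401's WWW-Authenticate, then Type 3 AUTHENTICATE, which is the longer header and the only one that carries the domain, user name and the client's workstation name. Because the account restriction in this thread is a per-workstation logon restriction, the Workstation field the Mac presents in that third message is the obvious thing to decode and compare against the list IT allowed, and to compare against what Firefox sends in its accepted third GET. The following is an added example, not code from the thread, Entourage or Exchange: it builds constructed Type 1 and Type 3 messages, parses them out of `Authorization: NTLM ...` header values, and models the workstation check as a plain name comparison. The domain, user, workstation and allowed-list values are all made up for illustration, and `workstation_allowed` is a simplified model of the check, not a reproduction of the domain controller's logic.

```python
"""Decode the NTLM 'Authorization' headers seen in the trace above.

Added example (not code from the thread, Entourage or Exchange). It builds
constructed Type 1 (NEGOTIATE) and Type 3 (AUTHENTICATE) messages as an HTTP
client sends them across three requests, then parses them to expose the
Domain, User and Workstation fields carried in the third, longer header.
"""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # string fields are UTF-16LE
NEGOTIATE_NTLM = 0x00000200     # plain NTLM
DEFAULT_FLAGS = NEGOTIATE_UNICODE | NEGOTIATE_NTLM


def _secbuf(data: bytes, offset: int) -> bytes:
    """NTLM security buffer: length, max length, offset into the message."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_negotiate(flags: int = DEFAULT_FLAGS) -> bytes:
    """Type 1: signature, type, flags, then empty domain/workstation buffers (32 bytes)."""
    return (NTLMSSP + struct.pack("<II", 1, flags)
            + _secbuf(b"", 32) + _secbuf(b"", 32))


def build_authenticate(domain: str, user: str, workstation: str,
                       flags: int = DEFAULT_FLAGS) -> bytes:
    """Type 3: 64-byte header (six security buffers + flags), then the payload.
    The 24-byte LM/NT responses are zero dummies; the string fields matter here."""
    fields = [b"\x00" * 24, b"\x00" * 24,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]  # last: session key (empty)
    offset, bufs, payload = 64, b"", b""
    for f in fields:
        bufs += _secbuf(f, offset)
        payload += f
        offset += len(f)
    return NTLMSSP + struct.pack("<I", 3) + bufs + struct.pack("<I", flags) + payload


def ntlm_header(msg: bytes) -> str:
    """Wrap a raw message as the value of an 'Authorization: NTLM <base64>' header."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_ntlm_header(value: str) -> dict:
    """Parse an Authorization header value carrying an NTLM message."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if not msg.startswith(NTLMSSP) or len(msg) < 12:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": mtype, "length": len(msg)}
    if mtype == 1:
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        info["flags"] = flags
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # cp437: assumed OEM page
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
            info[name] = msg[start:start + length].decode(enc)
    return info


def workstation_allowed(info: dict, allowed: list) -> bool:
    """Simplified model (assumption, not the DC's real code) of an AD 'Log On To'
    restriction: the Workstation field of the Type 3 message must match one of
    the account's allowed names, compared case-insensitively like NetBIOS names."""
    return info.get("workstation", "").upper() in {a.upper() for a in allowed}


# Constructed trace: the three PROPFINDs from the post, as (method, Authorization value).
SAMPLE_TRACE = [
    ("PROPFIND", None),
    ("PROPFIND", ntlm_header(build_negotiate())),
    ("PROPFIND", ntlm_header(build_authenticate("CORP", "costas", "MACBOOK-OSX"))),
]


def summarize_trace(trace) -> list:
    """One line per request: which NTLM step it is and what it carries."""
    out = []
    for method, auth in trace:
        if auth is None:
            out.append(f"{method}: no Authorization (expect 401 + WWW-Authenticate: NTLM)")
            continue
        info = parse_ntlm_header(auth)
        desc = f"{method}: NTLM type {info['type']}, {info['length']} bytes"
        if info["type"] == 3:
            desc += (f", domain={info['domain']} user={info['user']}"
                     f" workstation={info['workstation']}")
        out.append(desc)
    return out


if __name__ == "__main__":
    for line in summarize_trace(SAMPLE_TRACE):
        print(line)
```

To apply it to a real capture, paste the base64 part of each request's Authorization header into `parse_ntlm_header` and compare the `workstation` value from Entourage's third PROPFIND with the one from Firefox's accepted third GET and with the names IT added to the account; a mismatch (or an empty field) is the first thing to take back to IT.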
 
Corentin Cras-Méneur

CostasM said:
> Tried Interarchy. I see the requests from the Mac to the Exchange
> server:
> 1st is a PROPFIND with no Authorization at the end. It gets an "Access
> denied" message back.
> 2nd is another PROPFIND and it appears to have some NTLM authorization at
> the end. Again "Access denied".
> 3rd is another PROPFIND request with the Authorization string being
> longer. Then it gets a "Local Security Authority cannot be contacted".
>
> Then there is a series of 3 GET requests with same replies.
>
> When I tried Firefox to get to the same server, I saw GET requests. It
> seems that they are similar to the GET requests from Entourage. The
> first two also get "Access denied" but the 3rd one with the longer
> authorization string seems to get accepted.
>
> Does this make any sense?

To some respect.... Can you connect to OWA through Safari?
"Local Security Authority cannot be contacted" makes me wonder whether
there is some sort of certificate required.....
If yes, I wonder whether it is in your Keychain.

Safari should query the keychain and you should get a warning if there
is a certificate issue.

Corentin
 
Jeremy Reichman

I would point out this post on the Exchange admins newsgroup, which more or
less echoes the same problem and error message -- but just with OWA:

<http://www.archivum.info/microsoft.public.exchange.admin/2006-02/msg02673.html>

That doesn't provide a solution, but the solution may be "don't do that"
(lock down accounts to computers).

* Do users with _only_ Macs (if there are any) have a problem?

* Do users who are not _simultaneously_ logged in on a Windows computer
(i.e. just sitting at the login window on Windows) have the problem?

Also, it is correct that an authorized administrator must bind a Macintosh
(or a Windows computer) to an Active Directory. It cannot be done by just
any account. There are specific privileges in the Active Directory involved.
 
CostasM

First of all, I'd like to thank you for your comments and help.

> To some respect.... Can you connect to OWA through Safari?
> "Local Security Authority cannot be contacted" makes me wonder whether
> there is some sort of certificate required.....
> If yes, I wonder whether it is in your Keychain.

Tested Safari 1.3.2 on 10.3.9 and it just does not connect. There is no
message regarding a certificate of any kind. The trace shows a GET
request from Safari with 'Authorization: Basic (binaryinfo)' in
there. The server responds with an Access Denied message and that's it.
Firefox works OK as I mentioned before.
 
CostasM

Hi Jeremy,
Thanks,

Jeremy said:
> * Do users with _only_ Macs (if there are any) have a problem?

Currently users that have the problem have both a Mac and an XP
machine. There are users who are only on Macs, but they have not been
converted to the XP (one station only) setup.

> * Do users who are not _simultaneously_ logged in on a Windows computer
> (i.e. just sitting at the login window on Windows) have the problem?

No, we tried them being logged on to the Windows machine and not logged on.
Same error from Entourage.
 
Corentin Cras-Méneur

CostasM said:
> Tested Safari 1.3.2 on 10.3.9 and it just does not connect. There is no
> message regarding a certificate of any kind. The trace shows a GET
> request from Safari with 'Authorization: Basic (binaryinfo)' in
> there. The server responds with an Access Denied message and that's it.
> Firefox works OK as I mentioned before.

Then I suspect you need AD support and integration at the system level.
I fear it's a no-go unless the computers are migrated to Tiger..... :-\

Corentin
 
CostasM

Corentin said:
> Then I suspect you need AD support and integration at the system level.
> I fear it's a no-go unless the computers are migrated to Tiger..... :-\

I'll give it a try with 10.3.9 and see how it goes. Hopefully I'll post
back positive results.

Thanks
Costas
 