
Inside Entourage by Amir

A Blog Focussed on Entourage for Mac & Exchange Server
Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox

In this post I want to talk about an issue that we have seen often enough while working with our enterprise customers that it warrants a blog post.

Issue
When connecting to an Exchange mailbox, the Entourage user sees the following error repeatedly. The user enters correct credentials (username, password & domain), but the same error comes back again, effectively creating a never-ending loop. We have seen this on all currently supported versions of Exchange & Entourage. This error can also come up when:

a. User tries to permanently delete or move a large number of messages from his Exchange mailbox

b. User tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox

Cause
When Entourage tries to permanently delete messages from a folder in an Exchange mailbox, Exchange Server uses the TEMP (temporary) folder for that operation. If the Entourage user does not have the required permissions on that TEMP folder, the server issues a '401, Access Denied' error. Moving messages in Entourage involves permanent deletion from the source folder, so it results in the same issue.

Resolution
There are two parts to it.

1. Locating TEMP & TMP Folders

a. Non-Clustered Servers
First determine which TEMP folder is set as the default on the back-end Exchange Mailbox Server, because that's where the delete operation actually takes place. The default location of the TEMP folder is set under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
REG_EXPAND_SZ: TEMP
Value: <PATH>\TEMP

By default, the TEMP folder is located at: '%SystemRoot%\TEMP' which is usually 'C:\WINDOWS\TEMP'

Another place to check this is: Bring up 'Control Panel' on Exchange Server, go to System : Advanced : Environment Variables : System Variables (see the screenshot below)

Same check applies for TMP folder, if there is one located on your drive. The above registry key should have an entry for TMP folder as well.

b. Clustered Servers
On clustered servers, the following registry keys are used to specify the locations of TEMP & TMP folders (Ref.).

HKEY_USERS\<Cluster service account SID>\Environment\TEMP

HKEY_USERS\<Cluster service account SID>\Environment\TMP

2. Verifying Permissions
Now let's verify the permissions assigned on TEMP folder. The 'Authenticated Users' group (Entourage user belongs to this group) should have the following special permissions:

Traverse Folder / Execute File
Create Files / Write Data
Create Folders / Append Data

In order to check these permissions, locate the TEMP folder and then right click on it to take 'Properties', go to 'Security' tab, highlight 'Authenticated Users', under 'Permissions for Authenticated Users' section, click on 'Advanced' button (see the screenshot below)

You will then see the 'Advanced Security Settings for TEMP' folder window (see the screenshot below)

Highlight the entry for 'Authenticated Users' in the above window and then click on 'Edit' button to view/edit the permissions. The screenshot below displays the required permission assigned properly.

Same check applies for TMP folder, if there is one located on your drive.

Redirected TEMP/TMP Folder
If the TEMP/TMP folder has been redirected to D (or any other) drive on the Exchange Server, it is suggested to specify the above permissions at the following three levels:

1. Drive level, especially at the root of drive if you notice that 'Authenticated Users' group is simply missing

2. TEMP/TMP folder

3. Any sub-folders inside TEMP folder which may have numerical (like 1, 2, etc.) names as such folders have been seen on clustered servers

Important
You will need to restart IIS (Internet Information Server) on all those servers where you made these changes in permissions, i.e. mailbox servers on the back-end and front-end servers as well to which Entourage users are connecting for mailbox access.

More Info
If your Entourage users are running into this issue then IIS Log on Exchange Server (front-end and/or back-end) & TCPFlow Log on Entourage Client will show the following:

a. 'BDELETE' request from client

b. '401' error response from server

IIS Trace Sample

2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0

2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0

TCPFlow Trace Sample

192.168.120.110.54103-192.168.137.121.00080:
BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1

192.168.137.121.00080-192.168.120.110.54103:
HTTP/1.1 401 Unauthorized

E-mail Download Issue in Entourage With Exchange 2007 on Windows 2008

In this blog post I wanted to talk about another new issue being experienced by our customers who are working with Exchange 2007 on Windows 2008. Windows Server 2008 is the key here as it relates to IIS 7 (Internet Information Server) and its default security restrictions.

Issue
Using Entourage for Mac (2004 or 2008) while connecting to an Exchange 2007 mailbox on a Windows 2008 Server, the user cannot download any e-mail message which has a plus sign in its subject line, like 'Test + Mail'.

Cause
Entourage's request to download this e-mail message goes thru IIS 7 on Windows 2008 Server, which is configured (by default) to deny 'double escape sequences' in any HTTP request and thus it rejects the request with a '404.11' error.

Resolution
Entourage talks to the 'Exchange' virtual directory (for mailbox access) under 'Default Website' on IIS, so you can use the following procedure to allow the use of 'double escape sequence' only at that level to address this issue. This will minimize the risk you take on by enabling the usage of double escape sequence. Enabling the use of 'double escape sequence' does carry some risk; please go thru the links under the 'More Info' section below to educate yourself on the issue & the risks involved before you work on the steps below.

Quick & Easy Way
You will need to run this command on all of your Exchange 2007 CAS and Mailbox Servers as IIS is installed on them by default.

Bring up a Windows 'Command Prompt', type the following command and hit 'Enter' on keyboard, that's it, you are done!

%windir%\system32\inetsrv\appcmd set config "http://localhost/Exchange" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true /commit:apphost

You will see the following response after running the above command in the same window.

Applied configuration changes to section "system.webServer/security/requestFiltering" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"

After running this command, you don't need to restart any services on server, just run the command and ask your Entourage users to see if the issue has been resolved for them, at the most you can ask them to re-launch Entourage.

OR if you are a guy who is interested in details, then you can follow the manual steps outlined below.

Manual Steps
1. Bring up Notepad : File : Open, type %windir%\System32\inetsrv\config\applicationHost.config in the 'File name' box, and then click 'Open'.

2. Locate the section titled as: <location path="Default Web Site/Exchange">

3. Under that section locate </authentication> tag

4. Just after that insert the following text on a new line: <requestFiltering allowDoubleEscaping="true" />

5. Save the file and 'Exit' Notepad

Again, no restart of any service is required.

Note:
As Entourage talks to 'Public' virtual directory (for public folder access) under 'Default Website' on IIS, thus you will need to follow the same procedure for 'Public' virtual directory as well. Same instructions apply, just replace 'Exchange' with 'Public' in all steps mentioned above.
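
An added example (not from the original post or from Microsoft): a Python audit of applicationHost.config that reports where allowDoubleEscaping is explicitly enabled outside the 'Exchange' and 'Public' paths named above, and which of those two paths still lack it once inheritance is applied. The sample config, including the 'Default Web Site/owa' entry, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Paths where the post enables double escaping (Exchange, plus Public per its Note).
INTENDED = ("Default Web Site/Exchange", "Default Web Site/Public")

# Constructed sample (assumption): a trimmed applicationHost.config in which the
# Exchange step was done, the Public step was skipped, and a hypothetical
# "Default Web Site/owa" entry was enabled outside the intended scope.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="false" />
    </security>
  </system.webServer>
  <location path="Default Web Site/Exchange">
    <system.webServer>
      <security>
        <authentication>
          <basicAuthentication enabled="true" />
        </authentication>
        <requestFiltering allowDoubleEscaping="true" />
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/Public">
    <system.webServer>
      <security>
        <authentication>
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer>
      <security>
        <requestFiltering allowDoubleEscaping="true" />
      </security>
    </system.webServer>
  </location>
</configuration>"""


def _child(node, *tags):
    """Walk down direct children by tag name; None if any level is missing."""
    for tag in tags:
        node = next((c for c in node if c.tag == tag), None)
        if node is None:
            return None
    return node


def explicit_settings(xml_text):
    """Map lower-cased location path -> (path, enabled) for each explicit setting.

    The server-wide section (outside any <location>) is stored under ''.
    """
    root = ET.fromstring(xml_text)
    containers = [("", root)]
    containers += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    found = {}
    for path, container in containers:
        rf = _child(container, "system.webServer", "security", "requestFiltering")
        if rf is not None and "allowDoubleEscaping" in rf.attrib:
            enabled = rf.get("allowDoubleEscaping").strip().lower() == "true"
            found[path.lower()] = (path, enabled)
    return found


def effective(found, path):
    """Effective value for a path: nearest explicit ancestor, else server-wide,
    else IIS 7's default of false."""
    parts = path.lower().split("/")
    while parts:
        hit = found.get("/".join(parts))
        if hit is not None:
            return hit[1]
        parts.pop()
    hit = found.get("")
    return hit[1] if hit else False


def audit(xml_text, intended=INTENDED):
    """Report explicit enables outside the intended paths, and intended paths
    whose effective setting is still false."""
    found = explicit_settings(xml_text)
    allowed = {p.lower() for p in intended}
    unexpected = sorted(
        (path or "(server-wide)")
        for key, (path, enabled) in found.items()
        if enabled and key not in allowed
    )
    missing = [p for p in intended if not effective(found, p)]
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```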

Details
Let's go into the details of this issue. First of all, let's see what this issue looks like to an Entourage user when he looks at his Inbox thru Outlook Web Access & Entourage.

Outlook Web Access thru Safari (note the presence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

Entourage 2008 (note the absence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

So how did it happen? Let's review the TCPFlow Trace pasted below, which I took on Entourage user's machine. Important parts are highlighted in red.

65.53.65.121 = Entourage Client

172.30.142.217 = Exchange 2007 CAS Server

In the trace snippet pasted below Entourage client is requesting (thru SEARCH command) if there are any changes in user's Inbox, i.e. if there are any new items there for Entourage to retrieve and sync down to its local database.

065.053.065.121.51253-172.030.142.217.00080:
SEARCH /exchange/john/Inbox/ HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Brief: t
Translate: F
Range: Rows=0-512
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4w+C87pKQrHkOOeTHX4IiYZdRzhFlUtMQICwpFE3
/xSe3jJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 743
Accept-Encoding: gzip
Connection: Keep-Alive

065.053.065.121.51253-172.030.142.217.00080:
<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"
xmlns:R="http://schemas.microsoft.com/repl/">
<R:repl><R:collblob>toCTAAMAAQIgzWX+UAA=</R:collblob>
</R:repl><D:sql>SELECT
"http://schemas.microsoft.com/repl/repl-uid",
"http://schemas.microsoft.com/repl/resourcetag",
"http://schemas.microsoft.com/mapi/proptag/x001A001F",
"http://schemas.microsoft.com/mapi/sensitivity",
"urn:schemas:httpmail:read", "urn:schemas:httpmail:datereceived"
FROM SCOPE ('SHALLOW TRAVERSAL OF "/exchange/john/Inbox/"')
WHERE "http://schemas.microsoft.com/mapi/proptag/0x67aa000b"
= false AND "DAV:isfolder" = false</D:sql></D:searchrequest>

And here comes the response from server with the URL of the new item, which is an e-mail with the subject 'Test + Mail' (we are working with only one message to keep things simple) …

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 207 Multi-Status
Transfer-Encoding: chunked
Content-Type: text/xml
Content-Range: rows 0-0; total=*
Accept-Ranges: rows
Server: Microsoft-IIS/7.0
Set-Cookie: OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}; path=/
MS-WebStorage: 08.01.10240
MS-WebStorage: 08.01.10240
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT

172.030.142.217.00080-065.053.065.121.51253:
<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
xmlns:g="urn:schemas:httpmail:"
xmlns:f="http://schemas.microsoft.com/mapi/"
xmlns:c="xml:"
xmlns:e="http://schemas.microsoft.com/mapi/proptag/"
xmlns:d="http://schemas.microsoft.com/repl/"
xmlns:a="DAV:"><a:contentrange>
0-0</a:contentrange><a:response><a:href>
http://172.30.142.217/exchange/john/Inbox/Test%20%2B%20Mail.EML
</a:href><d:changetype>new</d:changetype><a:propstat><a:status>
HTTP/1.1 200 OK</a:status><a:prop><d:repl-uid>
rid:d17078df5926b048921786b466da7185000220cd63ff
</d:repl-uid><d:resourcetag>rt:d5926b04892185000220cd728e
</d:resourcetag><e:x001A001F>IPM.Note</e:x001A001F>
<f:sensitivity b:dt="int">0</f:sensitivity><g:read b:dt="boolean">0
</g:read><g:datereceived b:dt="dateTime.tz">
20080620T21:46:46.895Z</g:datereceived></a:prop></a:propstat>
</a:response><d:repl><d:collblob>toaUAABAAYAAiDNY/8A</d:collblob>
</d:repl></a:multistatus>

In the snippet below Entourage tries to fetch the new mail message using the URL provided by server …

065.053.065.121.51253-172.030.142.217.00080:
PROPFIND /exchange/john/Inbox/Test%20%2B%20Mail.EML HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Depth: 0
Brief: t
Translate: F
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4wJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 646
Accept-Encoding: gzip
Connection: Keep-Alive

Entourage then receives a 404 error from the server for its request, as IIS 7 installed on that Windows 2008 Server (with Exchange 2007) does not allow the use of 'double escape sequence' in any incoming HTTP request.

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT
Content-Length: 1245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

<!--

body{margin:0;font-size:.7em;font-family:Verdana, Arial,
Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;
font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;
padding:10px;position:relative;}

-->

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>
404 - File or directory not found.</h2>
<h3>
The resource you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
</h3>
</fieldset></div>
</div>
</body>
</html>

Now if you look in IIS Log on Exchange 2007 CAS or Mailbox Servers, you will find the following entry there:

CAS
2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

Mailbox
2008-06-20 14:38:09 172.30.142.218 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 172.30.142.217 Exchange-Server-Frontend-Proxy/6.5+Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0
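
An added example (not from the original post): a Python triage of IIS W3C logs for the two signatures this page describes, the BDELETE/401 loop from the TEMP folder permissions issue and the 404.11 double escape rejection. The '#Fields:' headers and the SEARCH row in the sample are assumptions added so the quoted rows can be parsed by column name.

```python
from collections import Counter

# Constructed sample. The BDELETE and PROPFIND rows are the entries quoted on this
# page; the "#Fields:" headers (an assumption, chosen to fit the columns shown) and
# the SEARCH row are added here for illustration.
SAMPLE_LOG = r"""#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0
2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-06-20 14:38:08 172.30.142.217 SEARCH /exchange/john/Inbox/ - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0 15
2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0
2008-06-20 14:38:09 172.30.142.218 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 172.30.142.217 Exchange-Server-Frontend-Proxy/6.5+Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0
"""

SIGNATURES = {
    "temp-folder-permissions": "BDELETE answered with 401: check TEMP/TMP folder permissions",
    "double-escape-rejected": "404.11: IIS 7 request filtering denied a double escape sequence",
}


def parse_w3c(text):
    """Yield one dict per data row, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no usable header yet, or a truncated row
        yield dict(zip(fields, values))


def classify(row):
    """Return a signature name for an Entourage request, or None."""
    if "Entourage/" not in row.get("cs(User-Agent)", ""):
        return None
    method = row.get("cs-method", "").upper()
    status = row.get("sc-status")
    if method == "BDELETE" and status == "401":
        return "temp-folder-permissions"
    if status == "404" and row.get("sc-substatus") == "11":
        return "double-escape-rejected"
    return None


def mailbox_of(uri_stem):
    """Mailbox name from /exchange/<mailbox>/...; cs-username may be '-'."""
    parts = uri_stem.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "exchange":
        return parts[1]
    return None


def triage(text):
    """Return one finding per log row that matches a signature."""
    findings = []
    for row in parse_w3c(text):
        signature = classify(row)
        if signature is None:
            continue
        findings.append({
            "when": f'{row.get("date", "")} {row.get("time", "")}',
            "server": row.get("s-ip"),
            "client": row.get("c-ip"),
            "mailbox": mailbox_of(row.get("cs-uri-stem", "")),
            "uri": row.get("cs-uri-stem"),
            "signature": signature,
        })
    return findings


def summarize(findings):
    """Count findings per (signature, mailbox)."""
    return dict(Counter((f["signature"], f["mailbox"]) for f in findings))


if __name__ == "__main__":
    for (signature, mailbox), count in summarize(triage(SAMPLE_LOG)).items():
        print(f"{mailbox}: {count} x {SIGNATURES[signature]}")
```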

More Info
For more info, you can go thru the following links:

Blog : IIS7 Rejecting URLs Containing Plus Sign '+'

Article : Double Encoding

KB 942076 : Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"

KB 943891 : The HTTP status codes in IIS 7.0

Understanding How You Use This Blog

Hello Readers,
Here is a guest post from our director who needs your input which will help us in making these blogs better. Thanks for your time!

---------------------------------------------------------------

Greetings Blog Readers,
My name is Ed Jolly, and I am a director in the Commercial Technical Support (CTS) organization at Microsoft. I am here to request a few minutes of your time.

We would like to learn more about blog readership through a brief survey. This is an opportunity for us to better understand what is valuable to you and what you would like to see in the future.

Below is a link that will take you to another website to complete the survey. Based on what we learn, we may request more feedback in future surveys like this. When you open the survey, you will see a list of blogs that CTS engineers contribute to across many different products. We have not posted a listing of these blogs in the past, and I hope it helps you find other blogs that are helpful to you.

The blog survey is completely anonymous.

Location: < Survey Period Expired, Link Removed >

Availability: Until August 22. You may receive a request to complete this survey through multiple RSS feeds. You need only to complete it one time.

Length: The survey can be a maximum of 11 questions.

Time: Less than 5 minutes (but providing more information in the open text fields may take a minute or two extra, improving our ability to understand your needs in these blogs).

Thank you in advance for your time, participation and assistance.

Ed Jolly (edjolly@microsoft.com)

Parts of Hyperlink After Ampersand Sign Are Stripped in Entourage 2008

Update: The fix for this issue has been released in the 12.1.2 Update for Office 2008 for Mac. 

Here is another known issue we are working to fix these days.

Issue
Entourage 2008 users are reporting that it is stripping parts of hyperlinks (URLs) in messages they receive from other users. It always strips parts of those hyperlinks right after '&', including the ampersand sign. This is only being reported by those users who have recently upgraded to Office 2008 for Mac Service Pack 1 (SP1). Examples of stripped URLs are:

Original Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321&UID=987612345

Stripped Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321=987612345

Note that '&UID' has been stripped

Original Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897&SaveID=7843~2945

Stripped Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897=7843~2945

Note that '&SaveCaseID' has been stripped

Cause
This happens as '&' is not properly encoded as '&amp' in the message source

Resolution
Microsoft is working to release a fix for this issue in an update for Entourage 2008 but a final release date is not available yet. I plan to update this post with new information in this regard when it becomes available.

SSL Warning Issue in Entourage 2008

Update: The fix for this issue has been released in the 12.1.2 Update for Office 2008 for Mac.

In this post I wanted to quickly provide an update on an ongoing issue with some specifics to make sure our customers are well informed on its current status.

Issue
After installing Office 2008 for Mac Service Pack 1 (SP1) when Entourage 2008 users connect to their mailbox on an Exchange 2007 Server, they may see an error like this (you can substitute 'contoso' in the screenshot below with your own root domain):

If you click on 'OK', Entourage will continue to work and you won't see this error message again until the end of that session when you close Entourage. Clicking on 'Cancel' you may end up in 'Not Connected' state with your Exchange account. This error may also come up when:

1. You try to configure your Exchange account using 'Account Setup Assistant' which now uses Autodiscover Service on Exchange 2007 to automatically configure your account or

2. You use any 'Exchange Web Services' based feature in Entourage 2008, like OOF Assistant, Free/Busy Info pull-up, etc. as they also utilize Autodiscover feature or

3. Entourage tries to talk to Autodiscover Service while it's running connected to your mailbox to see if any updates were made to Autodiscover Service on the server side by your Exchange Administrator. This happens automatically in the background based on a pre-set interval which cannot be modified by the user.

Cause
This happens because Entourage 2008 tries to establish a secured connection to the first of the 2 default addresses (URLs) in its attempt to contact the Autodiscover Service on your Exchange 2007 Server. This is explained in the Autodiscover Whitepaper, see the 'How the Autodiscover Service Works with Clients' section. Most organizations using Exchange 2007 do not publish Autodiscover Service thru the first URL mentioned there, i.e. 'https://contoso.com/autodiscover/autodiscover.xml'; rather they use the other URL, i.e. 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'. When Entourage finds an error (mostly a 'Common Name' mismatch) with the certificate published at the root of your domain, it displays the above error. Many organizations do have a certificate there, but the 'Common Name' on that certificate is 'www.contoso.com', not just 'contoso.com', and Autodiscover Service is not published thru that URL. Entourage does not move silently to try the other possible URL. Clicking 'OK' on the above error makes it do exactly that, so it finds the Autodiscover Service responding on the other URL and everything then works fine from there.

This issue can also happen in Entourage 2008 if Autodiscover Service is not configured properly as per the guidelines in Autodiscover Whitepaper. See 'Note' below on how to quickly check to see if Autodiscover Service is properly configured and published for users.

Resolution
Microsoft is working to release a fix for this issue in an update for Entourage 2008 but a final release date is not available yet. I plan to update this post with new information in this regard when it becomes available.

Note
We need to make sure that when Entourage looks for Autodiscover Service, the related URL as mentioned above in 'Cause' section is configured and published to respond to those requests. A quick way is to look up the A Record (a type of DNS record which is used to map a hostname or URL to the IP Address of the host) which you will have to register with your DNS provider.

A Working Example:
For Microsoft, the Autodiscover Service is configured and published at 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml', you can look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.microsoft.com&type=A

You will see an IP Address is mapped to the URL for Autodiscover Service to respond to incoming requests.

Now, if I go and hit the URL for Autodiscover Service in my browser, i.e. 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml'

I will get a window to enter my user credentials (domain\username & password) and after that I will see the following lines in the main browser window:

<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="10:29:57.7332076" Id="59171512">
    <ErrorCode>600</ErrorCode>
    <Message>Invalid Request</Message>
    <DebugData />
</Error>
</Response>
</Autodiscover>

The response above says 'Error 600, Invalid Request' as the Autodiscover Service URL is not supposed to be accessed thru a browser. This is an expected response in this scenario and confirms the proper configuration and publishing of Autodiscover Service.

A Non-Working Example:
Let's use Contoso as a non-working example. The Autodiscover Service should be configured and published at 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'. If you look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.contoso.com&type=A

You won't find an IP Address mapped to the URL for Autodiscover Service, instead you will see an error there saying 'server can't find autodiscover.contoso.com'.

Client Certificate-based Authentication in Entourage 2008

Recently Microsoft released Service Pack 1 (SP1) for Office 2008 for Mac. There are some new features in SP1 for Entourage 2008 users, one of them is 'Client Certificate-based Authentication'. In this post we will walk thru the setup on server & client sides so that it will be helpful to those who want to use this feature in Entourage.

Introduction
Entourage connects to an Exchange mailbox thru 'Exchange' virtual directory under 'Default Website' in IIS (Internet Information Server) installed on an Exchange Server. IIS provides several authentication methods and they are all discussed here & here. One of them is 'Client Certificate-based Authentication' (CCA) which works thru 'Client Certificate Mapping' on server side. Most conventional ways of authentication require the provision of username, domain & password (3-tier credentials) but CCA does not require users to provide their domain credentials. It works thru a mapping of user certificates to their accounts in Windows Active Directory. It is used where high level of security is required and domain password policies are very strict or administrators simply do not want their users to remember/enter their domain credentials for any kind of access. In those environments 'Two Factor Authentication' (RSA, Smart Card) is also used & CCA helps in its implementation. Now with the new support for CCA in Entourage, you can have your Entourage users utilize 'Two Factor Authentication' when they connect to their Exchange mailbox. Let's see how we can set it up.

Setup Details
To keep things simple, I have a single box server with Windows 2003 SP2 & Exchange 2003 SP2 (most common versions out there). It also has 'Certificate Services' (a Windows component) installed on it to act as my 'Private Root Certification Authority' (one can go with Public Root CAs like VeriSign, etc.). You can install an 'Enterprise Root CA' or a 'Standalone Root CA' (steps with screenshots), if you want to read more before installation, go here.

I installed an 'Enterprise Root CA' on my server. I used it to issue an identity certificate to IIS (Default Website) so that secured connections (SSL) can be established over port 443 by Entourage clients when they connect to 'Exchange' virtual directory to get access to their Exchange mailbox. This is a pre-requisite for CCA, steps are here.

I also used it to issue client certificates to individual Entourage users so that they can use it for CCA when connecting to their Exchange mailbox (more details later in 'Client Side Setup' section below).

Server Side Setup
There are several ways to set 'Client Certificate Mapping' on IIS, they are all discussed here. I used the 'Windows Directory Service Mapper' for my setup, as it's the most popular & simple to set up. I followed the steps listed here.

Note: I tested this feature successfully with '1-to-1 Mapping' as well, no issues, however I didn't test it with 'Many-to-1 Mapping', I assume that scenario will also work without any issues.

After that I went to 'Exchange' virtual directory and enabled the requirement of client certificates for authentication. To do that:

  1. Go to IIS Manager : Default Website : Exchange : Properties : Directory Security : Secure Communications : Edit : Check the 2 boxes for 'Require secure channel (SSL)' & 'Require 128 bit encryption'
  2. On the same window, under 'Client certificates' section, select 'Require client certificates'
  3. Also check the box for 'Enable client certificate mapping'
  4. The final configuration will look like this

That's it, click OK twice to get back to IIS Manager.

Now when we are set to use CCA for authentication on 'Exchange' virtual directory, we can go and turn off all other authentication methods. To do that, go to IIS : Default Website : Exchange : Properties : Directory Security : Authentication & Access Control : Edit : Uncheck all boxes here (screenshot), click OK twice to get back to IIS Manager.

Repeat the above steps now for 'Public' virtual directory which is used by Entourage to access public folders on Exchange Server.

Client Side Setup
To begin with Entourage users should follow these steps for obtaining and installing a user certificate on their Mac. I used a Mac with Tiger (Mac OS 10.4.11) and Entourage 2008 SP1 installed on it.

  1. Launch Safari browser and go to http://<server-name>/certsrv (where 'server-name' is the name of the server where 'Private Root CA' is installed) (screenshot)
  2. Enter your username and password when prompted (screenshot)
  3. On the 'Welcome' page of your Root CA Server, click on 'Request a certificate' link (screenshot)
  4. On the 'Request a certificate' page, click on 'User Certificate' link (screenshot)
  5. On the 'User Certificate – Identifying Information' page, keep the 'Key Strength' field set to '2048 (High Grade)', click on 'Submit' button (screenshot)
  6. On the 'Certificate Issued' page, click on 'Install this certificate' link (screenshot)
  7. You will see the 'Downloads' window from Safari and a file by the name of 'certnew.cer' will be downloaded to your desktop (screenshot)
  8. Double click on the 'certnew.cer' file on your desktop (screenshot)
  9. The 'Keychain Access' application will launch and you will see the 'Add Certificates' window, keep the 'Keychain' field set to 'login' and click 'OK' (screenshot)
  10. The user certificate will then be imported in the Keychain (screenshot)
  11. You can double click on it to view the user certificate (screenshot)
  12. You can also launch 'Microsoft Cert Manager' application (from Mac Hard Drive : Applications : Microsoft Office 2008 : Office) to view the certificate in 'Digital Identities' container. This is a good indication that the user certificate will work fine with CCA or digital signing and encryption of outgoing mail.

Quick Admin Check: Now in order to make sure that Entourage user account is setup properly in Windows Active Directory, take a look at its properties (thru 'Active Directory Users & Computers' or 'ADUC'), you should see the user certificate there under 'Published Certificates' tab (screenshot). If not then you can also import it (use the 'cer' file from user's Mac, see Step 7 above) using the 'Add from file' button there. Another way to add & map user certificate is to do a right click on user object in ADUC, choose 'Name Mappings', then add the user certificate there under 'X.509 Certificates' tab (screenshot).

Now let's configure Exchange account settings in Entourage, this screenshot depicts how 'Account Settings' tab should look like. Note that you do not need to provide user's domain credentials, i.e. username, domain & password. The 'Advanced' tab is where you need to select user certificate under 'Client Certificate-based Authentication' section. Clicking on 'Select' button there will provide you with the 'Choose an Identity' window which will list the user certificate there. That's it, you are done.

After that Entourage will try to connect to Exchange mailbox utilizing 'Client Certificate-based Authentication', user will see a prompt 'Confirm Access to Keychain', choose 'Always Allow' on that. This allows Entourage to access 'Keychain' in Mac OS where user certificate is stored. Entourage will then go and talk to 'Exchange' virtual directory on server. User certificate will be used for CCA and connection to Exchange mailbox will be established in seconds. We are done!

But What About GAL Access?
After some research I found that currently it is not possible in Windows Server 2003 to require CCA for LDAP connections & queries. Thus if you want your Entourage users to access your Windows Global Catalog Server (LDAP Server) for 'GAL Access' (Global Address List) feature, you will need to configure it appropriately (non-SSL over ports 3268 & 389 or SSL over ports 3269 & 636) and also provide domain credentials in Exchange account settings in Entourage. Entourage uses the same set of domain credentials provided on first tab (screenshot) for authentication against Exchange & LDAP Server. The authentication processes are separate for IIS (for Exchange mailbox & public folder access) & LDAP Server (for 'GAL Access' feature). If CCA is required for authentication by IIS (at 'Exchange' & 'Public' virtual directories), then Entourage will use client certificate for that and will only use domain credentials for authentication against LDAP Server for 'GAL Access' feature.

Smart Cards
Some organizations out there use Smart Cards to store user certificate which is generally used by them for digital signing and encryption of outgoing mail. They will continue to work in the same way for CCA feature as well. Just select the same user certificate over here as well.

DST Workaround for Entourage 2004 & 2008 Users in ANZ

Update: The fixes for this issue have been released in 11.5 (Entourage 2004) & 12.1 (Entourage 2008) Updates for Office for Mac.

I wanted to quickly provide this workaround to the users of Entourage 2004 & 2008 in Australia & New Zealand (ANZ) time zones until Microsoft releases fixes thru updates at Mactopia website.

Issue
When Entourage 2004 & 2008 users organize meetings by inviting other users who are using Microsoft Outlook or OWA (Outlook Web Access) against their Exchange mailboxes (version of Exchange Server does not matter here), then those meeting attendees may see the incoming meeting invite being an hour off. This issue is not seen if all meeting attendees are Entourage users.

Cause
This happens as Entourage 2004 & 2008 use DST information from related 'Timezones' files for users in ANZ time zones, which are not up to date with current information.

Resolution
Microsoft is working to release a fix for this issue in an update for both versions of Entourage but a final release date is not available yet. When that update is available, users can safely install it and it will replace the files which they will put on their systems as a result of applying the workaround provided below.

Workaround
Below are the steps to follow for both versions of Entourage. Only Entourage users will need to apply this workaround on their machines, no action is required by other users who are using Microsoft Outlook or OWA.

Entourage 2004

  1. Quit Entourage (Entourage should not be running when you apply this workaround)
  2. Back up the current 'Timezones' file in folder: Mac Hard Drive : Applications : Microsoft Office 2004 : Office (just copy it to a backup folder on your hard drive)
  3. Download the updated 'Timezones' file for Entourage 2004 from here (extract its content before proceeding to next step)
  4. Copy the downloaded 'Timezones' file to the same location as above in Step 2, replacing the existing 'Timezones' file
  5. That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Entourage 2008

  1. Quit Entourage (Entourage should not be running when you apply this workaround)
  2. Back up the current 'Timezones.ics' file, go to folder: Mac Hard Drive : Applications : Microsoft Office 2008 : Office, locate a file by the name of 'EntourageCore.framework', now Control-Click on it and choose 'Show Package Contents' in the resulting menu, a new window will appear, in that window go to folder: Versions : 12 : Resources : en.lproj (you will find the 'Timezones.ics' file here, just copy it to a backup folder on your hard drive)
  3. Download the updated 'Timezones.ics' file for Entourage 2008 from here (extract its content before proceeding to next step)
  4. Copy the downloaded 'Timezones.ics' file to the same location as above in Step 2, replacing the existing 'Timezones.ics' file
  5. That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Note: Any meetings which were scheduled earlier and display the issue described in this post will not automatically get fixed. If you want to fix them, you will have to open them and make a change in them (like add one character to its subject/title or notes area, etc.), then save them and send update to all attendees. This change will force Entourage to recalculate DST info as per the updated 'Timezones' file.

Workaround Removal
If at any time you need to remove or undo this workaround, just follow the same steps as above and replace the 'Timezones' files with the original ones which you backed up earlier.

How Does Entourage Work?

As my blog is focused on Entourage as an 'Exchange Client', let's start with the most obvious topic which will provide details on how Entourage works with a mailbox on an Exchange Server. This blog will encompass the currently supported versions of Entourage & Exchange Server, i.e. Entourage 2004 & 2008, and Exchange 2000, 2003 & 2007. Let's list all the different features in Entourage for which it needs to talk to Exchange Server or any other server in a Windows Active Directory based environment. (Note: All ports mentioned below are server side ports)

Entourage Setup Assistant (screenshot)
The very first feature which you use in Entourage is the 'Entourage Setup Assistant' (or 'Account Setup Assistant') after you create a new identity. If you try to configure your Exchange account using the setup assistant, it talks to available DNS server configured in Mac OS X 'Network Preferences' to locate a Windows Domain Controller or Global Catalog Server hosting Active Directory and then authenticates & inquires about Exchange mailbox server for user. The whole process is described over here in detail. Server side ports used are 53 (for DNS queries) and 3268 (for authentication & LDAP queries to locate mailbox server).

Mailbox Synchronization (screenshot)
After you have set up your Exchange account (using setup assistant or manually), Entourage goes and talks to the Exchange server (front-end or back-end mailbox server) thru IIS (Internet Information Server) to get connected to your mailbox. This communication is HTTP (WebDAV protocol) in nature, thus can happen over port 80 (without SSL) or 443 (with SSL) as per your server side requirements.

Public Folders (screenshot)
Another server you have to enter in Exchange account settings is your public folders server. Generally in big enterprises public folder servers are maintained separately from mailbox servers on the back-end. Entourage communicates with the public folder server in the same way as with an Exchange mailbox server, i.e. HTTP (WebDAV) over port 80 (without SSL) or 443 (with SSL).

Global Address List (screenshot)
In Entourage you also have to provide a Directory or LDAP server name, which in a Windows Active Directory based environment is your Global Catalog Server so that you can have access to 'Global Address List' (GAL) of your Exchange organization. Entourage uses ports 389 (without SSL) & 636 (with SSL) for authentication and then to access GAL, it sends LDAP queries over ports 3268 (without SSL) or 3269 (with SSL), so a combination of two ports is used for GAL feature, i.e. 389 & 3268 (without SSL) or 636 & 3269 (with SSL).

Out of Office Assistant
This is a new feature only in Entourage 2008. When connecting to Exchange 2000/2003 based mailboxes, Entourage sends a WebDAV query to pull up 'Options' page from OWA (Outlook Web Access) thru which it sets the OOF Assistant. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

When connecting to an Exchange 2007 CAS, it works thru 'Exchange Web Services' ('OOFURL' in 'autodiscover.xml') to configure 'OOF Assistant' with appropriate settings. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. Keep in mind that this feature does not work and fails with an error if you connect directly to an Exchange 2007 mailbox server on back-end, as 'autodiscover' and 'Exchange Web Services' are not present on it; they are only present on an Exchange 2007 CAS.

Free/Busy Info (screenshot)
When Entourage users schedule a meeting with other users in their Exchange organization, they can also view their free/busy information, i.e. whether other users are free or busy on particular day/time slots.

Entourage 2004 retrieves free/busy information for other users by talking to a public folder server hosting consolidated free/busy info for all users. This communication is also HTTP (WebDAV) in nature and thus happens over port 80 (without SSL) or 443 (with SSL). Entourage 2004 pulls free/busy information in this way in all cases. It does not matter where the Entourage user's mailbox is located, i.e. on Exchange 2000, 2003 or 2007 Server. Therefore, it is necessary to provide a public folder server name in Exchange account settings (under 'Advanced' tab) in Entourage 2004.

Entourage 2008 utilizes 'Availability Service' (AS, part of 'Exchange Web Services') on Exchange 2007 to retrieve free/busy information for other users (having mailboxes located on any version of Exchange Server) if it is connecting directly to an Exchange 2007 Client Access Server (CAS). For mailboxes located on Exchange 2007 server, AS pulls free/busy info directly from users' mailboxes while for mailboxes located on Exchange 2003 server (or earlier versions), AS sends the WebDAV query (HTTP, this query always goes over port 80 from CAS to an internal Public Folder server) to respective public folder server hosting those users' free/busy information. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. You also don't need to enter a public folder server name in Exchange account settings (under 'Advanced' tab) in Entourage for this feature to work, just the name of Exchange 2007 CAS (in 'Exchange server' field under 'Account Settings' tab) is enough.

If Entourage 2008 is connecting directly to a backend mailbox server (Exchange 2007 or earlier versions) or a front-end server (Exchange 2003 or earlier versions) then it utilizes the same WebDAV (HTTP) procedure to pull up the free/busy info as Entourage 2004 does (discussed above). It cannot use AS in this scenario as it's only available on an Exchange 2007 CAS.

Folder Sharing
When an Entourage user (User1) accesses a shared folder of another user (User2) in his Exchange organization, it uses the same WebDAV (HTTP) based communication which it uses to access the mailbox of Entourage user (User1). The port usage is also the same as described above under 'Mailbox Synchronization' section. Same applies when you use Entourage to assign folder sharing permissions (Folder : <right click> : Sharing : Permissions tab).

Delegate Management (screenshot)
Using Entourage you can also assign access permissions to your delegates so that they can access your folders such as Inbox, Calendar & Contacts. Entourage 2004 establishes a direct connection to your mailbox server for this purpose, which utilizes MAPI (RPC over TCP). Why? Please read the 'CAUSE' section in KB 909269. Entourage 2004 first connects to port 135 ('End-point Mapper' or 'epmap') on Exchange mailbox server, which refers it to 'Exchange System Attendant Service' ('MAD.exe'; there is no fixed port for 'MAD', it's assigned dynamically). Exchange server then authenticates Entourage client by talking to a 'Domain Controller' or 'Global Catalog Server'. After successful authentication Entourage finally connects to mailbox store on Exchange server (there is no fixed port for 'store' either) and sets two parameters as mentioned in KB 909269. Entourage 2004 uses this procedure irrespective of the version of Exchange server (2007 or earlier versions) to which it's connecting for mailbox access. Entourage 2008 works in the same way except when it's connecting to an Exchange 2007 CAS with SP1 installed.

Entourage 2008 utilizes the new delegate management web service if it's connecting to an Exchange 2007 CAS with Service Pack 1 installed. This communication happens over port 80 (without SSL) or 443 (with SSL) as per the server side configuration. The major advantage of this feature is that Entourage users can now assign delegation rights to other users independent of their location, i.e. they can do it while connected from internal or external locations.

Mailbox Quota Management (screenshot)
Entourage users can also find how much space their mailbox is utilizing on server at different levels, like at the top mailbox level, at each folder level, etc. They can do that by going to any folder, right click on it, choose 'Folder Properties' and then go to 'Storage' tab. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

Password Expiration Notice (screenshot)
Entourage also checks for Windows domain (where your Exchange server resides) password expiration on every launch or every 24 hours afterwards to see if user's password is going to expire in the next 10 days or not. It does that thru an LDAP query to your Windows 'Domain Controller' or 'Global Catalog Server' configured in Exchange account settings (under 'Advanced' tab). This communication happens over port 389 (without SSL) or 636 (with SSL).
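
The port usage listed in this post can be checked against a firewall allow-list before rollout. The following is an added example, not code from the original post or from Microsoft: the Deployment model and the function names port_plan and audit are assumptions made for illustration, while the ports and fallback rules are the ones described above.

```python
from dataclasses import dataclass

# Server-side ports as listed in the text above, keyed by "SSL in use?".
WEB = {False: 80, True: 443}     # HTTP: WebDAV and Exchange Web Services
LDAP = {False: 389, True: 636}   # LDAP authentication
GC = {False: 3268, True: 3269}   # Global Catalog (GAL) queries
NON_SSL = {80, 389, 3268}        # ports the text labels "without SSL"
DYNAMIC = "dynamic"              # MAD.exe and the store have no fixed port


@dataclass(frozen=True)
class Deployment:                # hypothetical model, not an Entourage setting
    entourage: int               # 2004 or 2008
    exchange: int                # 2000, 2003 or 2007
    via_cas: bool = False        # account points at an Exchange 2007 CAS
    sp1: bool = False            # that CAS runs Exchange 2007 SP1
    ssl: bool = True


def port_plan(d):
    """Map each feature to (transport, ports); ports is None if unavailable."""
    web = {WEB[d.ssl]}
    cas2007 = d.exchange == 2007 and d.via_cas
    new_client = d.entourage == 2008
    plan = {
        "Setup Assistant": ("DNS + LDAP", {53, 3268}),
        "Mailbox Synchronization": ("WebDAV", web),
        "Public Folders": ("WebDAV", web),
        "Global Address List": ("LDAP", {LDAP[d.ssl], GC[d.ssl]}),
        "Folder Sharing": ("WebDAV", web),
        "Mailbox Quota Management": ("WebDAV", web),
        "Password Expiration Notice": ("LDAP", {LDAP[d.ssl]}),
    }
    # Out of Office: Entourage 2008 only; on Exchange 2007 it needs the CAS.
    if not new_client:
        plan["Out of Office Assistant"] = ("not in Entourage 2004", None)
    elif d.exchange < 2007:
        plan["Out of Office Assistant"] = ("WebDAV via OWA", web)
    elif cas2007:
        plan["Out of Office Assistant"] = ("EWS", web)
    else:
        plan["Out of Office Assistant"] = ("fails: no EWS on mailbox server", None)
    # Free/Busy: Availability Service only for 2008 talking to a 2007 CAS.
    if new_client and cas2007:
        plan["Free/Busy Info"] = ("EWS Availability Service", web)
    else:
        plan["Free/Busy Info"] = ("WebDAV to public folder server", web)
    # Delegates: web service needs 2008 + CAS + SP1, otherwise MAPI over RPC.
    if new_client and cas2007 and d.sp1:
        plan["Delegate Management"] = ("EWS delegate web service", web)
    else:
        plan["Delegate Management"] = ("MAPI (RPC over TCP)", {135, DYNAMIC})
    return plan


def audit(d, allowed):
    """Compare the plan with a firewall allow-list of server-side ports."""
    report = {"blocked": [], "non_ssl": [], "unavailable": []}
    for feature, (_transport, ports) in port_plan(d).items():
        if ports is None:
            report["unavailable"].append(feature)
            continue
        if not ports <= set(allowed):    # DYNAMIC only passes if listed
            report["blocked"].append(feature)
        if ports & NON_SSL:
            report["non_ssl"].append(feature)
    return report


if __name__ == "__main__":
    # Constructed scenario: remote user, only HTTPS to the CAS is published.
    remote = Deployment(entourage=2008, exchange=2007, via_cas=True, sp1=True)
    for name, items in audit(remote, allowed={443}).items():
        print(f"{name}: {', '.join(items) or '-'}")
```

With only port 443 published, the same deployment without SP1 also reports 'Delegate Management' as blocked, because it falls back to MAPI on port 135 plus dynamically assigned ports.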

Entourage 2008 – New Features (Part II)

Now let's talk about features which are exclusive to Entourage 2008 users in an Exchange organization where they are working with other Outlook users. Some of them, like Calendar features below may also apply to non-Exchange users as well.

Calendar Features
Entourage 2008 contains several new features and improvements in the area of event & calendar management. They are:

Accept, Tentative & Decline Buttons on Meeting (screenshot) - After a single instance or recurring meeting is accepted or tentatively added to the calendar (like by 'Calendar Assistant' in Exchange 2007), Entourage 2008 users are now able to act on the resulting event from the event itself. This is essentially the same as acting on a meeting request when it arrives in user's Inbox. This feature can also be used to decline a previously accepted meeting request later when user's plan changes.

Event Deletion Update (screenshot) - If an Entourage user (as a meeting attendee) deletes a previously accepted single instance or recurring meeting (or a single instance of a recurring meeting), the user is prompted to send a response to meeting organizer.

Time Zone Mismatch Warning (screenshot) - Outlook for Windows handles time zones differently when sending recurring vs. single instance meeting invites. In the recurring case, Outlook stamps the invite with sender's time zone and thus they are received & displayed appropriately in Entourage. On single instance meeting invites, Outlook does not stamp sender's time zone and thus Exchange Server stamps its own time zone on the invite. When Entourage receives such an invite, it uses the time zone stamped by Exchange to calculate start and end times. Some issues may occur if Exchange server is in a different time zone than the Entourage user (see KB 925376). Entourage 2008 displays better event status text related to event and local computer's time zones to handle this situation.

Processing of Incoming New Meeting Requests - Entourage 2008 behaves like Outlook and moves invites to 'Deleted Items' folder after they are processed in the Inbox by user. Invites having attachments with them are still left in the Inbox so that user can access them later when needed. Entourage 2008 does not support having attachments with events placed on Calendar.

Conflict Status (screenshot) - When an invite arrives, Entourage now compares it to the contextually related primary calendar (like Exchange Calendar) to determine if the invite conflicts with an existing event or not. If any portion of the time span of the invite intersects or overlaps with an existing event, an appropriate status text to that effect is displayed on the incoming new meeting request.

Adjacent Status (screenshot) - The same determination as above is made to detect whether a new invite is adjacent to an existing event: if the beginning and/or end of the new invite's time span equals an existing event's time span, an appropriate status text to that effect is displayed on the incoming invite.

New Events Are Always Added to December - When the Mac OS X 'International Language' preference is set to Portuguese or Spanish, all new events created using Entourage 2004 appear in December of the respective year, though it preserves the day and date of event. This issue has been resolved in Entourage 2008 through adding support for 'Textual Separators' (like 'de') which is used to separate day, month and year in Portuguese, Spanish & some other languages.

To Do List (screenshot)
Entourage 2008 does not support synching with 'Tasks' folder in an Exchange mailbox but it does support the new 'To Do' based tasks feature (also in Outlook 2007 & Exchange 2007 OWA Premium) which lacks tasks assignment and progress tracking. This feature allows users to easily create and view their daily action items as well as provide a consistent experience with Outlook. Though 'To Do List' appears with the local 'Tasks' folder in Entourage, 'To Dos' are synchronized to the Exchange server and users will find consistent experience working with their 'To Do' items no matter which client they are using at a particular instant, be it Outlook 2007, Entourage 2008 or Exchange 2007 OWA Premium. The 'To Do List' can also be printed which provides a handy resource for users who are mostly in and out of meetings.

Out of Office Assistant (screenshot)
Using 'OOF Assistant' feature in Entourage 2008 users can set their out of office (OOF) status along with an OOF message when connecting to an Exchange Server. The feature is supported for Exchange 2000 or higher versions. This feature requires 'Outlook Web Access' to be functional on Exchange Server (2000 & 2003). Its implementation is based upon the 'OOF Assistant' available in OWA (2000 & 2003) and thus provides equivalent feature-set. It does not provide support for 'OOF Rules' which is available in Outlook for Windows. Support for separate internal and external OOF messages is only available for Entourage 2008 users connecting to a mailbox on Exchange 2007 Server. Such users can also set the OOF period (i.e. start and end date & times) and they can also send rich text or HTML based OOF messages. Entourage 2008 utilizes 'Exchange Web Services' and 'autodiscover' on Exchange 2007 for this feature.

Kerberos Authentication (screenshot)
Entourage 2008 supports Kerberos for authentication only for Exchange and LDAP (used for GAL access in Exchange organizations) accounts. It is not supported for the other types of accounts which you can configure in Entourage, like POP/SMTP, IMAP, Hotmail & News (NNTP) accounts. Mac OS X (Tiger and later) includes built-in support for Microsoft Kerberos (MSK) authentication and Active Directory authentication policies, such as password changes, expiration and forced password changes. By leveraging the OS's Kerberos service, Entourage provides better password handling and a cleaner setup experience.

Kerberos authentication will mainly work only inside corpnet environments, as obtaining a Kerberos ticket (the first step before you can use Kerberos authentication in Entourage) requires access to a Kerberos ticket or 'Key Distribution Center' (KDC), which in a Microsoft Windows Active Directory based environment is generally a 'Domain Controller' or a DC serving in the Global Catalog Server (GC) role. Exchange Servers that are internally accessible are primarily the ones serving in back-end mailbox server roles; they support Kerberos authentication and thus can be used by Entourage users to connect to Exchange mailboxes using Kerberos. Front-end or Client Access Servers (CAS) do not support Kerberos authentication for mailbox connectivity (by default), thus users will have to use three-tier domain credentials (i.e. username, domain & password for Windows Integrated/NTLM or Basic Authentication with SSL) to connect to their mailboxes.

If Entourage is configured to use Kerberos authentication with the Exchange account and the user tries to assign delegation rights to another user on his own mailbox, then Entourage may try to establish a MAPI connection with the user's mailbox server (see KB 909269 for more info), and it does not use Kerberos authentication for that purpose. The MAPI library code which is used for delegation does not support Kerberos authentication. A MAPI connection is established by Entourage for delegation rights assignment if the mailbox server is running Exchange 2007 RTM or lower, like Exchange 2003 or 2000 (any version or build). For MAPI connectivity to the user's mailbox server Entourage uses NTLM v2 authentication and thus it prompts the user with the domain credentials dialog, asking the user to enter username, password and domain.

Interoperability with Exchange 2007
Exchange 2007 introduced a whole new set of 'Web Services' which can be utilized thru SOAP (which is based on XML, another widely used protocol) based programming to interact with users' mailboxes and most of the other major components of Exchange. Entourage 2008 utilizes some of those features provided by 'Exchange Web Services' (EWS) thru SOAP based calls which are sent directly to CAS (Client Access Server) as EWS (and 'autodiscover') virtual directory is hosted only on a CAS server. The new features in Entourage 2008 which utilize 'Exchange Web Services' on server side are: 'Out of Office Assistant' (discussed above), 'Free/Busy Info Pull-up' & 'Delegate Rights Management'. Another new feature that's available on Exchange 2007 Server and supported in Entourage 2008 is working with 'Managed Folders'. This comes under the area of 'Messaging Records Management' which has been emphasized in Exchange 2007 (see demo here).

Free/Busy Info Pull-up - In an Exchange environment, when an Entourage user tries to schedule meetings with other users, the classic way to pull up their free/busy information is to send a WebDAV based query (Get /public/?Cmd=freebusy) to the Public Folder server configured in Entourage (Exchange Account Settings : Advanced tab). Entourage 2004 still works in this way, while Entourage 2008 can also utilize 'Exchange Web Services' (available only on Exchange 2007 Server) for this purpose. If Entourage 2008 is connecting to a CAS server for mailbox connectivity (Entourage : Exchange Account Settings), then it utilizes the 'autodiscover' & web services (EWS) running on CAS for querying free/busy information for Exchange users. On initial connection Entourage always requests the 'autodiscover' service on CAS to provide the contents of the 'autodiscover.xml' file. That file contains URL information for EWS and related services which are used by Entourage for OOF assistant, F/B info pull-up and delegation. EWS also offers an 'Availability Service' (AS); using the URL for AS in 'autodiscover.xml', called 'ASURL', Entourage can pull up F/B info for attendees of a meeting. If Entourage is connecting directly to a mailbox server (back-end) for mailbox contents (Entourage : Exchange Account Settings), then a call to retrieve the contents of 'autodiscover.xml' fails, as 'autodiscover' and EWS only run on a CAS server. In that case, even if you point Entourage to a CAS server for Public Folder access (Entourage : Exchange Account Settings : Advanced tab), it can't use ASURL to pull up F/B info, and thus it falls back to the classic mechanism described above, i.e. it sends a WebDAV based query to the Public Folder server.

Delegate Rights Management - In Exchange 2007 Service Pack 1, a new web service is included for delegate management. Entourage 2008 uses that for delegate management if it is available on server side, i.e. if SP1 is installed on Exchange 2007 server. Again it works thru CAS server only because it's a web service and EWS is only available thru CAS as described above. If Entourage is connecting to Exchange 2007 RTM build or earlier versions like Exchange 2003 or 2000, then it falls back to the classic delegate rights assignment procedure which uses a direct MAPI connection to the mailbox server of the Entourage user (discussed above). The best part of using the web service for delegate management on server side is that it can work thru a pure HTTPS connection, with no need for a direct connection to the mailbox server, and thus it's location independent, as CAS servers in enterprise environments are published to Internet for OWA access. Entourage's feature-set in this regard has not changed, meaning the options available for the delegate rights management process (i.e. add/remove delegate, set desired permissions, etc.) are still the same, but now it can use the delegate management web service if it's available on server side to assign delegate rights, which is great news for remote users.

Support For Managed Folders (screenshot) - Exchange 2007 has a new feature known as 'Managed Folders' as part of Microsoft's effort to help our customers with 'Messaging Records Management'. Using managed folders Exchange administrators can provide their users with extra folders in their mailboxes to be used for archiving and journaling (or any other use) which are managed by them on server side thru custom policies configured for retention and size quota. Users interact with them like they do with any other folder in their mailboxes, the limited control makes sure that they are not able to delete the top level managed folder created and provided by their administrators, but they sure can create subfolders of any type under it and manage them as they desire. The same policies (size or quota mainly) apply to all subfolders created under a managed folder. Entourage 2008 provides identical experience to Outlook & OWA 2007 when working with managed folders on Exchange 2007 server. It syncs the contents of managed folders just like it syncs the contents of all other folders in a user's mailbox. With every managed folder administrator can also have some policy statement text which describes what that folder's purpose is and any other related information, Entourage displays that on top of the items list view where it lists all items in that folder. The size quota is also mentioned in terms of percentage used & available and the actual size in megabytes. If user exceeds the quota, an appropriate warning is displayed for user's information.

Support For Message Classification (screenshot) - Exchange 2007 also has a new feature using which users can classify a message based on administrator's provided message classifications, which can be defined and set on server side and are then available for use in different Exchange clients like OWA & Outlook 2007. This feature can be used for company wide distribution and exchange of important documents and information thru e-mail. Examples include legal documents, contract information, classified or confidential information, etc. All such classified messages usually display some text informing user what kind of information they contain and if any corporate or company policy applies with regards to the provision or exchange of such info. Entourage 2008 supports the display of those text labels at the top of such messages for its users' information.

Interoperability with Outlook 2007
Entourage 2008 also has some features which improve its interoperability with Outlook 2007. This increases the feature parity between Outlook and Entourage. Some limitations of Entourage 2008 are also mentioned below for the purpose of full disclosure.

Free/Busy Permissions (screenshot) - Outlook 2007 has added a new set of permissions for 'Free/Busy' (F/B) data for users having mailboxes on Exchange 2007 server. Users can now determine what level of free/busy information should be available and visible to other users who are trying to schedule meetings with them. These levels are: None (no F/B data is visible), Free/Busy time (only F/B time is visible in the graphic form, new permission level), Free/Busy time, subject, location (meeting time, subject and location is visible, new permission level) & Full Details (all meeting information is visible, i.e. equal to Reviewer permission). These new F/B permission levels however are not available in Entourage 2008. Using Entourage 2004 a user cannot retrieve this level of information even if he has required permissions assigned to him. Entourage 2008 though works identically to Outlook 2007 and shows appropriate F/B info to its users according to assigned permissions. Entourage uses the new 'Availability Service' provided by 'Exchange Web Services' running on an Exchange 2007 'CAS' Server for this feature. The F/B info is displayed via a tooltip above a particular free/busy block when Entourage user views F/B info for other attendees in a meeting request being composed.

Payload Calendars (screenshot) - In Outlook 2007, a user can send another person a partial or full copy of his calendar by e-mail, including free/busy information with or without details and attachments (if there are any with events). All details are included in that e-mail within an '.ics' file along with an HTML representation of the sender's calendar. If the recipient is an Entourage 2004 user then opening the '.ics' file launches Apple's iCal application and Entourage does not handle it itself. The HTML representation of the sender's calendar though appears fine in that e-mail. Even if the user changes the association of the '.ics' file to Entourage, the user can only see one event, not multiple events, if that file contains multiple events. Now in Entourage 2008 when such an '.ics' file is opened from a mail attachment, Entourage handles the file even if another application is the registered '.ics' file handler at Mac OS level. It also handles an '.ics' file containing multiple events, and the collection of individual events including their free/busy information is automatically added to the default calendar in Entourage. Attachments with any events in this case will not show up with events after they are imported to Calendar in Entourage.

Flagging & To Do Tasks - Outlook 2007 users can flag a mail item or contact and create a 'To Do' task. Entourage 2008 also includes the same feature which works identically (discussed above).

Electronic Business Card (screenshot) - Outlook 2007 contact items have a new 'Business Card' area as well as a built-in editor. A 'Send as Business Card' option allows users to exchange contacts (vCard format including images and formatting) via e-mail. Outlook users can also insert their own business cards as signatures at the end of e-mail messages. Both Entourage 2004 & 2008 display the HTML representation of incoming 'Business Card' correctly in-line in the message. Using the attached 'vcf' file that contact can also be opened and added into default 'Contacts' folder in Entourage. If that contact also has a picture embedded in it, that's also imported into Entourage when that contact is added thru its corresponding 'vcf' file. Keep in mind that Entourage 2008 does not sync the associated pictures in contacts added thru Outlook 2007, when user connects to the same Exchange mailbox using Entourage.

Meeting Updates (screenshot) - Meeting updates in Outlook 2007 now have an improved status description of any changes from preceding invite(s). The original invite data (i.e. time, location, etc.) is shown in the status area with a strikethrough directly next to the current or new value. Both Entourage 2004 & 2008 show a standard message in info bar which says: 'This is an update to an existing event'.

Sharing Messages (screenshot) - Outlook 2007 has a new method of quickly sharing calendar and contacts folders via e-mail. Using this option results in reviewer rights for the recipient as well as a request for the recipient to share the same folder. Entourage 2004 and 2008 both do not support this feature, the sharing message displays fine but has no effect on Entourage.

Delegate Changes - Outlook 2007 has added a new meeting requests forwarding option, i.e. 'My delegates only, but send a copy of meeting requests and responses to me (recommended)'. This option sends the original meeting request to the delegate, while the principal receives an informational message with the details of the invite. Entourage 2004 & 2008 users in principal roles still receive original meeting request with Accept/Decline buttons, so there is no change in Entourage's behavior due to this new feature in Outlook.

Categories - Outlook 2007 has improved its category feature which is also very identical to Entourage but Entourage still does not sync category information to & from Exchange Server thus if a user is using multiple clients to connect to his mailbox, and uses categories in Entourage, that information is still kept local in Entourage database and is not synched back to server.

RSS, InfoPath & SharePoint Integration (screenshot) - Outlook 2007 has added support for RSS feeds, improved InfoPath integration and Windows SharePoint support. These features are not supported in Entourage 2008. Only the RSS Feeds folder is accessible through Entourage if a user is also using Outlook 2007 to connect to the same mailbox. Any RSS feeds to which the user has subscribed through Outlook are also synchronized by Entourage to its local database so that the user can access them.

Entourage 2008 – New Features (Part I)


Since the release of Entourage 2008 for Mac, I have been watching the newsgroups, blogs and forums, and the request I see more than any other is for a comprehensive list of features in Entourage 2008. In this blog I will try to provide exactly what our customers and Entourage users are looking for. As my expertise mainly lies with Entourage's interaction with Exchange Server, I will also highlight the features important to Exchange users. This blog provides a list of features and a brief description of each; later I will blog on specific features in detail from users' and administrators' perspectives.

Let's start with the features which are common to all Entourage 2008 users irrespective of the type of mail server they are connecting to (Part I). In Part II I will talk about the features which are exclusive to Entourage 2008 users in an Exchange organization where they are working with other Outlook users.

Application Shell (screenshot)
The main user interface of Entourage 2008 has been redesigned to provide a modern and compelling user experience that demonstrates to its users that Entourage is a premium messaging application and an integrated part of Office for Mac suite. It consists of 4 main areas, i.e. Toolbar (on top), Folder List (on left hand side), Item List (in the middle) & Preview Pane (on right hand side). There is a new 'View Switcher' panel (top left hand corner) to switch to different available modules, i.e. Mail, Address Book, Calendar, Notes, Tasks & Projects. The new 'MiniCal' (bottom left hand corner) can now be displayed in all folder views and it can be turned on or off using the toggle button.

Customizable Toolbars (screenshot)
Every toolbar you find in Entourage 2008 is now customizable, i.e. toolbar for every folder view, item view & composition window. Users can customize it by right clicking on it and choosing the option 'Customize Toolbar' or use the same option under 'View' menu.

Favorites Bar (screenshot)
This is a new addition in Entourage 2008 and provides feature parity with Outlook for Windows. It's located just below the toolbar in the main UI. Users can drag and drop any folder (or saved search) from their 'Folder List' to the 'Favorites' bar, which creates a shortcut (or alias) for that folder that can then be used to quickly get to that folder from any view in Entourage. The 'Favorites' bar remains visible and accessible from all views in Entourage 2008, just like the main toolbar on top. Some really cool features of the 'Favorites' bar are: it displays the number of unread items right beside the folder name, drag & drop folders to add/remove & re-organize them, drag and drop items to move them from one folder to another, etc.

Folder List (screenshot)
In the new 'Folder List' the folders related to the default mail account are displayed at the top, and the rest are displayed in alphabetical order by account name. Local folders (related to 'On My Computer') show up after all the other accounts if they are not associated with a default POP mail account. The first level children folders have been shifted to the left and start at the same position as their parent folder.

To Dos (in Item List) (screenshot)
Working through the 'Item List', users can now quickly toggle the state of the flag for an item and use the contextual menu to take more precise actions to create 'To Dos'. This new feature provides more consistency with Outlook for Windows. These flags are also synched back to the user's mailbox on Exchange server and are thus also reflected in Outlook for Windows & OWA (Premium only, not Basic). Similarly, if the user flags an item as a 'To Do' item using Outlook or OWA Premium, it's also reflected in Entourage.

Preview Pane (screenshot)
Entourage 2008 also displays the e-mail sender's picture in the 'Preview Pane' if the user receives an e-mail from a contact with a picture saved in the contacts folder. Pictures associated with contacts are not synchronized with Exchange server, and pictures saved through Outlook for Windows are not available in Entourage either. All pictures are saved with their associated contacts in the local database only. The message headers also display the category color in their background when viewed in the preview pane. A new effect known as 'Glass' can be experienced in the message header area, where the background color (which reflects the category) has two distinct shades. This effect is also available in Calendar when viewing appointments and meetings in any view.

New Calendar Experience (screenshot)
All calendar views have been redesigned to provide a more solid look and feel which enhances the end user experience. There is a new 'Today' button which brings a user back to the current day in any view. The 'To Do List' (discussed later in Part II) can be displayed on the right hand side of all calendar views. It lists all 'to do' tasks (created by flagging items in Inbox) & tasks (from the local Tasks folder, which is not synchronized with Exchange server). The new 'All Day Events Area' is designed to display events that transpire over a full day or set of dates. All events have a tile-like appearance when they are placed on the calendar; they inherit the category color and exhibit the glass effect as well. They are composed of many elements like free/busy indicator, meeting title/subject, meeting location, travel time indicator & several different status icons. For users who create events on their calendars very frequently, Entourage provides a way to create them quickly by dragging the mouse from start to end time (works in both directions, up or down) and then popula