Inside Entourage by Amir : Microsoft

How To Setup Exchange 2007 Account Automatically in Entourage 2008 Thru Autodiscover

amir — Sat, 31 Jan 2009 18:42:21 GMT

Entourage 2008 with SP1 can use Autodiscover Service available on Exchange 2007 Server to configure your Exchange account automatically. In this post I will talk about this new feature from Entourage user perspective. I have also recorded a screencast to actually show you how you can do it in Entourage 2008. Please keep in mind that this feature is not available in earlier versions of Entourage (2004 and earlier) & Exchange (2003 & earlier).

What’s Autodiscover Service?
Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers for Exchange mailbox access that are running Microsoft Office Outlook 2007 or Microsoft Entourage 2008 for Mac. The Autodiscover service can also configure supported mobile devices (Windows Mobile or iPhone). The Autodiscover service provides access to Microsoft Exchange features for Outlook 2007 or Entourage 2008 clients that are connected to your Microsoft Exchange messaging environment. The Autodiscover service must be deployed and configured correctly for Outlook or Entourage clients to automatically connect to Microsoft Exchange features, such as the Availability service (used for Free/Busy info pull-up), OOF Assistant and Delegate management. Additionally, these Exchange features must be configured correctly to provide their respective functionality for Outlook & Entourage clients. You can go here for more info.

Now a couple of important points:

1. Entourage Version – Check to see which version of Entourage you are using. You should be using the latest released version (build), currently its 12.1.5 (081119). In order to check for that, launch Entourage, go to ‘Entourage’ menu on top left hand corner and then click on ‘About Entourage’, the top potion of resulting window should look like this:

If your version (build) does not match, you need to install all available updates for Office 2008 for Mac. You can do that by going to ‘Help’ menu and clicking on ‘Check for Updates’. ‘Microsoft AutoUpdate’ application will launch and you can then click on ‘Check for Updates’ button there to have it look for all available updates. It will check for released updates, will come back and report to you about them and you can then install them one by one. You can also download and install all updates from Mactopia.

2. Exchange Version – Check to see which version of Exchange Server is hosting your mailbox. You can do so by logging into your mailbox thru OWA or ‘Outlook Web Access’ (explained in screencast video). Generally organizations publish a website for this purpose, like Microsoft has published this website for its employees to log into their mailboxes thru OWA. You should have one as well, if you don’t know its address or URL, you should talk to your Exchange Server Administrator or IT Help Desk/Support in your organization.

The very first mention of Exchange Server version can be found on the main login page for OWA, it looks like this if it’s not published thru Microsoft ISA Firewall Server (see ‘Microsoft Exchange’ & ‘2007’ in the screenshot below):

Screencast video also talks about this in the beginning, where OWA has been published thru Microsoft ISA Firewall Server thus the login page looks a bit different. Let’s watch the screencast now.

Make sure you have Microsoft Silverlight installed on your machine.
This screencast video is recorded in HD (Resolution: 1280x720) with 16:9 Aspect Ratio.
Please watch it in ‘Full Screen’ mode for better experience.
To go 'Full Screen', just double click on the video.
To exit 'Full Screen' mode, double click on video again or press 'Esc' button on your keyboard.

Note: If you meet the requirements listed above and automatic Exchange account configuration still does not work for you, then it could be because your Exchange Server Administrator has not published Autodiscover Service properly. You should then contact your administrator to verify that. You can provide this link to get him started on that.

Client Certificate-based Authentication in Entourage 2008

amir — Fri, 13 Jun 2008 00:46:00 GMT

Recently Microsoft released Service Pack 1 (SP1) for Office 2008 for Mac. There are some new features in SP1 for Entourage 2008 users, one of them is 'Client Certificate-based Authentication'. In this post we will walk thru the setup on server & client sides so that it will be helpful to those who want to use this feature in Entourage.

Introduction
Entourage connects to an Exchange mailbox thru 'Exchange' virtual directory under 'Default Website' in IIS (Internet Information Server) installed on an Exchange Server. IIS provides several authentication methods and they are all discussed here & here. One of them is 'Client Certificate-based Authentication' (CCA) which works thru 'Client Certificate Mapping' on server side. Most conventional ways of authentication require the provision of username, domain & password (3-tier credentials) but CCA does not require users to provide their domain credentials. It works thru a mapping of user certificates to their accounts in Windows Active Directory. It is used where high level of security is required and domain password policies are very strict or administrators simply do not want their users to remember/enter their domain credentials for any kind of access. In those environments 'Two Factor Authentication' (RSA, Smart Card) is also used & CCA helps in its implementation. Now with the new support for CCA in Entourage, you can have your Entourage users utilize 'Two Factor Authentication' when they connect to their Exchange mailbox. Let's see how we can set it up.

Setup Details
To keep things simple, I have a single box server with Windows 2003 SP2 & Exchange 2003 SP2 (most common versions out there). It also has 'Certificate Services' (a Windows component) installed on it to act as my 'Private Root Certification Authority' (one can go with Public Root CAs like VeriSign, etc.). You can install an 'Enterprise Root CA' or a 'Standalone Root CA' (steps with screenshots), if you want to read more before installation, go here.

I installed an 'Enterprise Root CA' on my server. I used it to issue an identity certificate to IIS (Default Website) so that secured connections (SSL) can be established over port 443 by Entourage clients when they connect to 'Exchange' virtual directory to get access to their Exchange mailbox. This is a pre-requisite for CCA, steps are here.

I also used it to issue client certificates to individual Entourage users so that they can use it for CCA when connecting to their Exchange mailbox (more details later in 'Client Side Setup' section below).

Server Side Setup
There are several ways to set 'Client Certificate Mapping' on IIS, they are all discussed here. I used the 'Windows Directory Service Mapper' for my setup, as its most popular & simple to setup. I followed the steps listed here.

Note: I tested this feature successfully with '1-to-1 Mapping' as well, no issues, however I didn't test it with 'Many-to-1 Mapping', I assume that scenario will also work without any issues.

After that I went to 'Exchange' virtual directory and enabled the requirement of client certificates for authentication. To do that:

Go to IIS Manager : Default Website : Exchange : Properties : Directory Security : Secure Communications : Edit : Check the 2 boxes for 'Require secure channel (SSL)' & 'Require 128 bit encryption'
On the same window, under 'Client certificates' section, select 'Require client certificates'
Also check the box for 'Enable client certificate mapping'
The final configuration will look like this

That's it, click OK twice to get back to IIS Manager.

Now when we are set to use CCA for authentication on 'Exchange' virtual directory, we can go and turn off all other authentication methods. To do that, go to IIS : Default Website : Exchange : Properties : Directory Security : Authentication & Access Control : Edit : Uncheck all boxes here (screenshot), click OK twice to get back to IIS Manager.

Repeat the above steps now for 'Public' virtual directory which is used by Entourage to access public folders on Exchange Server.

Client Side Setup
To begin with Entourage users should follow these steps for obtaining and installing a user certificate on their Mac. I used a Mac with Tiger (Mac OS 10.4.11) and Entourage 2008 SP1 installed on it.

Launch Safari browser and go to http://<server-name>/certsrv (where 'server-name' is the name of the server where 'Private Root CA' is installed) (screenshot)
Enter your username and password when prompted (screenshot)
On the 'Welcome' page of your Root CA Server, click on 'Request a certificate' link (screenshot)
On the 'Request a certificate' page, click on 'User Certificate' link (screenshot)
On the 'User Certificate – Identifying Information' page, keep the 'Key Strength' field set to '2048 (High Grade)', click on 'Submit' button (screenshot)
On the 'Certificate Issued' page, click on 'Install this certificate' link (screenshot)
You will see the 'Downloads' window from Safari and a file by the name of 'certnew.cer' will be downloaded to your desktop (screenshot)
Double click on the 'certnew.cer' file on your desktop (screenshot)
The 'Keychain Access' application will launch and you will see the 'Add Certificates' window, keep the 'Keychain' field set to 'login' and click 'OK' (screenshot)
The user certificate will then be imported in the Keychain (screenshot)
You can double click on it to view the user certificate (screenshot)
You can also launch 'Microsoft Cert Manager' application (from Mac Hard Drive : Applications : Microsoft Office 2008 : Office) to view the certificate in 'Digital Identities' container. This is a good indication that the user certificate will work fine with CCA or digital signing and encryption of outgoing mail.

Quick Admin Check: Now in order to make sure that Entourage user account is setup properly in Windows Active Directory, take a look at its properties (thru 'Active Directory Users & Computers' or 'ADUC'), you should see the user certificate there under 'Published Certificates' tab (screenshot). If not then you can also import it (use the 'cer' file from user's Mac, see Step 7 above) using the 'Add from file' button there. Another way to add & map user certificate is to do a right click on user object in ADUC, choose 'Name Mappings', then add the user certificate there under 'X.509 Certificates' tab (screenshot).

Now let's configure Exchange account settings in Entourage, this screenshot depicts how 'Account Settings' tab should look like. Note that you do not need to provide user's domain credentials, i.e. username, domain & password. The 'Advanced' tab is where you need to select user certificate under 'Client Certificate-based Authentication' section. Clicking on 'Select' button there will provide you with the 'Choose an Identity' window which will list the user certificate there. That's it, you are done.

After that Entourage will try to connect to Exchange mailbox utilizing 'Client Certificate-based Authentication', user will see a prompt 'Confirm Access to Keychain', choose 'Always Allow' on that. This allows Entourage to access 'Keychain' in Mac OS where user certificate is stored. Entourage will then go and talk to 'Exchange' virtual directory on server. User certificate will be used for CCA and connection to Exchange mailbox will be established in seconds. We are done!

But What About GAL Access?
After some research I found that currently it is not possible in Windows Server 2003 to require CCA for LDAP connections & queries. Thus if you want your Entourage users to access your Windows Global Catalog Server (LDAP Server) for 'GAL Access' (Global Address List) feature, you will need to configure it appropriately (non-SSL over ports 3268 & 389 or SSL over ports 3269 & 636) and also provide domain credentials in Exchange account settings in Entourage. Entourage uses the same set of domain credentials provided on first tab (screenshot) for authentication against Exchange & LDAP Server. The authentication processes are separate for IIS (for Exchange mailbox & public folder access) & LDAP Server (for 'GAL Access' feature). If CCA is required for authentication by IIS (at 'Exchange' & 'Public' virtual directories), then Entourage will use client certificate for that and will only use domain credentials for authentication against LDAP Server for 'GAL Access' feature.

Smart Cards
Some organizations out there use Smart Cards to store user certificate which is generally used by them for digital signing and encryption of outgoing mail. They will continue to work in the same way for CCA feature as well. Just select the same user certificate over here as well.

DST Workaround for Entourage 2004 & 2008 Users in ANZ

amir — Tue, 01 Apr 2008 02:12:00 GMT

Update: The fixes for this issue have been released in 11.5 (Entourage 2004) & 12.1 (Entourage 2008) Updates for Office for Mac.

I wanted to quickly provide this workaround to the users of Entourage 2004 & 2008 in Australia & New Zealand (ANZ) time zones until Microsoft releases fixes thru updates at Mactopia website.

Issue
When Entourage 2004 & 2008 users organize meetings by inviting other users who are using Microsoft Outlook or OWA (Outlook Web Access) against their Exchange mailboxes (version of Exchange Server does not matter here), then those meeting attendees may see the incoming meeting invite being an hour off. This issue is not seen if all meeting attendees are Entourage users.

Cause
This happens as Entourage 2004 & 2008 use DST information from related 'Timezones' files for users in ANZ time zones, which are not up to date with current information.

Resolution
Microsoft is working to release a fix for this issue in an update for both versions of Entourage but a final release date is not available yet. When that update is available, users can safely install it and it will replace the files which they will put on their systems as a result of applying the workaround provided below.

Workaround
Below are the steps to follow for both versions of Entourage. Only Entourage users will need to apply this workaround on their machines, no action is required by other users who are using Microsoft Outlook or OWA.

Entourage 2004

Quit Entourage (Entourage should not be running when you apply this workaround)
Back up the current 'Timezones' file in folder: Mac Hard Drive : Applications : Microsoft Office 2004 : Office (just copy it to a backup folder on your hard drive)
Download the updated 'Timezones' file for Entourage 2004 from here (extract its content before proceeding to next step)
Copy the downloaded 'Timezones' file to the same location as above in Step 2, replacing the existing 'Timezones' file
That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Entourage 2008

Quit Entourage (Entourage should not be running when you apply this workaround)
Back up the current 'Timezones.ics' file, go to folder: Mac Hard Drive : Applications : Microsoft Office 2008 : Office, locate a file by the name of 'EntourageCore.framework', now Control-Click on it and choose 'Show Package Contents' in the resulting menu, a new window will appear, in that window go to folder: Versions : 12 : Resources : en.lproj (you will find the 'Timezones.ics' file here, just copy it to a backup folder on your hard drive)
Download the updated 'Timezones.ics' file for Entourage 2008 from here (extract its content before proceeding to next step)
Copy the downloaded 'Timezones.ics' file to the same location as above in Step 2, replacing the existing 'Timezones.ics' file
That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Note: Any meetings which were scheduled earlier and display the issue described in this post will not automatically get fixed. If you want to fix them, you will have to open them and make a change in them (like add one character to its subject/title or notes area, etc.), then save them and send update to all attendees. This change will force Entourage to recalculate DST info as per the updated 'Timezones' file.

Workaround Removal
If at anytime you may need to remove or undo this workaround, just follow the same steps as above and replace the 'Timezones' files with the original ones which you backed up earlier.

DST 2007 Changes & Entourage 2004 for Mac

amir — Wed, 31 Jan 2007 23:05:00 GMT

I know a lot of users out there use Entourage 2004 as an Exchange Client and are thus concerned about upcoming DST Changes in March 2007. They want to know how Entourage will handle that change and what do they or their Exchange Server Administrators need to do. Here are some important points I wanted to share in this regard.

1. Earlier in 2006 Apple made changes in its Mac OS X (in 10.4.6 Update, look under 'Other' section) so that Mac OS X is aware of new DST 2007 changes.

2. Entourage 2004 at that time wasn't updated/aware of those changes, thus users were seeing the issue as described in KB: 924606

3. Microsoft released Office 2004 for Mac 11.3.3 Update (see KB: 930402) recently to resolve that issue, so now Entourage 2004 is aware of DST 2007 changes, and thus you don't see the issue in KB: 924606.

4. If you are a consumer level user, who uses Entourage with POP/IMAP/SMTP type of accounts, you are good, issue is taken care of for you, BUT if you will exchange meetings with another user who uses an application to handle meetings which is not up to date or aware of DST 2007 changes then you or that user may still see 'meeting times not correct or off by an hour' issue.

5. This same issue will also be experienced by Entourage users who connect to mailboxes on an Exchange server, IF the Exchange server and other users (Entourage and Outlook for Windows) are not updated to be aware of DST 2007 Changes. They can test this right now to confirm this behavior with an Entourage user who has installed 11.3.3 Update and working with other Outlook users who are not updated.

6. Thus we advise customers to follow the same strategy which is outlined here, i.e. when they upgrade their other clients using Outlook for Windows (which happens after server upgrade), they can then upgrade Entourage clients as well, i.e. install 11.3.3 Update.

7. Another important point to keep in mind is that Entourage clients updated with 11.3.3 Update will work fine today but issues will come up only when they interact with clients which are not updated with DST 2007 changes. Thus in order to make sure that everyone works fine, the updates need to happen in suggested manner, i.e. severs first and then clients.

8. The 11.3.3 Update will make sure that Entourage handles all new meetings which span during the new DST time period properly. For meeting invites sent out prior to the 11.3.3 Update and in the new DST window, Entourage will not send meeting updates to announce the adjusted times. As long as the Outlook attendees apply the upcoming patch and Entourage users are up to date, this should not be an issue. They will all have their events adjusted consistently. For attendees using an application unaware of the new DST rules, the meeting times will be off for these events. Entourage product group will not be releasing any client side Update Tool either like you will have for Outlook for Windows. If you are concerned about this specific issue as this may impact your Entourage users working with other internal and external users, we advise to test and use the Time Zone Update Tools (when they become available). The Exchange server side version specifically would be better in my view. Using that Exchange Server Administrators can then take care of the issue with existing meetings in Entourage users' calendars.