Inside Entourage by Amir

A Blog Focussed on Entourage for Mac & Exchange Server

August, 2008

  • Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox

    In this blog post I wanted to talk about an issue we have seen often enough while working with our enterprise customers that it warrants a post of its own.

    Issue
    When connecting to an Exchange mailbox, the Entourage user sees the following error repeatedly. The user enters the correct credentials (username, password & domain) but the same error comes back again, effectively entering a never-ending loop. We have seen this on all currently supported versions of Exchange & Entourage. This error can also come up when:

    a. User tries to permanently delete or move a large number of messages from his Exchange mailbox

    b. User tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox

    Cause
    When Entourage tries to permanently delete messages from a folder in the Exchange mailbox, Exchange Server uses the TEMP (temporary) folder for that operation. If the Entourage user does not have the required permissions on that TEMP folder, the server returns a '401, Access Denied' error. Moving messages in Entourage involves a permanent deletion from the source folder, so it results in the same issue.

    Resolution
    There are two parts to it.

    1. Locating TEMP & TMP Folders

    a. Non-Clustered Servers
    First determine which TEMP folder is set as the default on the back-end Exchange Mailbox Server, because that is where the delete operation actually takes place. The default location of the TEMP folder is set under the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
    REG_EXPAND_SZ: TEMP
    Value: <PATH>\TEMP

    By default, the TEMP folder is located at: '%SystemRoot%\TEMP' which is usually 'C:\WINDOWS\TEMP'

    Another place to check this is the Control Panel on the Exchange Server: go to System : Advanced : Environment Variables : System Variables (see the screenshot below).

    Same check applies for TMP folder, if there is one located on your drive. The above registry key should have an entry for TMP folder as well.

    b. Clustered Servers
    On clustered servers, the following registry keys are used to specify the locations of TEMP & TMP folders (Ref.).

    HKEY_USERS\<Cluster service account SID>\Environment\TEMP

    HKEY_USERS\<Cluster service account SID>\Environment\TMP

    2. Verifying Permissions
    Now let's verify the permissions assigned on the TEMP folder. The 'Authenticated Users' group (the Entourage user belongs to this group) should have the following special permissions:

    Traverse Folder / Execute File
    Create Files / Write Data
    Create Folders / Append Data

    To check these permissions, locate the TEMP folder, right-click it and choose 'Properties', go to the 'Security' tab, highlight 'Authenticated Users' and, under the 'Permissions for Authenticated Users' section, click the 'Advanced' button (see the screenshot below).

    You will then see the 'Advanced Security Settings for TEMP' window (see the screenshot below).

    Highlight the entry for 'Authenticated Users' in that window and then click the 'Edit' button to view/edit the permissions. The screenshot below shows the required permissions assigned properly.

    Same check applies for TMP folder, if there is one located on your drive.

    Redirected TEMP/TMP Folder
    If the TEMP/TMP folder has been redirected to the D (or any other) drive on the Exchange Server, we suggest granting the above permissions at the following three levels:

    1. Drive level, especially at the root of the drive, if you notice that the 'Authenticated Users' group is simply missing there

    2. The TEMP/TMP folder itself

    3. Any sub-folders inside the TEMP folder that have numeric names (like 1, 2, etc.); such folders have been seen on clustered servers

    Important
    You will need to restart IIS (Internet Information Server) on every server where you changed these permissions, i.e. the back-end mailbox servers as well as the front-end servers to which Entourage users connect for mailbox access.
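    The following script is an added example, not part of the original post: it reads the TEMP and TMP locations from the registry key named above (the non-clustered case) and checks, at the drive root, the folder itself and any numerically named sub-folders, that 'Authenticated Users' holds the three special permissions listed under 'Verifying Permissions'. Run it in an elevated PowerShell on the mailbox server; it only reports, it changes nothing.

```powershell
# Added example (not from the original post): verifies the Authenticated Users
# permissions this post requires on TEMP/TMP of a non-clustered Exchange server.
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
# Match the group by its well-known SID rather than by (possibly localized) name.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
# Traverse Folder/Execute File, Create Files/Write Data, Create Folders/Append Data.
$required = [int][System.Security.AccessControl.FileSystemRights]'ExecuteFile, WriteData, AppendData'

function Get-AuthenticatedUsersRights([string]$Path) {
    # OR together every Allow ACE granted to Authenticated Users on $Path.
    $granted = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $authUsers) { continue }
        $granted = $granted -bor [int]$ace.FileSystemRights
    }
    return $granted
}

function Test-TempFolder([string]$Path) {
    $granted = Get-AuthenticatedUsersRights $Path
    # An ACE carrying GENERIC_ALL (0x10000000) implies every specific right.
    if ($granted -band 0x10000000) { $granted = $granted -bor $required }
    $missing = $required -band (-bnot $granted)
    if ($missing -eq 0) {
        Write-Output "OK       $Path"
    } else {
        $names = [System.Security.AccessControl.FileSystemRights]$missing
        Write-Output "MISSING  $Path : $names"
    }
}

foreach ($name in 'TEMP', 'TMP') {
    $value = (Get-ItemProperty -Path $envKey -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) { Write-Output "$name is not defined under $envKey"; continue }
    # Get-ItemProperty already expands REG_EXPAND_SZ values such as %SystemRoot%\TEMP;
    # expanding again is harmless and covers a value stored as plain REG_SZ.
    $folder = [Environment]::ExpandEnvironmentVariables($value)
    if (-not (Test-Path $folder)) { Write-Output "$name points to a missing folder: $folder"; continue }
    Write-Output "--- $name = $folder"
    # The three levels named in the post: drive root, the folder, numbered sub-folders.
    $targets = @([System.IO.Path]::GetPathRoot($folder), $folder)
    $targets += Get-ChildItem -Path $folder |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' } |
        ForEach-Object { $_.FullName }
    foreach ($t in $targets) { Test-TempFolder $t }
}
```

    On a clustered server, replace $envKey with the HKEY_USERS\<Cluster service account SID>\Environment key from the 'Clustered Servers' section.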

    More Info
    If your Entourage users are running into this issue, the IIS log on the Exchange Server (front-end and/or back-end) and a TCPFlow log on the Entourage client will show the following:

    a. 'BDELETE' request from client

    b. '401' error response from server

    IIS Trace Sample

    2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0

    2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0

    TCPFlow Trace Sample

    192.168.120.110.54103-192.168.137.121.00080:
    BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1

    192.168.137.121.00080-192.168.120.110.54103:
    HTTP/1.1 401 Unauthorized

  • E-mail Download Issue in Entourage With Exchange 2007 on Windows 2008

    In this blog post I wanted to talk about another new issue experienced by our customers who are working with Exchange 2007 on Windows 2008. Windows Server 2008 is the key here, as it brings IIS 7 (Internet Information Server) and its default security restrictions.

    Issue
    Using Entourage for Mac (2004 or 2008) to connect to an Exchange 2007 mailbox on a Windows 2008 Server, the user cannot download any e-mail message that has a plus sign in its subject line, like 'Test + Mail'.

    Cause
    Entourage's request to download this e-mail message goes through IIS 7 on the Windows 2008 Server, which is configured (by default) to deny 'double escape sequences' in any HTTP request, so it rejects the request with a '404.11' error.

    Resolution
    Entourage talks to the 'Exchange' virtual directory (for mailbox access) under the 'Default Web Site' on IIS, so you can use the following procedure to allow 'double escape sequences' only at that level to address this issue. This minimizes the risk you take by enabling double escaping. Enabling the use of 'double escape sequences' does carry some risk, so please go through the links under the 'More Info' section below to educate yourself on the issue and the risks involved before you work on the steps below.

    Quick & Easy Way
    You will need to run this command on all of your Exchange 2007 CAS and Mailbox Servers, as IIS is installed on them by default.

    Bring up a Windows 'Command Prompt', type the following command and hit 'Enter'; that's it, you are done!

    %windir%\system32\inetsrv\appcmd set config "http://localhost/Exchange" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true /commit:apphost

    You will see the following response after running the above command in the same window.

    Applied configuration changes to section "system.webServer/security/requestFiltering" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"

    After running this command you don't need to restart any services on the server; just run the command and ask your Entourage users to check whether the issue has been resolved for them. At most you may ask them to re-launch Entourage.

    OR, if you are interested in the details, you can follow the manual steps outlined below.

    Manual Steps
    1. Bring up Notepad : File : Open, type %windir%\System32\inetsrv\config\applicationHost.config in the 'File name' box, and then click 'Open'.

    2. Locate the section titled as: <location path="Default Web Site/Exchange">

    3. Under that section locate the </authentication> tag

    4. Just after that, insert the following text on a new line: <requestFiltering allowDoubleEscaping="true" />

    5. Save the file and 'Exit' Notepad

    Again, no restart of any service is required.

    Note:
    Entourage also talks to the 'Public' virtual directory (for public folder access) under the 'Default Web Site' on IIS, so you will need to follow the same procedure for the 'Public' virtual directory as well. The same instructions apply; just replace 'Exchange' with 'Public' in all the steps above.

    Details
    Let's go into the details of this issue. First, let's see how this issue looks to an Entourage user when he views his Inbox through Outlook Web Access and Entourage.

    Outlook Web Access thru Safari (note the presence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

    Entourage 2008 (note the absence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

    So how did it happen? Let's review the TCPFlow trace pasted below, which I took on the Entourage user's machine. Important parts are highlighted in red.

    65.53.65.121 = Entourage Client

    172.30.142.217 = Exchange 2007 CAS Server

    In the trace snippet pasted below the Entourage client asks (through a SEARCH command) whether there are any changes in the user's Inbox, i.e. whether there are any new items for Entourage to retrieve and sync down to its local database.

    065.053.065.121.51253-172.030.142.217.00080:
    SEARCH /exchange/john/Inbox/ HTTP/1.1
    Host: 172.30.142.217
    From: 65.53.65.121
    User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
    Accept: */*
    Accept-Language: en
    Content-Type: text/xml; charset="utf-8"
    Brief: t
    Translate: F
    Range: Rows=0-512
    Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
    cadata="4Soepik9ZpG1ev4w+C87pKQrHkOOeTHX4IiYZdRzhFlUtMQICwpFE3
    /xSe3jJmd6QpyBoZI08NwuacKT+wAeWBA==";
    OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
    Content-Length: 743
    Accept-Encoding: gzip
    Connection: Keep-Alive

    065.053.065.121.51253-172.030.142.217.00080:
    <?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"
    xmlns:R="http://schemas.microsoft.com/repl/">
    <R:repl><R:collblob>toCTAAMAAQIgzWX+UAA=</R:collblob>
    </R:repl><D:sql>SELECT
    "http://schemas.microsoft.com/repl/repl-uid",
    "http://schemas.microsoft.com/repl/resourcetag",
    "http://schemas.microsoft.com/mapi/proptag/x001A001F",
    "http://schemas.microsoft.com/mapi/sensitivity",
    "urn:schemas:httpmail:read", "urn:schemas:httpmail:datereceived"
    FROM SCOPE ('SHALLOW TRAVERSAL OF "/exchange/john/Inbox/"')
    WHERE "http://schemas.microsoft.com/mapi/proptag/0x67aa000b"
    = false AND "DAV:isfolder" = false</D:sql></D:searchrequest>

    And here comes the response from the server with the URL of the new item, which is an e-mail with the subject 'Test + Mail' (we are working with only one message to keep things simple) …

    172.030.142.217.00080-065.053.065.121.51253:
    HTTP/1.1 207 Multi-Status
    Transfer-Encoding: chunked
    Content-Type: text/xml
    Content-Range: rows 0-0; total=*
    Accept-Ranges: rows
    Server: Microsoft-IIS/7.0
    Set-Cookie: OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}; path=/
    MS-WebStorage: 08.01.10240
    MS-WebStorage: 08.01.10240
    X-Powered-By: ASP.NET
    X-Powered-By: ASP.NET
    Date: Fri, 20 Jun 2008 21:46:52 GMT

    172.030.142.217.00080-065.053.065.121.51253:
    <?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
    xmlns:g="urn:schemas:httpmail:"
    xmlns:f="http://schemas.microsoft.com/mapi/"
    xmlns:c="xml:"
    xmlns:e="http://schemas.microsoft.com/mapi/proptag/"
    xmlns:d="http://schemas.microsoft.com/repl/"
    xmlns:a="DAV:"><a:contentrange>
    0-0</a:contentrange><a:response><a:href>
    http://172.30.142.217/exchange/john/Inbox/Test%20%2B%20Mail.EML
    </a:href><d:changetype>new</d:changetype><a:propstat><a:status>
    HTTP/1.1 200 OK</a:status><a:prop><d:repl-uid>
    rid:d17078df5926b048921786b466da7185000220cd63ff
    </d:repl-uid><d:resourcetag>rt:d5926b04892185000220cd728e
    </d:resourcetag><e:x001A001F>IPM.Note</e:x001A001F>
    <f:sensitivity b:dt="int">0</f:sensitivity><g:read b:dt="boolean">0
    </g:read><g:datereceived b:dt="dateTime.tz">
    20080620T21:46:46.895Z</g:datereceived></a:prop></a:propstat>
    </a:response><d:repl><d:collblob>toaUAABAAYAAiDNY/8A</d:collblob>
    </d:repl></a:multistatus>

    In the snippet below Entourage tries to fetch the new mail message using the URL provided by the server …

    065.053.065.121.51253-172.030.142.217.00080:
    PROPFIND /exchange/john/Inbox/Test%20%2B%20Mail.EML HTTP/1.1
    Host: 172.30.142.217
    From: 65.53.65.121
    User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
    Accept: */*
    Accept-Language: en
    Content-Type: text/xml; charset="utf-8"
    Depth: 0
    Brief: t
    Translate: F
    Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
    cadata="4Soepik9ZpG1ev4wJmd6QpyBoZI08NwuacKT+wAeWBA==";
    OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
    Content-Length: 646
    Accept-Encoding: gzip
    Connection: Keep-Alive

    And Entourage receives a 404 error from the server for its request, because IIS 7 on that Windows 2008 Server (with Exchange 2007) does not allow the use of 'double escape sequences' in any incoming HTTP request.

    172.030.142.217.00080-065.053.065.121.51253:
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/7.0
    X-Powered-By: ASP.NET
    Date: Fri, 20 Jun 2008 21:46:52 GMT
    Content-Length: 1245
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html;
    charset=iso-8859-1"/>
    <title>404 - File or directory not found.</title>
    <style type="text/css">
    <!--
    body{margin:0;font-size:.7em;font-family:Verdana, Arial,
    Helvetica, sans-serif;background:#EEEEEE;}
    fieldset{padding:0 15px 10px 15px;}
    h1{font-size:2.4em;margin:0;color:#FFF;}
    h2{font-size:1.7em;margin:0;color:#CC0000;}
    h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
    #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;
    font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
    background-color:#555555;}
    #content{margin:0 0 0 2%;position:relative;}
    .content-container{background:#FFF;width:96%;margin-top:8px;
    padding:10px;position:relative;}
    -->
    </style>
    </head>
    <body>
    <div id="header"><h1>Server Error</h1></div>
    <div id="content">
    <div class="content-container"><fieldset>
    <h2>
    404 - File or directory not found.</h2>
    <h3>
    The resource you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    </h3>
    </fieldset></div>
    </div>
    </body>
    </html>

    Now if you look in the IIS log on the Exchange 2007 CAS or Mailbox Servers, you will find the following entries:

    CAS
    2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

    Mailbox
    2008-06-20 14:38:09 172.30.142.218 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 172.30.142.217 Exchange-Server-Frontend-Proxy/6.5+Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0
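    The following script is an added example, not part of either post: it scans IIS W3C log lines for the two Entourage signatures described on this page, the BDELETE answered with 401 from the first post's 'More Info' section and the 404.11 on a '+' URL shown just above, and it includes a simplified model of the double-escaping check (my approximation, not IIS's code). The log lines it scans are constructed samples in the page's log format; pass the contents of a real IIS log file to -Lines to scan that instead.

```powershell
# Added example (not from the original posts): flag the Entourage symptoms this
# page describes in IIS W3C log lines. Sample lines are constructed, modelled on
# the IIS log entries quoted in both posts.
function Find-EntourageIssue {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields header says which column is which; IIS 6 and IIS 7 logs
        # use different layouts, so positions are never hard-coded.
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if (-not $fields -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        $issue = $null
        # A 401 logged with '-' as the user is the normal NTLM/Kerberos challenge;
        # the loop in post 1 is a 401 returned to an already authenticated user.
        if ($row['cs-method'] -eq 'BDELETE' -and $row['sc-status'] -eq '401' -and $row['cs-username'] -ne '-') {
            $issue = 'BDELETE rejected with 401: check TEMP/TMP permissions'
        } elseif ($row['sc-status'] -eq '404' -and $row['sc-substatus'] -eq '11' -and
                  $row['cs-uri-stem'] -match '^/(exchange|public)/' -and $row['cs-uri-stem'].Contains('+')) {
            $issue = '404.11 URL_DOUBLE_ESCAPED: allowDoubleEscaping is off for this vdir'
        }
        if ($issue) {
            New-Object PSObject -Property @{
                When = $row['date'] + ' ' + $row['time']; User = $row['cs-username']
                Client = $row['c-ip']; Uri = $row['cs-uri-stem']; Issue = $issue }
        }
    }
}

# Simplified model of the IIS 7 check (an approximation): decode the path once,
# decode the result again, and treat the request as double-escaped if that changes it.
# 'Test%20%2B%20Mail.EML' decodes to 'Test + Mail.EML', whose '+' decodes once more.
function Test-DoubleEscaped([string]$UriPath) {
    Add-Type -AssemblyName System.Web
    $once  = [System.Web.HttpUtility]::UrlDecode($UriPath)
    $twice = [System.Web.HttpUtility]::UrlDecode($once)
    return $once -ne $twice
}

$sample = @(
 '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status',
 '2008-08-10 07:05:33 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0',
 '2008-08-10 07:05:34 192.168.137.121 PROPFIND /exchange/john/Inbox/ - 80 - 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 2 5',
 '2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0',
 '2008-06-20 14:38:10 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0'
)
Find-EntourageIssue -Lines $sample | Format-Table When, User, Client, Uri, Issue -AutoSize
Test-DoubleEscaped '/exchange/john/Inbox/Test%20%2B%20Mail.EML'
Test-DoubleEscaped '/exchange/john/Inbox/Test%20Mail.EML'
```

    Only the first and third sample lines are reported: the second is an ordinary authentication challenge and the fourth succeeded with 207 Multi-Status.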

    More Info
    For more info, you can go through the following links:

    Blog : IIS7 Rejecting URLs Containing Plus Sign '+'

    Article : Double Encoding

    KB 942076 : Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"

    KB 943891 : The HTTP status codes in IIS 7.0

  • Understanding How You Use This Blog

    Hello Readers,
    Here is a guest post from our director, who needs your input to help us make these blogs better. Thanks for your time!

    ---------------------------------------------------------------

    Greetings Blog Readers,
    My name is Ed Jolly, and I am a director in the Commercial Technical Support (CTS) organization at Microsoft. I am here to request a few minutes of your time.

    We would like to learn more about blog readership through a brief survey. This is an opportunity for us to better understand what is valuable to you and what you would like to see in the future.

    Below is a link that will take you to another website to complete the survey. Based on what we learn, we may request more feedback in future surveys like this. When you open the survey, you will see a list of blogs that CTS engineers contribute to across many different products. We have not posted a listing of these blogs in the past, and I hope it helps you find other blogs that are helpful to you.

    The blog survey is completely anonymous.

    Location: < Survey Period Expired, Link Removed >

    Availability: Until August 22. You may receive a request to complete this survey through multiple RSS feeds. You need only to complete it one time.

    Length: The survey can be a maximum of 11 questions.

    Time: Less than 5 minutes (but providing more information in the open text fields may take a minute or two extra, improving our ability to understand your needs in these blogs).

    Thank you in advance for your time, participation and assistance.

    Ed Jolly (edjolly@microsoft.com)