In this blog post I want to talk about an issue that we have seen often enough while working with our enterprise customers that it warrants a post.
Issue
When connecting to an Exchange mailbox, the Entourage user sees the following error repeatedly. The user enters the correct credentials (username, password and domain), but the same error comes back, effectively creating a never-ending loop. We have seen this on all currently supported versions of Exchange and Entourage. This error can also come up when:
a. User tries to permanently delete or move a large number of messages from his Exchange mailbox
b. User tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox
Cause
When Entourage tries to permanently delete messages from a folder in an Exchange mailbox, Exchange Server uses the TEMP (temporary) folder for that operation. If the Entourage user does not have the required permissions on that TEMP folder, the server issues a '401, Access Denied' error. Moving messages in Entourage involves permanent deletion from the source folder, so it results in the same issue.
Resolution
There are two parts to it.
1. Locating TEMP & TMP Folders
a. Non-Clustered Servers
First determine which TEMP folder is set as the default on the back-end Exchange Mailbox Server, because that is where the delete operation actually takes place. The default location of the TEMP folder is set under the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
REG_EXPAND_SZ: TEMP
Value: <PATH>\TEMP
By default, the TEMP folder is located at: '%SystemRoot%\TEMP' which is usually 'C:\WINDOWS\TEMP'
Another place to check this: open 'Control Panel' on the Exchange Server and go to System : Advanced : Environment Variables : System Variables (see the screenshot below)
Same check applies for TMP folder, if there is one located on your drive. The above registry key should have an entry for TMP folder as well.
b. Clustered Servers
On clustered servers, the following registry keys are used to specify the locations of TEMP & TMP folders (Ref.).
HKEY_USERS\<Cluster service account SID>\Environment\TEMP
HKEY_USERS\<Cluster service account SID>\Environment\TMP
2. Verifying Permissions
Now let's verify the permissions assigned on the TEMP folder. The 'Authenticated Users' group (the Entourage user belongs to this group) should have the following special permissions:
Traverse Folder / Execute File
Create Files / Write Data
Create Folders / Append Data
To check these permissions, locate the TEMP folder, right-click it and choose 'Properties', go to the 'Security' tab, highlight 'Authenticated Users' and, under the 'Permissions for Authenticated Users' section, click the 'Advanced' button (see the screenshot below)
You will then see the 'Advanced Security Settings for TEMP' folder window (see the screenshot below)
Highlight the entry for 'Authenticated Users' in the above window and then click the 'Edit' button to view/edit the permissions. The screenshot below displays the required permissions assigned properly.
Same check applies for TMP folder, if there is one located on your drive.
Redirected TEMP/TMP Folder
If the TEMP/TMP folder has been redirected to the D (or any other) drive on the Exchange Server, it is suggested to specify the above permissions at the following three levels:
1. Drive level, especially at the root of drive if you notice that 'Authenticated Users' group is simply missing
2. TEMP/TMP folder
3. Any sub-folders inside the TEMP folder that have numerical names (like 1, 2, etc.), as such folders have been seen on clustered servers
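The two resolution steps above as a script; this is an added example, not part of the original post. It reads TEMP and TMP from the registry key named above and reports which of the three special permissions 'Authenticated Users' is missing on each folder and its first-level sub-folders. The function name Test-TempFolderAcl is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the Exchange server.
# On a clustered server, point $envKey at the cluster service account's hive instead:
#   'Registry::HKEY_USERS\<Cluster service account SID>\Environment'
$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# The three special permissions from the post as FileSystemRights flags:
# Traverse = ExecuteFile, CreateFiles = WriteData, CreateDirectories = AppendData.
$required = [int][System.Security.AccessControl.FileSystemRights]'Traverse, CreateFiles, CreateDirectories'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$authUsersSid = 'S-1-5-11'   # well-known SID of 'Authenticated Users'

function Test-TempFolderAcl {   # hypothetical helper name
    param([string]$Path)
    $granted = 0
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # Skip other principals, Deny ACEs, and ACEs that apply only to children.
        if ($ace.IdentityReference.Value -ne $authUsersSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $granted = $granted -bor [int]$ace.FileSystemRights
    }
    $missing = $required -band (-bnot $granted)
    New-Object PSObject -Property @{
        Path    = $Path
        Ok      = ($missing -eq 0)
        Missing = [System.Security.AccessControl.FileSystemRights]$missing
    }
}

foreach ($name in 'TEMP', 'TMP') {
    $value = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).$name
    if (-not $value) { Write-Warning "$name is not set under $envKey"; continue }
    $folder = [Environment]::ExpandEnvironmentVariables($value)
    if (-not (Test-Path -Path $folder -PathType Container)) {
        Write-Warning "$name points to '$folder', which does not exist"; continue
    }
    # Check the folder itself plus first-level sub-folders (for example the
    # numbered ones seen on clustered servers).
    Test-TempFolderAcl -Path $folder
    Get-ChildItem -Path $folder | Where-Object { $_.PSIsContainer } |
        ForEach-Object { Test-TempFolderAcl -Path $_.FullName }
}
```

The script only looks at Allow entries made out to 'Authenticated Users' in specific rights; rights granted through other groups or through generic-rights ACEs are not counted, so a result of Ok = False means the entry the post describes is absent, not necessarily that access is denied.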
Important
You will need to restart IIS (Internet Information Server) on all servers where you made these permission changes, i.e. the back-end mailbox servers as well as the front-end servers to which Entourage users connect for mailbox access.
More Info
If your Entourage users are running into this issue, then the IIS log on the Exchange Server (front-end and/or back-end) and the TCPFlow log on the Entourage client will show the following:
a. 'BDELETE' request from client
b. '401' error response from server
IIS Trace Sample
2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0
2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0
TCPFlow Trace Sample
192.168.120.110.54103-192.168.137.121.00080:BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1
192.168.137.121.00080-192.168.120.110.54103:HTTP/1.1 401 Unauthorized
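Added example, not part of the original post: a PowerShell function that scans W3SVC log lines for the pattern described above, repeated BDELETE requests answered with 401 for the same user and folder. The function name, the threshold parameter and the sample lines are constructed for illustration; the column order falls back to the one in the post's trace when the log has no #Fields header.

```powershell
# Constructed sample lines, modelled on the W3SVC trace in the post.
$sample = @'
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-10 07:05:30 W3SVC1 192.168.137.121 PROPFIND /exchange/john/Inbox/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0
2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0
2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0
2008-08-10 07:06:02 W3SVC1 192.168.137.121 BDELETE /exchange/mary/Deleted+Items/ - 80 CONTOSO\MARY 192.168.120.111 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0
'@ -split "`r?`n"

function Find-BDeleteAuthLoop {   # hypothetical helper name
    param([string[]]$Line, [int]$Threshold = 2)
    # Fallback column order: the one visible in the post's IIS trace sample.
    $fields = 'date', 'time', 's-sitename', 's-ip', 'cs-method', 'cs-uri-stem',
              'cs-uri-query', 's-port', 'cs-username', 'c-ip', 'cs(User-Agent)',
              'sc-status', 'sc-substatus', 'sc-win32-status'
    $hits = foreach ($l in $Line) {
        # A #Fields directive redefines the column order for the lines after it.
        if ($l -like '#Fields:*') {
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }
        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-method'] -eq 'BDELETE' -and $row['sc-status'] -eq '401') {
            New-Object PSObject -Property @{
                User      = $row['cs-username']
                Uri       = $row['cs-uri-stem']
                SubStatus = $row['sc-substatus']
            }
        }
    }
    # Report each user/folder pair that was refused at least $Threshold times.
    $hits | Group-Object User, Uri | Where-Object { $_.Count -ge $Threshold } |
        Select-Object Count, Name,
            @{ Name = 'SubStatus'; Expression = { ($_.Group | ForEach-Object { $_.SubStatus }) -join ',' } }
}

Find-BDeleteAuthLoop -Line $sample
```

On the sample this reports one group, CONTOSO\JOHN on /exchange/john/Deleted+Items/ with two refusals (sub-statuses 5 and 1); for a real server, pass the output of Get-Content on the site's W3SVC log file as -Line.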
I get this same issue every single day, not with Exchange mailboxes, but with external IMAP accounts - i.e. Gmail.
Disappointing - what if your exchange server is hosted?
Outlook never has these problems.
Any chance we are ever going to get an Exchange client for the Mac that doesn't suck?
Hi, this describes my situation exactly.
My exchange server is hosted, is there a work around I can do on my side, until my host or MS Entourage make a fix? Like telling the sync to skip the Deleted Items directory?
Would setting up a new account (in Entourage, to the same exchange account) fix this?
Talk to your Hosting Service Provider, they need to read this blog and look for the symptoms and if they do have this problem, then use the steps here to fix it. I actually just worked with such a company to fix this issue for their users.
Yes, you can try setting up your Exchange account in a new identity, that may prevent you from running into the issue but don't move or delete messages in large numbers then. Still better would be to contact your service provider to have it fixed on server side.
To be really honest, that's not correct, see: http://support.microsoft.com/kb/312630. In the end it can happen with any client, look at the cause here in my blog or in the KB article, we can't blame Entourage or Outlook, they are just relaying what they got from server and server can't be blamed either, cos it's not configured properly.
Thanks Amir - I'll try setting up a new account in Entourage to the same exchange account.
We've made a support ticket with our host.
I figured something out to help here. I had the same issues as above using Entourage 2008 and gmail. I tried to delete 600 plus junk emails from Entourage 2008 and that's when I had an issue.
The solution was to go to gmail via the web and delete the junk emails, then via Entourage remove the gmail account, which then emptied the Entourage cache. I then re-added the gmail account and everything worked just fine!
Hi Amir, I appreciate this post! I've been hunting for a solution to this for weeks. However, I have followed steps but still have one Mac that keeps getting the error. Yes, there were a lot of messages that he dumped into his Exchange account on the Mac so I'm certain it's the same issue. I'm looking at doing a trace in IIS to make sure. Can you give me a hint as to the provider you traced on? When I set logman to do a full IISAll trace with verbose logging I'm not seeing entries even remotely similar to what you show.
Sorry for the delayed response, I am on extended leave these days. The IIS trace sample in my blog post above is from the default W3SVC log, I haven't customized it at all.
I use entourage 2008 and have this same issue. My setup has ex2007+win2008. However authenticated users is not present in the win2008 TEMP folder permissions.
I have added, will see if that fixes the issue.
The changes did not seem to resolve the issue. I am going to try and give the IIS user the same perms to see if that fixes.
Still get the popup for user/pass. No luck.
Please call in at 1-800-Microsoft and open a support incident, someone needs to work with you on your issue to ascertain the root cause and an appropriate resolution.