Inside Entourage by Amir

Current Status

Amir Haque [MSFT] — Mon, 09 Nov 2009 17:51:00 GMT

Hello Everyone,

This blog is not being updated anymore as I have moved to another team (Exchange Product Quality) and job (Program Manager for Exchange CAS) at Microsoft. As you can guess from words in paranthesis, I still work for Exchange but my concentration is not on Entourage or Outlook for Mac, rather on Exchange Client Access Server.

Now, if you have Questions & want Answers from Entourage Experts, go to Entourage Forum.

If you want to learn more about:

1. 'Entourage for Mac', head over to: Entourage Help Page - excellent website maintained by MVPs, highly recommended!

2. 'Entourage News & Issues', check out: Entourage Help Blog - the blog from Entourage MVPs, regularly updated, valuable resource!

3. 'Office for Mac', try: Mac Mojo: Office for Mac Team Blog - name says it all, source of news & technical info as well!

4. 'All Things Exchange', you should run to: EHLO - Exchange Team Blog - excellent blog with a wealth of info, one of the first & best in 'blog industry'!

All The Best,

- Amir

11/9/2009

How To Setup Exchange 2007 Account Automatically in Entourage 2008 Thru Autodiscover

Amir Haque [MSFT] — Sat, 31 Jan 2009 15:42:00 GMT

Entourage 2008 with SP1 can use Autodiscover Service available on Exchange 2007 Server to configure your Exchange account automatically. In this post I will talk about this new feature from Entourage user perspective. I have also recorded a screencast to actually show you how you can do it in Entourage 2008. Please keep in mind that this feature is not available in earlier versions of Entourage (2004 and earlier) & Exchange (2003 & earlier).

What’s Autodiscover Service?
Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers for Exchange mailbox access that are running Microsoft Office Outlook 2007 or Microsoft Entourage 2008 for Mac. The Autodiscover service can also configure supported mobile devices (Windows Mobile or iPhone). The Autodiscover service provides access to Microsoft Exchange features for Outlook 2007 or Entourage 2008 clients that are connected to your Microsoft Exchange messaging environment. The Autodiscover service must be deployed and configured correctly for Outlook or Entourage clients to automatically connect to Microsoft Exchange features, such as the Availability service (used for Free/Busy info pull-up), OOF Assistant and Delegate management. Additionally, these Exchange features must be configured correctly to provide their respective functionality for Outlook & Entourage clients. You can go here for more info.

Now a couple of important points:

1. Entourage Version – Check to see which version of Entourage you are using. You should be using the latest released version (build), currently its 12.1.5 (081119). In order to check for that, launch Entourage, go to ‘Entourage’ menu on top left hand corner and then click on ‘About Entourage’, the top potion of resulting window should look like this:

If your version (build) does not match, you need to install all available updates for Office 2008 for Mac. You can do that by going to ‘Help’ menu and clicking on ‘Check for Updates’. ‘Microsoft AutoUpdate’ application will launch and you can then click on ‘Check for Updates’ button there to have it look for all available updates. It will check for released updates, will come back and report to you about them and you can then install them one by one. You can also download and install all updates from Mactopia.

2. Exchange Version – Check to see which version of Exchange Server is hosting your mailbox. You can do so by logging into your mailbox thru OWA or ‘Outlook Web Access’ (explained in screencast video). Generally organizations publish a website for this purpose, like Microsoft has published this website for its employees to log into their mailboxes thru OWA. You should have one as well, if you don’t know its address or URL, you should talk to your Exchange Server Administrator or IT Help Desk/Support in your organization.

The very first mention of Exchange Server version can be found on the main login page for OWA, it looks like this if it’s not published thru Microsoft ISA Firewall Server (see ‘Microsoft Exchange’ & ‘2007’ in the screenshot below):

Screencast video also talks about this in the beginning, where OWA has been published thru Microsoft ISA Firewall Server thus the login page looks a bit different. Let’s watch the screencast now.

Note: If you meet the requirements listed above and automatic Exchange account configuration still does not work for you, then it could be because your Exchange Server Administrator has not published Autodiscover Service properly. You should then contact your administrator to verify that. You can provide this link to get him started on that.

Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox

Amir Haque [MSFT] — Tue, 12 Aug 2008 01:18:04 GMT

In this blog I wanted to talk about an issue which we have seen enough number of times working with our enterprise customers that it warrants a blog.

Issue
When connecting to an Exchange mailbox Entourage user sees the following error repeatedly. User enters correct credentials (username, password & domain) but same error comes back again thus effectively entering a never ending loop. We have seen this on all currently supported versions of Exchange & Entourage. This error can also come up when:

a. User tries to permanently delete or move a large number of messages from his Exchange mailbox

b. User tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox

Cause
When Entourage tries to permanently delete messages from a folder in Exchange mailbox, Exchange Server utilizes the TEMP (temporary) folder for that operation. If Entourage user does not have required permissions on that TEMP folder, server issues a '401, Access Denied' error. Moving messages in Entourage involves permanent deletion from source folder, thus it results in the same issue.

Resolution
There are two parts of it.

1. Locating TEMP & TMP Folders

a. Non-Clustered Servers
First determine which TEMP folder is set as default on Exchange Mailbox Server on the back-end, cos that's where the delete operation actually takes place. The default location of TEMP folder is set under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrrentControlSet\Control\Session Manager\Environment
REG_EXPAND_SZ: TEMP
Value: <PATH>\TEMP

By default, the TEMP folder is located at: '%SystemRoot%\TEMP' which is usually 'C:\WINDOWS\TEMP'

Another place to check this is: Bring up 'Control Panel' on Exchange Server, go to System : Advanced : Environment Variables : System Variables (see the screenshot below)

Same check applies for TMP folder, if there is one located on your drive. The above registry key should have an entry for TMP folder as well.

b. Clustered Servers
On clustered servers, the following registry keys are used to specify the locations of TEMP & TMP folders (Ref.).

HKEY_USERS\<Cluster service account SID>\Environment\TEMP

HKEY_USERS\<Cluster service account SID>\Environment\TMP

2. Verifying Permissions
Now let's verify the permissions assigned on TEMP folder. The 'Authenticated Users' group (Entourage user belongs to this group) should have the following special permissions:

Traverse Folder / Execute File
Create Files / Write Data
Create Folders / Append Data

In order to check these permissions, locate the TEMP folder and then right click on it to take 'Properties', go to 'Security' tab, highlight 'Authenticated Users', under 'Permissions for Authenticated Users' section, click on 'Advanced' button (see the screenshot below)

You will then see the 'Advanced Security Settings for TEMP' folder window (see the screenshot below)

Highlight the entry for 'Authenticated Users' in the above window and then click on 'Edit' button to view/edit the permissions. The screenshot below displays the required permission assigned properly.

Same check applies for TMP folder, if there is one located on your drive.

Redirected TEMP/TMP Folder
If the TEMP/TMP folder has been redirected to D (or any other) drive on the Exchange Server, it is suggested to specify the above permissions at the following three levels:

1. Drive level, especially at the root of drive if you notice that 'Authenticated Users' group is simply missing

2. TEMP/TMP folder

3. Any sub-folders inside TEMP folder which may have numerical (like 1, 2, etc.) names as such folders have been seen on clustered servers

Important
You will need to restart IIS (Internet Information Server) on all those servers where you made these changes in permissions, i.e. mailbox servers on the back-end and front-end servers as well to which Entourage users are connecting for mailbox access.

More Info
If your Entourage users are running into this issue then IIS Log on Exchange Server (front-end and/or back-end) & TCPFlow Log on Entourage Client will show the following:

a. 'BDELETE' request from client

b. '401' error response from server

IIS Trace Sample

2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0

2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0

TCPFlow Trace Sample

192.168.120.110.54103-192.168.137.121.00080:
BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1

192.168.137.121.00080-192.168.120.110.54103:
HTTP/1.1 401 Unauthorized

E-mail Download Issue in Entourage With Exchange 2007 on Windows 2008

Amir Haque [MSFT] — Wed, 06 Aug 2008 19:00:34 GMT

In this blog post I wanted to talk about another new issue being experienced by our customers who are working with Exchange 2007 on Windows 2008. Windows Server 2008 is the key here as it relates to IIS 7 (Internet Information Server) and it's default security restrictions.

Issue
Using Entourage for Mac (2004 or 2008) while connecting to an Exchange 2007 mailbox on a Windows 2008 Server, user cannot download any e-mail message which has a plus sign in it's subject line, like 'Test + Mail'.

Cause
Entourage's request to download this e-mail message goes thru IIS 7 on Windows 2008 Server, which is configured (by default) to deny 'double escape sequences' in any HTTP request and thus it rejects the request with a '404.11' error.

Resolution
As Entourage talks to 'Exchange' virtual directory (for mailbox access) under 'Default Website' on IIS, thus you can use the following procedure to allow the use of 'double escape sequence' only at that level to address this issue. This will minimize the risk you will be taking to enable the usage of double escape sequence. Enabling the use of 'double escape sequence' does carry some risk, please go thru the links below under 'More Info' section to get yourself educated on the issue & involved risks before you work on the steps below.

Quick & Easy Way
You will need to run this command on all of your Exchange 2007 CAS and Mailbox Servers as IIS is installed on them by default.

Bring up a Windows 'Command Prompt', type the following command and hit 'Enter' on keyboard, that's it, you are done!

%windir%\system32\inetsrv\appcmd set config "http://localhost/Exchange" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true /commit:apphost

You will see the following response after running the above command in the same window.

Applied configuration changes to section "system.webServer/security/requestFiltering" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"

After running this command, you don't need to restart any services on server, just run the command and ask your Entourage users to see if the issue has been resolved for them, at the most you can ask them to re-launch Entourage.

OR if you are a guy who is interested in details, then you can follow the manual steps outlined below.

Manual Steps
1. Bring up Notepad : File : Open, type %windir%\System32\inetsrv\config\applicationHost.config in the 'File name' box, and then click 'Open'.

2. Locate the section titled as: <location path="Default Web Site/Exchange">

3. Under that section locate </authentication> tag

4. Just after that insert the following text on a new line: <requestFiltering allowDoubleEscaping="true" />

5. Save the file and 'Exit' Notepad

Again, no restart of any service is required.

Note:
As Entourage talks to 'Public' virtual directory (for public folder access) under 'Default Website' on IIS, thus you will need to follow the same procedure for 'Public' virtual directory as well. Same instructions apply, just replace 'Exchange' with 'Public' in all steps mentioned above.

Details
Let's go into the details of this issue. First of all let's see how this issue would look like to an Entourage user when he looks at his Inbox thru Outlook Web Access & Entourage.

Outlook Web Access thru Safari (note the presence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

Entourage 2008 (note the absence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

So how did it happen? Let's review the TCPFlow Trace pasted below, which I took on Entourage user's machine. Important parts are highlighted in red.

65.53.65.121 = Entourage Client

172.30.142.217 = Exchange 2007 CAS Server

In the trace snippet pasted below Entourage client is requesting (thru SEARCH command) if there are any changes in user's Inbox, i.e. if there are any new items there for Entourage to retrieve and sync down to its local database.

065.053.065.121.51253-172.030.142.217.00080:
SEARCH /exchange/john/Inbox/ HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Brief: t
Translate: F
Range: Rows=0-512
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4w+C87pKQrHkOOeTHX4IiYZdRzhFlUtMQICwpFE3
/xSe3jJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 743
Accept-Encoding: gzip
Connection: Keep-Alive

065.053.065.121.51253-172.030.142.217.00080:
<?xml version="1.0"?><D:searchrequestxmlns:D="DAV:"
xmlns:R="<http://schemas.microsoft.com/repl/>">
<R:repl><R:collblob>toCTAAMAAQIgzWX+UAA=</R:collblob>
</R:repl><D:sql>SELECT
"<http://schemas.microsoft.com/repl/repl-uid>",
"<http://schemas.microsoft.com/repl/resourcetag>",
"<http://schemas.microsoft.com/mapi/proptag/x001A001F>",
"<http://schemas.microsoft.com/mapi/sensitivity>",
"urn:schemas:httpmail:read", "urn:schemas:httpmail:datereceived"
FROM SCOPE ('SHALLOW TRAVERSAL OF "/exchange/john/Inbox/"')
WHERE "<http://schemas.microsoft.com/mapi/proptag/0x67aa000b>"
= false AND "DAV:isfolder" = false</D:sql></D:searchrequest>

And here comes the response from server with the URL of the new item, which is an e-mail with the subject 'Test + Mail' (we are working with only one message to keep things simple) …

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 207 Multi-Status
Transfer-Encoding: chunked
Content-Type: text/xml
Content-Range: rows 0-0; total=*
Accept-Ranges: rows
Server: Microsoft-IIS/7.0
Set-Cookie: OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}; path=/
MS-WebStorage: 08.01.10240
MS-WebStorage: 08.01.10240
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT

172.030.142.217.00080-065.053.065.121.51253:
<?xml version="1.0"?><a:multistatusxmlns:b="urn:
uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
xmlns:g="urn:schemas:httpmail:"
xmlns:f="<http://schemas.microsoft.com/mapi/>"
xmlns:c="xml:"
xmlns:e="<http://schemas.microsoft.com/mapi/proptag/>"
xmlns:d="<http://schemas.microsoft.com/repl/>"
xmlns:a="DAV:"><a:contentrange>
0-0</a:contentrange><a:response><a:href>
<http://172.30.142.217/exchange/john/Inbox/Test%20%2B%20Mail.EML
</a:href><d:changetype>new</d:changetype><a:propstat><a:status>
HTTP/1.1> 200 OK</a:status><a:prop><d:repl-uid>
rid:d17078df5926b048921786b466da7185000220cd63ff
</d:repl-uid><d:resourcetag>rt:d5926b04892185000220cd728e
</d:resourcetag><e:x001A001F>IPM.Note</e:x001A001F>
<f:sensitivity b:dt="int">0</f:sensitivity><g:readb:dt="boolean">0
</g:read><g:datereceived b:dt="dateTime.tz">
20080620T21:46:46.895Z</g:datereceived></a:prop></a:propstat>
</a:response><d:repl><d:collblob>toaUAABAAYAAiDNY/8A</d:collblob>
</d:repl></a:multistatus>

In the snippet below Entourage tries to fetch the new mail message using the URL provided by server …

065.053.065.121.51253-172.030.142.217.00080:
PROPFIND /exchange/john/Inbox/Test%20%2B%20Mail.EML HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Depth: 0
Brief: t
Translate: F
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4wJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 646
Accept-Encoding: gzip
Connection: Keep-Alive

And Entourage's receives a 404 error from server for it's request, as IIS7 installed on that Windows 2008 Server (with Exchange 2007) does not allow the use of 'double escape sequence' in any incoming HTTP request.

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT
Content-Length: 1245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"<http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd>">
<htmlxmlns="<http://www.w3.org/1999/xhtml>">
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

<!--

body{margin:0;font-size:.7em;font-family:Verdana, Arial,
Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;
font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;
padding:10px;position:relative;}

-->

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed,
had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

Now if you look in IIS Log on Exchange 2007 CAS or Mailbox Servers, you will find the following entry there:

CAS
2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

Mailbox
2008-06-20 14:38:09 172.30.142.218 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 172.30.142.217 Exchange-Server-Frontend-Proxy/6.5+Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

More Info
For more info, you can go thru the following links:

Blog : IIS7 Rejecting URLs Containing Plus Sign '+'

Article : Double Encoding

KB 942076 : Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"

KB 943891 : The HTTP status codes in IIS 7.0

Understanding How You Use This Blog

Amir Haque [MSFT] — Tue, 05 Aug 2008 21:12:00 GMT

Hello Readers,
Here is a guest post from our director who needs your input which will help us in making these blogs better. Thanks for your time!

---------------------------------------------------------------

Greetings Blog Readers,
My name is Ed Jolly, and I am a director in the Commercial Technical Support (CTS) organization at Microsoft. I am here to request a few minutes of your time.

We would like to learn more about blog readership through a brief survey. This is an opportunity for us to better understand what is valuable to you and what you would like to see in the future.

Below is a link that will take you to another website to complete the survey. Based on what we learn, we may request more feedback in future surveys like this. When you open the survey, you will see a list of blogs that CTS engineers contribute to across many different products. We have not posted a listing of these blogs in the past, and I hope it helps you find other blogs that are helpful to you.

The blog survey is completely anonymous.

Location: < Survey Period Expired, Link Removed >

Availability: Until August 22. You may receive a request to complete this survey through multiple RSS feeds. You need only to complete it one time.

Length: The survey can be a maximum of 11 questions.

Time: Less than 5 minutes (but providing more information in the open text fields may take a minute or two extra, improving our ability to understand your needs in these blogs).

Thank you in advance for your time, participation and assistance.

Ed Jolly (edjolly@microsoft.com)

Parts of Hyperlink After Ampersand Sign Are Stripped in Entourage 2008

Amir Haque [MSFT] — Thu, 17 Jul 2008 18:34:00 GMT

Update: The fix for this issue has been released in the 12.1.2 Update for Office 2008 for Mac.

Here is another known issue we are working to fix these days.

Issue
Entourage 2008 users are reporting that it is stripping parts of hyperlinks (URLs) in messages they receive from other users. It always strips parts of those hyperlinks right after '&', including the ampersand sign. This is only being reported by those users who have recently upgraded to Office 2008 for Mac Service Pack 1 (SP1). Examples of stripped URLs are:

Original Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321&UID=987612345

Stripped Link:
https://www.contoso.com/dept/sales/abc.php?ABCD=0987654321=987612345

Note that '&UID' has been stripped

Original Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897&SaveID=7843~2945

Stripped Link:
https://www.litwareinc.com/EntApp/ViewMsg.asp?MsgID=897=7843~2945

Note that '&SaveCaseID' has been stripped

Cause
This happens as '&' is not properly encoded as '&amp' in the message source

Resolution
Microsoft is working to release a fix for this issue in an update for Entourage 2008 but a final release date is not available yet. I plan to update this post with new information in this regard when it becomes available.

SSL Warning Issue in Entourage 2008

Amir Haque [MSFT] — Thu, 17 Jul 2008 00:15:00 GMT

Update 1: The fix for this issue has been released in the 12.1.2 Update for Office 2008 for Mac. See 'Improvements for Microsoft Entourage 2008 for Mac' section in KB 956344.

Update 2: The fix for a subsequent 'CNAME' entry issue discussed in the comments section of this blog post has been released in the 12.1.3 Update for Office 2008 for Mac. See 'Improvements for Microsoft Entourage 2008 for Mac' section in KB 958267.

In this post I wanted to quickly provide an update on an ongoing issue with some specifics to make sure our customers are well informed on its current status.

Issue
After installing Office 2008 for Mac Service Pack 1 (SP1) when Entourage 2008 users connect to their mailbox on an Exchange 2007 Server, they may see an error like this (you can substitute 'contoso' in the screenshot below with your own root domain):

If you click on 'OK', Entourage will continue to work and you won't see this error message again until the end of that session when you close Entourage. Clicking on 'Cancel' you may end up in 'Not Connected' state with your Exchange account. This error may also come up when:

1. You try to configure your Exchange account using 'Account Setup Assistant' which now uses Autodiscover Service on Exchange 2007 to automatically configure your account or

2. You use any 'Exchange Web Services' based feature in Entourage 2008, like OOF Assistant, Free/Busy Info pull-up, etc. as they also utilize Autodiscover feature or

3. Entourage tries to talk to Autodiscover Service while its running connected to your mailbox to see if any updates were made to Autodiscover Service on server side by your Exchange Administrator, this happens automatically in the background based on a pre-set interval which cannot be modified by user

Cause
This happens as Entourage 2008 tries to establish a secured connection to the first of the 2 default addresses (URLs) in its attempt to contact the Autodiscover Service on your Exchange 2007 Server. This is explained in the Autodiscover Whitepaper, see 'How the Autodiscover Service Works with Clients' section. Most organizations using Exchange 2007 do not publish Autodiscover Service thru the first URL mentioned over there, i.e. 'https://contoso.com/autodiscover/autodiscover.xml', rather they use the other URL, i.e. 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'. When Entourage finds an error (mostly its 'Common Name' mismatch) with the certificate published at the root of your domain (if there is one, many organizations do, but 'Common Name' on that certificate is 'www.contoso.com', not just 'contoso.com' and Autodiscover Service is not published thru that URL), it displays the above error. It does not move silently to try the other possible URL. Clicking 'OK' on above error makes it exactly do that and thus it finds the Autodiscover Service responding on the other URL and everything then works fine from there.

This issue can also happen in Entourage 2008 if Autodiscover Service is not configured properly as per the guidelines in Autodiscover Whitepaper. See 'Note' below on how to quickly check to see if Autodiscover Service is properly configured and published for users.

Note
We need to make sure that when Entourage looks for Autodiscover Service, the related URL as mentioned above in 'Cause' section is configured and published to respond to those requests. A quick way is to look up the A Record (a type of DNS record which is used to map a hostname or URL to the IP Address of the host) which you will have to register with your DNS provider.

A Working Example:
For Microsoft, the Autodiscover Service is configured and published at 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml', you can look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.microsoft.com&type=A

You will see an IP Address is mapped to the URL for Autodiscover Service to respond to incoming requests.

Now, if I go and hit the URL for Autodiscover Service in my browser, i.e. 'https://autodiscover.microsoft.com/autodiscover/autodiscover.xml'

I will get a window to enter my user credentials (domain\username & password) and after that I will see the following lines in the main browser window:

<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="10:29:57.7332076" Id="59171512">
    <ErrorCode>600</ErrorCode>
    <Message>Invalid Request</Message>
    <DebugData />
</Error>
</Response>
</Autodiscover>

The response above says 'Error 600, Invalid Request' as the Autodiscover Service URL is not supposed to be accessed thru a browser. This is an expected response in this scenario and confirms the proper configuration and publishing of Autodiscover Service.

A Non-Working Example:
Let's use Contoso as a non-working example, the Autodisover Service should be configured and published at 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml', if you look it up using this URL in your browser:

http://codeflux.com/exec/tools/?method=nslookup&query=autodiscover.contoso.com&type=A

You won't find an IP Address mapped to the URL for Autodiscover Service, instead you will see an error there saying 'server can't find autodiscover.contoso.com'.

Client Certificate-based Authentication in Entourage 2008

Amir Haque [MSFT] — Fri, 13 Jun 2008 00:46:00 GMT

Recently Microsoft released Service Pack 1 (SP1) for Office 2008 for Mac. There are some new features in SP1 for Entourage 2008 users, one of them is 'Client Certificate-based Authentication'. In this post we will walk thru the setup on server & client sides so that it will be helpful to those who want to use this feature in Entourage.

Introduction
Entourage connects to an Exchange mailbox thru 'Exchange' virtual directory under 'Default Website' in IIS (Internet Information Server) installed on an Exchange Server. IIS provides several authentication methods and they are all discussed here & here. One of them is 'Client Certificate-based Authentication' (CCA) which works thru 'Client Certificate Mapping' on server side. Most conventional ways of authentication require the provision of username, domain & password (3-tier credentials) but CCA does not require users to provide their domain credentials. It works thru a mapping of user certificates to their accounts in Windows Active Directory. It is used where high level of security is required and domain password policies are very strict or administrators simply do not want their users to remember/enter their domain credentials for any kind of access. In those environments 'Two Factor Authentication' (RSA, Smart Card) is also used & CCA helps in its implementation. Now with the new support for CCA in Entourage, you can have your Entourage users utilize 'Two Factor Authentication' when they connect to their Exchange mailbox. Let's see how we can set it up.

Setup Details
To keep things simple, I have a single box server with Windows 2003 SP2 & Exchange 2003 SP2 (most common versions out there). It also has 'Certificate Services' (a Windows component) installed on it to act as my 'Private Root Certification Authority' (one can go with Public Root CAs like VeriSign, etc.). You can install an 'Enterprise Root CA' or a 'Standalone Root CA' (steps with screenshots), if you want to read more before installation, go here.

I installed an 'Enterprise Root CA' on my server. I used it to issue an identity certificate to IIS (Default Website) so that secured connections (SSL) can be established over port 443 by Entourage clients when they connect to 'Exchange' virtual directory to get access to their Exchange mailbox. This is a pre-requisite for CCA, steps are here.

I also used it to issue client certificates to individual Entourage users so that they can use it for CCA when connecting to their Exchange mailbox (more details later in 'Client Side Setup' section below).

Server Side Setup
There are several ways to set 'Client Certificate Mapping' on IIS, they are all discussed here. I used the 'Windows Directory Service Mapper' for my setup, as its most popular & simple to setup. I followed the steps listed here.

Note: I tested this feature successfully with '1-to-1 Mapping' as well, no issues, however I didn't test it with 'Many-to-1 Mapping', I assume that scenario will also work without any issues.

After that I went to 'Exchange' virtual directory and enabled the requirement of client certificates for authentication. To do that:

Go to IIS Manager : Default Website : Exchange : Properties : Directory Security : Secure Communications : Edit : Check the 2 boxes for 'Require secure channel (SSL)' & 'Require 128 bit encryption'
On the same window, under 'Client certificates' section, select 'Require client certificates'
Also check the box for 'Enable client certificate mapping'
The final configuration will look like this

That's it, click OK twice to get back to IIS Manager.

Now when we are set to use CCA for authentication on 'Exchange' virtual directory, we can go and turn off all other authentication methods. To do that, go to IIS : Default Website : Exchange : Properties : Directory Security : Authentication & Access Control : Edit : Uncheck all boxes here (screenshot), click OK twice to get back to IIS Manager.

Repeat the above steps now for 'Public' virtual directory which is used by Entourage to access public folders on Exchange Server.

Client Side Setup
To begin with Entourage users should follow these steps for obtaining and installing a user certificate on their Mac. I used a Mac with Tiger (Mac OS 10.4.11) and Entourage 2008 SP1 installed on it.

Launch Safari browser and go to http://<server-name>/certsrv (where 'server-name' is the name of the server where 'Private Root CA' is installed) (screenshot)
Enter your username and password when prompted (screenshot)
On the 'Welcome' page of your Root CA Server, click on 'Request a certificate' link (screenshot)
On the 'Request a certificate' page, click on 'User Certificate' link (screenshot)
On the 'User Certificate – Identifying Information' page, keep the 'Key Strength' field set to '2048 (High Grade)', click on 'Submit' button (screenshot)
On the 'Certificate Issued' page, click on 'Install this certificate' link (screenshot)
You will see the 'Downloads' window from Safari and a file by the name of 'certnew.cer' will be downloaded to your desktop (screenshot)
Double click on the 'certnew.cer' file on your desktop (screenshot)
The 'Keychain Access' application will launch and you will see the 'Add Certificates' window, keep the 'Keychain' field set to 'login' and click 'OK' (screenshot)
The user certificate will then be imported in the Keychain (screenshot)
You can double click on it to view the user certificate (screenshot)
You can also launch 'Microsoft Cert Manager' application (from Mac Hard Drive : Applications : Microsoft Office 2008 : Office) to view the certificate in 'Digital Identities' container. This is a good indication that the user certificate will work fine with CCA or digital signing and encryption of outgoing mail.

Quick Admin Check: Now in order to make sure that Entourage user account is setup properly in Windows Active Directory, take a look at its properties (thru 'Active Directory Users & Computers' or 'ADUC'), you should see the user certificate there under 'Published Certificates' tab (screenshot). If not then you can also import it (use the 'cer' file from user's Mac, see Step 7 above) using the 'Add from file' button there. Another way to add & map user certificate is to do a right click on user object in ADUC, choose 'Name Mappings', then add the user certificate there under 'X.509 Certificates' tab (screenshot).

Now let's configure Exchange account settings in Entourage, this screenshot depicts how 'Account Settings' tab should look like. Note that you do not need to provide user's domain credentials, i.e. username, domain & password. The 'Advanced' tab is where you need to select user certificate under 'Client Certificate-based Authentication' section. Clicking on 'Select' button there will provide you with the 'Choose an Identity' window which will list the user certificate there. That's it, you are done.

After that Entourage will try to connect to Exchange mailbox utilizing 'Client Certificate-based Authentication', user will see a prompt 'Confirm Access to Keychain', choose 'Always Allow' on that. This allows Entourage to access 'Keychain' in Mac OS where user certificate is stored. Entourage will then go and talk to 'Exchange' virtual directory on server. User certificate will be used for CCA and connection to Exchange mailbox will be established in seconds. We are done!

But What About GAL Access?
After some research I found that currently it is not possible in Windows Server 2003 to require CCA for LDAP connections & queries. Thus if you want your Entourage users to access your Windows Global Catalog Server (LDAP Server) for 'GAL Access' (Global Address List) feature, you will need to configure it appropriately (non-SSL over ports 3268 & 389 or SSL over ports 3269 & 636) and also provide domain credentials in Exchange account settings in Entourage. Entourage uses the same set of domain credentials provided on first tab (screenshot) for authentication against Exchange & LDAP Server. The authentication processes are separate for IIS (for Exchange mailbox & public folder access) & LDAP Server (for 'GAL Access' feature). If CCA is required for authentication by IIS (at 'Exchange' & 'Public' virtual directories), then Entourage will use client certificate for that and will only use domain credentials for authentication against LDAP Server for 'GAL Access' feature.

Smart Cards
Some organizations out there use Smart Cards to store user certificate which is generally used by them for digital signing and encryption of outgoing mail. They will continue to work in the same way for CCA feature as well. Just select the same user certificate over here as well.

DST Workaround for Entourage 2004 & 2008 Users in ANZ

Amir Haque [MSFT] — Tue, 01 Apr 2008 02:12:00 GMT

Update: The fixes for this issue have been released in 11.5 (Entourage 2004) & 12.1 (Entourage 2008) Updates for Office for Mac.

I wanted to quickly provide this workaround to the users of Entourage 2004 & 2008 in Australia & New Zealand (ANZ) time zones until Microsoft releases fixes thru updates at Mactopia website.

Issue
When Entourage 2004 & 2008 users organize meetings by inviting other users who are using Microsoft Outlook or OWA (Outlook Web Access) against their Exchange mailboxes (version of Exchange Server does not matter here), then those meeting attendees may see the incoming meeting invite being an hour off. This issue is not seen if all meeting attendees are Entourage users.

Cause
This happens as Entourage 2004 & 2008 use DST information from related 'Timezones' files for users in ANZ time zones, which are not up to date with current information.

Resolution
Microsoft is working to release a fix for this issue in an update for both versions of Entourage but a final release date is not available yet. When that update is available, users can safely install it and it will replace the files which they will put on their systems as a result of applying the workaround provided below.

Workaround
Below are the steps to follow for both versions of Entourage. Only Entourage users will need to apply this workaround on their machines, no action is required by other users who are using Microsoft Outlook or OWA.

Entourage 2004

Quit Entourage (Entourage should not be running when you apply this workaround)
Back up the current 'Timezones' file in folder: Mac Hard Drive : Applications : Microsoft Office 2004 : Office (just copy it to a backup folder on your hard drive)
Download the updated 'Timezones' file for Entourage 2004 from here (extract its content before proceeding to next step)
Copy the downloaded 'Timezones' file to the same location as above in Step 2, replacing the existing 'Timezones' file
That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Entourage 2008

Quit Entourage (Entourage should not be running when you apply this workaround)
Back up the current 'Timezones.ics' file, go to folder: Mac Hard Drive : Applications : Microsoft Office 2008 : Office, locate a file by the name of 'EntourageCore.framework', now Control-Click on it and choose 'Show Package Contents' in the resulting menu, a new window will appear, in that window go to folder: Versions : 12 : Resources : en.lproj (you will find the 'Timezones.ics' file here, just copy it to a backup folder on your hard drive)
Download the updated 'Timezones.ics' file for Entourage 2008 from here (extract its content before proceeding to next step)
Copy the downloaded 'Timezones.ics' file to the same location as above in Step 2, replacing the existing 'Timezones.ics' file
That's it, you are done, launch Entourage and every meeting you create now will not display the issue described above

Note: Any meetings which were scheduled earlier and display the issue described in this post will not automatically get fixed. If you want to fix them, you will have to open them and make a change in them (like add one character to its subject/title or notes area, etc.), then save them and send update to all attendees. This change will force Entourage to recalculate DST info as per the updated 'Timezones' file.

Workaround Removal
If at anytime you may need to remove or undo this workaround, just follow the same steps as above and replace the 'Timezones' files with the original ones which you backed up earlier.

How Does Entourage Work?

Amir Haque [MSFT] — Sat, 09 Feb 2008 08:17:00 GMT

As my blog is focused on Entourage as an 'Exchange Client', let's start with the most obvious topic which will provide details on how Entourage works with a mailbox on an Exchange Server. This blog will encompass the currently supported versions of Entourage & Exchange Server, i.e. Entourage 2004 & 2008, and Exchange 2000, 2003 & 2007. Let's list all the different features in Entourage for which it needs to talk to Exchange Server or any other server in a Windows Active Directory based environment. (Note: All ports mentioned below are server side ports)

Entourage Setup Assistant (screenshot)
The very first feature which you use in Entourage is the 'Entourage Setup Assistant' (or 'Account Setup Assistant') after you create a new identity. If you try to configure your Exchange account using the setup assistant, it talks to available DNS server configured in Mac OS X 'Network Preferences' to locate a Windows Domain Controller or Global Catalog Server hosting Active Directory and then authenticates & inquires about Exchange mailbox server for user. The whole process is described over here in detail. Server side ports used are 53 (for DNS queries) and 3268 (for authentication & LDAP queries to locate mailbox server).

Mailbox Synchronization (screenshot)
After you have setup your Exchange account (using setup assistant or manually), Entourage goes and talks to the Exchange server (front-end or back-end mailbox server) thru IIS (Internet Information Server) to get connected to your mailbox. This communication is HTTP (WebDAV protocol) in nature, thus can happen over port 80 (without SSL) or 443 (with SSL) as per your server side requirements.

Public Folders (screenshot)
Another server you have to enter in Exchange account settings is your public folders server. Generally in big enterprises public folder servers are maintained separately from mailbox servers on the back-end. Entourage communicates with the public folder server in the same way as with an Exchange mailbox server, i.e. HTTP (WebDAV) over port 80 (without SSL) or 443 (with SSL).

Global Address List (screenshot)
In Entourage you also have to provide a Directory or LDAP server name, which in a Windows Active Directory based environment is your Global Catalog Server so that you can have access to 'Global Address List' (GAL) of your Exchange organization. Entourage uses ports 389 (without SSL) & 636 (with SSL) for authentication and then to access GAL, it sends LDAP queries over ports 3268 (without SSL) or 3269 (with SSL), so a combination of two ports is used for GAL feature, i.e. 389 & 3268 (without SSL) or 636 & 3269 (with SSL).

Out of Office Assistant
This is a new feature only in Entourage 2008. When connecting to Exchange 2000/2003 based mailboxes, Entourage sends a WebDAV query to pull up 'Options' page from OWA (Outlook Web Access) thru which it sets the OOF Assistant. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

When connecting to an Exchange 2007 CAS, it works thru 'Exchange Web Services' ('OOFURL' in 'autodiscover.xml') to configure 'OOF Assistant' with appropriate settings. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. Keep in mind that this feature does not work and fails with an error if you connect directly to an Exchange 2007 mailbox server on back-end as 'autodisover' and 'Exchange Web Services' are not present on it, they are only present on an Exchange 2007 CAS.

Free/Busy Info (screenshot)
When Entourage users schedule a meeting with other users in their Exchange organization, they can also view their free/busy information, i.e. whether other users are free or busy on particular day/time slots.

Entourage 2004 retrieves free/busy information for other users by talking to a public folder server hosting consolidated free/busy info for all users. This communication is also HTTP (WebDAV) in nature thus happens over port 80 (without SSL) or 443 (with SSL). Entourage 2004 pulls free/busy information in this way in all cases. It does not matter where Entourage user's mailbox is located, i.e. on Exchange 2000, 2003 or 2007 Server. Therefore, it is necessary to provide a public server name in Exchange account settings (under 'Advanced' tab) in Entourage 2004.

Entourage 2008 utilizes 'Availability Service' (AS, part of 'Exchange Web Services') on Exchange 2007 to retrieve free/busy information for other users (having mailboxes located on any version of Exchange Server) if it is connecting directly to an Exchange 2007 Client Access Server (CAS). For mailboxes located on Exchange 2007 server, AS pulls free/busy info directly from users' mailboxes while for mailboxes located on Exchange 2003 server (or earlier versions), AS sends the WebDAV query (HTTP, this query always goes over port 80 from CAS to an internal Public Folder server) to respective public folder server hosting those users' free/busy information. Entourage 2008 uses port 80 (without SSL) or 443 (with SSL) for this feature depending on related configuration on Exchange 2007 CAS. You also don't need to enter a public folder server name in Exchange account settings (under 'Advanced' tab) in Entourage for this feature to work, just the name of Exchange 2007 CAS (in 'Exchange server' field under 'Account Settings' tab) is enough.

If Entourage 2008 is connecting directly to a backend mailbox server (Exchange 2007 or earlier versions) or a front-end server (Exchange 2003 or earlier versions) then it utilizes the same WebDAV (HTTP) procedure to pull up the free/busy info as Entourage 2004 does (discussed above). It cannot use AS in this scenario as its only available on an Exchange 2007 CAS.

Folder Sharing
When an Entourage user (User1) accesses a shared folder of another user (User2) in his Exchange organization, it uses the same WebDAV (HTTP) based communication which it uses to access the mailbox of Entourage user (User1). The port usage is also the same as described above under 'Mailbox Synchronization' section. Same applies when you use Entourage to assign folder sharing permissions (Folder : <right click> : Sharing : Permissions tab).

Delegate Management (screenshot)
Using Entourage you can also assign access permissions to your delegates so that they can access your folders such as Inbox, Calendar & Contacts. Entourage 2004 establishes a direct connection to your mailbox server for this purpose, which utilizes MAPI (RPC over TCP). Why? Please read the 'CAUSE' section in KB 909269. Entourage 2004 first connects to port 135 ('End-point Mapper' or 'epmap') on Exchange mailbox server, which refers it to 'Exchange System Attendant Service' ('MAD.exe', there is no fixed port for 'MAD', its assigned dynamically). Exchange server then authenticates Entourage client by talking to a 'Domain Controller' or 'Global Catalog Server'. After successful authentication Entourage finally connects to mailbox store on Exchange server (there is no fixed port for 'store' either) and sets two parameters as mentioned in KB 909269. Entourage 2004 uses this procedure irrespective of the version of Exchange server (2007 or earlier versions) to which its connecting for mailbox access. Entourage 2008 works in the same way except when its connecting to an Exchange 2007 CAS with SP1 installed.

Entourage 2008 utilizes the new delegate management web service if its connecting to an Exchange 2007 CAS with Service Pack 1 installed. This communication happens over port 80 (without SSL) or 443 (with SSL) as per the server side configuration. The major advantage of this feature is that Entourage users can now assign delegation rights to other users independent of their location, i.e. they can do it while connected from internal or external locations.

Mailbox Quota Management (screenshot)
Entourage users can also find how much space their mailbox is utilizing on server at different levels, like at the top mailbox level, at each folder level, etc. They can do that by going to any folder, right click on it, choose 'Folder Properties' and then go to 'Storage' tab. The port usage for this feature is same as described above under 'Mailbox Synchronization' section.

Password Expiration Notice (screenshot)
Entourage also checks for Windows domain (where your Exchange server resides) password expiration on every launch or every 24 hours afterwards to see if user's password is going to expire in the next 10 days or not. It does that thru an LDAP query to your Windows 'Domain Controller' or 'Global Catalog Server' configured in Exchange account settings (under 'Advanced' tab). This communication happens over port 389 (without SSL) or 636 (with SSL).