
Outlook 2007/2010 on Windows XP Cannot Connect to Availability Service with Exchange 2007/2010

I ran into an interesting issue recently with some users reporting that they could not see Free/Busy information. Upon further discovery, I found out that they couldn’t use the Out-of-Office Assistant either. That immediately tipped me off that we had some sort of issue with Availability/AutoDiscover.

We narrowed it down to our users using Windows XP and Outlook 2007. Our Windows 7 users with Outlook 2010 and our Windows XP users with Outlook 2003 were unaffected.

This coincided with our deployment of some additional Client Access Servers in a new site. It seemed like it had to be related, but I couldn’t immediately think of how.

All of our Exchange 2010 AutoDiscover tests were successful, and the Best Practices Analyzer didn’t reveal anything telling. The Application Log was clear as well.

So, if our Exchange 2010 infrastructure was testing out fine, and there really wasn’t anything apparently wrong with the client PCs either, then what could be the problem?

The answer came when I tried to browse directly to the /owa virtual directory on one of the new client access servers via HTTPS. I got “Page cannot be displayed” and nothing else, even though it worked fine from Windows 7.

It turns out there is a “gotcha” when creating CSRs with Windows Server 2008 R2.
 
When the original SSL certificate request was created for the new Client Access Servers, it was generated on Windows Server 2008 R2 using the non-default “Legacy Key” custom request. This causes the private key to be stored in Microsoft’s legacy Cryptographic API framework.
 
However, Internet Information Services, under Windows Server 2008 R2, will try to process the request using its brand new Cryptography Next Generation (CNG) framework… which works with the Legacy Key, but has some limitations. Specifically, it will only support two AES cipher suites:

  1. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  2. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

…and those two AES cipher suites are not supported by Windows XP by default.
 
Therefore, an SSL certificate that is the product of a Legacy Key CSR will result in an SSL failure between Windows XP and Server 2008 R2.
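The mismatch described above can be reproduced offline. This is an added example, not code from the original post: it parses the cipher-suite list out of a TLS ClientHello and checks it against the two suites listed above. The ClientHello messages are constructed, and the suite lists labelled XP-style and Windows 7-style are assumptions chosen to represent a client without AES support and a client that offers the ECDHE AES suites.

```python
import struct

# IANA code points for the two suites the post says the server is limited to.
SERVER_SUITES = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def build_client_hello(suites, version=(3, 1)):
    """Build a minimal ClientHello handshake message (constructed sample input)."""
    body = bytes(version) + bytes(32)            # client_version + 32-byte random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2 * len(suites))   # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_suites(msg):
    """Return the cipher-suite IDs carried in a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                     # skip version (2) + random (32)
    pos += 1 + body[pos]                         # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]

def negotiate(msg, server=SERVER_SUITES):
    """First server-preferred suite the client offered, or None (handshake fails)."""
    offered = set(offered_suites(msg))
    for suite_id, name in server.items():
        if suite_id in offered:
            return name
    return None

# ASSUMPTION: constructed offers. XP-style = RSA key exchange with RC4/3DES/DES only;
# Windows 7-style additionally offers AES, including the two ECDHE suites.
XP_STYLE = build_client_hello([0x0004, 0x0005, 0x000A, 0x0009])
WIN7_STYLE = build_client_hello([0x002F, 0x0035, 0x0005, 0x000A, 0xC013, 0xC014])
```

`negotiate(XP_STYLE)` finds no common suite, which is the handshake failure behind the “Page cannot be displayed” error, while `negotiate(WIN7_STYLE)` succeeds.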
 
To fix it, you need to generate a new CSR using the default “CNG Key” (which supports numerous ciphers under Server 2008 R2) instead of “Legacy Key” and have the certificate issued by your favorite signing authority. Then just apply it to your Client Access Servers and you should be good to go. Don’t forget to assign the new certificate to the IIS service using the Exchange Management Console/Shell.
 
Be careful though, not everything in your Exchange 2010 technology stack is compatible with a CNG-based certificate request. I know that because I ran into issues when I chose the default selection “CNG Key” for a certificate on Threat Management Gateway 2010 and found that it was not compatible.

So, having already been through troubleshooting that during the deployment of TMG, “Legacy Key” seemed like the safe (and logical) choice when generating CSRs for use with our Client Access Servers.

Had I not done that though, I wouldn’t have had this problem, and I wouldn’t have written this article… which means you would still be looking for a solution.

Attempting to Remove Additional Mailboxes from Outlook 2010 Fails

I had an issue escalated to me today where a mailbox that had been properly removed from the “Open These Additional Mailboxes” box in the Advanced properties of an Outlook profile did not disappear from Outlook as expected.

We attempted to remove the relevant keys that were still hanging out in:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profile

…and that did not correct the issue, even after a full reboot of the PC.

We then blew away the Outlook profile, permanently deleted everything in C:\Users\%username%\AppData\Local\Microsoft\Outlook, and recreated the profile. That didn’t work either, so at this point I knew it had to be something on the Exchange server.

I removed the “Full Access” permission using the Exchange Management Console, and then closed and reopened Outlook. Sure enough, the additional mailboxes that were opened were now gone.

Now I’m curious 🙂 So, I go into the Exchange Management Console and add myself to the Full Access list for a resource mailbox I had never connected to or had the occasion to access. I opened up Outlook, and there it was. Funny enough, if I looked in the Advanced properties of my Outlook profile, it did not appear in the list of additional mailboxes to be opened.

Even more curious, I did some digging and found that this is in fact a “feature” of Exchange Server 2010 SP1 when using Outlook 2007 or Outlook 2010:

…which you can see for yourself at http://technet.microsoft.com/en-us/library/bb676551.aspx

I had not yet run into this “feature,” but found it interesting enough to write about.

Recurring Appointment Silliness in Outlook

I was asked to troubleshoot an interesting issue today for a manager of another department… you know, one of those informal “can you come here and look at this really quick” type of things. He had a daily recurring appointment set up for lunch every day. On one of the days he needed to set up lunch with a couple of people, so he opened that day’s occurrence of the appointment and invited the two attendees. We should note that all attendees were in the same time zone (that’s relevant information if you look the issue up on TechNet).

Today, he was asked to move the lunch forward several days. So, in order to do so, he went to that day and deleted that day’s occurrence of his generic “Lunch” appointment, and then attempted to move the customized one with attendees to that day.

When doing so, he got the following error:

Cannot reschedule an occurrence of the recurring appointment “[appointment name]” if it skips over a later occurrence of the same appointment

There are two things going on here… one is end user perspective, and the other is the reality of how Outlook is viewing that appointment.

To the end user, when he customized that specific occurrence of that recurring appointment, that appointment became a standalone event… one that he felt he should be able to move anywhere.

The reality of the situation though is that Outlook still sees that as one recurring event, not a standalone appointment. So when he attempted to move it forward several days, Outlook sees that recurring event trying to jump ahead of the same event on the days in between.

The solution was simply to educate the user, and he created an independent event for his lunch meeting which could then be freely moved around.