
Outlook 2007 unable to download Offline Address Book – error 0X8004010F and 0X80190194

I used to run Exchange 2003 in my test lab. After adding a new 2007 Server (HUB, CAS and Mail) in my AD and moving the mailboxes to the 2007 server, I started seeing problems in my Outlook 2007 client that is using cached exchange mode. Under ‘Sync Issues’ I noticed an error about the client not being able to download the Offline Address Book.

Now, before the Offline Address Book can be downloaded, it must exist and be available, the Exchange 2007 Autodiscovery feature must work properly (because Outlook 2007 uses Autodiscovery to determine where to download the Address Book), and finally the web service hosting the Address Book must be configured correctly as well.

When I was running Exchange 2003, the Offline Address Book was hosted (and generated) on my Exchange 2003 server. When I installed the 2007 server, the Offline Address Book was still hosted on the 2003 server. I tried updating the Address book running the Update-OfflineAddressBook -id “Default Offline Address List” –verbose cmdlet, and the output indicated that the address book was still on my old 2003 server (which had to go anyway). So I decided to remove the (Default) Address List and rebuild it on the new server.
I removed the address book by running Remove-OfflineAddressBook “Default Offline Address List” and then created a new Default address book. I enabled Web based distribution and public folder based distribution. The Update-OfflineAddressBook cmdlet now clearly shows that the address book is generated on my Exchange 2007 server. First problem was solved. By the way, as explained in http://technet.microsoft.com/en-us/library/bb288905.aspx, you don’t need to remove the OAB… I already did before I realized that I could just move the generation server to my 2007 server.

In case you don’t know yet : the OAB is generated on a mailbox server. If you are running a cluster, you need to find the active node because that is where the OAB is generated. Furthermore, there should be a registry key available on the servers that points to the server that is generating the OAB :  HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters\\EnableOABGenOnThisNode (Reg_SZ) : Value = netbios hostname of the active cluster node.

Normally, when the OAB is generated, it is automatically placed in the virtual directory on the CAS servers, so the OAB virtual directory must be configured correctly as well. Use Get-OABVirtualDirectory and Set-OABVirtualDirectory to find and fix any issues (check the InternalURL, ExternalURL and RequireSSL parameters). If the IIS folder does not exist, you can create it with the New-OABVirtualDirectory cmdlet.

I opened Outlook, but I still got an error about the client not being able to download the OAB (error 0X8004010F – A Server (URL) could not be located). So I checked autodiscover.

First of all, check your AD user account and make sure the mail address is filled out.  The email address domain name needs to match the DNS zone that contains the autodiscover entry (SCP or DNS), or the AD domain the user is logged on to must contain the SCP instance and the certificates need to match those FQDN’s also.

Verify that autodiscovery is set up :
In my lab, the Get-AutodiscoverVirtualDirectory cmdlet showed that the internal and external URL were missing, so I used the Set-AutoDiscoverVirtualDirectory command to fix that :
Set-AutodiscoverVirtualDirectory “apollo\Autodiscover (Default Web Site)” -InternalUrl “http://apollo.corelan.be” -ExternalUrl https://autodiscover.mydomain.com
In order to make autodiscovery work, DNS must be set up as well. My DNS zone contains a CNAME record “autodiscover” pointing to my Client Access server, and the IIS Default Web Site shows that the Autodiscovery folder was created. To see if autodiscovery works fine, open Outlook, hold the CTRL key and right-click the Outlook icon in the system tray. Choose “Test E-mail AutoConfiguration”, disable “Use Guessmart” and “Secure Guessmart Authentication”, and click “Test”. If this test doesn’t work, then autodiscovery (and download of the Offline Address Book) won’t work. Fix this problem before continuing: look at DNS resolution, certificates, and so on. It is important that DNS is set up correctly and that your certificate contains both internal FQDNs and external FQDNs. Not all CAs support creating certificates with SANs (Subject Alternative Names), but you can generate a web server certificate using Exchange PowerShell :

First, create the request :

New-ExchangeCertificate -GenerateRequest:$true -Path c:\newCert.req -DomainName www.mydomain.com,webmail.mydomain.com,autodiscover.mydomain.com -PrivateKeyExportable:$true -FriendlyName "MyDomain Exchange SSL Certificate" -IncludeAcceptedDomains:$false -Force:$true

Next, copy the request .req file to your CA and sign the request.  Then open the issued certificate in the CA manager, export it to file, and copy it back to the Exchange server. You can then import it back on the Exchange server (has to be the same server as where the request was created) using the following powershell cmdlet :

Import-ExchangeCertificate c:\newCert.cer

Now open IIS manager and install the new certificate (which should be visible in the list).

Enable https for the Default Web Site (assuming that this is the place where your OWA/OAB/Autodiscover/… virtual sites are created.)

Try accessing the website using a browser : http://autodiscover.corelan.be/Autodiscover/autodiscover.xml (If you have enabled https, you should change all URL’s again to https, and use https://…..  in your simulations). You will be prompted to enter a username and password, and you should get the following message : 
[Screenshot: browser output of autodiscover.xml showing the ErrorCode 600 response]

This means that autodiscover works fine. Since the browser did not specify a proper command, you got the ErrorCode 600 page.

If it still doesn’t work, check the AutoDiscoverServiceInternalUri via the Get-ClientAccessServer | FL cmdlet. Correct the URI if it does not contain the correct link. The link should look like : http://autodiscover.domain.com/Autodiscover/autodiscover.xml. You can find more information about the Autodiscovery process on http://technet.microsoft.com/en-us/library/bb124251.aspx

Use the Outlook “Test E-mail Autoconfiguration” tool again to verify that Autodiscovery is working fine. 
[Screenshot: results of the Outlook “Test E-mail AutoConfiguration” tool]

When I got autodiscovery to work, the Outlook “Sync Issues” reported another error : 0X80190194. In fact, this is an HTTP 404 error, which means that the files cannot be found (= the OAB Address Book is not available on the website). In my environment, I have a single server. This means that the OAB files should be copied to the folder on the server immediately. In fact, the Microsoft Exchange File Distribution Service is responsible for replicating the data to CAS servers.

First of all, check if the files are indeed missing. Open the IIS manager, select the OAB folder under “Default Web Site” and see where the Path to the OAB folder is. I opened the folder in the path (default location is C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB), and I found that the folder was empty. An easy way to solve this is by stopping and starting the MSExchangeFDS service on the Mailbox servers. After restarting the service, the folder was created and the problem was solved. In fact, this subfolder name looks like a GUID string :
[Screenshot: OAB folder containing a subfolder with a GUID-like name]

 

Some more information to help you troubleshoot similar problems :

Verbose logging

You can enable verbose logging for the Offline Address List generator service by running the following cmdlet (possible level values are Lowest, Low, Medium, High and Expert) :

Set-EventLogLevel -id "MSExchangeSA\OAL Generator" -Level expert -verbose

Next, you can look for OAL Generator event log entries by using the following command :

Get-EventLog Application | where {$_.Category -eq "OAL Generator"} | ft -Wrap > c:\oallog.txt

(Don’t forget to put the Event Logging level back at “Low” when you’ve finished troubleshooting.)

 

Interesting links to troubleshoot Autodiscovery :

 

Converting error codes to human readable text

First of all, download a tool called Err.exe from the Microsoft website : http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en

Launch the err.exe file, which is in fact a file extractor. You will be asked for a destination folder. Don’t choose the same location, as one of the extracted files is also called err.exe

Open a command prompt, navigate to the folder that contains the extracted err.exe file.

Suppose you want to look up what error codes 0X8004010F and 0X80190194 mean :

err.exe 0x8004010f
# for hex 0x8004010f / decimal -2147221233 :
  ecNotFound                                                    ec.h
  ecAttachNotFound                                              ec.h
  ecUnknownRecip                                                ec.h
  ecPropNotExistent                                             ec.h
  MAPI_E_NOT_FOUND                                              mapicode.h
# 5 matches found for "0x8004010F"

err 0x80190194
# for hex 0x80190194 / decimal -2145844844 :
  BG_E_HTTP_ERROR_404                                           bitsmsg.h
# 1 matches found for "0x80190194"

 

This should work for all Microsoft error codes, not just the Exchange error codes.
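
Why 0X80190194 is an HTTP 404 can be read from the code itself. The following is an added example, not part of the original post: it splits an HRESULT into severity, facility and code, using a few facility values from winerror.h; the function name ConvertFrom-HResult is made up for this example.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+ (-shr, [pscustomobject]).
function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][string]$Value)

    # Accept "0X80190194", "0x80190194" or "80190194"; Int64 avoids sign problems.
    $raw = [Convert]::ToInt64(($Value.Trim() -replace '^0[xX]', ''), 16)

    # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
    $failure  = ($raw -ge 2147483648)
    $facility = [int](($raw -shr 16) -band 0x7FF)
    $code     = [int]($raw -band 0xFFFF)

    # The signed 32-bit value, as err.exe prints it after "decimal".
    $signed = $raw
    if ($failure) { $signed = $raw - 4294967296 }

    # A few facility values from winerror.h; anything else is reported by number.
    $names = @{ 0 = 'FACILITY_NULL'; 4 = 'FACILITY_ITF'; 7 = 'FACILITY_WIN32'; 25 = 'FACILITY_HTTP' }
    $facilityName = "facility $facility"
    if ($names.ContainsKey($facility)) { $facilityName = $names[$facility] }

    # Only some facilities carry a code that can be read without a header lookup.
    $meaning = switch ($facility) {
        25      { "HTTP status $code" }
        7       { "Win32 error $code" }
        4       { 'interface-defined code (MAPI in Outlook): look it up with err.exe' }
        default { 'look it up with err.exe' }
    }

    [pscustomobject]@{
        Hex      = '0x{0:X8}' -f $raw
        Decimal  = $signed
        Failure  = $failure
        Facility = $facilityName
        Code     = $code
        Meaning  = $meaning
    }
}

# The two codes from the Outlook "Sync Issues" folder in this post.
'0X8004010F', '0X80190194' | ForEach-Object { ConvertFrom-HResult $_ } | Format-Table -AutoSize
```

The second code decodes to FACILITY_HTTP with code 404, which is why err.exe reports BG_E_HTTP_ERROR_404; the first is an interface-defined (MAPI) code, so it still needs the err.exe lookup.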

 

What if Autodiscover is generating a wrong / nonexisting OABUrl ?

Check this post and look at the bottom of the page – there is a chapter on wrong OABUrls
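
To see which OABUrl values Autodiscover actually returns, the response XML can be checked offline. This is an added example, not part of the original post: the response is constructed sample data, the function name Test-OabUrl is made up, and certificate names are compared by exact match only (no wildcard handling).

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+.
# Constructed Autodiscover response (sample data, trimmed to the relevant elements).
$sampleResponse = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <OABUrl>https://apollo.corelan.be/OAB/4c9c89e8-9958-4c30-999e-f803f3cf606e/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <OABUrl>http://webmail.mydomain.com/OAB/4c9c89e8-9958-4c30-999e-f803f3cf606e/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Test-OabUrl {
    param([Parameter(Mandatory = $true)][xml]$Response,
          [Parameter(Mandatory = $true)][string[]]$CertificateNames)

    # One result per protocol section (EXCH = internal, EXPR = Outlook Anywhere).
    foreach ($protocol in $Response.Autodiscover.Response.Account.Protocol) {
        $findings = @()
        if (-not $protocol.OABUrl) {
            $findings += 'no OABUrl returned'
        } else {
            $uri = [uri]$protocol.OABUrl
            if ($uri.Scheme -ne 'https') { $findings += 'not https' }
            if ($CertificateNames -notcontains $uri.Host) { $findings += 'host not on certificate' }
        }
        if (-not $findings) { $findings = @('ok') }

        [pscustomobject]@{
            Protocol = $protocol.Type
            OABUrl   = $protocol.OABUrl
            Findings = $findings -join '; '
        }
    }
}

# Names assumed to be on the web server certificate (constructed from host names used in this post).
$names = 'www.mydomain.com', 'webmail.mydomain.com', 'autodiscover.mydomain.com'
Test-OabUrl -Response $sampleResponse -CertificateNames $names | Format-Table -AutoSize
```

For a real check, paste the content of the XML tab of “Test E-mail AutoConfiguration” in place of the sample response and list the names that are actually on your certificate.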

 

Changing polling/replication interval for OAB data

By default, the polling interval (to replicate OAB data between servers) is 480 minutes (8 hours). You can speed up the polling (temporarily) by changing the interval :

Get-OABVirtualDirectory | Set-OABVirtualDirectory -PollInterval 2

You can watch the event log for event id 1008, which indicates that replication was successful :

[PS] C:\>Get-EventLog Application | where {$_.EventID -eq 1008} | FL

Index : 9254
EntryType : Information
EventID : 1008
Message : Process MSExchangeFDS.exe (PID=6120). Offline Address Book data synchronization task has completed successfully. OAB name: “Default Offline Address List”, Guid: 4c9c89e8-9958-4c30-999e-f803f3cf606e
Category : FileReplication
CategoryNumber : 2
ReplacementStrings : {MSExchangeFDS.exe, 6120, Default Offline Address List, 4c9c89e8-9958-4c30-999e-f803f3cf606e}
Source : MSExchangeFDS
TimeGenerated : 14/10/2007 17:41:51
TimeWritten : 14/10/2007 17:41:51
UserName :

 

Links

http://www.corelan.be:8800/index.php/2009/05/22/fixing-exchange-2007-offline-address-book-generation-oalgen-and-distribution-issues/ 

http://msexchangeteam.com/archive/2007/04/19/437902.aspx

http://blogs.msdn.com/dgoldman/archive/2006/10/23/outlook-client-fails-to-download-the-oab-with-error-0x8004011b.aspx

http://blogs.msdn.com/dgoldman/archive/2006/08/25/How-Exchange-2007-OAB-Files-are-replicated-to-a-Client-Access-Server-for-download.aspx

http://technet.microsoft.com/en-us/library/bb288905.aspx

2007 – 2009, Corelan Team (corelanc0d3r). All rights reserved.
