Hi,
Our IT dept started switching users from a win2000 env to an XP
environment. They're doing it to switch to an Active directory setup.
When they switch a user, they apply restrictions to his profile so that
he/she can only log in to a specific workstation. When this is done to
users who have both Mac and PCs, they cannot connect with Entourage
2004, or Outlook 2001 to the exchange server from the Mac (OSX10.3.9).
We have added the Mac's name from the Sharing preferences to the list
of allowed workstations in their AD permissions. That lets them connect
to SMB shares, but not the exchange server. We have also added the name
of the exchange server to the list but still no go. The error message
they get is that the username/password is incorrect. They can connect
using OWA from Firefox to http://exchangeserver/exchange. The only
solution we've found is if they don't have any restrictions on where
they can log in to. However IT is balking seriously at this option.
Does anyone have any suggestions/solutions to this?

TIA
Costas

Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Fri Nov 24 15:37:10 CST 2006

<costas.manousakis@mhd.state.ma.us> wrote:

> Hi,

Hi Costas,

> Our IT dept started switching users from a win2000 env to an XP
> environment. They're doing it to switch to an Active directory setup.
> When they switch a user, they apply restrictions to his profile so that
> he/she can only log in to a specific workstation. When this is done to
> users who have both Mac and PCs, they cannot connect with Entourage
> 2004, or Outlook 2001 to the exchange server from the Mac (OSX10.3.9).


Ouch ouch... AD is a pain. I've done anything I could to stay away from
it.

> We have added the Mac's name from the Sharing preferences to the list
> of allowed workstations in their AD permissions. That lets them connect
> to SMB shares, but not the exchange server. We have also added the name
> of the exchange server to the list but still no go. The error message

If you are under Tiger (MacOS X 10.4), you can actually use AD on your
Mac. (you need to set it up with the Directory Utility application)

> they get is that the username/password is incorrect. They can connect
> using OWA from Firefox to http://exchangeserver/exchange. The only
> solution we've found is if they don't have any restrictions on where
> they can log in to. However IT is balking seriously at this option.
> Does anyone have any suggestions/solutions to this?

They can connect through OWA but not Entourage???
Try copying the URL from your web browser (eg:
http://exchangeserver/me/exchange) and use it directly in the Entourage
exchange settings for the server address. That might do the trick,

Corentin

--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Sun Nov 26 18:28:16 CST 2006

Hi Corentin,

> If you are under Tiger (MacOS X 10.4), you can actually use AD on your
> Mac. (you need to set it up with the Directory Utility application)
>
At the moment we are at 10.3.9. I saw some instructions on using AD.
they need IT to let us join the domain or something like that.
> They can connect through OWA but not Entourage???
> Try copying the URL from your web browser (eg:
> http://exchangeserver/me/exchange) and use it directly in the Entourage
> exchange settings for the server address. That might do the trick,
>
I had seen this suggestion for other problems and tried it. One thing
different in our setup is that the url does not have the 'me' anywhere.
It did not work anyway. Seems Entourage authenticates differently than
the browser OWA client. Does anyone know how it might be different?

Thanks
Costas


Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Sun Nov 26 19:07:21 CST 2006


Corentin Cras-Méneur wrote:
> <costas.manousakis@mhd.state.ma.us> wrote:
>
> > Hi,
>
> Hi Costas,
>
> > Our IT dept started switching users from a win2000 env to an XP
> > environment. They're doing it to switch to an Active directory setup.
> > When they switch a user, they apply restrictions to his profile so that
> > he/she can only log in to a specific workstation. When this is done to
> > users who have both Mac and PCs, they cannot connect with Entourage
> > 2004, or Outlook 2001 to the exchange server from the Mac (OSX10.3.9).
>
>
> Ouch ouch... AD is a pain. I've done anything I could to stay away from
> it.
>
> > We have added the Mac's name from the Sharing preferences to the list
> > of allowed workstations in their AD permissions. That lets them connect
> > to SMB shares, but not the exchange server. We have also added the name
> > of the exchange server to the list but still no go. The error message
>
> If you are under Tiger (MacOS X 10.4), you can actually use AD on your
> Mac. (you need to set it up with the Directory Utility application)
>
> > they get is that the username/password is incorrect. They can connect
> > using OWA from Firefox to http://exchangeserver/exchange. The only
> > solution we've found is if they don't have any restrictions on where
> > they can log in to. However IT is balking seriously at this option.
> > Does anyone have any suggestions/solutions to this?
>
> They can connect through OWA but not Entourage???
> Try copying the URL from your web browser (eg:
> http://exchangeserver/me/exchange) and use it directly in the Entourage
> exchange settings for the server address. That might do the trick,
>
> Corentin
>
> --
> --- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
> http://www.mvps.org - http://mvp.support.microsoft.com
> MVPs are not MS employees - Les MVP ne travaillent pas pour MS
> Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire


Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Mon Nov 27 10:16:08 CST 2006

CostasM <costas.manousakis@mhd.state.ma.us> wrote:

> > If you are under Tiger (MacOS X 10.4), you can actually use AD on your
> > Mac. (you need to set it up with the Directory Utility application)
> >
> At the moment we are at 10.3.9. I saw some instructions on using AD.
> they need IT to let us join the domain or something like that.

Hum, I don't know about 10.3.9.... Some of the features you need might
be 10.4 only :-\

[...]
> I had seen this suggestion for other problems and tried it. One thing
> different in our setup is that the url does not have the 'me' anywhere.

I see. The admin must have customized something there.

> It did not work anyway. Seems Entourage authenticates differently than
> the browser OWA client. Does anyone know how it might be different?

Well Entourage uses OWA to connect to Exchange servers (as of Entourage
2004). That's why using the http:// link works just fine in most cases
(and also why the Exchange server you connect to must have OWA active
to allow Entourage connections).
I suspect the authentication scheme on your server is different from the
standard one :-\


Corentin

--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Mon Nov 27 12:20:25 CST 2006

Sorry about this one.. pressed 'Post Message' by accident
CostasM wrote:
> Corentin Cras-Méneur wrote:

> > Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire


Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Mon Nov 27 13:05:54 CST 2006


Corentin Cras-Méneur wrote:

> Well Entourage uses OWA to connect to Exchange servers (as of Entourage
> 2004). That's why using the http:// link works just fine in most cases
> (and also why the Exchange server you connect to must have OWA active
> to allow Entourage connections).
> I suspect the authentication scheme on your server is different from the
> standard one :-\
>
I guess that's what requires some digging. I'm not sure if they changed
anything on the exchange server. I can go on the same Mac, and create
successfully an entourage/exchange account for a user who has not been
migrated to an 'IT - XP' account. If I try a 'migrated' user I get an
error when verifying the settings ("Entourage cannot connect to the
server. Verify computer is on the network (-3260)"). Then it indicates
that the exchange server is incorrect, but it's the same as before.
Any more thoughts on this? maybe a direction that i can research or ask
IT?
Costas


Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Mon Nov 27 13:34:10 CST 2006

CostasM <costas.manousakis@mhd.state.ma.us> wrote:

> Any more thoughts on this? maybe a direction that i can research or ask
> IT?

If the server is not accessed over SSL, you can try port sniffing:
http://www.entourage.mvps.org/troubleshoot/sniff.html


Corentin




--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Mon Nov 27 15:08:36 CST 2006

Hi Corentin,

Corentin Cras-Méneur wrote:

>
> If the server is not accessed over SSL, you can try port sniffing:
> http://www.entourage.mvps.org/troubleshoot/sniff.html
>
>
I tried Interarchy to scan the open ports. Our exchange server is not
the same as the LDAP. So I scanned for port 80 on the exchange and 389
on the LDAP. They were both open. Is there something else I should be
looking for?

Thanks for your help
Costas


Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Mon Nov 27 17:24:51 CST 2006

CostasM <costas.manousakis@mhd.state.ma.us> wrote:

> I tried Interarchy to scan the open ports. Our exchange server is not
> the same as the LDAP. So I scanned for port 80 on the exchange and 389
> on the LDAP. they were both open. Is there something else I should be
> looking for?


OWA uses port 80 (when it's not being used over SSL)
Try using Interarchy to monitor traffic on port 80 as you launch
Entourage and attempt to connect.
That will provide you with a detailed log of the communication between
the server and Entourage. Hopefully, you'll find clues of the reasons
why it fails in there :-\


Corentin



--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Wed Nov 29 09:10:36 CST 2006

Tried Interarchy. I see the requests from the Mac to the exchange
server :
1st is a PROPFIND with no Authorization at the end. It gets an "Access
denied" message back.
2nd another PROPFIND and it appears to have some NTLM authorization at
the end. Again "Access denied".
3rd Another PROPFIND request with the Authorization string being
longer. Then it gets a "Local Security Authority cannot be contacted".

Then there is a series of 3 GET requests with same replies.

When I tried Firefox to get to the same server, I saw GET requests. It
seems that they are similar to the GET requests from Entourage. The
first two also get "Access denied" but the 3rd one with the longer
authorization string seems to get accepted.

Does this make any sense?

Costas
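
Added example, not part of any post in this thread: a small Python decoder for the `Authorization` header values seen in a trace like the one described above. It reports the scheme and, for the longer NTLM string (the Type 3 message), the domain, user and workstation name the client sent, which can be compared with the allowed-workstations list; the sample headers and the helper names are constructed for illustration, and the Type 3 message is assumed to include its flags field at offset 60.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

def _field(msg, pos, is_unicode):
    """Decode the string that an NTLM security buffer (len, maxlen, offset) points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if is_unicode else "latin-1")

def describe_authorization(value):
    """Summarise an Authorization header value; never returns a password or hash."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() == "basic":
        # Basic is just base64("user:password"); report the user name only.
        user = base64.b64decode(blob).decode("latin-1").partition(":")[0]
        return {"scheme": "Basic", "user": user}
    if scheme.lower() != "ntlm":
        return {"scheme": scheme}
    msg = base64.b64decode(blob)
    if len(msg) < 12 or not msg.startswith(NTLM_SIG):
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"scheme": "NTLM", "type": mtype}
    if mtype == 3:  # AUTHENTICATE: the longer string in the trace
        if len(msg) < 64:
            raise ValueError("Type 3 message without a flags field")
        (flags,) = struct.unpack_from("<I", msg, 60)
        uni = bool(flags & NEGOTIATE_UNICODE)
        info.update(domain=_field(msg, 28, uni), user=_field(msg, 36, uni),
                    workstation=_field(msg, 44, uni))
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed sample only: a Type 3 message with dummy all-zero responses."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [b"\x00" * 24, b"\x00" * 24] + names + [b""]  # LM, NT, names, session key
    header, payload, offset = NTLM_SIG + struct.pack("<I", 3), b"", 64
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")

# Constructed sample header values, not taken from the thread's trace.
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<II", 1, 0x0207)).decode("ascii")
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jdoe:constructed-password").decode("ascii")

if __name__ == "__main__":
    for header in (SAMPLE_TYPE1, build_sample_type3("EXAMPLE", "jdoe", "MAC-G5"), SAMPLE_BASIC):
        print(describe_authorization(header))
```

A `Basic` header on port 80 carries the password in reversible base64, so a trace containing one should be handled as a credential.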


Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Wed Nov 29 11:32:12 CST 2006

CostasM <costas.manousakis@mhd.state.ma.us> wrote:

> Tried Interarchy. I see the requests from the Mac to the exchange
> server :
> 1st is a PROPFIND with no Authorization at the end. It gets an "Access
> denied" message back.
> 2nd another PROPFIND and it appears to have some NTLM authorization at
> the end. Again "Access denied".
> 3rd Another PROPFIND request with the Authorization string being
> longer. Then it gets a "Local Security Authority cannot be contacted".
>
> Then there is a series of 3 GET requests with same replies.
>
> When I tried Firefox to get to the same server, I saw GET requests. It
> seems that they are similar to the GET requests from Entourage. The
> first two also get "Access denied" but the 3rd one with the longer
> authorization string seems to get accepted.
>
> Does this make any sense?


To some respect.... Can you connect to OWA through Safari ??
"Local Security Authority cannot be contacted " makes me wonder whether
there is some sort of certificate required.....
If yes, I wonder whether it is in your Keychain.

Safari should query the keychain and you should get a warning if there
is a certificate issue.

Corentin


--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by Jeremy

Jeremy
Wed Nov 29 14:37:08 CST 2006

I would point out this post on the Exchange admins newsgroup, which more or
less echoes the same problem and error message -- but just with OWA:

<http://www.archivum.info/microsoft.public.exchange.admin/2006-02/msg02673.html>

That doesn't provide a solution, but the solution may be "don't do that"
(lock down accounts to computers).

* Do users with _only_ Macs (if there are any) have a problem?

* Do users who are not _simultaneously_ logged in on a Windows computer
(i.e. just sitting at the login window on Windows) have the problem?

Also, it is correct that an authorized administrator must bind a Macintosh
(or a Windows computer) to an Active Directory. It cannot be done by just
any account. There are specific privileges in the Active Directory involved.


Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Thu Nov 30 15:08:18 CST 2006

First of all, I'd like to thank you for your comments and help.

Corentin Cras-Méneur wrote:

>
> To some respect.... Can you connect to OWA through Safari ??
> "Local Security Authority cannot be contacted " makes me wonder whether
> there is some sort of certificate required.....
> If yes, I wonder whether it is in your Keychain.
Tested Safari 1.3.2 on 10.3.9 and it just does not connect. There is no
message regarding a certificate of any kind. The trace shows a GET
request from safari with 'Authorization : Basic (binaryinfo)' in
there. The server responds with an Access Denied message and that's it.
Firefox works OK as I mentioned before.
>
> Safari should query the keychain and you should get a warning if there
> is a certificate issue.


Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Thu Nov 30 15:34:26 CST 2006

Hi Jeremy,
Thanks,

Jeremy Reichman wrote:

> * Do users with _only_ Macs (if there are any) have a problem?

Currently users that have the problem have both a Mac and an XP
machine. There are users who are only on Macs, but they have not been
converted to the XP (one station only) setup.

>
> * Do users who are not _simultaneously_ logged in on a Windows computer
> (i.e. just sitting at the login window on Windows) have the problem?

No, we tried them being logged on to the windows and not logged on.
Same error from entourage.

>
> Also, it is correct that an authorized administrator must bind a Macintosh
> (or a Windows computer) to an Active Directory. It cannot be done by just
> any account. There are specific privileges in the Active Directory involved.


Re: Connection problems to Exchange after user account changes by Corentin Cras-Méneur

Corentin Cras-Méneur
Fri Dec 01 16:03:55 CST 2006

CostasM <costas.manousakis@mhd.state.ma.us> wrote:

> Tested Safari 1.3.2 on 10.3.9 and it just does not connect. There is no
> message regarding a certificate of any kind. The trace shows a GET
> request from safari with 'Authorization : Basic (binaryinfo)' in
> there. The server responds with an Access Denied message and that's it.
> Firefox works OK as I mentioned before.

Then I suspect you need AD support and integration at the system level.
I fear it's a no-go unless the computers are migrated to Tiger..... :-\


Corentin



--
--- Mac:MS MVP (Francophone) http://www.cortig.net/wordpress/ ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire

Re: Connection problems to Exchange after user account changes by CostasM

CostasM
Mon Dec 04 18:25:19 CST 2006


Corentin Cras-Méneur wrote:
>
> Then I suspect you need AD support and integration at the system level.
> I fear it's a no-go unless the computers are migrated to Tiger..... :-\
>
>
I'll give it a try with 10.3.9 and see how it goes. Hopefully I'll post
back positive results

Thanks
Costas