OAB Never Downloads for Outlook 2007 Clients with Exchange 2007 on Server 2008

Update: This post gets a lot of traffic, but I want to be clear the first step here is no longer required. Simply perform the solution at the end of the post.

This one killed me today. Exchange 2007 SP1, with Rollup Update 6 on Server 2008. Everything working perfectly with one exception – the offline address book (OAB) never downloads from the file distribution point for Outlook 2007 clients. Works fine via public folders, but not web-based. No error, no timeout, no progress indicator, no login prompt, Outlook just looks like it’s endlessly trying to download the OAB. I double-checked all the URLs, flipped around SSL settings, but still couldn’t figure out why it wouldn’t download. I would have been happy to see an error so I had something to search on. There were actually 2 problems here that made the situation a real pain in the ass.

First – the same bug that affects Outlook Anywhere on Server 2008 apparently does a number on the OAB too. The solution is to turn off kernel-mode authentication in IIS. Run this command to fix that issue and you’re halfway there. I ran across some blog that mentioned Rollup Update 7 may include this change by default.


C:\Windows\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

Second – I had enabled a redirect at the Default Web Site root to dump clients to the /owa folder gracefully using the Microsoft methodology at Technet. If you read the procedure you’ll notice setting the redirect at the root sets the same redirect on every single virtual directory. So, you need to go into each virtual directory and undo the change you made for the root. This works fine, or appears to, until your Outlook 2007 client tries to download the OAB and hangs forever.

I brightly plugged the URL to the OAB.XML file into IE and was greeted with a 500 – Internal Server Error message without an authentication prompt. That didn’t seem right. After some searching I realized the reason why Outlook hangs forever is that it tries to hit this URL, gets denied, uses some back-off logic, and tries again. I believe the back-off gets longer and longer each time it fails.

What happens is that when you disable that redirect for the OAB virtual directory, IIS 7 generates a web.config file in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB folder. This seems logical, as it overrides the redirect at the root level, and is necessary. Unlike every other web.config that is generated in the other folders like Autodiscover and OWA, Authenticated Users do not have read access to the file. This is why Outlook and IE can’t even access the /OAB virtual directory.

The fix is pretty easy. Open the security properties of the web.config in the OAB folder, and give Authenticated Users both the Read and Read & Execute permissions. Run an iisreset /noforce on the CAS server to bounce IIS. Just for good measure, on the client side I wiped out the Outlook profile, and the contents of the %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook folder. Once I recreated the profile the OAB downloaded just fine. All in a day’s fun…
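The permission check and fix described above, as an added PowerShell example that is not part of the original post. It assumes the default install path named in the post, reports which web.config files Authenticated Users can read, and grants Read only (the narrower of the permissions mentioned) on the OAB file if it is missing; the function name Test-AuthUsersRead is made up for this example.

```powershell
# Added example. The path is the default one named in the post; adjust if Exchange lives elsewhere.
$clientAccess = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess'

# Well-known SID for Authenticated Users (S-1-5-11); avoids localized group names.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$read      = [int][System.Security.AccessControl.FileSystemRights]::Read

# Hypothetical helper: true if an Allow ACE (explicit or inherited) gives
# Authenticated Users at least Read on the file.
function Test-AuthUsersRead {
    param([string]$Path)
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $authUsers.Value -and
            $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ([int]$rule.FileSystemRights -band $read) -eq $read) {
            return $true
        }
    }
    return $false
}

# Audit: list every web.config one level below ClientAccess (OAB, owa, Autodiscover, ...)
# so the odd one out is visible next to the directories that work.
Get-ChildItem -Path $clientAccess |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'web.config' } |
    Where-Object { Test-Path $_ } |
    Select-Object @{ Name = 'Path'; Expression = { $_ } },
                  @{ Name = 'AuthUsersCanRead'; Expression = { Test-AuthUsersRead $_ } } |
    Format-Table -AutoSize

# Fix: add a Read-only Allow ACE on the OAB web.config if it is missing, then bounce IIS.
$oabConfig = Join-Path $clientAccess 'OAB\web.config'
if ((Test-Path $oabConfig) -and -not (Test-AuthUsersRead $oabConfig)) {
    $acl  = Get-Acl -Path $oabConfig
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $authUsers,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $oabConfig -AclObject $acl
    iisreset /noforce
}
```

Run it from an elevated prompt on the CAS server; the audit table alone is enough to confirm whether the OAB file is the one with the missing ACE.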

Peanut Gallery

  1. Hey Tom,

    Great article. I have been beating my head with this one as well. I finally noticed when I was able to download the OAB with my account, that it might be a permissions issue somewhere. So I followed the steps in your article, did the IIS reset and reconfigured the profile and it still hangs. If I browse to the site directly, I get redirected to the external address that I have setup on the cert. Any ideas here?

    Thanks

     
  2. You get redirected if you browse to the /OAB URL? That shouldn’t happen. Did you remove the redirect on all the virtual directories after you set it at the root level?

    Make sure you follow the procedure at the bottom of the Technet article I linked to describing how to remove the redirection from folders like /OAB, /AutoDiscover, etc.

     
  3. That’s the odd thing. I get redirected even after disabling the redirect. My 2 CAS Servers have the cert for mail.domain.com but the redirect is off and I have run iisreset /noforce and even rebooted one of my CAS servers. Do you think recreating the OAB directory is needed?

     
  4. It didn’t work for me. Also for my administrative account, which was in the Administrators group, I get the Error 500 when I try to access. Are we the only people in the world who use Exchange 2007 on Server 2008? Why are there no official statements on this problem?

     
  5. Good Lord I looked for the problem for a few days. Removed the redirect set on the virtual directories and was able to download the OAB. Thanks. Willy World strikes again.

     
  6. I’ve completed the settings listed above, but outlook still doesn’t seem to be able to download the offline address book. I have Exchange 2007 SP1 Rollup 8 installed on a W2K8 server. Any other suggestions would be GREAT.

    Thanks in advance, Jason

    PS, I can browse to https://domain.domain.com/oab/1fe5d922-0235-451d-b2f3-b09f60e55995/oab.xml

    The XML file is displayed when I input my username and password.

     
  7. Jason, RU8 should actually disable the kernel mode authentication for you now.

    Do you get an error in Outlook when you try to download the OAB?

     
  8. Hello Sir, I was reading your stuff, it is nice to read. I know this is stupid, but I need to ask this simple question. I am not able to install OCS_Eval.msi on Server 2003. It shows me “The system administrator has set policies to prevent this installation”. I will be very much pleased if I can get the answer to this :) Thanks anyway for putting stuff on your site.

     
  9. Thanks… it worked for me. Someone selected the redirect for owa and the web.config file lost its permissions. Reset access permissions on the file and restarted IIS. It’s all good.

     
  10. Thanks so much for this–still helping some of us more than a year later!

     
  11. Hey all – I know lots of folks still have OAB issues. I found a STRANGE resolution for my own personal w7 outlook 2007 sp2 client. I, the exchadmin, was unable to download the OAB. After much head-bashing I was shocked to learn that Exchange/Outlook use BITS to transfer the OAB. I had a throttled BITS job that appeared to be stuck. Run “bitsadmin /list” from the problematic workstation. If you see ‘Microsoft Outlook Offline Address Book’ listed a bunch of times as QUEUED but a differing job “TRANSFERRING”, try canceling the job that’s “TRANSFERRING” by running “bitsadmin /cancel” and paste the {whatever} job name after /cancel that you found from /list. Include the {} brackets. Worked like a champ here. *wipes brow*

     
  12. Had the same thing happen in Exchange 2010. 3 hours on the phone with support and this was the fix. Thanks!

     
  13. Tom, thanks for posting this; I configured OWA redirection for a client 2 weeks ago and wouldn’t have even connected the dots when running into the issue just today.

    FYI only ‘Read’ permissions are required on the Web.config file, not Read & Execute.

     
  14. Good post!

    I had to go a bit further with my exact same problem. Turned out to be a group policy object which turned off BITS bandwidth during working hours, so that WSUS updates would be applied after hours.

     
  15. Thank you very much, I also configured redirection and only then noticed problems with my OAB. This fixed the issue.

    Thanks again.

     
  16. Thank you! The permissions update resolved my problem as well. This is for Exchange 2010 on Server 2008 R2 with Outlook 2010 clients.

     
  17. Yes, thank you very much. Also had this problem on Exchange 2010, Server 2008 R2, with Outlook 2007 and Outlook 2010 clients.

     
  18. I got an internal server error when I used Iexplore to browse to https://mail.domain.com/OAB

    This article solved that problem, but the Outlook clients still receive a 0x8004010F error when trying to download the OAB….

     
  19. This was driving me crazy – thanks for a great article.

     
  20. Great Job (Same error for Ex 2010 sp1) – Thanks!

     
  21. this article fixed my exact issue.. been researching this for a few days! Thank you

     
  22. I know I turned off redirect when I set up this whole mess originally! I too did this in order to make the URL simple and easy to remember. It somehow got turned back on, so at some point the OAB folder must have been automatically regenerated???

    Good to know! Thanks!

     
  23. Great solution! I’ve been struggling with this for days with Exchange 2010 SP1.

     
  24. Thank you very much! Setting the permissions of web.config as you described solved the problem!

     
  25. This is a great post, but I’d like to point out a small error. The actual user that needs read/execute access to the web.config file is NETWORK SERVICE.

    The web.config files are parsed by IIS directly, not the web client. Actually, it’s the ASP.net worker process (w3wp.exe) that reads and parses them. The default worker process identity in IIS 7/7.5 is NETWORK SERVICE, and unless this has been changed (not recommended on a CAS box), then that is the user that needs access to the web.config file.

    I busted out my trusty Process Monitor (greatest tool ever) and confirmed this fairly quickly. A quick change to the web.config ACL, as you described, and the problem was solved.

    Great post and thanks for pointing me in the right direction!

     
  26. Thanks for the solution. Whoop! Whoop!

     
  27. Can someone explain how in the config file you “give Authenticated Users both the read and read and execute permissions”?? thanks

     
  28. I am having this issue on Exchange 2010 Sp1 and I have added redirection at the root or any level of the website. Due to that- there is no web.config in the oab directory. any thoughts?

     
  29. Thanks very much! I’ve been banging my head about this one for several hours today

     
  30. I followed the steps and it is a no go.. exchange 2010 /outlook 2007.

    New profiles get the new oab just that time. Old profiles get what they already have.

    I’ve even removed the web.config file and restarted iis, and it does not regenerate the file.

     
  31. Fantastic fix mate. Thank you for posting. Solved my issue.

     
  32. Thanks!! Worked for me on exchange 2010. Only had to add permissions to authenticated users and do an iisreset.

     
  33. Great tip..i was banging my head against the wall for days now. Thanks.

     
  34. I second that – a great tip. Was searching in all the wrong places. And I had just turned on redirect at the root folder. Thanks.

     
  35. great, setting the permission on the webconfig worked for me too., the browsing the url went from a 500 to a 403.14 like a ‘normal’ machine. You’re a star, many thanks.

     
  36. You are great!! Thank you.

     
  37. I wasted a lot of time troubleshooting this, it’s tricky because I couldn’t find any error codes or error messages that I could search on. Thanks!

     
  38. Wow, thank you so much. I spent about three hours on this issue and it was driving me nuts. I’m glad I found your blog!

     
  39. I love you!

     
  40. I also ran into this issue on an Exchange Server 2010 SP2 server.

     
