OAB Never Downloads for Outlook 2007 Clients with Exchange 2007 on Server 2008

This one killed me today. Exchange 2007 SP1, with Rollup Update 6 on Server 2008. Everything working perfectly with one exception – the offline address book (OAB) never downloads from the file distribution point for Outlook 2007 clients. Works fine via public folders, but not web-based. No error, no timeout, no progress indicator, no login prompt, Outlook just looks like it’s endlessly trying to download the OAB. I double-checked all the URLs, flipped around SSL settings, but still couldn’t figure out why it wouldn’t download. I would have been happy to see an error so I had something to search on. There were actually 2 problems here that made the situation a real pain in the ass.

First – the same bug that affects Outlook Anywhere on Server 2008 apparently does a number on the OAB too. The solution is to turn off kernel-mode authentication in IIS. Run this command to fix that issue and you’re halfway there. I ran across some blog that mentioned Rollup Update 7 may include this change by default.


C:\Windows\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

Second – I had enabled a redirect at the Default Web Site root to dump clients to the /owa folder gracefully using the Microsoft methodology at Technet. If you read the procedure you’ll notice setting the redirect at the root sets the same redirect on every single virtual directory. So, you need to go in to each virtual directory and undo the change you made for the root. This works fine, or appears to until your Outlook 2007 client tries to download the OAB and hangs forever.

I brightly plugged the URL to the OAB.XML file into IE and was greeted with a 500 – Internal Server Error message without an authentication prompt. That didn’t seem right. After some searching I realized the reason why Outlook hangs forever is that it tries to hit this URL, gets denied, uses some back-off logic, and tries again. I believe the back-off gets longer and longer each time it fails.

What happens is that when you disable that redirect for the OAB virtual directory IIS 7 generates a web.config file in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB folder. This seems logical, as it overrides the redirect at the root level, and is necessary. Unlike every other web.config that is generated in the other folders like Autodiscover and OWA, Authenticated Users do not have read access to the file. This is why Outlook and IE can’t even access the /OAB virtual directory.

The fix is pretty easy. Open the web.config in the OAB folder, and give Authenticated Users both the read and read and execute permissions. Run a iisreset /noforce on the CAS server to bounce IIS. Just for good measure, on the client side I wiped out the Outlook profile, and the contents of the %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook folder. Once I recreated the profile the OAB downloaded just fine. All in a day’s fun…

Peanut Gallery

  1. 1 Didar Meral

    Hey Tom,

    Great article. I have been beating my head with this one as well. I finally noticed when I was able to download the OAB with my account, that it might be a permissions issue somewhere. So I followed the steps in your article, did the IIS reset and reconfigured the profile and it still hangs. If I browse to the site directly, I get redirected to the external address that I have setup on the cert. Any ideas here?

    Thanks

     
  2. 2 Tom Pacyk

    You get redirected if you browse to the /OAB URL? That shouldn’t happen. Did you remove the redirect on all the virtual directories after you set it at the root level?

    Make sure you follow the procedure at the bottom of Technet article I linked to desribing how to remove the redirection from folders like /OAB, /AutoDiscover, etc.

     
  3. 3 Didar Meral

    Thats the odd thing. I get redirected even after disbabling the redirect. My 2 CAS Servers have the cert for mail.domain.com but the redirect is off and I have ran iisreset /norforce and even rebootes one of my CAS servers. Do you think recreating the OAB directory is needed?

     
  4. 4 Thomas

    It didnt work for me. Also for my administrativ Account wich was in Administrators Group i get the Error 500 when try to Access. Are we the only People in the world who use Exchange 2007 on Server 2008? why there are no official States to this Problem?

     
  5. 5 Rich

    Good Lord I looked for the problem for a few days. Removed the redirect set on the virtual directories and was able to download the OAB. Thanks. Willy World strikes again.

     
  6. 6 Jason

    I’ve completed the settings listed above, but outlook still doesn’t seem to be able to download the offline address book. I have Exchange 2007 SP1 Rollup 8 installed on a W2K8 server. Any other suggestions would be GREAT.

    Thanks in advance, Jason

    PS, I can browse to https://domain.domain.com/oab/1fe5d922-0235-451d-b2f3-b09f60e55995/oab.xml

    The XML file is displayed when I input my username and password.

     
  7. 7 Tom Pacyk

    Jason, RU8 should actually disable the kernel mode authentication for you now.

    Do you get an error in Outlook when you try to download the OAB?

     
  8. 8 Chaman

    Hello Sir I was reading your stuff, it is nice to read. I know this is stupid, but i need to ask this simple question. I am not able to install OCS_Eval.msi on Server 2003. it shows me The system administrator has set policies to prevent this installation I will be very much pleased if I can get the answer of this :) Thanks anyway for putting stuff on your site.

     
  9. 9 mandm

    Thanks… it worked for me. some selected the redirect for owa and the web.config file lost its permisions. reset access permissions on the file and restarted iis. Its all good.

     
  10. 10 Paul

    Thanks so much for this–still helping some of us more than a year later!

     
  11. 11 Joe C

    Hey all – I know lots of folks still have OAB issues. I found a STRANGE resolution for my own personal w7 outlook 2007 sp2 client. I, the exchadmin, was unable to download the OAB. After much head-bashing I was shocked to learn that Exchange/Outlook use BITS to transfer the OAB. I had a throttled BITS job that appear to be stuck. Run “bitsadmin /list” from the problematic workstation. If you see ‘Microsoft Outlook Offline Address Book’ listed a bunch of times as QUEUED but a differing job “TRANSFERRING” try canceling the job that’s “TRANSFERRING” by running “bitsadmin /cancel” and paste the {whatever} job name after /cancel that you found from /list. Include the {} brackets. Worked like a champ here. wipes brow

     
  12. 12 Nick

    Had the same thing happen in Exchange 2010. 3 hours on the phone with support and this was the fix. Thanks!

     
  13. 13 Jeff Schertz

    Tom, thanks for posting this; I configured OWA redirection for a client 2 weeks ago and wouldn’t have even connected the dots when running into the issue just today.

    FYI only ‘Read’ permissions are required on the Web.config file, not Read & Execute.

     
  14. 14 Jim

    Good post!

    I had to go a bit further with my exact same problem. Turned out to be a group policy object which turned off BITS bandwidth during working hours, so that WSUS updates would be applied after hours.

     
  15. 15 Noel

    Thank you very much, I also configured redirection and only then noticed problems with my OAB. This fixed the issue.

    Thanks again.

     
  16. 16 Ed Swindelles

    Thank you! The permissions update resolved my problem as well. This is for Exchange 2010 on Server 2008 R2 with Outlook 2010 clients.

     
  17. 17 Justin Smith

    Yes, thank you very much. Also had this problem on Exchange 2010, Server 2008 R2, with Outlook 2007 and Outlook 2010 clients.

     

Speak Up