E-mail Download Issue in Entourage With Exchange 2007 on Windows 2008

In this blog post I wanted to talk about another new issue being experienced by our customers who are working with Exchange 2007 on Windows 2008. Windows Server 2008 is the key here as it relates to IIS 7 (Internet Information Server) and it's default security restrictions.

Issue
Using Entourage for Mac (2004 or 2008) while connecting to an Exchange 2007 mailbox on a Windows 2008 Server, user cannot download any e-mail message which has a plus sign in it's subject line, like 'Test + Mail'.

Cause
Entourage's request to download this e-mail message goes thru IIS 7 on Windows 2008 Server, which is configured (by default) to deny 'double escape sequences' in any HTTP request and thus it rejects the request with a '404.11' error.

Resolution
As Entourage talks to 'Exchange' virtual directory (for mailbox access) under 'Default Website' on IIS, thus you can use the following procedure to allow the use of 'double escape sequence' only at that level to address this issue. This will minimize the risk you will be taking to enable the usage of double escape sequence. Enabling the use of 'double escape sequence' does carry some risk, please go thru the links below under 'More Info' section to get yourself educated on the issue & involved risks before you work on the steps below.

Quick & Easy Way
You will need to run this command on all of your Exchange 2007 CAS and Mailbox Servers as IIS is installed on them by default.

Bring up a Windows 'Command Prompt', type the following command and hit 'Enter' on keyboard, that's it, you are done!

%windir%\system32\inetsrv\appcmd set config "https://localhost/Exchange" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true /commit:apphost

You will see the following response after running the above command in the same window.

Applied configuration changes to section "system.webServer/security/requestFiltering" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"

After running this command, you don't need to restart any services on server, just run the command and ask your Entourage users to see if the issue has been resolved for them, at the most you can ask them to re-launch Entourage.

OR if you are a guy who is interested in details, then you can follow the manual steps outlined below.

Manual Steps
1. Bring up Notepad : File : Open, type %windir%\System32\inetsrv\config\applicationHost.config in the 'File name' box, and then click 'Open'.

2. Locate the section titled as: <location path="Default Web Site/Exchange">

3. Under that section locate </authentication> tag

4. Just after that insert the following text on a new line: <requestFiltering allowDoubleEscaping="true" />

5. Save the file and 'Exit' Notepad

Again, no restart of any service is required.

Note:
As Entourage talks to 'Public' virtual directory (for public folder access) under 'Default Website' on IIS, thus you will need to follow the same procedure for 'Public' virtual directory as well. Same instructions apply, just replace 'Exchange' with 'Public' in all steps mentioned above.

Details
Let's go into the details of this issue. First of all let's see how this issue would look like to an Entourage user when he looks at his Inbox thru Outlook Web Access & Entourage.

Outlook Web Access thru Safari (note the presence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

Entourage 2008 (note the absence of messages with '+' in their subject lines, i.e. 'Movie + Dinner' & 'Test + Message')

So how did it happen? Let's review the TCPFlow Trace pasted below, which I took on Entourage user's machine. Important parts are highlighted in red.

65.53.65.121 = Entourage Client

172.30.142.217 = Exchange 2007 CAS Server

In the trace snippet pasted below Entourage client is requesting (thru SEARCH command) if there are any changes in user's Inbox, i.e. if there are any new items there for Entourage to retrieve and sync down to its local database.

065.053.065.121.51253-172.030.142.217.00080:
SEARCH /exchange/john/Inbox/ HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Brief: t
Translate: F
Range: Rows=0-512
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4w+C87pKQrHkOOeTHX4IiYZdRzhFlUtMQICwpFE3
/xSe3jJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 743
Accept-Encoding: gzip
Connection: Keep-Alive

065.053.065.121.51253-172.030.142.217.00080:
<?xml version="1.0"?><D:searchrequestxmlns:D="DAV:"
xmlns:R="<https://schemas.microsoft.com/repl/>">
<R:repl><R:collblob>toCTAAMAAQIgzWX+UAA=</R:collblob>
</R:repl><D:sql>SELECT
"<https://schemas.microsoft.com/repl/repl-uid>",
"<https://schemas.microsoft.com/repl/resourcetag>",
"<https://schemas.microsoft.com/mapi/proptag/x001A001F>",
"<https://schemas.microsoft.com/mapi/sensitivity>",
"urn:schemas:httpmail:read", "urn:schemas:httpmail:datereceived"
FROM SCOPE ('SHALLOW TRAVERSAL OF "/exchange/john/Inbox/"')
WHERE "<https://schemas.microsoft.com/mapi/proptag/0x67aa000b>"
= false AND "DAV:isfolder" = false</D:sql></D:searchrequest>

And here comes the response from server with the URL of the new item, which is an e-mail with the subject 'Test + Mail' (we are working with only one message to keep things simple) …

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 207 Multi-Status
Transfer-Encoding: chunked
Content-Type: text/xml
Content-Range: rows 0-0; total=*
Accept-Ranges: rows
Server: Microsoft-IIS/7.0
Set-Cookie: OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}; path=/
MS-WebStorage: 08.01.10240
MS-WebStorage: 08.01.10240
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT

172.030.142.217.00080-065.053.065.121.51253:
<?xml version="1.0"?><a:multistatusxmlns:b="urn:
uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
xmlns:g="urn:schemas:httpmail:"
xmlns:f="<https://schemas.microsoft.com/mapi/>"
xmlns:c="xml:"
xmlns:e="<https://schemas.microsoft.com/mapi/proptag/>"
xmlns:d="<https://schemas.microsoft.com/repl/>"
xmlns:a="DAV:"><a:contentrange>
0-0</a:contentrange><a:response><a:href>
<https://172.30.142.217/exchange/john/Inbox/Test%20%2B%20Mail.EML
</a:href><d:changetype>new</d:changetype><a:propstat><a:status>
HTTP/1.1> 200 OK</a:status><a:prop><d:repl-uid>
rid:d17078df5926b048921786b466da7185000220cd63ff
</d:repl-uid><d:resourcetag>rt:d5926b04892185000220cd728e
</d:resourcetag><e:x001A001F>IPM.Note</e:x001A001F>
<f:sensitivity b:dt="int">0</f:sensitivity><g:readb:dt="boolean">0
</g:read><g:datereceived b:dt="dateTime.tz">
20080620T21:46:46.895Z</g:datereceived></a:prop></a:propstat>
</a:response><d:repl><d:collblob>toaUAABAAYAAiDNY/8A</d:collblob>
</d:repl></a:multistatus>

In the snippet below Entourage tries to fetch the new mail message using the URL provided by server …

065.053.065.121.51253-172.030.142.217.00080:
PROPFIND /exchange/john/Inbox/Test%20%2B%20Mail.EML HTTP/1.1
Host: 172.30.142.217
From: 65.53.65.121
User-Agent: Entourage/12.10.0 (PPC Mac OS X 10.4.9)
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset="utf-8"
Depth: 0
Brief: t
Translate: F
Cookie: sessionid=7f5d08a5-f5ef-4e36-91e1-8c57c1c2a67f;
cadata="4Soepik9ZpG1ev4wJmd6QpyBoZI08NwuacKT+wAeWBA==";
OwaLbe={7313483B-4B9B-459B-8EB9-8D0BEE690596}
Content-Length: 646
Accept-Encoding: gzip
Connection: Keep-Alive

And Entourage's receives a 404 error from server for it's request, as IIS7 installed on that Windows 2008 Server (with Exchange 2007) does not allow the use of 'double escape sequence' in any incoming HTTP request.

172.030.142.217.00080-065.053.065.121.51253:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2008 21:46:52 GMT
Content-Length: 1245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"<https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd>">
<htmlxmlns="<https://www.w3.org/1999/xhtml>">
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

<!--

body{margin:0;font-size:.7em;font-family:Verdana, Arial,
Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;
font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;
padding:10px;position:relative;}

-->

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found. </h2>
<h3>The resource you are looking for might have been removed,
had its name changed, or is temporarily unavailable. </h3>
</fieldset></div>
</div>
</body>
</html>

Now if you look in IIS Log on Exchange 2007 CAS or Mailbox Servers, you will find the following entry there:

CAS
2008-06-20 14:38:09 172.30.142.217 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 65.53.65.121 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

Mailbox
2008-06-20 14:38:09 172.30.142.218 PROPFIND /exchange/john/Inbox/Test+++Mail.EML - 80 - 172.30.142.217 Exchange-Server-Frontend-Proxy/6.5+Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 404 11 0 0

More Info
For more info, you can go thru the following links:

Blog : IIS7 Rejecting URLs Containing Plus Sign '+'

Article : Double Encoding

KB 942076 : Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"

KB 943891 : The HTTP status codes in IIS 7.0