Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox

In this post I want to cover an issue we have seen often enough with our enterprise customers that it warrants a write-up.

Issue
When connecting to an Exchange mailbox, the Entourage user sees the following error (a credentials prompt) repeatedly. The user enters the correct credentials (username, password and domain), but the same prompt comes back, so the client is effectively stuck in a never-ending loop. We have seen this on all currently supported versions of Exchange and Entourage. The prompt can also appear when:

a. User tries to permanently delete or move a large number of messages from his Exchange mailbox

b. User tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox

Cause
When Entourage permanently deletes messages from a folder in an Exchange mailbox (on the wire this is a WebDAV 'BDELETE' request), Exchange Server uses its TEMP (temporary) folder for that operation, and the work runs under the identity of the authenticated user rather than under a service account. If that user does not have the required permissions on the TEMP folder, the operation fails and the server returns a '401 Unauthorized' response. Entourage treats a 401 as an authentication failure and prompts for credentials again, which is why re-entering correct credentials never helps. Moving messages involves a permanent delete from the source folder, so it triggers the same failure.

Resolution
There are two parts to this.

1. Locating TEMP & TMP Folders

a. Non-Clustered Servers
First determine which TEMP folder is set as the default on the back-end Exchange mailbox server, because that is where the delete operation actually takes place. The default location of the TEMP folder is set under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
REG_EXPAND_SZ: TEMP
Value: <PATH>\TEMP

By default, the TEMP folder is located at: '%SystemRoot%\TEMP' which is usually 'C:\WINDOWS\TEMP'

Another place to check this: open 'Control Panel' on the Exchange server and go to System : Advanced : Environment Variables : System Variables (see the screenshot below).

The same check applies to the TMP folder, if one is defined on your drive. The registry key above should have an entry for TMP as well.

b. Clustered Servers
On clustered servers, the TEMP and TMP locations come from the cluster service account's own environment block rather than from the machine-wide key; the following registry values specify them (Ref.).

HKEY_USERS\<Cluster service account SID>\Environment\TEMP

HKEY_USERS\<Cluster service account SID>\Environment\TMP

2. Verifying Permissions
Now verify the permissions assigned on the TEMP folder. The 'Authenticated Users' group (every Entourage user who has authenticated to the server is a member) should have the following special permissions. Grant exactly these three; do not hand out Modify or Full Control to Authenticated Users, since that group covers every account that can authenticate to the server, not just mailbox users.

Traverse Folder / Execute File
Create Files / Write Data
Create Folders / Append Data

To check these permissions, locate the TEMP folder, right-click it and choose 'Properties', go to the 'Security' tab, highlight 'Authenticated Users', and click the 'Advanced' button under the 'Permissions for Authenticated Users' section (see the screenshot below).

You will then see the 'Advanced Security Settings for TEMP' window (see the screenshot below).

Highlight the entry for 'Authenticated Users' in that window and click the 'Edit' button to view or edit the permissions. The screenshot below shows the required permissions assigned properly.

The same check applies to the TMP folder, if one is defined on your drive.

Redirected TEMP/TMP Folder
If the TEMP/TMP folder has been redirected to the D: drive (or any other drive) on the Exchange server, set the above permissions at the following three levels:

1. Drive level, especially the root of the drive if you notice that the 'Authenticated Users' group is simply missing from its ACL (a redirected drive does not inherit the default ACL that %SystemRoot%\TEMP gets)

2. TEMP/TMP folder

3. Any sub-folders inside the TEMP folder with numeric names (1, 2, etc.); such folders have been seen on clustered servers

Important
You will need to restart IIS (Internet Information Services), for example by running 'iisreset' from a command prompt, on every server where you changed these permissions: the back-end mailbox servers and also the front-end servers through which Entourage users connect to their mailboxes. IIS caches the impersonation tokens and handles it holds on the TEMP folder, so the new ACL is not picked up until the worker processes restart.
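The procedure above (find the TEMP/TMP folders from the registry, then audit the ACL at the drive root, the folder itself and any numeric sub-folders, and restart IIS) can be scripted so that it is repeatable across a farm of front-end and back-end servers. The following is an added example, not code from the original post or from Microsoft; it assumes PowerShell 2.0 or later is installed on the Exchange server and that it is run by an account that can read the ACLs (and write them, if -Fix is used). The -ClusterSid parameter, the -Fix switch and the function names are this example's own conventions, and it checks for the three rights by the well-known SID of Authenticated Users rather than by display name.

```powershell
# Added example, not from the original post: locate the TEMP/TMP folders this
# Exchange server actually uses and audit each one's ACL for the three rights
# the post requires, at the three levels it lists. Assumes PowerShell 2.0+.
# -ClusterSid and -Fix are this example's own (assumed) conventions.
param(
    [string]$ClusterSid,   # on a clustered node: SID of the cluster service account
    [switch]$Fix           # grant the missing rights with icacls and restart IIS
)

# Rights named in the post, as .NET FileSystemRights flags:
#   Traverse Folder / Execute File = ExecuteFile
#   Create Files / Write Data      = WriteData
#   Create Folders / Append Data   = AppendData
$required    = [int][System.Security.AccessControl.FileSystemRights]'ExecuteFile, WriteData, AppendData'
$authUsers   = 'S-1-5-11'   # well-known SID of Authenticated Users (survives renaming/localization)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-ExchangeTempPaths {
    param([string]$Sid)
    # Non-clustered: machine-wide environment block. Clustered: the cluster service account's block.
    $key = if ($Sid) { "Registry::HKEY_USERS\$Sid\Environment" }
           else      { 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment' }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'TEMP', 'TMP') {
        if ($props.$name) {
            # expand %SystemRoot% etc. in case the value was stored as REG_SZ instead of REG_EXPAND_SZ
            [System.Environment]::ExpandEnvironmentVariables($props.$name)
        }
    }
}

function Test-AuthenticatedUsersRights {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING'; MissingRights = ''; DeniedRights = '' }
    }
    $granted = 0; $denied = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # an InheritOnly ACE applies to children only, not to this folder itself
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # compare by SID, not by display name
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $authUsers) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor [int]$ace.FileSystemRights }
        else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
    }
    $missing    = $required -band (-bnot $granted)   # required bits no Allow ACE grants
    $deniedBits = $required -band $denied             # required bits a Deny ACE removes (Deny wins)
    $status = if ($missing -eq 0 -and $deniedBits -eq 0) { 'OK' } else { 'FIX' }
    New-Object PSObject -Property @{
        Path          = $Path
        Status        = $status
        MissingRights = if ($missing)    { [string][System.Security.AccessControl.FileSystemRights]$missing }    else { '' }
        DeniedRights  = if ($deniedBits) { [string][System.Security.AccessControl.FileSystemRights]$deniedBits } else { '' }
    }
}

# Paths to audit: drive root, the TEMP/TMP folder itself, and numeric sub-folders
$toCheck = @()
foreach ($p in (Get-ExchangeTempPaths -Sid $ClusterSid)) {
    $toCheck += [System.IO.Path]::GetPathRoot($p)   # 1. drive root (matters when TEMP is redirected)
    $toCheck += $p                                  # 2. TEMP or TMP itself
    if (Test-Path -LiteralPath $p) {                # 3. sub-folders named 1, 2, ... (seen on clusters)
        $toCheck += Get-ChildItem -LiteralPath $p |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+$' } |
            ForEach-Object { $_.FullName }
    }
}
$results = $toCheck | Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Test-AuthenticatedUsersRights -Path $_ }
$results | Format-Table Path, Status, MissingRights, DeniedRights -AutoSize

if ($Fix) {
    # Grant only the three rights (icacls X = traverse/execute, WD = write data, AD = append data),
    # inherited by sub-folders and files. Never Modify or Full Control: Authenticated Users is
    # every account that can authenticate to this server.
    foreach ($r in $results) {
        if ($r.Status -eq 'FIX' -and $r.MissingRights) {
            & icacls $r.Path /grant "*${authUsers}:(OI)(CI)(X,WD,AD)"
        }
    }
    # Deny ACEs are only reported; remove them by hand after checking why they were added.
    iisreset   # required on every server where an ACL changed, front-ends included
}
```

Run it without switches first on each back-end and front-end server (with -ClusterSid on cluster nodes) and compare the Status column; only after the report is understood re-run with -Fix. The script deliberately refuses to touch Deny entries, because a Deny on Authenticated Users at a drive root is usually there for a reason and should be reviewed rather than silently removed.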

More Info
If your Entourage users are running into this issue, the IIS log on the Exchange server (front-end and/or back-end) and a TCPFlow capture on the Entourage client will show the following:

a. 'BDELETE' request from client

b. '401' error response from server

IIS Trace Sample (W3C extended format; the last three columns are sc-status, sc-substatus and sc-win32-status, so '401 5' is IIS sub-status 401.5, authorization failed by the ISAPI/CGI application, and '401 1' is 401.1, logon failed)

2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0

2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0

TCPFlow Trace Sample (client to server, then server to client; note that the IIS log above writes the space in 'Deleted Items' as '+', while the request on the wire URL-encodes it as '%20')

192.168.120.110.54103-192.168.137.121.00080:
BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1

192.168.137.121.00080-192.168.120.110.54103:
HTTP/1.1 401 Unauthorized
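When you have more than a handful of users, it is quicker to pull the 'BDELETE' plus '401' signature out of the IIS logs than to read them by eye. The following is an added example, not code from the original post or from Microsoft: it parses IIS W3C log lines by their '#Fields:' header (so it does not depend on column positions, which administrators can change), keeps only BDELETE requests that got a 401, and summarizes them per user and IIS sub-status. The here-string contains constructed log lines in the same shape as the sample above (the PROPFIND/207 lines are filler); the -LogPath parameter, function name and sub-status lookup table are this example's own assumptions. It is intended for PowerShell 2.0 or later on the server or on an admin workstation with the logs copied over.

```powershell
# Added example, not from the original post: find the BDELETE -> 401 signature in an
# IIS 6 W3C log and summarize it per user and sub-status. The sample lines below are
# constructed for this demo; pass -LogPath to run against a real ex*.log instead.
param([string]$LogPath)

$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-10 07:05:30 W3SVC1 192.168.137.121 PROPFIND /exchange/john/Inbox/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0
2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0
2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0
2008-08-10 07:06:02 W3SVC1 192.168.137.121 BDELETE /exchange/alice/Deleted+Items/ - 80 CONTOSO\ALICE 192.168.120.111 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0
'@

# IIS sub-status meanings for 401 (IIS documentation); anything else is shown as 'unknown'
$subStatusText = @{ '1' = 'logon failed'; '2' = 'server configuration'; '3' = 'ACL on resource';
                    '4' = 'ISAPI filter'; '5' = 'ISAPI/CGI application' }

function ConvertFrom-IisW3cLog {
    # Turn W3C extended log lines into objects whose property names are the #Fields names,
    # so the caller never depends on column positions (admins can reorder or drop fields).
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if (-not $fields -or $line -match '^#' -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed or truncated lines
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $row
    }
}

$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $sample -split "`r?`n" }

# The signature from the post: a BDELETE (bulk delete) request answered with 401
$hits = ConvertFrom-IisW3cLog -Lines $lines |
    Where-Object { $_.'cs-method' -eq 'BDELETE' -and $_.'sc-status' -eq '401' }

$hits | Group-Object 'cs-username', 'sc-substatus' | ForEach-Object {
    $first = $_.Group[0]
    $sub   = $first.'sc-substatus'
    $text  = if ($subStatusText[$sub]) { $subStatusText[$sub] } else { 'unknown' }
    New-Object PSObject -Property @{
        User      = $first.'cs-username'
        SubStatus = "401.$sub ($text)"
        Count     = $_.Count
        Folder    = ($_.Group | ForEach-Object { $_.'cs-uri-stem' } | Sort-Object -Unique) -join ','
        ClientIP  = ($_.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique) -join ','
    }
} | Sort-Object User, SubStatus | Format-Table User, SubStatus, Count, Folder, ClientIP -AutoSize
```

A user whose BDELETE requests succeed (207 Multi-Status, as in the constructed ALICE line) does not appear in the output, which makes the report a direct list of who is hitting the TEMP permission problem and from which client. If a user shows up with 401.1 only and no 401.5, look at authentication (front-end configuration, an expired password) before touching folder ACLs, since that sub-status is a plain logon failure rather than the ISAPI-level rejection this post is about.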