Office Communicator client shows “Outlook Integration Error”

Problem

You are using Office Communicator on the External network. ISA 2006 is configured to Web Publish the Autodiscovery URL to the Internal Exchange 2007.

You are able to log in to the Communicator client successfully. You can view your Contacts and can successfully establish IM sessions with your Contacts.

However, you may notice an “Outlook Integration Error” under “Notifications” in the client.

You may also notice the following:

· Presence information is unavailable or incorrect for your Contacts

· Scheduling information is unavailable or incorrect for your Contacts

· The following error is displayed: “Communicator has failed to retrieve autodiscovery information”

Additionally, the above symptoms may appear to be intermittent.

More client information

Outlook Anywhere

Many of these users may also frequently take their domain-joined notebooks home or on the road. Under these circumstances, they may wish not to be prompted for credentials when launching Outlook Anywhere, for example, just as if they were connected to the office LAN.

For an external Outlook Anywhere client to be able to provide cached domain credentials, the ISA 2006 Web Listener must, at the very least, be configured with HTTP Authentication and accept Integrated credentials.

ISA 2006 related configuration settings

You may experience the above Office Communicator issues if the following are true:

· You have configured an ISA 2006 Web Listener using HTTP Authentication which accepts Integrated credentials.

· You have a Web Publishing rule that publishes the Autodiscovery URL for Communicator, and this rule uses the above Web Listener.

Explanation and supporting data

The following Microsoft Knowledgebase article describes the root cause of this issue. This article discusses Internet Explorer specifically, but this also applies to Office Communicator’s Autodiscovery process following the above scenario.

POST requests that do not have a POST body may be sent to a Web server that is published in ISA Server 2006

http://support.microsoft.com/default.aspx?scid=kb;EN-US;942638

When Office Communicator attempts to retrieve Autodiscovery information, it will make multiple POST requests to the web server. When Office Communicator sends a POST request to a Web site that uses Integrated NTLM authentication, Office Communicator reauthenticates with the Web server for each POST request. The POST body is not sent to the Web server in the first authentication handshake.

If Office Communicator sends a POST request that requires reauthentication on a TCP connection that has already been authenticated, ISA Server continues to use the current authentication context instead of reauthenticating the client. In this situation, the POST request that does not have a POST body is sent to the published Web server.

The following is an example of the Office Communicator POST requiring reauthentication:

POST /EWS/Exchange.asmx HTTP/1.1
Accept: text/xml
Content-Type: text/xml; charset=utf-8
User-Agent: Microsoft+Office+Communicator/2.0
Host: autodiscover.fabrikam.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAAD0==

Because ISA 2006 has already authenticated the TCP session, it simply reverse proxies the above POST to the internal web server (Exchange). Because the POST contains no data, the internal web server responds with:

HTTP/1.1 500 Internal Server Error
Connection: Keep-Alive
Content-Length: 479
Date: Tue, 17 Mar 2009 16:26:24 GMT
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
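
When reviewing a trace of requests that reached the published server, the pattern described above (a POST with Content-Length: 0 carrying an NTLM negotiate token, answered with a 500) can be picked out programmatically. The following Python is an added example, not part of the original article or the script in the Knowledge Base article; the function names and the (request, status) pair layout are assumptions, the first sample is an abridged copy of the request shown above, and the second sample is constructed.

```python
import base64

# Abridged header block of the bodyless POST shown in the trace on this page.
PAGE_REQUEST = (
    "POST /EWS/Exchange.asmx HTTP/1.1\r\n"
    "Host: autodiscover.fabrikam.com\r\n"
    "Content-Length: 0\r\n"
    "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAAD0==\r\n"
    "\r\n"
)
# Constructed sample: a POST to the same URL that does carry a body.
NORMAL_REQUEST = (
    "POST /EWS/Exchange.asmx HTTP/1.1\r\n"
    "Host: autodiscover.fabrikam.com\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "<soap-body>"
)

def ntlm_message_type(authorization):
    """Return the NTLM message type (1, 2 or 3), or None if not an NTLM token."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        head = base64.b64decode(token.strip()[:16])  # 12 bytes: signature + type
    except ValueError:
        return None
    if len(head) != 12 or head[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(head[8:12], "little")

def parse_request(raw):
    """Split a raw request into (method, target, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return method, target, headers

def is_bodyless_negotiate_post(raw):
    """True for the page's pattern: POST, Content-Length 0, NTLM type 1 token."""
    method, _, headers = parse_request(raw)
    return (method == "POST" and headers.get("content-length") == "0"
            and ntlm_message_type(headers.get("authorization", "")) == 1)

def forwarded_negotiates(exchanges):
    """Targets of flagged requests that the published server answered with 500."""
    return [parse_request(req)[1] for req, status in exchanges
            if status == 500 and is_bodyless_negotiate_post(req)]
```

Only the first 12 bytes of the token (the NTLMSSP signature and the message type) are decoded, so the check does not depend on the rest of the token.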

Resolution

On each ISA Server in the array, follow the instructions in the above Microsoft Knowledgebase article and execute the script provided in the article. This will instruct the ISA server to authenticate each Office Communicator POST request requiring reauthentication.

NOTE: If you have ISA 2006 with Service Pack 1 applied, you do not need to apply the Hotfix mentioned in the article. You only need to run the script.

Author

Richard Barker

Security Support Engineer

Microsoft CSS Forefront Edge Team