Connector for Microsoft Exchange - Troubleshooting
1. MediaGateway configuration
1.1 No access to Intrexx MediaGateway
If errors occur when
testing the connection to the Administrator account, please check the following points.
To successfully log in, the following login information needs to be entered correctly:
MediaGateway connection data
Make sure that the connection data entered for the host and port are
correct. The address of the server where the Intrexx MediaGateway is
installed should be entered as the host address. If the Intrexx
MediaGateway isn't on the same server as Intrexx, you need to check
whether the server is accessible in general, i.e. available in the
network or reachable via ping. The specified port
(default 8087) must be available and may
not be blocked, e.g. by a firewall.
MediaGateway password
The default password after installing the Intrexx MediaGateway is
1234. If the login isn't successful
with that password, the password may have been changed. If
you've forgotten the changed password, please contact United Planet
Support.
MediaGateway service
When MediaGateway is installed successfully, a Windows service
called Intrexx MediaGateway Server is created.
Check whether the service was started and is running correctly.
1.2 No access to Exchange account
If errors occur when
testing the connection to the Exchange account, please check the following points.
1.2.1. Exchange 2003/2007
Username and password
Specify the username and password of the Exchange account here.
The data are the same as those used for logging on to the Windows
computer.
Mailbox
The mailbox, i.e. the mailbox name, can in some cases differ from
the username specified above, depending on the respective configuration
of Exchange and ADS. If you're not sure what the correct mailbox name
is, you can specify a valid email address defined for the user in this
field. As a test, you can send an email from this user and then use the
address shown in the email.
Domain
Specify the domain name where the Exchange user is stored.
Server URL
Check the Exchange Server URL as well.
Use the fully-qualified domain name.
Usually, the URL starts with the protocol https://
followed by fully-qualified server name and the virtual
directory exchange. Example:
https://mailserver.example.org/exchange.
If the URL is correct, check whether the server is reachable from
the current computer using ping, telnet or nslookup
within a command line.
1.2.2. Exchange 2010
Username and password
Specify the username and password of the Exchange account here.
The data are the same as those used for logging on to the Windows
computer.
Email
The email address assigned to this account must be entered here.
Server URL
Check the Exchange Server URL as well.
Use the fully-qualified domain name.
Usually, the URL starts with the protocol https://
followed by fully-qualified server name and
ews/Exchange.asmx. Example:
https://mailserver.example.org/ews/Exchange.asmx.
If the URL is correct, check whether the server is reachable from
the current computer using ping, telnet or nslookup
within a command line.
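The reachability and URL checks from sections 1.1 and 1.2 can be scripted where telnet is not installed. This is an added example, not part of the original documentation or the Intrexx product; the function names Test-TcpEndpoint and Test-ExchangeServerUrl and the host gateway.example.org are assumptions.

```powershell
# Added example: Test-TcpEndpoint and Test-ExchangeServerUrl are hypothetical
# helper names; the hosts in the calls at the bottom are placeholders.
function Test-TcpEndpoint {
    param([Parameter(Mandatory=$true)][string]$HostName,
          [Parameter(Mandatory=$true)][int]$Port,
          [int]$TimeoutMs = 3000)

    $resolved = $false; $open = $false
    try {
        # Same question nslookup answers: does the name resolve at all?
        $resolved = @([System.Net.Dns]::GetHostAddresses($HostName)).Count -gt 0
    } catch { }
    if ($resolved) {
        # Same question telnet answers: is the port open and not filtered?
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($HostName, $Port, $null, $null)
            $open = $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
        } catch { } finally { $client.Close() }
    }
    New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Resolved = $resolved; PortOpen = $open
    }
}

function Test-ExchangeServerUrl {
    param([Parameter(Mandatory=$true)][string]$Url)

    $uri = [System.Uri]$Url
    $issues = @()
    if ($uri.Scheme -ne 'https') { $issues += 'URL does not start with https://' }
    if ($uri.Host -notmatch '\.') { $issues += 'host is not fully qualified' }
    # /exchange for Exchange 2003/2007, /ews/Exchange.asmx for Exchange 2010
    if ($uri.AbsolutePath -notmatch '^/(exchange/?|ews/Exchange\.asmx)$') {
        $issues += "unexpected path '$($uri.AbsolutePath)'"
    }
    $tcp = Test-TcpEndpoint -HostName $uri.Host -Port $uri.Port
    if (-not $tcp.Resolved)     { $issues += 'host name does not resolve' }
    elseif (-not $tcp.PortOpen) { $issues += "port $($uri.Port) is not reachable" }
    New-Object PSObject -Property @{ Url = $Url; Ok = ($issues.Count -eq 0); Issues = $issues }
}

# MediaGateway on its default port, then an Exchange 2010 EWS URL.
Test-TcpEndpoint -HostName 'gateway.example.org' -Port 8087
Test-ExchangeServerUrl -Url 'https://mailserver.example.org/ews/Exchange.asmx'
```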
Exchange account is locked
When testing the login information, the account can be locked
after multiple failed attempts. In this case, contact your administrator
to unlock the account once more.
Initialize mailbox
To initialize the mailbox for newly created Exchange accounts,
the account needs to be accessed once via OWA or Outlook.
Outlook and OWA
Check whether OWA has been installed on the Exchange Server and whether
it has been started correctly. Furthermore, the virtual
directory /exchange must be available
in the IIS of the Exchange Server.
If this isn't the case, please contact your
Exchange Administrator. For reasons concerning the system security,
accessing the virtual directory /exchange
can be locked or only be callable from certain computers/IP addresses.
Check the access permissions in the IIS of the Exchange Server.
2. Kerberos - Exchange 2010
2.1 Modify EWSFindCountLimit
For security reasons, there is a limit on the maximum number of objects
that can be taken into account during a request from Exchange Server 2010.
If a request exceeds this limit, then no results will be returned.
The maximum amount is determined by the property EWSFindCountLimit
of the ThrottlingPolicy. From Exchange 2010 SP1,
EWSFindCountLimit in the DefaultThrottlingPolicy
is set to 1000 by default. If, for example, the folder Inbox contains 5000
messages and EWSFindCountLimit is limited to 1000,
a request to this folder will not return any results. Only when the limit is
set to at least 5000 can objects in the Inbox be requested.
The value for EWSFindCountLimit can either be
defined globally or for individual mailboxes. With the following commands, which
need to be performed in the Exchange Management Shell, the limit can be modified.
Globally
Get-ThrottlingPolicy
Identify the name of the default policy in the output
(e.g. DefaultThrottlingPolicy_3f6fa3c1-2bf1-4b54-a221-534d03203807)
Set-ThrottlingPolicy <PolicyName> -EWSFindCountLimit 10000 (or $NULL to remove the limit)
iisreset (restarts the IIS so that changes are effective immediately)
Per mailbox
New-ThrottlingPolicy -Name "IntrexxThrottlingPolicy" -EWSFindCountLimit 10000 (or $NULL to remove the limit)
Set-Mailbox <UserName> -ThrottlingPolicy "IntrexxThrottlingPolicy"
(must be performed for each user/mailbox that accesses Exchange
via Intrexx)
iisreset
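The per-mailbox variant can be applied and verified in one pass, which keeps the default limit in place for every mailbox Intrexx does not use. This is an added example for the Exchange Management Shell, not part of the original documentation; the mailbox identities are constructed sample values.

```powershell
# Added example, run in the Exchange Management Shell (Exchange 2010).
$policyName = 'IntrexxThrottlingPolicy'            # policy name used on this page
$limit      = 10000                                # limit used on this page
$mailboxes  = @('intrexx.user1', 'intrexx.user2')  # constructed sample identities

# 1. Record the default policy's limit; this script leaves it untouched.
Get-ThrottlingPolicy | Where-Object { $_.IsDefault } |
    Format-List Name, EWSFindCountLimit

# 2. Create the dedicated policy, or bring an existing one to the wanted limit.
$existing = Get-ThrottlingPolicy | Where-Object { $_.Name -eq $policyName }
if ($existing) {
    Set-ThrottlingPolicy -Identity $policyName -EWSFindCountLimit $limit
} else {
    New-ThrottlingPolicy -Name $policyName -EWSFindCountLimit $limit | Out-Null
}

# 3. Assign it only to the mailboxes that Intrexx accesses.
foreach ($id in $mailboxes) {
    Set-Mailbox -Identity $id -ThrottlingPolicy $policyName
}

# 4. Verify the assignment, then list every mailbox with an explicit policy
#    so that stale assignments stand out.
$mailboxes | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Name, ThrottlingPolicy -AutoSize
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ThrottlingPolicy } |
    Format-Table Name, ThrottlingPolicy -AutoSize

# 5. Restart IIS so the change is effective immediately (interrupts client sessions).
iisreset
```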
2.2. Authentication
For the configuration of the Kerberos authentication, the same conditions
apply as for Kerberos - Exchange 2003 / 2007.
Additionally, the permission
Exchange Web Services Impersonation must be given to the group
Authenticated Users on the Exchange
CAS Server. This is done as follows:
Open the Computer Management in the Control Panel
and select Active Directory Locations and Services.
Under Services / Microsoft Exchange /
Administrative Groups / Organisation / Exchange Administrative Group / Servers
select your Exchange Server and open its properties via the context
menu.
Click on the Security tab and
select the group Authenticated Users
under Group and User Names. Provide this
group with the permission Exchange Web Services
Impersonation and confirm this with OK.
2.3. Calendar
Recurring appointments
You can only access recurring appointments if a date and time period is
specified during the request to the Appointment
table. To do that, you need to filter by the fields
StartDate
and EndDate.
Sorting appointments
If the Appointment table is sorted by start
and end date, the appointments from the Exchange 2010 Server are always
returned in ascending order from the start date. Custom sorting in the
applications or in the browser is not supported in this case.
3. Kerberos - Exchange 2003 / 2007
Kerberos identifies the login information based on the current Windows user
and logs in to the Exchange mailbox automatically. When using the
Kerberos authentication, you have a real
Single-Sign On (SSO) for your users' access to the Exchange Server
and use the integrated Windows authentication.
When accessing an Exchange application via Kerberos for the first time,
the user will be requested to specify, or rather confirm, their mailbox;
this is only required once. All future accesses take place via SSO.
If a user is asked to log in to the Exchange Server with username/password
despite a defined Kerberos authentication, then this indicates problems
during authentication. In this case, Intrexx automatically activates the
session-based login and shows the entire login form with username
and password. If you have problems with the authentication, please
check the following basic requirements for successful
Kerberos authentication.
3.1. Configuration in Intrexx
Portal with integrated authentication
The Intrexx portal must be operated with integrated authentication. This
is created using the Main menu: User / Configuration
in the Users module.
Active Directory users
The users from your Active Directory must be created in Intrexx
correspondingly. You can start the import via the
Main menu: User / User and group import
in the Users module.
Please make sure that at least one user is contained in the
Administrators user group so that the system
can continue to be administrated.
Server Principal Name
For successful authentication, a so-called
Server Principal Name (SPN) needs to
be specified. The SPN contains the information about the service for which
a Kerberos ticket should be generated.
This ticket is required for the MediaGateway Server.
In general, the SPN is constructed as follows:
host/<Gateway Host Fully Qualified Domain Name>@<KERBEROS_REALM>.
Gateway Host Fully Qualified Domain Name:
Fully qualified host name (e.g. mycomputer.mycompany.com).
KERBEROS_REALM: Usually, the domain written in block capitals
(e.g. MYCOMPANY.COM).
An SPN would therefore be something like this:
host/mycomputer.mycompany.com@MYCOMPANY.COM.
The configuration dialog of the Kerberos authentication suggests
an SPN to you, however this usually needs to be modified
depending on your system environment.
3.2. Configuration of the infrastructure
Server delegation
The server where the MediaGateway Server is installed requires the
group policy Delegation. Define this in the
Active Directory Manager. To do that, select the computer with the
installed MediaGateway from the domain, open the properties window
and switch to the Delegation tab.
Please note that the settings dialog can vary depending on the
installed Exchange version.
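The SPN from section 3.1 and the delegation setting above can be read back from Active Directory to confirm what is actually configured on the MediaGateway computer account. This is an added example, not part of the original documentation; it assumes a domain-joined machine and uses the example host name mycomputer.mycompany.com from this page.

```powershell
# Added example: read-only checks, nothing in Active Directory is modified.
$gatewayFqdn = 'mycomputer.mycompany.com'   # example host name from this page
$spn         = "host/$gatewayFqdn"          # AD stores the SPN without the @REALM part

$searcher = [adsisearcher]"(&(objectCategory=computer)(dNSHostName=$gatewayFqdn))"
foreach ($p in 'servicePrincipalName','userAccountControl','msDS-AllowedToDelegateTo') {
    [void]$searcher.PropertiesToLoad.Add($p)
}
$account = $searcher.FindOne()
if (-not $account) { throw "No computer account found for $gatewayFqdn" }

# Property names in a search result are lower case.
$uac     = [int]$account.Properties['useraccountcontrol'][0]
$spns    = @($account.Properties['serviceprincipalname'] | Where-Object { $_ })
$targets = @($account.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })

# An SPN registered on more than one account breaks Kerberos for that service.
$owners     = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
$ownerCount = $owners.Count
$owners.Dispose()

New-Object PSObject -Property @{
    Computer                = $gatewayFqdn
    SpnRegistered           = ($spns -contains $spn)
    SpnOwnerCount           = $ownerCount
    # userAccountControl 0x80000 = TRUSTED_FOR_DELEGATION (delegation to any service)
    UnconstrainedDelegation = [bool]($uac -band 0x80000)
    # Services listed here are the only delegation targets in constrained mode
    AllowedToDelegateTo     = ($targets -join ', ')
} | Format-List
```

A SpnOwnerCount other than 1 means the SPN is either missing or registered on several accounts.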
Same domain
To implement the Exchange Connector, the Exchange Server, the
Intrexx MediaGateway Server and all accessing clients need to be in the
same domain. Collaboration between different domains is not possible.
Form-based authentication
For the virtual directory /exchange of the
OWA server, a Form-based authentication for
Outlook Web Access / Exchange may not be used. Open the IIS and select the point
Authentication for the virtual directory
/exchange.
Setting the authentication for individual virtual directories isn't possible
on Exchange 2003, but can only be set globally for all virtual directories
(/owa, /exchange and /exchweb). There is, however, a workaround with which
it's possible to use Kerberos authentication on Exchange 2003 despite activated
form-based authentication. Information about this can be found
here.
3.3. Browser settings
Internet Explorer
In Internet Explorer, the user authentication setting
Automatic log-on with current username and password
must be selected for the zone in use in the security settings. These settings
can be found under Extras / Internet Options
/ Security. Select the used zone and then
adjust the level accordingly.
Furthermore, the setting Enable Integrated Windows Authentication
needs to be activated under Internet options / Advanced.
Mozilla Firefox
Edit the settings in Firefox by entering about:config
in the address line of the browser.
Enter the host name of the Intrexx server for the keys
network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted-uris.
Safari
The Safari browser on Mac OS has known but unresolved
problems with Kerberos authentication. For this reason, Safari cannot
be used as the browser in connection with Kerberos.
3.4 Test Kerberos authentication
If all of the measures described here are checked, the correct
functionality of the Kerberos authentication can be checked as follows:
Copy the directory support from
bin/windows in the
installation directory
to external/htmlroot
in the portal directory.
Load the page http://<intrexx-server-hostname>/<portal_name>/support/krbdebug.asp
in the browser. In the following, you can see different results that may occur
when making the request.
Situation
Integrated Windows log-on not activated in the IIS:
Situation
Integrated Windows log-on activated in the IIS, but Kerberos Ticket is not available:
Situation
Integrated Windows log-on activated in the IIS and Kerberos Ticket is available:
4. IIS Server
If you implement an IIS for your Intrexx portal, the following configurations
may be required for using the Intrexx MediaGateway.
4.1 File up- and downloads
To upload and/or download Exchange file attachments, e.g. in emails,
the file size limits may need to be adjusted. To do that, open the
Internet Information Services (IIS) Manager
and adjust the ASP limit properties:
For the upload: Maximum Requesting Entity Body Limit (in bytes)
For the download: Response Buffering Limit (in bytes)
4.2 Maximum query string
In the application Exchange – Resource, it may
be necessary to extend the length of the query string when requesting
multiple overlapping resources. You can recognize this when the error
Http Error 404: Not Found is shown in the
browser when trying to edit overlapping resources.
In this case, proceed as follows:
Open the Internet Information Services (IIS) Manager
Adjust the Feature Settings for the Request Filtering: Maximum query string (in bytes)