Outlook/BITS client can't download the OAB, returns HTTP 401
We're having difficulties with Outlook clients running in cached mode. They get stuck forever on "Offline Address Book is connecting to Microsoft Exchange".
The two Exchange servers in question are load-balanced by a KEMP cluster, with HTTPS round-robin (SSL termination is done at the Exchange servers, no caching or any of the sort). Both servers are running Exchange 2013 CU6.
BITSadmin shows the jobs failing with the error code 0x80190191: HTTP 401
The strange part here is that external OutlookAnywhere clients can download the OAB just fine, so this seems to be related to NTLM or Kerberos in some way. I just can't figure out where.
It happens to all users on all kinds of devices, so this is not isolated.
- The OAB url can be accessed through IE and Chrome without problems (authentication pop-up)
- Added the domain to the intranet zone in order to get SSO, which works in IE and Chrome
- Set up Kerberos SPN with an alternate service account across the DAG (no effect)
- The OAB virtual directories are set up correctly (Require SSL, ignore client cert, windows authentication)
- Added ACL for authenticated users under the OAB physical path with read+list+execute (no effect)
- Created a new OAB (no effect)
- Recreated the OAB arbitrary generation mailbox (no effect)
- Moved the OAB mailbox to a different database (no effect)
- Activated the database holding the OAB arbitration mailbox on a different server (no effect)
- OWA redirection is not enabled on IIS as this is known to cause this kind of error. We do a simple http -> https rewrite on the load balancer in case requests arrive on http. I disabled the redirection during troubleshooting, and it did not help.
Does anyone have further pointers on what could be wrong, and what I should check? I've tried to dig through logs, but I'm unsure of what logs to inspect and what to look for. Many of the Exchange logs are enormous in size - so large that even Notepad++ has difficulties opening them.
UPDATE - 14.11.2014
Microsoft has released an update to fix the issue. I've verified it and it works.
Original post:
And after working on this issue for nearly two weeks, I finally lost my courage and wrote the question above. One hour after posting the question I find this: https://social.technet.microsoft.com/Forums/en-US/3de4a585-4bd2-4ca1-a20b-80e81fc61499/kb2986204-breaks-offline-address-book-download-using-mapi-over-http?forum=outlook
The issue with the OAB download not working has been investigated by the Outlook Product Team. They are working on a fix which is expected in the November 11th Public Update. In the meantime if you are experiencing the issue you can uninstall the update, KB 2986204 to work around the problem. If you happen to be running the Click to Run version of Office you will not see the update to uninstall. Instead, please follow the instructions in this KB to revert to the September public update, https://support.microsoft.com/kb/2770432. If there are any changes to the fix release date I will post back and update the forum thread.
Removing the said update (or updates, as there were two with the same name and KB number installed) solved the issue.
Lesson learned. Remove recent updates before tearing your infrastructure apart!
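On the question's point about which logs to inspect: the IIS W3C logs of the site serving `/OAB` record each BITS request with its status and substatus, and can be streamed instead of opened in an editor. The script below is an added example, not part of the original post; the log lines, addresses and the selection of fields are constructed, and the parser reads whatever `#Fields:` header the real log carries.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format; addresses and paths are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-substatus
2014-11-03 08:00:01 GET /OAB/0000/oab.xml - 10.0.0.21 Microsoft+BITS/7.5 401 2
2014-11-03 08:00:01 GET /OAB/0000/oab.xml - 10.0.0.21 Microsoft+BITS/7.5 401 1
2014-11-03 08:00:02 GET /OAB/0000/oab.xml - 10.0.0.21 Microsoft+BITS/7.5 401 1
2014-11-03 08:01:10 GET /OAB/0000/oab.xml - 10.0.0.35 Mozilla/5.0 401 2
2014-11-03 08:01:10 GET /OAB/0000/oab.xml CONTOSO\\alice 10.0.0.35 Mozilla/5.0 200 0
2014-11-03 08:02:00 GET /owa/ - 10.0.0.21 Mozilla/5.0 401 2
"""


def oab_auth_failures(lines, prefix="/oab/"):
    """Return {(client_ip, user_agent): (count_401, substatuses)} for clients
    whose requests under `prefix` got 401 and never a 2xx/3xx response.

    A single 401 is normal: Negotiate/NTLM logs an anonymous 401 before the
    authenticated request succeeds. Only clients that never succeed are kept.
    `lines` may be an open file, so large logs are streamed line by line.
    """
    fields = []
    seen = defaultdict(lambda: {"denied": 0, "ok": 0, "sub": set()})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may be repeated or change mid-file
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        entry = seen[(row.get("c-ip"), row.get("cs(User-Agent)"))]
        status = row.get("sc-status", "")
        if status == "401":
            entry["denied"] += 1
            entry["sub"].add(row.get("sc-substatus", "?"))
        elif status[:1] in ("2", "3"):
            entry["ok"] += 1
    return {k: (v["denied"], sorted(v["sub"]))
            for k, v in seen.items() if v["denied"] and not v["ok"]}


if __name__ == "__main__":
    for (ip, agent), (count, subs) in oab_auth_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} {agent}: {count} x 401, substatus {subs}, no success")
```

For a real log, pass an open file handle (`open(path, errors="replace")`) instead of the sample. A result that lists only the BITS user agent while browsers from the same addresses succeed points at the client side, which matches what the post found.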