Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox

In this post I want to cover an issue we have seen often enough while working with our enterprise customers that it warrants a blog entry of its own.

Issue
When connecting to an Exchange mailbox, the Entourage user sees the following error repeatedly. The user enters correct credentials (username, password & domain), but the same error comes back again, effectively creating a never-ending loop. We have seen this on all currently supported versions of Exchange & Entourage. This error can also come up when:

a. The user tries to permanently delete or move a large number of messages from his Exchange mailbox

b. The user tries to send/receive new mail after deleting or moving a large number of messages from his Exchange mailbox

Cause
When Entourage tries to permanently delete messages from a folder in an Exchange mailbox, Exchange Server uses the TEMP (temporary) folder for that operation. If the Entourage user does not have the required permissions on that TEMP folder, the server issues a '401, Access Denied' error. Moving messages in Entourage involves permanent deletion from the source folder, so it results in the same issue.

Resolution
There are two parts to it.

1. Locating TEMP & TMP Folders

a. Non-Clustered Servers
First determine which TEMP folder is set as the default on the back-end Exchange Mailbox Server, because that is where the delete operation actually takes place. The default location of the TEMP folder is set under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
REG_EXPAND_SZ: TEMP
Value: <PATH>\TEMP

By default, the TEMP folder is located at '%SystemRoot%\TEMP', which is usually 'C:\WINDOWS\TEMP'.

Another place to check this: open 'Control Panel' on the Exchange Server and go to System : Advanced : Environment Variables : System Variables (see the screenshot below)

The same check applies to the TMP folder, if there is one located on your drive. The above registry key should have an entry for the TMP folder as well.

b. Clustered Servers
On clustered servers, the following registry keys are used to specify the locations of TEMP & TMP folders (Ref.).

HKEY_USERS\<Cluster service account SID>\Environment\TEMP

HKEY_USERS\<Cluster service account SID>\Environment\TMP

2. Verifying Permissions
Now let's verify the permissions assigned on the TEMP folder. The 'Authenticated Users' group (the Entourage user belongs to this group) should have the following special permissions:

Traverse Folder / Execute File
Create Files / Write Data
Create Folders / Append Data

To check these permissions, locate the TEMP folder, right-click it and choose 'Properties', go to the 'Security' tab, highlight 'Authenticated Users', and under the 'Permissions for Authenticated Users' section click the 'Advanced' button (see the screenshot below)

You will then see the 'Advanced Security Settings for TEMP' folder window (see the screenshot below)

Highlight the entry for 'Authenticated Users' in the above window and then click the 'Edit' button to view/edit the permissions. The screenshot below displays the required permissions assigned properly.

The same check applies to the TMP folder, if there is one located on your drive.
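The two steps above can also be checked from a PowerShell prompt on the mailbox server. The script below is an added example, not part of the original post or any Microsoft tooling; it only reads the registry and ACLs, and `Test-TempFolderAcl` is a hypothetical helper name. It assumes a non-clustered server (the HKLM key above) and evaluates only ACEs granted directly to 'Authenticated Users'.

```powershell
# Added example: read-only audit of the machine-wide TEMP/TMP folders.
# Test-TempFolderAcl is a hypothetical helper name, not an Exchange cmdlet.
$envKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$fsr         = [System.Security.AccessControl.FileSystemRights]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
# Traverse Folder / Execute File, Create Files / Write Data,
# Create Folders / Append Data (each pair shares one bit value).
$required = [int]($fsr::Traverse -bor $fsr::CreateFiles -bor $fsr::CreateDirectories)

function Test-TempFolderAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $allow = 0
    $deny  = 0
    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, as SIDs so the match is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # S-1-5-11 is the well-known SID of 'Authenticated Users'.
        if ($ace.IdentityReference.Value -ne 'S-1-5-11') { continue }
        # Inherit-only ACEs apply to children, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    $effective = $allow -band (-bnot $deny)
    $missing   = $required -band (-bnot $effective)
    [pscustomobject]@{
        Path      = $Path
        Compliant = ($missing -eq 0)
        Missing   = ($missing -as $fsr)     # 0 means nothing is missing
        Effective = ($effective -as $fsr)   # everything the group holds here
    }
}

$envValues = Get-ItemProperty -Path $envKey
foreach ($name in 'TEMP', 'TMP') {
    $folder = $envValues.$name   # REG_EXPAND_SZ is returned already expanded
    if (-not $folder) { Write-Warning "$name is not defined under $envKey"; continue }
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "$name points to a missing folder: $folder"; continue
    }
    Test-TempFolderAcl -Path $folder
}
```

The `Effective` column also shows whether the group holds more than the three listed rights, and the function can be pointed at any other folder, such as a drive root or a numbered sub-folder.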

Redirected TEMP/TMP Folder
If the TEMP/TMP folder has been redirected to the D (or any other) drive on the Exchange Server, it is suggested that you specify the above permissions at the following three levels:

1. Drive level, especially at the root of drive if you notice that 'Authenticated Users' group is simply missing

2. TEMP/TMP folder

3. Any sub-folders inside the TEMP folder that have numerical names (like 1, 2, etc.); such folders have been seen on clustered servers

Important
You will need to restart IIS (Internet Information Server) on every server where you changed these permissions, i.e. the back-end mailbox servers as well as the front-end servers to which Entourage users connect for mailbox access.

More Info
If your Entourage users are running into this issue, the IIS log on the Exchange Server (front-end and/or back-end) and the TCPFlow log on the Entourage client will show the following:

a. 'BDELETE' request from client

b. '401' error response from server

IIS Trace Sample

2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0

2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0

TCPFlow Trace Sample

192.168.120.110.54103-192.168.137.121.00080:
BDELETE /exchange/john/Deleted%20Items/ HTTP/1.1

192.168.137.121.00080-192.168.120.110.54103:
HTTP/1.1 401 Unauthorized
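To find affected users in an IIS log, the signature above (a BDELETE request answered with 401 for an already-authenticated user) can be searched for directly. The script below is an added example, not part of the original post; `Find-DeniedBDelete` is a hypothetical function name, the `#Fields` header is assumed to be the default W3SVC field set, and the sample is the two trace lines above plus two constructed contrast lines.

```powershell
# Added example. Sample input: the two IIS trace lines from the post plus two
# constructed lines (an anonymous 401 from the auth handshake and a success).
$sample = @'
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-08-10 07:05:33 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 5 0
2008-08-10 07:05:35 W3SVC1 192.168.137.121 BDELETE /exchange/john/Deleted+Items/ - 80 CONTOSO\JOHN 192.168.120.110 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 1 0
2008-08-10 07:06:02 W3SVC1 192.168.137.121 BDELETE /exchange/mary/Deleted+Items/ - 80 - 192.168.120.111 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 401 2 2148074254
2008-08-10 07:06:02 W3SVC1 192.168.137.121 BDELETE /exchange/mary/Deleted+Items/ - 80 CONTOSO\MARY 192.168.120.111 Entourage/12.11.0+(PPC+Mac+OS+X+10.4.9) 207 0 0
'@ -split '\r?\n'

function Find-DeniedBDelete {
    param([string[]]$Lines)

    $fields = @()
    $hits = foreach ($line in $Lines) {
        # The #Fields directive names the columns of the records that follow it.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed record
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # A logged user name means authentication already succeeded, so this
        # 401 is not the anonymous first leg of the authentication handshake.
        if ($rec['cs-method'] -eq 'BDELETE' -and $rec['sc-status'] -eq '401' -and
            $rec['cs-username'] -ne '-') {
            [pscustomobject]@{ User = $rec['cs-username']; Uri = $rec['cs-uri-stem']
                               SubStatus = $rec['sc-substatus'] }
        }
    }
    # One summary row per user and folder, with every sub-status that was seen.
    @($hits) | Group-Object -Property User, Uri | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Group[0].User
            Uri         = $_.Group[0].Uri
            Count       = $_.Count
            SubStatuses = ($_.Group | ForEach-Object { $_.SubStatus }) -join ','
        }
    }
}

Find-DeniedBDelete -Lines $sample | Format-Table -AutoSize
```

For a real log, pass `(Get-Content <path to the W3SVC log file>)` as `-Lines` instead of `$sample`.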

Comments

  • Anonymous
    August 12, 2008
    I get this same issue every single day, not with Exchange mailboxes, but with external IMAP accounts - i.e. Gmail.

  • Anonymous
    August 12, 2008
    Be sure to read Amir Haque's blog post Continued Credentials Prompt in Entourage Connecting to Exchange Mailbox. When connecting to an Exchange mailbox. Entourage user sees the following error repeatedly. User enters correct credentials (username, password

  • Anonymous
    August 18, 2008
    Disappointing - what if your exchange server is hosted?

  • Anonymous
    August 19, 2008
    Outlook never has these problems.

  • Anonymous
    August 21, 2008
    Hi, this describes my situation exactly. My exchange server is hosted, is there a work around I can do on my side, until my host or MS Entourage make a fix? Like telling the sync to skip the Deleted Items directory? Would setting up a new account (in Entourage, to the same exchange account) fix this? Many thanks.

  • Anonymous
    August 22, 2008
    Neil, Talk to your Hosting Service Provider, they need to read this blog and look for the symptoms and if they do have this problem, then use the steps here to fix it. I actually just worked with such a company to fix this issue for their users. Yes, you can try setting up your Exchange account in a new identity, that may prevent you from running into the issue but don't move or delete messages in large numbers then. Still better would be to contact your service provider to have it fixed on server side. me, To be really honest, that's not correct, see: http://support.microsoft.com/kb/312630. In the end it can happen with any client, look at the cause here in my blog or in the KB article, we can't blame Entourage or Outlook, they are just relaying what they got from server and server can't be blamed either, cos it's not configured properly.

  • Anonymous
    August 22, 2008
    Thanks Amir - I'll try setting up a new account in Entourage to the same exchange account. We've made a support ticket with our host.

  • Anonymous
    October 19, 2008
    Jon, Sorry for the delayed response, I am on extended leave these days. The IIS trace sample in my blog post above is from the default W3SVC log, I haven't customized it at all.

  • Anonymous
    November 03, 2008
    Hi Amir, I use entourage 2008 and have this same issue. My setup has ex2007+win2008. However authenticated users is not present in the win2008 TEMP folder permissions. I have added, will see if that fixes the issue. cheers jai

  • Anonymous
    November 03, 2008
    Hi Amir, the changes did not seem to resolve the issue. i am going to try and give the IIS user the same perms to see if that fixes. cheers, jai

  • Anonymous
    November 03, 2008
    still get the popup for user/pass. no luck cheers, jai

  • Anonymous
    November 06, 2008
    Jai, Please call in at 1-800-Microsoft and open a support incident, someone needs to work with you on your issue to ascertain the root cause and an appropriate resolution.

  • Anonymous
    March 04, 2009
    When connecting to an Exchange mailbox Entourage user sees the following error repeatedly. User enters correct credentials (username, password & domain) but same error comes back again thus effectively entering a never ending loop.