Share via


Using Basic Authentication for RPC over HTTP with MAPICDO

I had a case recently where the customer was trying to use Basic Authentication for RPC over HTTP with MAPI\CDO.  The customer's symptom was that no matter what was entered into the credentials dialog it would not accept the credentials.  When I reviewed the IIS logs there wasn't even a request being made to the server!  This was perplexing.  After reviewing it I realized that the credential dialog was being caused by the Windows' RPC subsystem.  Windows RPC was returning Access Denied (0x5) because the credentials to the proxy server were not being provided.  This is why no IIS request was being made, it was never leaving the machine.  A little more debugging revealed that no credentials were present because MAPI was not passing any.  This was because the profile did not include PR_PROFILE_AUTH_USER_W and PR_PROFILE_AUTH_PASSWORD.  As a result, MAPI would not set the credentials in the call to RpcBindingSetAuthInfo.  Once the credential dialog was shown there was really no way to recover.  That's why no matter what was entered it would not accept it.

Once I got the credentials to be passed (by setting the properties noted above) I encountered another strange error.  Upon connection I would see the following logged in the RCA Logs:

RpcDispatch: [LoginPermException] 'User SID: S-1-5-21-6954… -500' can't act as owner of a UserMailbox object '/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=UserA123' with SID S-1-5-21-3130… -500 and MasterAccountSid  (StoreError=LoginPerm)

This really threw me. I verified that Outlook 2010 could connect just fine.  However, I noticed that the SID referenced in the connection for Outlook was not the same as the SID referenced in the connection for MAPI\CDO.  I then used the following command to MAP the SID I was seeing back to a username

c:\>wmic useraccount get name,sid

In the table I could see that the SID referenced by MAPI\CDO was a local machine account, not a domain account.  I then looked at the PR_PROFILE_AUTH_USER_W and noticed that I did not qualify the username.  I changed the username from UserA to UserA@Contoso.com and it all worked.

Note: This only applies to MAPI\CDO 6.5.8309 and greater.  This does not apply to Outlook's MAPI.

Comments

  • Anonymous
    March 20, 2014
    thanks dave. we have reported this problem to microsoft. your blog is a wealthy resource and worth time reading. thanks again.