This week, the Send and Receive task in Outlook 2007 SP2 and Outlook 2010 started hanging while trying to download from Exchange Server 2007 SP3 on SBS 2008. If I highlighted the stuck process, I could see that it wasn’t able to get the Offline Address Book:
Some articles point to Autodiscover as the problem. I learned the trick of holding the Ctrl key while right-clicking on the Outlook icon in the system tray. That let me Test E-Mail Autoconfiguration and determine that my autodiscovery wasn’t working too well. (Hint: you should see URLs for OOF and OAB, the user name it would use, etc.) With the help of this article on the Official SBS Blog, and the Go Daddy picture on Susan Bradley’s blog, I got autodiscovery cleared up by adding a SRV record to my Go Daddy DNS.
But still my OAB wouldn’t finish downloading. When I browsed to the full OAB URL provided by the autodiscovery, I got a “500 – Internal server error” (and another time, a “Runtime Error”).
Fix: Give Authenticated Users Read Permission
The 500 error led me to this article which recommends changing the permissions on the web.config file in the OAB directory. Sure enough, that solved it! Here are the simplified instructions that worked for me:
1. On the SBS 2008 server, open IIS manager. Navigate to Server > Sites > SBS Web Applications, then the OAB virtual directory. On the right side, switch to Content View.
2. Right-click on the web.config file and select Edit Permissions. In my case, I saw only SYSTEM, the SBS admin user, and the Administrators group listed. We want to add Authenticated Users, so click on Edit and and then Add and put the Authenticated Users in there. I assigned only Read rights (that is, I removed Read & execute):
Once I okayed that new permission, Outlook was immediately able to download the Offline Address Book. I did not need to restart IIS or Outlook.
Oh, and trying to browse directly to the OAB URL now fails with a 403 – Forbidden message:
Fortunately it seems that Outlook knows how to provide credentials and get what it needs.
Is This Safe?
l’m always a little nervous to follow the recommendation of some web site that tells me to add permissions. However, as the site pointed out, the web.config files in the Autodiscover and owa folders already allow Authenticated Users at least Read access, so it makes sense that it’s okay for the OAB to have that permission as well.