Friday, 28 August 2009

MapiExceptionNotAuthorized in Exchange 2007

I thought I would share with everyone an issue we had with mail delivery to Public Folders in Exchange 2007. We were receiving the following error:

#550 5.2.0 STOREDRV.Deliver: The Microsoft Exchange Information Store service reported an error. The following information should help identify the cause of this error: "MapiExceptionNotAuthorized....

This happened for some staff, but others could deliver messages just fine. Also external users i.e. Hotmail could deliver messages to the PFs without issue.

You would imagine then there must be a deny rule somewhere for a specific group of staff, or there was something wrong with the permissions on the PF. Numerous tests and checks proved this to not be the case.

Fortunately a pattern started to emerge with the people having the problem i.e. they were all in the same faculty and members of specific groups. Further testing proved that if a user was a member of a few groups their messages/emails would be denied to ALL PFs. However the groups were not mentioned anywhere in the PF permissions.

We even created new mail enabled PFs and gave everyone full control with no denies... still no luck. After a bit more thinking we figured that it must be that Exchange is having trouble reading the group membersip. We soon found that the OUs containing the problem groups of which the problem users were members, had inheritance switched off and hence had not picked up the new Exchange 2007 permissions when we installed EX2007. They still allowed the old Exchange Enterprise Servers group acccess which worked for EX2003, but no access was in place for the EX2007 Exchange Servers group. The OUs had also had read permissions removed for Pre-Windows 2000 (Everyone) and Authenticated Users. Therefore Exchange was denying the user access as it could not fully recurse the users ACLs. I guess this is secure by default in action, although it seems like a bit of an inefficient design to me.

I hope this saves someone a bit of time as it took us ages to get to the bottom of it.

Wednesday, 5 August 2009

Exchange 2007 Outlook Web Access Old Passwords

Weird one yesterday. We had a customer who had fallen foul of a phishing email and entered their username and password in a web form. Surprise surprise their account was compromised and used for sending a huge amount of SPAM. As soon as we became aware of the problem the user changed their password. Because the spammer had already established a connection as this user the password change did not affect them and they carried on. No major surprises there. We had to lapse the account (disable) for the connection to be dropped (I wish Microsoft would provide a tool for checking/closing active OWA/IMAP sessions in Exchange). The surprise came when we found the user could continue to login to OWA/IMAP using their old password, although it could not be used for any other resources. With some investigation it seems that once a user has authenticated to a CAS server with a password, as long as the connection remains active (and for some time after) the old password can still be used to authenticate (open new connections) to OWA/IMAP. This is alarming in my opinion. The most alarming thing is that all connections can be closed and you can still login using the old password (although I don't know for how long).

This issue is per CAS server. We usually have two, so this issue would not be as obvious normally (as the server the user logged into using the old password is the only server that will allow logins to continue using the old password).

I am going to log a urgent call with Microsoft about this. For info we are using Exchange 2007 SP1 RU5 on one front end and Exchange 2007 RU5 on all backends. The other front end has recently been upgraded to RU7, but the issue remains.

Anyone else seeing this?