Thursday, 18 February 2010

Your Out of Office settings cannot be displayed because the server is currently unavailable. Try again later.

There are loads of blog entries about this error and numerous causes. It could be that Autodiscover is not working correctly, that the OOF URL is configured incorrectly, that permissions are wrong on the CAS servers, and so on. I'm not going to go into detail here as there are loads of blogs and articles about those cases.

Our situation was slightly different to anything I could find. OOF works just fine for our users; however, as Exchange administrators we could not set other users' OOF when using Outlook 2007, we got the error "...the server is unavailable...". We also found that we were unable to log in to other users' mailboxes using our Exchange admin accounts in OWA, which was the other way we used to set OOF for absent users. The only way we could still set OOF for end users was to use Outlook 2003, but this is no longer supported on our campus, so we needed another way. This prompted me to get to the bottom of the problem, so that we as system admins could again easily set end users' OOF.

The one thing that was obvious is that this was a problem that only happened when connecting via the CAS servers. We could log in to mailboxes just fine using MAPI. Therefore there had to be something different about the way the CAS servers authenticate users against mailboxes. It is worth mentioning at this point that we had confirmed that our admin accounts were listed as having Full Mailbox Access to all mailboxes in ESM. We soon discovered that the "server is unavailable" error is a generic error that Outlook shows regardless of what error is actually returned by the server. Opening the OOF URL directly in IE showed that the CAS server was actually returning an access denied error, not a service unavailable error. We were stumped, as our admin accounts had full access!

With some testing I noticed that some of our several thousand mailboxes did allow us to set OOF as admins, but the vast majority did not. The question was why. I then started playing with Full Access permissions and found that any change whatsoever to the Full Access permissions, using ESM or the shell, suddenly made OOF work for our admin accounts. This is where Microsoft came in, as I was stumped. It turned out that this is apparently an expected issue that Microsoft have documented very poorly. It is a result of the split permissions model in Exchange 2007.

When connecting to a mailbox through a CAS server (as OOF does in Outlook 2007, and as OWA does), the CAS server does not evaluate the mailbox store's ACL; it reads the msExchMailboxSecurityDescriptor attribute from AD. That attribute only ever holds the permissions that were explicitly written to the mailbox, so by default it is truncated and incomplete: permissions that a mailbox inherits from the database or server object in AD never appear in it. To cut a long story short, Microsoft no longer support automatically inherited AD permissions to mailboxes for the CAS path, although you will still see the permissions in ESM and they will still work over MAPI connections, because the store evaluates its own ACL including inherited entries. I find this utterly baffling, but it is what it is. The practical consequence is that what ESM displays as Full Access is not necessarily what the CAS enforces, so the only reliable check is to test the access through the CAS itself, i.e. the OOF URL or OWA. In order to resolve this you need to make a change to the mailbox permissions using the shell or ESM. This causes Exchange to rewrite msExchMailboxSecurityDescriptor in AD and suddenly everything works. A couple of methods and further info follow below; the values in angle brackets were missing from my original notes and need filling in for your environment:

Add-MailboxPermission -Identity <mailbox> -User <admin account> -AccessRights FullAccess

Get-Mailbox -Server <server> -ResultSize Unlimited | Add-MailboxPermission -User <admin account> -AccessRights FullAccess
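The bulk command above re-stamps every mailbox on a server regardless of its current state. The script below is an added example, written for this post rather than taken from it or from Microsoft, that does the same job more carefully from the Exchange 2007 Management Shell: it only touches mailboxes where the admin account has no explicit (non-inherited) Full Access entry, which is exactly the case the CAS cannot see, and reports what it did. The admin account "DOMAIN\ExchAdmins" and the server name "MBX01" are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the original post): re-stamp Full Access for an admin
# account only on mailboxes where it is merely inherited, so that Exchange 2007
# rewrites msExchMailboxSecurityDescriptor in AD for those mailboxes.
# ASSUMED values for illustration; change for your environment.
$admin  = "DOMAIN\ExchAdmins"
$server = "MBX01"

# Optional dry run: set to $true to report only, without changing anything.
$reportOnly = $false

$fixed = @()
$alreadyOk = @()

Get-Mailbox -Server $server -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # Get-MailboxPermission returns both explicit and inherited ACEs, with IsInherited
    # telling them apart. Only an explicit, non-deny Full Access entry ends up in the
    # AD security descriptor that the CAS evaluates, so that is what we look for.
    $explicit = Get-MailboxPermission -Identity $mbx.Identity -User $admin |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -contains "FullAccess")
        }

    if ($explicit) {
        $alreadyOk += $mbx.Alias
    }
    else {
        if (-not $reportOnly) {
            # Writing the ACE explicitly is the "change" the post describes; Exchange
            # then rewrites the mailbox security descriptor in AD and the OOF/OWA
            # access-denied error goes away for this mailbox.
            Add-MailboxPermission -Identity $mbx.Identity -User $admin `
                -AccessRights FullAccess -InheritanceType All | Out-Null
        }
        $fixed += $mbx.Alias
    }
}

Write-Host ("Mailboxes with an explicit Full Access entry already: {0}" -f $alreadyOk.Count)
Write-Host ("Mailboxes re-stamped (or needing it, in report-only mode): {0}" -f $fixed.Count)
$fixed | ForEach-Object { Write-Host "  $_" }
```

Run it first with `$reportOnly = $true` to see how many mailboxes are affected; on a campus-sized organisation the count tells you immediately whether you are looking at this issue or at one of the more common Autodiscover or OOF URL problems. After the run, confirm the fix the same way the problem was diagnosed: open the OOF URL in IE as the admin account, or open a user's mailbox in OWA, rather than trusting what ESM displays.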