Overview

This is an overview tutorial discussing the general troubleshooting techniques for MAPI_E_LOGON_FAILURE errors. These can be logon failures or access denied. Note that logon failure is generic and can be either communications, service failure or name resolution as the root cause. Generally the problem is lack of permissions or permissions denied.

The Quest product on this topic reports access errors in all Source or Target agents, but normally this is seen in either the Mail Source Agent or mail target Agent. The typical error below shows a standard access error which is extremely common. It is reported in agents, simply stating that we have no permissions or no MAPI access to the mailboxes with which we are trying to migrate.

02/02/2007 16:24:30 CSession::Logon TraceMsg 4800 Logging on to the mailbox ‘/o=TARGET/ou=First Administrative Group/cn=Recipients/cn=Ewan.Millington’ (Server: ‘EXCHANGE-SERVER’, user: ‘TARGET\qmmex’).
02/02/2007 16:24:30 CSession::Logon Error -2147221231 The information store could not be opened. - MAPI_E_LOGON_FAILED (MAPI 1.0) Low level error: 0×0 File: ‘aeWrapHelpers.h’ Line: ‘264′

What tools are required for troubleshooting and confirming permissions?

·         ADSIEdit: You will need to download ADSIEDIT which is part of the 200x server support tools. These can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en. Once installed you will need to register the adsiedit.dll. To do so use the following command via Start - Run ‘regsvr32 adsiedit’

 

·         MFCMAPI: This is a tool which allows you to connect to the Exchange server, store, mailbox, and public folder levels. It can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=55FDFFD7-1878-4637-9808-1E21ABB3AE37&displaylang=en

 

I’m not sure what permissions are actually required?

 ·         Essentially we required full mailbox access including send-as / receive-as rights to Exchange, including full rights to the ‘Exchange System Objects’ OU in Active Directory

·         Please read the Quick Start Guide PDF which is shipped by default with the software; Or

·         Please also see the following Solution article: https://support.quest.com/SUPPORT/index?page=solution&id=SOL38171

 

How do I set the required permissions?

 ·         Please read the Quick Start Guide PDF which is shipped by default with the software

  

Tutorial Contents

 ·         Step One: Natively Logon to a failing Mailbox

·         Step Two: Confirm Service Account Group membership

·         Step Three: Confirm Exchange Organization permissions

·         Step Four: Discussion of Scenarios

 

Step One: Natively Logon the Failing Mailbox

 Logon to Windows

 First logon to a machine, that has Outlook installed, as the Quest Service account credentials, and in domain of either source or target depending on where the error is being received. With Quest Mail Source (MSA) Agent, you should use the source domain, for the mail Target Agent (MTA) you should use the respective target domain. In this scenario we will use the Target domain to troubleshoot an error in the Mail Target Agent.

  

Obtain the LegacyExchangeDN (LEDN) of a failing User from the log file

 The following is gained from the highlight log snipped below, taken from the Mail Target Agent Log File:

02/02/2007 16:24:30 CSession::Logon TraceMsg 4800 Logging on to the mailbox ‘/o=TARGET/ou=First Administrative Group/cn=Recipients/cn=Ewan.Millington‘ (Server: ‘EXCHANGE-SERVER’, user: ‘TARGET\qmmex’).
02/02/2007 16:24:30 CSession::Logon Error -2147221231 The information store could not be opened. - MAPI_E_LOGON_FAILED (MAPI 1.0) Low level error: 0×0 File: ‘aeWrapHelpers.h’ Line: ‘264′

The legacyExchangeDN would therefore be:

 /o=TARGET/ou=First Administrative Group/cn=Recipients/cn=Ewan.Millington

 

Run MFCMAPI

 Select Logon and Display Store Table

  

When prompted, select to create a new MAPI profile

 

Create the MAPI Profile for a failing user to test the logon

 

When entering the Mailbox name, do NOT use the alias or Auto-Discover, use the legacyExchangeDN. This is because our software uses the legacyExchangeDN path of the user to logon to the mailbox making it a fully correct test.

 You should receive a result of success

  

Open the MAPI Mailbox with MFCMAPI

 Selecting the profile name on ‘Choose Profile’ will open the MAPI profile of this user. The Store of the mailbox should now be displayed, WITHOUT any errors or pop-ups. Double-click on the Mailbox store to open this store.

This should now display the Inbox store fully, as below

  

Step Two: Confirm Service Account Group Membership

 By default, Domain Admins and Enterprise Admins Groups have the Send-As & Receive-As permissions denied. These permissions are required for the Quest Service Account to logon to user mailboxes. As shown below, the membership is incorrect. Therefore you must remove the user object from membership  Domain Admins AND Enterprise Admins.

  

Step Three: Confirm Exchange Org Permissions

 Exchange permissions should be assigned to the entire Exchange Organisation root Exchange Organisation Name, and then propagated down. In some occasions for security reasons, security is assigned to each individual Exchange Store for more granularity. In any scenario you should always confirm permissions against a store, this is because permissions may not be propagated from the root configuration down to the store. The location for which these are assigned are shown below:

  

Open ADSIEDIT Configuration Container

 

Open the security of the Mail Store

 If you seen any denies please remove them, and as in Step Two, please remove the Service Account from the Domain Admins and Enterprise Admins Built-in Groups as these auto-deny the required permissions.

Confirm Effective Permissions

 Select the Advanced button and then the ‘Effective permissions’ tab, using the Quest Service Account, in our case, ‘qmmex’. All the options should be ticked, and if they are not, the product will not work, we cannot logon to the user mailboxes and the pre-requisites have not been met.

 

What if Send-as / Receive-as permissions are denied?

 ·         The Service Account is a member of Domain Admin or Enterprise Admins so this membership should be removed; Or

·         Permissions are denied at one of the levels below, so each level should be checked to confirmed permissions have propagated, these levels are:

  

·         The last possible reason is that a GPO restriction is enable prevent permissions of send-as / receive-as rights for the Service Account

  

Step Four: Discussion of Scenarios and typical reasons for failure

 The Logon failure occurs for all users

 

·         Most likely the service account has send-as / receive-as rights denied;

·         The service account is a member of Domain Admins or Enterprise Admins

·         Name resolution is not working. DNS and NETBIOS should be confirm between all servers involved in the migration (Quest & Exchange)

·         The Exchange server is unavailable or down

 

 The logon failure occurs for a limited number of users

 ·         The mailbox is hidden from the GAL. See the following solution: https://support.quest.com/SUPPORT/index?page=solution&id=SOL22596

·         The LegacyExchangeDN of the user object has a trailing whitespace. Please see the following solution: https://support.quest.com/SUPPORT/index?page=solution&id=SOL45625