E14 Ticket: Unable to Download OAB after Exchange 2010 SP2


=======================================================================
Part 3
=======================================================================

1. (screenshot)

2. (screenshot)

3. Get the distinguished name of the tenant OAB object

OAB generation server: BQT-MBX01
[PS] Get-OfflineAddressBook -Server BQT-MBX01 | fl
DistinguishedName : CN=BQT-MBX01 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=MSFT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=com

4. Set $TenantOAB

[PS] C:\>$TenantOAB="CN=BQT-MBX01 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=MSFT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=com"

5. Add-ADPermission: grant the MS-Exch-Download-OAB extended right to the group that should be able to download this OAB
(screenshot)

-User "Domain Users" (security group)

[PS] C:\>Add-ADPermission $TenantOAB -User "MSFT\Domain Users" -ExtendedRights "MS-EXCH-DOWNLOAD-OAB"

Identity        User               Deny   Inherited
--------        ----               ----   ---------
\BQT-MBX01 OAB  MSFT\Domain Users  False  False

6. Check the permission

[PS] C:\>Get-ADPermission $TenantOAB -User "MSFT\Domain Users" | fl

User                : MSFT\Domain Users
Identity            : \BQT-MBX01 OAB
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All


(screenshot)

or, filtering on the extended right itself:
[PS] C:\>Get-ADPermission $TenantOAB -User "MSFT\Domain Users" | where {$_.ExtendedRights -match 'MS-EXCH-DOWNLOAD-OAB'} | fl


User                : MSFT\Domain Users
Identity            : \BQT-MBX02 OAB
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

8. Before restarting FDS (the Microsoft Exchange File Distribution service, MSExchangeFDS)

(screenshot)

9. Restart FDS

(screenshot)

10. Reset to default

(screenshot)

11. Outlook downloads the OAB

(screenshot)
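Steps 3 to 9 above as one scripted, re-runnable procedure. This is an added example and not part of the original ticket; it assumes the Exchange 2010 SP2 Management Shell, and the server name, OAB name and group are placeholders taken from the steps above. One caveat a hoster should keep in mind: granting MS-Exch-Download-OAB to "Domain Users", as in step 5, lets every domain account download that OAB, which is equivalent to the Authenticated Users right SP2 removed. In the multi-tenant scenario the guidance in Part 2 describes, the group must contain only that tenant's users.

```powershell
# Added example (not from the original ticket): grant MS-Exch-Download-OAB on one OAB
# to one security group, verify the ACE, and optionally confirm it survives an FDS restart.
# Run in the Exchange Management Shell on Exchange 2010 SP2. All names are placeholders.
param(
    [string]$OabServer   = "BQT-MBX01",          # server that generates the OAB (step 3)
    [string]$OabIdentity = "",                   # or name one OAB directly, e.g. "BQT-MBX01 OAB"
    [string]$Group       = "MSFT\Domain Users",  # security group that may download it (step 5)
    [switch]$RestartFds                          # also restart MSExchangeFDS and re-check (steps 8-9)
)

$right = "MS-Exch-Download-OAB"

# Step 3: resolve the OAB object's distinguished name instead of pasting it by hand.
$oab = if ($OabIdentity) { Get-OfflineAddressBook -Identity $OabIdentity }
       else              { Get-OfflineAddressBook -Server $OabServer }
if (-not $oab) { throw "No OAB found (server '$OabServer', identity '$OabIdentity')" }
if (@($oab).Count -gt 1) { throw "More than one OAB matched; name one with -OabIdentity" }
$TenantOAB = $oab.DistinguishedName
Write-Host "OAB: $($oab.Name)`nDN : $TenantOAB"

# Helper: the allow ACEs for $User on $Identity that carry the download right.
function Get-OabDownloadAce([string]$Identity, [string]$User) {
    Get-ADPermission -Identity $Identity -User $User |
        Where-Object { -not $_.Deny -and $_.ExtendedRights -match $right }
}

# Step 5: add the extended right only when it is missing, so the script is idempotent.
if (Get-OabDownloadAce $TenantOAB $Group) {
    Write-Host "$Group already holds $right on $($oab.Name); nothing to add"
} else {
    Add-ADPermission -Identity $TenantOAB -User $Group -ExtendedRights $right | Out-Null
    Write-Host "Granted $right to $Group"
}

# Step 6: verify, and fail loudly rather than assuming the ACE was written.
$ace = Get-OabDownloadAce $TenantOAB $Group
if (-not $ace) { throw "Verification failed: $Group has no $right ACE on $TenantOAB" }
$ace | Format-List User, Identity, Deny, AccessRights, ExtendedRights, IsInherited

# If Authenticated Users still carries the right here, the group ACE adds no restriction:
# every logged-on user can already download this OAB.
if (Get-OabDownloadAce $TenantOAB "NT AUTHORITY\Authenticated Users") {
    Write-Warning "Authenticated Users still has $right on $($oab.Name); see the SP2 hosting guidance"
}

# Steps 8-9: the AD ACE lives on the OAB object, not in the NTFS ACL that FDS rewrites when it
# rebuilds the OAB folder on the CAS, so it should still be there after the service restarts.
if ($RestartFds) {
    Restart-Service MSExchangeFDS
    if (-not (Get-OabDownloadAce $TenantOAB $Group)) { throw "ACE missing after FDS restart" }
    Write-Host "ACE still present after the FDS restart"
}
```

Run it once per tenant OAB with that tenant's group, e.g. `.\Grant-OabDownload.ps1 -OabIdentity "BQT-MBX01 OAB" -Group "MSFT\Tenant1-Users" -RestartFds` (script name assumed). The verification step is the part worth keeping even if you prefer the one-liners above: an `Add-ADPermission` that fails on a mistyped group name is easy to miss in a scripted tenant build.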

========================================================================
Part 2
========================================================================

1. Where the problem is defined
Multi-Tenancy and Hosting Guidance Exchange Server 2010 SP2

clip_image007

2. Problem description: Exchange 2010 SP2 removed the Authenticated Users right on the OAB to tighten OAB security (see the appendix for details)

Problem or Issue Description

Securing Offline Address Book web distribution folders.

Recommended Approach

It is recommended you follow the process outlined in the appendix of this document to remove the Authenticated Users Read ACE from each OAB folder (including that for the Default OAB to prevent accidental download), and add an ACE for a security group including all users in the tenant who will be using each folder.

The steps documented in this process are planned to be added to Exchange in the future, to allow easy securing of the folders without the need to change Active Directory permissions. Until that time, the steps outlined in the appendix of this document are the only supported way to accomplish this task. 

It is recommended you perform the detailed steps during initial creation of a tenant on the system using a scripted and tested process.

Unsupported Solutions

It is unsupported to make other ACL changes to the OAB container, objects, folders or sub-folders

Additional Comments

IIS enforces authentication to the content of the OAB virtual directory, and with the recommended ACL changes it should not be possible for any user to see any OAB other than that intended for their own tenant.

3. Microsoft's solution is as follows: a different permission model has to be used to let clients download the OAB

clip_image009

4. Appendix

Securing OAB Virtual Directories

Prior to the release of an update to Exchange that will enable this functionality natively, the following steps need to be completed to secure access to the OAB virtual directory folders on the Client Access server.

Each of the following examples assumes the domain being used by the hoster is called fabrikam.com – you need to change the examples shown below to refer to your own deployment.

Removing the MS-Exch-Download-OAB extended right from the root OAB container

The following two commands should be run once per Exchange installation to remove the MS-Exch-Download-OAB extended right from the root OAB container. This prevents all subsequently created OABs from inheriting this extended right.

To verify the permission exists, first set the container's distinguished name:

$BaseOABContainer='CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fabrikam,DC=com'

Then run the following command to examine the existing permissions.

Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | fl
The results returned should look similar to this:

User                : NT AUTHORITY\Authenticated Users
Identity            : \
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

Then run the following command to remove the extended right:

Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | Remove-ADPermission

To validate this command has executed correctly, the following command should now return zero results:

Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | fl
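The appendix commands cover the root container only and hard-code the organization name. The script below is an added example, not part of Microsoft's document or this ticket: it derives the root container from an existing OAB's distinguished name, audits the root container and every OAB in the organization for an Authenticated Users ACE carrying MS-Exch-Download-OAB, and removes the explicit ones only when you pass -Remove. It assumes the Exchange 2010 SP2 Management Shell and that no OAB name contains an unescaped comma.

```powershell
# Added example (not from the guidance document or the ticket): audit, and optionally remove,
# the Authenticated Users MS-Exch-Download-OAB right on the root OAB container and on each OAB.
param(
    [switch]$Remove   # default is report-only; with -Remove, explicit ACEs are deleted
)

$right = "MS-Exch-Download-OAB"
$au    = "NT AUTHORITY\Authenticated Users"

# Derive the root container from any OAB's DN rather than hard-coding "First Organization",
# "MSFT" and so on: each OAB object sits directly under CN=Offline Address Lists.
$oabs = @(Get-OfflineAddressBook)
if (-not $oabs) { throw "No offline address books found in this organization" }
# Assumption: stripping exactly one RDN; an OAB name with an unescaped comma would break this.
$BaseOABContainer = $oabs[0].DistinguishedName -replace '^CN=[^,]+,', ''

# Helper: Authenticated Users ACEs on $Identity that carry the download right.
function Get-AuDownloadAce([string]$Identity) {
    Get-ADPermission -Identity $Identity -User $au |
        Where-Object { $_.ExtendedRights -match $right }
}

$targets = @(@{ Name = "<root container>"; DN = $BaseOABContainer }) +
           ($oabs | ForEach-Object { @{ Name = $_.Name; DN = $_.DistinguishedName } })

# Report every matching ACE, and whether it is inherited or set directly on the object.
$report = @()
foreach ($t in $targets) {
    foreach ($ace in @(Get-AuDownloadAce $t.DN)) {
        $report += New-Object PSObject -Property @{
            Object    = $t.Name
            Deny      = $ace.Deny
            Inherited = $ace.IsInherited
        }
    }
}

if (-not $report) {
    Write-Host "No Authenticated Users ACE with $right found; nothing to do"
    return
}
$report | Format-Table Object, Deny, Inherited -AutoSize

if ($Remove) {
    # Only explicit ACEs can be removed from an object; inherited ones disappear once the
    # ACE on the container they come from (here, the root container) is gone.
    foreach ($t in $targets) {
        Get-AuDownloadAce $t.DN |
            Where-Object { -not $_.IsInherited } |
            Remove-ADPermission -Confirm:$false
    }
    # Same check the appendix ends with, extended to every OAB: expect zero results.
    $left = @($targets | ForEach-Object { Get-AuDownloadAce $_.DN })
    if ($left) { Write-Warning "$($left.Count) ACE(s) remain; inspect them with Get-ADPermission" }
    else       { Write-Host "Removed; verification returned zero ACEs" }
}
```

Run it without -Remove first and read the Inherited column: an OAB whose only ACE is inherited is cleaned up by removing the root ACE, exactly as the appendix describes, while an explicit ACE on an individual OAB (for example one added earlier by hand) needs its own removal, which is what the -Remove path does.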


========================================================================
Part 1
========================================================================

Our new E14 environment has the same situation here as issue 1.

I've built two CAS servers with WNLB, newly built on SP2 and updated to RU3.
(screenshot)
Every time FDS or the server is restarted, the permissions on the OAB folder are reset as below.

And this happened on both CAS servers.

(screenshot)

I already checked and modified the OAB folder permissions by referring to the article below, but they are reset to the default every time the CAS server is rebooted.

A security group does not have sufficient rights to an OAB folder

(screenshot)