We're having difficulties with Outlook clients running in cached mode. They get stuck forever on "Offline Address Book is connecting to Microsoft Exchange".
The two Exchange servers in question are load-balanced by a KEMP cluster, with HTTPS round-robin (SSL termination is done at the Exchange servers, no caching or any of the sort). Both servers are running Exchange 2013 CU6.
BITSadmin shows the jobs failing with the error code 0x80190191: HTTP 401.
The strange part here is that external OutlookAnywhere clients can download the OAB just fine, so this seems to be related to NTLM or Kerberos in some way. I just can't figure out where.
It happens to all users on all kinds of devices, so this is not isolated.
- The OAB URL can be accessed through IE and Chrome without problems (authentication pop-up)
- Added the domain to the intranet zone in order to get SSO, which works in IE and Chrome
- Set up Kerberos SPN with an alternate service account across the DAG (no effect)
- The OAB virtual directories are set up correctly (Require SSL, ignore client cert, Windows authentication)
- Added ACL for authenticated users under the OAB physical path with read+list+execute (no effect)
- Created a new OAB (no effect)
- Recreated the OAB arbitrary generation mailbox (no effect)
- Moved the OAB mailbox to a different database (no effect)
- Activated the database holding the OAB arbitration mailbox on a different server (no effect)
- OWA redirection is not enabled on IIS, as this is known to cause these kinds of errors. We do a simple http -> https rewrite on the load balancer in case requests arrive on http. I disabled the redirection during troubleshooting, and it did not help.
Does anyone have further pointers on what could be wrong, and what I should check? I've tried to dig through logs, but I'm unsure of what logs to inspect and what to look for. Many of the Exchange logs are enormous in size - so large that even Notepad++ has difficulties opening them.
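
An added example, not part of the original post: a streaming filter for IIS W3C logs that tallies responses on the OAB path per server, client and user agent, and lists the combinations that received 401s but never a success. A 401 challenge followed by a 200 is the normal Windows authentication handshake, so only the combinations with no success at all are of interest. The log layout, the `/oab` prefix and the sample lines are assumptions, and the sample is constructed.

```python
import sys
from collections import defaultdict

# Constructed sample in IIS W3C format; addresses, names and paths are made up.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-substatus",
    r"2015-01-12 08:00:01 10.0.0.11 HEAD /OAB/placeholder/oab.xml - 10.0.0.50 Microsoft+BITS/7.5 401 2",
    r"2015-01-12 08:00:01 10.0.0.11 HEAD /OAB/placeholder/oab.xml - 10.0.0.50 Microsoft+BITS/7.5 401 1",
    r"2015-01-12 08:00:02 10.0.0.11 HEAD /OAB/placeholder/oab.xml - 10.0.0.50 Microsoft+BITS/7.5 401 1",
    r"2015-01-12 08:05:10 10.0.0.12 GET /OAB/placeholder/oab.xml - 10.0.0.50 Mozilla/5.0+(Windows+NT+6.1) 401 2",
    r"2015-01-12 08:05:10 10.0.0.12 GET /OAB/placeholder/oab.xml EXAMPLE\alice 10.0.0.50 Mozilla/5.0+(Windows+NT+6.1) 200 0",
    r"2015-01-12 08:06:00 10.0.0.12 GET /owa/ - 10.0.0.51 Mozilla/5.0+(Windows+NT+6.1) 401 2",
]

def oab_auth_summary(lines, path_prefix="/oab"):
    """Stream log lines and tally OAB responses per (server, client, user agent)."""
    fields = []
    stats = defaultdict(lambda: {"ok": 0, "401": defaultdict(int)})
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # truncated or malformed row
        row = dict(zip(fields, values))
        if not row.get("cs-uri-stem", "").lower().startswith(path_prefix):
            continue
        key = (row.get("s-ip", "-"), row.get("c-ip", "-"), row.get("cs(User-Agent)", "-"))
        status = row.get("sc-status", "")
        if status == "401":
            stats[key]["401"][row.get("sc-substatus", "?")] += 1   # keep the sub-status
        elif status[:1] in ("2", "3"):
            stats[key]["ok"] += 1
    return stats

def never_authenticated(stats):
    """Keys that were challenged with 401 but never got a 2xx/3xx response."""
    return sorted(k for k, v in stats.items() if v["401"] and v["ok"] == 0)

if __name__ == "__main__":
    # Pass a log file path to stream a real log; without one the sample is used.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE
    stats = oab_auth_summary(source)
    for key in never_authenticated(stats):
        print(key, dict(stats[key]["401"]))
```

Because the file is read line by line, log size does not matter, and the `s-ip` column shows which of the two load-balanced servers answered each request.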