Cory_O_150882
Jun 24, 2014

Microsoft BITS Errors While Attempting To Download Outlook Offline Address Book (OAB)

Good afternoon to all!

 

We've deployed Exchange 2010 using the v1.3.0 iApp and separate Virtual Servers. For some odd reason, Outlook initiates a download of the OAB through Microsoft BITS, and we're seeing errors.

 

The client appears to download the oab.xml file in its entirety without any issue. When it attempts to download the next file in line (tmplts.tm_), BITS displays the following errors when running the "bitsadmin /list /verbose" command:

 

ERROR CODE:    0x80072efe - The connection with the server was terminated abnormally
ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.
DESCRIPTION: Microsoft Outlook Offline Address Book Template

I set the APM logs to Debug, and see repeated instances of the following lines:

 

Found HTTP 401 response for SSO configuration '/Common/%COMPANY%_NTLMV2' type:'ntlmv2'
metadata len 338
Websso NTLM authentication for user '%USERNAME%' using config '/Common/%COMPANY%_NTLMV2'

I have a sneaking suspicion that this may have something to do with the Web Acceleration profile since the oab.xml is excluded and downloading without issue, but I'll leave it up to you guys to judge based on what this is showing.

 

Thanks!

 

-Cory

 

8 Replies

  • mikeshimkus_111
    Historic F5 Account

    The oab.xml file is the one that we can't cache, since it is the manifest indicating the most recent version of the address book files. All the others are OK to cache.

     

    The iApp configures an NTLMv1 SSO by default, so I assume you created the NTLMv2 SSO because your environment is using it, and that the Exchange APM profile is also configured to use that SSO (our advanced monitors also require the "--ntlm" switch to be added to the cURL command in that case)?

     

    Can you post the output of the tmsh command "list apm profile exchange "?

     

  • Hello again, Mike!

    Yes; due to our corp security requirements, we needed to utilize NTLMv2 instead of NTLMv1. In turn, we configured the Exchange App profile to also utilize that same SSO Config.

    Here's the output of the command you requested. We use the EXCHANGE2010_1.0 configuration from our Access Profile:

    apm profile exchange EXCHANGE2010_1.0 {
        active-sync-auth-type basic
        active-sync-sso-config none
        active-sync-url /microsoft-server-activesync*
        app-service none
        auto-discover-auth-type basic
        auto-discover-sso-config %COMPANY%_NTLMV2
        auto-discover-url /autodiscover/*
        defaults-from exchange
        ntlm-auth-name none
        offline-address-book-auth-type basic
        offline-address-book-sso-config %COMPANY%_NTLMV2
        offline-address-book-url /oab/*
        rpc-over-http-auth-type basic
        rpc-over-http-sso-config none
        rpc-over-http-url /rpc/rpcproxy.dll
        user-agent-pattern-for-utf8 Android*
        web-service-auth-type basic
        web-service-sso-config %COMPANY%_NTLMV2
        web-service-url /ews/*
    }
    apm profile exchange exchange {
        active-sync-auth-type basic
        active-sync-sso-config none
        active-sync-url /microsoft-server-activesync*
        app-service none
        auto-discover-auth-type basic
        auto-discover-sso-config none
        auto-discover-url /autodiscover/*
        ntlm-auth-name none
        offline-address-book-auth-type basic
        offline-address-book-sso-config none
        offline-address-book-url /oab/*
        rpc-over-http-auth-type basic
        rpc-over-http-sso-config none
        rpc-over-http-url /rpc/rpcproxy.dll
        user-agent-pattern-for-utf8 Android*
        web-service-auth-type basic
        web-service-sso-config none
        web-service-url /ews/*
    }
    

    Am I supposed to have anything configured under the SSO / Auth Domains section within the Access Profile? I saw that the iApp doesn't put anything in there, but I also noticed the documentation calls out that you're supposed to set the SSO Configuration field to the NTLM SSO config.

    Thanks!

    -Cory

  • mikeshimkus_111
    Historic F5 Account

    You don't need to configure anything else under the access profile properties. All of that is taken care of by the Exchange APM profile.

     

    The messages you posted from the APM logs are not errors, they just indicate that NTLMv2 is found and that the profile is using the appropriate SSO for that request. I see those messages for successful OAB downloads (the only difference in my lab is that I'm using NTLMv1).

     

    Do you have APM debugging turned up for both access and sso? If you can post more of your APM logs here while the problem is happening, I'll have a look.

     

  • Hi Mike-

    I converted the logs to Debug for both access and SSO. Unfortunately, I only see the same three messages that I previously mentioned repeating over and over.

    Found HTTP 401 response for SSO configuration '/Common/%COMPANY%_NTLMV2' type:'ntlmv2'
    metadata len 338
    Websso NTLM authentication for user '%USERNAME%' using config '/Common/%COMPANY%_NTLMV2'
    

    On a whim, I tried to use a browser to download the .lzx file directly, and the browser also reported the connection terminating abnormally.

    I dumped my hosts file entries from our POC LTM+APM 11.5.1 --> CAS config back to our production LTM 11.2.0 --> TMG --> LTM 11.2.0 --> CAS configuration, and I was able to download the .lzx file through a browser and through BITS without issue. Both configurations are pointing at the same 10 CAS servers.

    This is an odd one! 🙂

    -Cory

  • mikeshimkus_111
    Historic F5 Account

    I recommend opening a case with F5 support. If you post the case here, or PM me with it, I can track the progress.

     

    • Cory_O
      The Case has been sent to you via PM. Thanks!! -C
  • In further troubleshooting, here is what I've discovered so far:

    If I enable persistence for the /oab URI, the scheduled automatic download of the offline address book now completes without issue. HOWEVER, the manual download of the OAB using the Send/Receive Groups-->Download Address Book function within Outlook still fails on each attempt. The LTM log shows 4 TCL Errors on the initial attempt, and 1 similar TCL Error on each subsequent attempt every 5 minutes thereafter:

    Jul 17 16:23:23 slot1/%REDACTED% err tmm1[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"
    Jul 17 16:23:26 slot2/%REDACTED% err tmm3[12304]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"
    Jul 17 16:23:29 slot1/%REDACTED% err tmm3[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"
    Jul 17 16:23:32 slot1/%REDACTED% err tmm1[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 6)     invoked from within "HTTP::status"
    

    I have proven this several times over and have submitted my findings/recommendations to F5 support for consideration in including this fix in the up and coming 1.4.0 Exchange iApp. If you are using the iApp, modify the following in your configuration as necessary:

    (1) Modify the %APP_NAME%_oa_persist_irule iRule to look like the following:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/ews*" {
                # Exchange Web Services.
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
            }
            "/oab*" {
                # Offline Address Book.
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } else {
                    persist source_addr
                }
            }
            "/rpc/rpcproxy.dll*" {
                if { [HTTP::header exists "APM_session"] } {
                    persist uie [HTTP::header "APM_session"] 7200
                } elseif { [string tolower [HTTP::header "Authorization"]] starts_with "basic" } {
                    set oa_key [sha256 [HTTP::header "Authorization"]]
                    persist uie $oa_key 7200
                } else {
                    persist source_addr
                }
            }
        }
    }
    when HTTP_RESPONSE {
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate"} {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if {[HTTP::header exists "Transfer-Encoding"]} {
            HTTP::payload rechunk
        }
    }
    

    (2) If you are using the combined Virtual Server, modify the combined_persist_irule by removing the /oab section and replacing with the following:

    "/oab*" {
        # Offline Address Book.
        if { [HTTP::header exists "APM_session"] } {
            persist uie [HTTP::header "APM_session"] 7200
        } else {
            persist source_addr
        }
        pool %YOUR_POOL_HERE%
        return
    }
    

    (3) If you are using both a combined Virtual Server AND APM, modify the apm_combined_pool_irule by removing the /oab section and replacing with the following:

    "/oab*" {
        pool %YOUR_POOL_HERE%
        persist uie $sessionid 7200
        return
    }
    

    The F5 engineer I am working with has assured me he will be working with the iApp team to figure out this issue and hopefully work toward a better solution, but this workaround will get the automatic downloads of the OAB up and running for now if you're seeing what I'm seeing.

    Take care, and more to follow!

    -Cory
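
As an added example (not part of the original post and not F5 tooling), the following Python parses the `01220001` TCL-error lines quoted above and groups them into download attempts, so the "4 errors, then 1 every 5 minutes" pattern can be compared before and after the iRule changes. The 30-second gap, the `year` default and the last two sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of the 01220001 lines as posted; the <EVENT> tag is optional (absent in the post).
TCL_ERR = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?:(?P<slot>slot\d+)/)?(?P<host>\S+)\s+err\s+'
    r'(?P<tmm>tmm\d*)\[\d+\]:\s+01220001:3:\s+TCL error:\s+(?P<rule>\S+)\s+'
    r'(?:<(?P<event>\w+)>\s+)?-\s+(?P<msg>.*?)\s+\(line (?P<line>\d+)\)\s+'
    r'invoked from within "(?P<cmd>[^"]+)"')

def parse(lines, year=2014):
    """Return one dict per TCL-error line; syslog has no year, so the caller supplies it."""
    recs = []
    for raw in lines:
        m = TCL_ERR.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
            recs.append(rec)
    return sorted(recs, key=lambda r: r["when"])

def bursts(recs, gap_seconds=30):
    """Split errors into attempts: a quiet gap longer than gap_seconds starts a new one."""
    groups = []
    for rec in recs:
        if groups and (rec["when"] - groups[-1][-1]["when"]).total_seconds() <= gap_seconds:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return groups

def summarize(lines, year=2014):
    recs = parse(lines, year)
    return {
        "by_rule_cmd": Counter((r["rule"], r["cmd"]) for r in recs),
        "by_tmm": Counter((r["slot"], r["tmm"]) for r in recs),
        "burst_sizes": [len(b) for b in bursts(recs)],
    }

# First four lines are the ones quoted in the post; the last two are constructed.
SAMPLE = [
    'Jul 17 16:23:23 slot1/%REDACTED% err tmm1[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"',
    'Jul 17 16:23:26 slot2/%REDACTED% err tmm3[12304]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"',
    'Jul 17 16:23:29 slot1/%REDACTED% err tmm3[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"',
    'Jul 17 16:23:32 slot1/%REDACTED% err tmm1[11395]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 6)     invoked from within "HTTP::status"',
    'Jul 17 16:28:32 slot2/%REDACTED% err tmm3[12304]: 01220001:3: TCL error: /Common/_sys_APM_Exchange  - Operation not supported (line 1)     invoked from within "HTTP::status"',
    'Jul 17 16:28:33 slot1/%REDACTED% info tmm1[11395]: constructed unrelated line',
]
```

Calling `summarize(SAMPLE)` reports the errors per iRule and command, per slot and tmm, and the size of each burst; feed it lines read from the LTM log to run the same check on a live system.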

  • Apparently, editing an existing post deletes it when you click Save. 🙂

    Let's try this again:

    PD was unable to reproduce our symptoms, therefore they could not identify a BZID. As a workaround, to fix the OAB download issue you must perform the following steps:

    Note: On VIPRIONs, MAKE SURE to use the Cluster Shell "clsh" where noted as it is crucial these files are configured identically across all slots in your cluster.
    • On your BigIP/VIPRION, use a text editor to create a file called tmm_init.tcl with the following contents:

      rule /Common/_sys_APM_Exchange { when HTTP_RESPONSE_RELEASE { log local0. "Bypass iRule" } }

    • Set the permissions on the above file using one of the two commands below:

      BigIP:

      chmod 644 /config/tmm_init.tcl

      VIPRION:

      clsh chmod 644 /config/tmm_init.tcl

    • Run one of the following commands to restart tmm:

      BigIP:

      bigstart restart tmm

      VIPRION:

      clsh bigstart restart tmm

    • Run one of the following commands to verify tmm has restarted:

      BigIP:

      bigstart status tmm

      VIPRION:

      clsh bigstart status tmm