Entourage Exchange Account Configuration
Volume Number: 22 (2006)
Issue Number: 7
Column Tag: MICROSOFT | MAC IN THE ENTERPRISE
Entourage Exchange Account Configuration
Understanding the details of Microsoft Entourage 2004 Exchange account configurations
by Andy Ruff
Introduction
Entourage provides two methods for configuring accounts: manually via the Account Settings dialog or through the Account Configuration Wizard, a simple tool that automatically detects your network's configurations and configures an Exchange account accordingly. Understanding how these methods work is very useful for troubleshooting deployment headaches.
Navigating the Account Settings Dialog
Entourage uses WebDAV, the same technology underpinnings as the web-based Outlook Web Access (OWA), to communicate with the Exchange server. As a user, if you can access your Exchange mailbox through the web browser, you should be able to configure Entourage to synchronize with Exchange. From the administrator's perspective, this means that no further work is required in order to support Entourage if OWA is enabled on your Exchange server.
To configure or create an Exchange account in Entourage, use the standard Entourage account manager at menu path Tools : Accounts, click on the Exchange tab, and press the New toolbar button.
Figure 1: Account Settings
The Account name field merely represents how the Exchange account will appear throughout Entourage. The contents of this field do not impact how Entourage synchronizes or communicates with the Exchange server. Typically the field should be easily recognizable as conveying the relevance or location of the account. For example, with my Microsoft corporate account, I simply name my account Microsoft. Name and E-mail address represent how outgoing e-mail addresses will be generated and represented to recipients. The E-mail address field is also used in Entourage's mailbox discovery process detailed later.
The Account ID, Domain, and Password are the Active Directory credentials of the account whose mailbox Entourage will synchronize. Within many organizations, you may recognize these credentials by logging in with a domain name\account ID. If you save your password using the Mac OS keychain, it is important to remember that each time you change your password, you need to return to Entourage's account settings and update your password. While Entourage does not allow you to change or reset your password from within Entourage, Entourage will notify you that a password will soon expire.
Figure 2: Components of Exchange Mailbox URLs
In the simplest configuration, the Exchange server field merely needs to contain the host name of the Exchange server Entourage will connect to for mailbox synchronization. If the user's mailbox is later moved to a different Exchange server, Entourage should be redirected to the new location and the user will not need to update the Exchange server field's contents.
Entourage's mailbox discovery process is one of the most common issues that result in an Exchange account failing to connect with the server. When first connecting to an Exchange mailbox, Entourage attempts to locate the user's mailbox through a combination of the left-hand-side of the user's e-mail address, and the Exchange server field's value. In most cases, Entourage attempts to find the user's mailbox beyond the virtual root with the left-hand-side (LHS) of a user's e-mail address. In the e-mail address aruff@microsoft.com, Entourage will look for an Exchange mailbox named aruff.
The virtual root is the first subcomponent of the URL used by Entourage when communicating with the Exchange server. In the default Exchange deployment, the virtual root is /exchange/. Entourage will always assume the default virtual root is unchanged. If your organization has modified the virtual root, you may override this behavior by entering a custom virtual root within the account's Exchange Server field. For example, if your Exchange server had a custom virtual root of /owa/ and mail.example.com was your Exchange server, you should enter mail.example.com/owa/ in the Exchange server field in order for Entourage to begin synchronization.
In some organizations, particularly those supporting a variety of legacy e-mail and directory configurations, this poses a problem. Often times, such organizations name Exchange mailboxes using the user's account alias (the default value when creating an Exchange mailbox), but assign users much more human-readable e-mail addresses. For example, instead of aruff@microsoft.com, the user knows their e-mail address as more along the lines of andy.ruff@microsoft.com.
The Exchange Server field is again key to overriding the methods Entourage uses to discover a user's mailbox. When the user's mailbox name differs from the LHS of their e-mail address, placing the full path (server name/virtual root/mailbox name) in the field, will override Entourage's mailbox discovery behavior, forcing Entourage to look directly at the provided path for the user's mailbox.
Often times, getting the Exchange server field correct is a process of understanding the relationship between Entourage and Outlook Web Access (OWA). The simplest method for configuring an Exchange account in Entourage is to log into OWA, copy the resulting location in Safari's Address Bar up until the first mailbox folder, and pasting the resulting text in the Exchange server field of your account in Entourage.
Figure 3: Advanced tab
The Advanced tab provides further configuration for Exchange functionality that is not required in order to synchronize with Entourage, but many users find important: public folders and access to the global address list.
The Public Folder server provides both access to public folders and free/busy information. Entourage may synchronize any calendar, address book, or message public folder. If your public folders are replicated across a collection of servers, Entourage will follow redirections to the appropriate server. If you would like a regularly accessed public folder to be synchronized for offline access, the public folder should be added to your public folder favorites simply by dragging-and-dropping the folder into the Favorites subfolder of the Public Folders folder of your Exchange account in Entourage.
When scheduling a meeting, free/busy information is used to share with others what time you are available to meet. Entourage does not generate and publish free/busy information. Instead, the Exchange server detects changes in a calendar and automatically updates the corresponding free/busy information. If another user's free/busy information appears dark grey within Entourage when scheduling meetings, it is often the result of an incorrectly configured Public folders server address.
For access to the corporate directory or Global Address List, Entourage uses the LDAP services of an Active Directory domain controller. The LDAP Server field is the host name of a domain controller Entourage will query. Entourage typically queries the Global Catalog of a domain controller for directory information with default ports of 3268 and 3269. If you do not know the name of your domain controller, you may use the same "dig" command line query detailed later.
In order for users to be able to browse the contents of the directory, Entourage uses the LDAP Virtual List View (VLV) control introduced in Windows Server 2003. For Entourage users connecting to Windows 2000 domain controllers, they will only be to search the contents of the directory.
Dissecting the Account Configuration Wizard
The Account Configuration Wizard provides a simple mechanism for configuring a new Exchange account without requiring the user to know anything other than their Active Directory login credentials and e-mail address. It is important to understand how Account Configuration Wizard works so that you might tweak your network configuration to ensure its success as a low cost method for deploying Entourage as an Exchange client.
Figure 4: Account Configuration Wizard
The wizard follows a three-step process for automatically determining the user's account settings: 1) finding a domain controller, 2) determining the Exchange server that hosts the user's mailbox, and 3) connecting to the server to begin synchronization. It is important that the user's Network settings in System Preferences are properly configured with the appropriate search domains and DNS server, as the combination of the two values is critical to Entourage's ability to find servers on a network.
In order to find a domain controller, Entourage uses the DNS service discovery mechanism to find LDAP-based services on the currently connected network. If Entourage is unsuccessful at finding, or finds the incorrect domain controller within a network, often times it is easiest to debug the DNS configuration of the machine using either the dig or nslookup command-line tools to perform a DNS query similar to that issued by Entourage. In Terminal.app, execute dig _ldap._tcp.search.domain:
aruff:~ aruff$ dig _ldap._tcp.microsoft.com
; <<>> DiG 9.2.2 <<>> _ldap._tcp.microsoft.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36646
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.microsoft.com. IN A
;; AUTHORITY SECTION:
microsoft.com. 3595 IN SOA dc.microsoft.com. hostmaster.microsoft.com. 11896502 900 600 86400 3600
;; Query time: 70 msec
;; SERVER: 157.57.195.29#53(157.57.195.29)
;; WHEN: Mon Jun 12 22:46:37 2006
;; MSG SIZE rcvd: 118
In the above results, the DNS server returned that dc.microsoft.com provides LDAP services. In this case, dc.microsoft.com likely refers to many different domain controllers. Often organizations use DNS to have a single host name point to a series of servers, allowing clients such as Entourage to quickly rollover to any of the servers depending on uptime and server load. If the DNS query returns more than one domain controller, Entourage chooses the appropriate domain controller based on priority returned in the DNS query. If the priority value of two or more domain controllers match, Entourage chooses the first matching domain controller.
After discovering a domain controller, Entourage connects, binds, and queries the Active Directory via LDAP for the homeMDB attribute of the user's directory entry. The homeMDB attribute contains the host name of the Exchange server that stores the user's mailbox. Further, Entourage will set the Directory Service server field for the account to the discovered LDAP-providing domain controller.
Failure to discover the homeMDB attribute typically is the result of Entourage's inability to find the user object in the Active Directory. If you have access to a Window's machine, it may be useful to use the LDP.exe tool in the Windows 2000 Support Tools kit to connect to the LDAP service returned by the DNS query in step one, and ensure the user's Active Directory object is replicating properly to the target domain controller and that the homeMDB attribute is returned correctly.
Once Entourage knows the homeMDB value, Entourage connects to the server via WebDAV, and attempts to locate the user's mailbox. Once the Entourage locates the mailbox on the server, Entourage parses out HTML generated by Outlook Web Access to the location of the public folder server. Typical causes of failure at this step in the configuration wizard are either Entourage's difficulty in locating the user's mailbox on the server or the server is inaccessible on the network (e.g. incorrect search domains within the Network settings of System Preferences). If all succeeds, the account configuration wizard will exit and the user will begin to see the contents of their Exchange mailbox synchronizing with Entourage.
Seamless Traveling: Synch Entourage without VPN Access
Taking advantage of the rich experience and offline capabilities of Entourage's Exchange synch need not be limited to your office. A benefit of Entourage using the same underlying technology as OWA to communicate with your Exchange server, Entourage may synchronize your Exchange account from any machine that is able to access the same mailbox in a web browser through OWA. If you are able to go home, launch Safari, and check your e-mail using OWA, then you should also be able to configure Entourage to connect to your Exchange server and synchronize while at home, just as you would in the office.
For laptop users, this capability provides offline access for productive e-mail triage on the airplane or quick access to a contact's phone number, even when no wireless network is available. Personally, I configure Entourage to always point to the corporate OWA servers. This allows me to dash off to a local coffee shop for several hours of uninterrupted focus or connect to the airport's wireless network when traveling, all the while seamlessly synchronizing my Exchange account with Entourage without once mucking with VPN access--it just works.
To configure Entourage to connect to the OWA server, place the name of the server you connect to in Safari within the Exchange server field. For example, if you type https://mail.example.com/ in Safari to access your Exchange mail from within your web browser, enter https://mail.example.com into the Exchange server field of your Entourage Exchange account (Entourage will automatically detect if your Exchange server uses a secure connection and toggle the "use SSL" checkbox as necessary). For public folders and free-busy information, you may find it easiest to browse to your public folders within OWA, copying the front portion of the resulting URL in the Address Bar. Under the default Exchange server configuration, public folders are accessible under the /public/ virtual root (e.g. https://mail.example.com/public/).
Generally, few organizations allow applications outside their trusted networks to access domain information via LDAP. As such, both the Global Address List and Account Configuration Wizard will fail to work in Entourage. If always-accessible Global Address List is critical to your organization, you may consider configuring Microsoft Active Directory Application Mode (http://www.microsoft.com/windowsserver2003/adam/), to host the GAL and provide lightweight LDAP services over a secure connection. Some third party tools, such as EntourageABMenu, provide a method for quickly searching your GAL through Entourage without requiring LDAP connectivity.
While Outlook and Exchange 2003 deliver similar functionality in the form of MAPI-RPC, Entourage 2004 users in both Exchange 2000 and 2003 environments may configure Entourage to synchronize without ever needing to worry about VPN access.
Conclusion
Entourage uses a variety of technologies to communicate with the Exchange server, sometimes making deployment a challenge. Understanding how each of these technologies impacts Entourage is often key to forging a plan for deploying Entourage within your organization.
Andy Ruff is an Entourage Program Manager at Microsoft. You may read his weblog at http://www.ruffly.org
