Tracking down Exchange 2013 OWA Office Mail App Initialization Failed
Our current environment is a single EV 10.0.4 CHF3 server. We are running Exchange 2010 and have recently stood up our 2013 environment. We have a handful of IT test users migrated to 2013. Enterprise Vault is working with Exchange 2013. All user connections, internal and external, take the same path through to the EV server. They all pass through a VIP on our F5 load balancer, which, in this case, is really not doing much more than fronting the web traffic and passing it through. We have used this setup for many years now without issue. Our current Exchange version is 2013 CU 10. We were previously on CU 4 and experienced the below issue, then thought it might help to roll up Exchange.
I am currently trying to get EV working through Exchange 2013 OWA using the Office Mail App and am running into some issues. The issue I'm experiencing is described exactly like in this article, https://www.veritas.com/support/en_US/article.TECH222757 among a few others. Originally, I thought it was a certificate problem because the Exchange auth certificates are self-signed. So, I issued a new Auth certificate from our internal CA and configured it in Exchange, then set the AuthConfiguration to match that certificate thumbprint. Our setup seems correct.
I deployed our Office Mail app to the organization using the following:
$Mbx = get-mailbox "Test User"
New-App -OrganizationApp -DefaultStateForUser:enabled -Url ("https://OurEVServerVIPDnsName/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" + $Mbx.LegacyExchangeDN)
The deployment appeared to go well. I'm using the default desktop policy options so EV is enabled for OWA and Outlook 2013. When I open Outlook 2013 from my office, I can use the Enterprise Vault mail app without any problems. When I try to use the Enterprise Vault app through OWA from my office, it just spins then gives the Initialization Failed message. When I try to use the Enterprise Vault app through OWA from my home PC, it first prompts me with a forms login, I'm assuming to Enterprise Vault, which makes sense since I'm using my home PC (non-domain).
Some additional troubleshooting:
I've checked retention categories for any funky characters; those are fine. I'm able to browse to our EV OfficeMailApp.htm page without any certificate warnings or errors (just shows a blank page). I'm able to browse to our EV OfficeMailApp.aspx page without any cert warnings (just shows a blank page as well).
I attempted a Fiddler trace to see if I can figure out what is going on. If I've set it up correctly, I see the following lines:
GET /EnterpriseVault/OfficeMailApp.htm?et= HTTP/1.1
With a response of:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
Date: Tue, 03 Nov 2015 13:58:59 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>
That shows up twice with a different Negotiate string. I'm assuming it's trying to negotiate authentication?
Then it shows a third line with the same GET and a 200 response of:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Wed, 10 Jul 2013 21:57:08 GMT
Accept-Ranges: bytes
ETag: "05246cb87dce1:0"
Server: Microsoft-IIS/8.5
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAAYWonWSVdERgAAAAA=
Date: Tue, 03 Nov 2015 13:58:59 GMT
Content-Length: 3145
<!DOCTYPE html>
<html xmlns='\"http://www.w3.org/1999/xhtml\"'>
<head>
<META Http-Equiv="Cache-Control" Content="no-cache">
<META Http-Equiv="Pragma" Content="no-cache">
<META Http-Equiv="Expires" Content="0">
<META content="IE=9" http-equiv="X-UA-Compatible">
<script type="text/javascript" id="onlineOfficeJS" src="https://appsforoffice.microsoft.com/lib/1.0/hosted/office.js"></script>
<script type="text/javascript">
function buildQueryString(officeJS) {
var querystring = window.location.search;
querystring.length > 0 ? querystring += "&OfficeJS=" : querystring += "?OfficeJS=";
querystring += encodeURIComponent(officeJS)
return querystring;
}
function navigateAfterOfficeInit(queryString) {
Office.initialize = function() {
// When Office.js handshake complete - redirect to main office aspx
window.location.href = "OfficeMailApp.aspx" + queryString;
}
}
function redistScriptPath(script) {
var buildversion = "10.0.4.1189";
return "V" + buildversion + "/OfficeMailApp/redist/scripts/" + script;
}
function addScriptBlock(scriptFile, onTriedToLoadScript) {
var script = document.createElement("script");
script.type = "text/javascript";
if (script.readyState) {
script.onreadystatechange = function() {
if (script.readyState == "loaded" || script.readyState == "complete") {
script.onreadystatechange = null;
onTriedToLoadScript(scriptFile);
}
};
} else {
script.onload = function() {
onTriedToLoadScript(scriptFile);
};
}
script.src = scriptFile;
document.getElementsByTagName("head")[0].appendChild(script);
}
function officeJSIsLoaded() {
return typeof Office !== "undefined";
}
function tryToLoadAjaxRedist() {
addScriptBlock(redistScriptPath("MicrosoftAjax.js"), tryToLoadOfficeJSRedist);
}
function tryToLoadOfficeJSRedist() {
// Remove original script block for the hosted Office.js in preparation for adding a new script block
// that references the redistributed local Office.js. This is necessary because Office.js initialisation looks for
// the script block with a src attribute containing 'office.js' - it then attempts to load dependent js files
// from the base url of that src. Leaving the original block in place would therefore break the loading process of
// the redistributed Office.js.
onlineOfficeJS.parentNode.removeChild(onlineOfficeJS);
addScriptBlock(redistScriptPath("office.js"), triedToLoadOfficeJSRedist);
}
function triedToLoadOfficeJSRedist(file) {
navigateAfterOfficeInit(buildQueryString(file));
}
if (officeJSIsLoaded())
navigateAfterOfficeInit(buildQueryString(onlineOfficeJS.src));
else
tryToLoadAjaxRedist();
</script>
</head>
<body>
</body>
</html>
This is followed by a fourth line: GET /EnterpriseVault/OfficeMailApp.aspx?et=&OfficeJS=https%3A%2F%2Fappsforoffice.microsoft.com%2Flib%2F1.0%2Fhosted%2Foffice.js HTTP/1.1
and response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3840
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 13:58:59 GMT
<!DOCTYPE html>
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head><meta charset="UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=9" /><meta http-equiv="Pragma" content="no-cache" /><meta http-equiv="Expires" content="-1" /><title>
Enterprise Vault
</title><link href="V10.0.4.1189/OfficeMailApp/Redist/css/Style.css" rel="stylesheet" type="text/css" /><link href="V10.0.4.1189/OfficeMailApp/OfficeMailApp.css" rel="stylesheet" type="text/css" /><script type="text/javascript" src="https://ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js"></script><script type="text/javascript" src="https://appsforoffice.microsoft.com/lib/1.0/hosted/office.js" id="OfficeJSPath"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/Redist/scripts/jquery-1.7.2.min.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/OfficeMailAppCommon.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/en/OfficeMailAppStrings.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/EVMbxSettings.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/EVEWSHelper.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/EVManagedFolder.js"></script><script type="text/javascript" src="V10.0.4.1189/OfficeMailApp/OfficeMailApp.js"></script></head>
<body id="OfficeMailAppBody">
<div id="OfficeMailAppSettings" class="hidden"></div>
<div class="header">
<div class="statusHelp">
<span><a id="helpLink" href="#"></a></span>
</div>
<div id="status" class="statusImage">
<img src="spacer.png" id="statusImage" class="cssimg">
</div>
<div class="statusText">
<span id="statusText"></span>
</div>
<div class="statusText">
<span><a id="statusBtn" href="#"></a></span>
</div>
<textarea id="TraceConsole" class="hidden"></textarea>
</div>
<div id="main" class="main">
<div id="wrapper" class="wrapper">
<div id="homePanel" class="homePanel">
<div id="viewBtn" class="button imageView"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="searchBtn" class="button imageSearch"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="aeBtn" class="button imageArchiveExplorer"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="storeBtn" class="button imageStore"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="restoreBtn" class="button imageRestore"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="deleteBtn" class="button imageDelete"><img src="spacer.png" class="cssimg"><span></span></div>
</div>
<div id="storePanel" class="storePanel">
<div id="archiveBackBtn" class="button imageBack"><img src="spacer.png" class="cssimg"><span></span></div>
<div class="retentionCategories"><select id="retCatSelect"></select></div>
<div id="archiveOKBtn" class="button buttondisabled imageOKDisabled"><img src="spacer.png" class="cssimg"><span></span></div>
</div>
<div id="deletePanel" class="deletePanel">
<div id="deleteBackBtn" class="button imageBack"><img src="spacer.png" class="cssimg"><span></span></div>
<div id="deleteOKBtn" class="button imageOK"><img src="spacer.png" class="cssimg"><span></span></div>
</div>
</div>
</div>
</body>
</html>
I'm out of ideas at the moment. I'm hoping to take a step back and look at it all again, but would appreciate any thoughts or suggestions.
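Added example (not part of the original post): a minimal Python decoder for the SPNEGO NegTokenResp tokens carried in the `WWW-Authenticate: Negotiate` headers quoted in the trace. It handles only the response-token form from RFC 4178; for the two quoted values it reports NTLM as the selected mechanism on the 401 and `accept-completed` on the 200, which means the authentication handshake finished successfully.

```python
import base64

NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
MECHS = {"1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.2.840.113554.1.2.2": "Kerberos V5"}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_neg_token_resp(header_value):
    """Summarise the NegTokenResp carried in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("no Negotiate token present")
    tag, body, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0xA1:                        # [1] = NegTokenResp; 0x60 would be an initial token
        raise ValueError("not a NegTokenResp (tag 0x%02x)" % tag)
    _, seq, _ = read_tlv(body, 0)          # inner SEQUENCE
    out, pos = {}, 0
    while pos < len(seq):
        ctx, wrapped, pos = read_tlv(seq, pos)
        _, value, _ = read_tlv(wrapped, 0)
        if ctx == 0xA0:
            out["negState"] = NEG_STATE.get(value[0], "unknown")
        elif ctx == 0xA1:
            oid = decode_oid(value)
            out["supportedMech"] = MECHS.get(oid, oid)
        elif ctx == 0xA2:
            out["responseToken_len"] = len(value)
        elif ctx == 0xA3:
            out["mechListMIC_len"] = len(value)
    return out

# The two header values quoted in the trace above
FIRST_401 = decode_neg_token_resp("Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=")
FINAL_200 = decode_neg_token_resp("Negotiate oRswGaADCgEAoxIEEAEAAAAYWonWSVdERgAAAAA=")
```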
I do have https enabled and configured on EV with the proper cert. After coming across a good troubleshooting article for mail apps here:
http://blogs.msdn.com/b/emeamsgdev/archive/2014/09/19/troubleshooting-exchange-2013-mail-apps-executeewsproxy-calls.aspx
and the author's corresponding visual on various logs to check to see where the failure might be:
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-components-postattachments/00-10-55-92-15/steps.png
I was able to trace the issue through each step of the communication process. It turns out that we had a firewall blocking traffic from our mailbox servers back to the Exchange 2013 F5 VIP on port 443. What was happening was that the Enterprise Vault mail app was communicating properly with the EV server and communication was working up through step 3. After step three, checking the Exchange CAS IIS logs again, I did not see any IIS requests coming back from the mailbox servers. EV was configured correctly in this case and it turned out to be an Exchange communication issue.
Everything seems to be working well now.
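Added example (not from the original poster): one way to script the two checks described in the resolution, a TCP probe to port 443 run from a mailbox server and a scan of the CAS IIS logs for requests arriving from the mailbox servers. The function names, the sample log and the IP addresses are constructed for illustration, and the log check assumes the load balancer preserves the source address, so that `c-ip` shows the mailbox server rather than the F5.

```python
import socket

def can_connect(host, port=443, timeout=3.0):
    """TCP reachability probe; run it on each mailbox server against the CAS VIP name."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                            # refused, filtered (timeout) or unresolvable
        return False

def requests_by_client(iis_log_text, client_ips):
    """Count W3C-format IIS log entries per client IP of interest (0 = never arrived)."""
    counts = {ip: 0 for ip in client_ips}
    fields = []
    for line in iis_log_text.splitlines():
        if line.startswith("#Fields:"):        # column layout can change mid-file
            fields = line.split()[1:]
        elif line and not line.startswith("#") and "c-ip" in fields:
            row = dict(zip(fields, line.split()))
            if row.get("c-ip") in counts:
                counts[row["c-ip"]] += 1
    return counts

def silent_clients(iis_log_text, client_ips):
    """Mailbox servers with no logged request: candidates for a blocked return path."""
    counts = requests_by_client(iis_log_text, client_ips)
    return sorted(ip for ip, n in counts.items() if n == 0)

# Constructed sample CAS IIS log (documentation address ranges, not real hosts)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2015-11-03 13:58:59 192.0.2.10 GET /owa/ 443 198.51.100.23 200
2015-11-03 13:59:01 192.0.2.10 POST /EWS/Exchange.asmx 443 192.0.2.21 200
"""
MAILBOX_SERVERS = ["192.0.2.21", "192.0.2.22"]  # hypothetical mailbox server IPs

if __name__ == "__main__":
    print(requests_by_client(SAMPLE_LOG, MAILBOX_SERVERS))
    print("no requests seen from:", silent_clients(SAMPLE_LOG, MAILBOX_SERVERS))
```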