Archive Tasks don't start and no events are generated in event viewer. Dtrace stuck at ConfigureMsgService.

Problem

When Outlook Anywhere is configured to use ‘Negotiate’ authentication, in the Initialization process of Archive Task, task attempts creating MAPI profile in order to open EV System Mailbox, while doing so it uses NTLM authentication for the relevant proxy server and then gets stuck at the “ConfigMsgService” function.

Error Message

There are no error messages received.
If you re-start the task controller service, you will see the Task Controller Startup event. But you won't see any event getting triggered for the Archive Task Startup.

In the Dtrace logs on ArchiveTask (for enabling dtrace, refer to: how to enable dtrace)

(ArchiveTask)<3204>{CMAPISession::CreateMapiSession:#308} Acquired CEVMAPILieModeLock Exclusive Lock
(ArchiveTask)<3204>{CMailboxHelper::CreateProfileAndSessionEx} (Entry)
….
(ArchiveTask)<3204>{CMailboxHelper::CreateProfileAndSessionEx} (Entry)
….
(ArchiveTask)<3204>{ExchangeConnectionPointInformation::IsValid:#53} SSL connection to Exchange required using proxy server [Ex2013-cas.ev.local] certificate principal [msstd:Ex2013-cas.ev.local]
(ArchiveTask)<3204>{ExchangeConnectionPointInformation::GetOutlookAnywhereAuthScheme:#108} Using NTLM authentication for proxy server [Ex2013-cas.ev.local]
…..
(ArchiveTask)      <3204>  EV:L       {CONFIGUREMSGSERVICEATTEMPT.EN_US} (Entry)
(ArchiveTask)      <3204>  EV:L       {ConfigureMsgServiceAttempt:#264} Trying ConfigureMsgService using PR_PROFILE_UNRESOLVED_SERVER [e8f708ef-cfe8-441a-a46d-037596adcc31@ev.loca], attempt [1] of [5]

Note : At this point, ArchiveTask will not release the LieModeLock it acquired while creating mapi profile. Due to which, request of any other process (such as AgentclientBroker, RetrievalTask & MigratorServer etc) attempting to acquire the same lock will be blocked. Post 15 minutes, the request will be timed out resulting in to Lock errors 7206, 3230 logged in the Enterprise Vault Event logs.

Cause

On Exchange 2016 Server or the 2013 CAS Server Windows Authentication is disabled on the RPC virtual directory.

OR

On Exchange 2016 Server or the 2013 CAS Server, NTLM provider is missing in the RPC virtual directory authentication’s ‘Enabled Providers’ list.

Negotiate authentication is enabled by default for Exchange Outlook anywhere. This is combination of Windows integrated authentication and Kerberos authentication. If we employ Negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password. Hence when NTLM provider is missing Enterprise Vault Task tries to use the NTLM authentication prompts client to authenticate using a username and password. As a result of this EnterpriseVault Archive task gets stuck at “ConfigMsgService” call.

Note: Basic authentication for Exchange Outlook anywhere is not recommended.

Solution

Option 1:

Launch Exchange Management Shell. 

Then enable Windows Authentication as follows:

Set-OutlookAnywhere -Identity "<ExchangeServerName>\rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate

As an example: 

Set-OutlookAnywhere -Identity "EXCH1\rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate

Option 2:

This issue can be resolved by adding required NTLM Authentication provider in RPC Virtual Directory properties.

1. Open IIS Manager on Exchange CAS Server, highlight RPC virtual directory and then under IIS double click on authentication.
2. Right click on Windows Authentication, select Providers.
3. Under ‘Available Providers’, select NTLM and click on Add.
4. Confirm the NTLM listed under the ‘Enabled Providers’ list and click OK.
5. Reset IIS and re-start the Task controller service on the EV Server once.
6. Repeat the same steps in case of multiple Exchange 2013 CAS servers or multiple Exchange 2016 servers.

Applies To

MS Exchange 2013 and 2016.

NOTE: If you have an Exchange 2016 environment and if the above steps are being implemented, then "MapiHttpDisabled" registry entry must be present on the EV Server as stated in the following article.