How to troubleshoot MAPI logon script errors in Microsoft Operations Manager 2005 when it is used together with Exchange Server 2003

To verify that the mailbox store is mounted and that Microsoft Outlook users can successfully log on, the Exchange Management Pack runs the MAPI logon verification script. In this script, the Mailbox Access account credentials are used to actually log on and open the mailbox of the test mailbox. This mailbox is typically named as follows:The mail flow verification scripts also use MAPI logon to send and receive messages.

If the Mailbox Access account does not have the correct user rights, or if it cannot log on to the test mailboxes because of other causes, it generates MAPI logon errors. This article describes the probable causes of these errors. Additionally, this article describes the steps that you must take to troubleshoot the different types of errors that you may receive.

You can view the MAPI logon script error messages in the Operator Console of MOM 2005 by using one of the following views:

• Alerts
• State
• Events

The appearance of the MAPI logon script error messages may vary depending on the view that you use to view the error messages. However, the common MAPI logon script error messages will contain one of the following phrases:

• MAPI_E_NOT_FOUND
• MAPI_E_LOGON_FAILED
• MAPI_E_NOT_INITIALIZED

For example, an error message may appear similar to the following error message:The "General troubleshooting steps" section lists the general steps that you must perform to troubleshoot the issue. Additionally, other sections list steps that you must perform to troubleshoot the issue, depending on the phrase that you see in the error message. However, if the steps that you perform in a particular section do not resolve the issue, you must perform the steps in the other sections. Sometimes multiple causes can exist for the same error. For more information about MAPI error codes, click the following article number to view the article in the Microsoft Knowledge Base:

General troubleshooting steps

Determine the Mailbox Access account that is used by the MAPI verification script to log on to the Exchange server. To do this, look in Exchange System Manager in the Logons section under the Mailbox Store folder. You should see the test mailbox and verify that the Microsoft Windows account that was used to log on was the Mailbox Access account.

Next, determine whether the issue is specific to a particular Exchange server or if the issue applies to all Exchange servers. If you receive MAPI logon verification script problems that generate event ID 9981 (general MAPI logon failure) or event ID 9016 (generated by the MailFlow sender script), verify that the Mailbox Access account has full mailbox rights on the mailbox that is used for the MAPI logon test. To do this, follow these steps:

1. Log on to Outlook by using the Mailbox Access account.
2. Open the test mailbox. To do this, click Open Other User’s Folder on the File menu, and then type the name of the test mailbox. You should be able to see the Inbox of the test account.
3. If you cannot open the mailbox, start the Active Directory Users and Computers snap-in, and then examine the properties of the test mailbox.
4. Click Exchange Advanced, and then click Mailbox Rights. The Mailbox Access account should be listed here and should be granted the following permissions:
   • Full Mailbox Access
   • Delete mailbox storage
   • Read

If you can log on to Outlook as the Mailbox Access account, and you can open the mailbox of the test account by using the credentials of the Mailbox Access account, you should direct your troubleshooting to the individual Exchange servers instead of looking for a permissions problem in Active Directory.

If you cannot open the test mailbox, make sure that none of the mailboxes that MOM uses (Mailbox Access account and test mailboxes) are hidden. Also, determine whether the accounts were created manually, were created by using the Exchange Management Pack Configuration Wizard, or were created by using provisioning software. This will help narrow the reasons for the issue with the accounts or test mailboxes.

Error: MAPI_E_NOT_FOUND

To resolve this issue, verify the value for the following registry entry:This is the location where temporary MAPI logon profiles are created. This value should be configured as follows: Typically, the profile directory would be C:\temp\exmppd. For more information about MAPI profile files, click the following article number to view the article in the Microsoft Knowledge Base: Verify that the Mailbox Access account, not the test mailbox for the server, has read and write permissions to the C:\temp\exmppd directory. The best way to do this is to log on to the server as the Mailbox Access account and then verify that you can create a test file in this directory.

The Mailbox Access account must have local logon rights on each Exchange server. These rights are required for the MAPI logon and mail flow tests. The Exchange Management Pack Configuration Wizard automatically grants the necessary rights.

Error: MAPI_E_NOT_INITIALIZED

Typically, this error is related to file versions on the Exchange server. To verify file conflicts, follow these steps:

1. Verify whether Outlook is installed on this server.
2. Verify the versions of Cdo.dll.
3. Additionally, you can use the MFCMapi tool to open the mailbox of the Mailbox Access account. To do this, follow these steps:
   1. Download MFCMapi, and then copy it to the Exchange server. MFCMapi can help you identify the cause of the logon errors. For more information about how to obtain MFCMapi, click the following article number to view the article in the Microsoft Knowledge Base:
      291794  (http://support.microsoft.com/kb/291794/ ) MFCMAPI demonstrates MAPI client code
   2. Run MFCMapi.
   3. On the Session menu, click Logon and Display Store Table.
   4. You will be prompted to create a profile.
   5. You can enter the Mailbox Access account information to verify that you can log on to the mailbox.
   6. You can also perform a check name operation.

Error: MAPI_E_LOGON_FAILED(80040111)

Inherited "Deny" permissions cause the MAPI logon verification test to fail. If the Mailbox Access account is included in a group that has "Send As" and "Receive As" permissions that are configured as "Deny" at the organization level, the Mailbox Access account cannot log on to the Exchange server. To verify and correct this issue, follow these steps.

Step 1: Verify that you can see the mailbox in Exchange System Manager

1. Log on to the Exchange server as the Mailbox Access account.
2. Start Exchange System Manager.
3. Expand Administrative Groups, and then expand Servers.
4. Click Mailboxes.
5. Verify that you can see the list of mailboxes in the right pane. If you cannot see the mailboxes, the Mailbox Access account may be denied the "View Information Store Status" permission.

Step 2: Verify user rights in Exchange System Manager

1. Log on to the Exchange server as the Mailbox Access account.
2. Start Exchange System Manager.
3. Right-click the organization object, and then click Properties.
4. Click the Security tab, and then click Advanced.
   
   Note If you cannot see the Security tab, click the following article number to view the article in the Microsoft Knowledge Base:
   264733  (http://support.microsoft.com/kb/264733/ ) How to enable the Security tab for the organization object in Exchange 2000 and in Exchange 2003
5. Verify whether any of the groups that include the Mailbox Access account are denied the "Send As" or the "Receive As" user right.
6. If you find that "Deny" permissions are configured for the group that includes the Mailbox Access account, follow the steps in the "Step 3: Make sure that the Mailbox Access account is not included in a group that has organization-level 'Deny' permissions" section.

Step 3: Make sure that the Mailbox Access account is not included in a group that has organization-level "Deny" permissions

If the group that includes the Mailbox Access account has "Deny" permissions configured for the "Send as" or the "Receive as" user right at the organization level, the Mailbox Access account cannot log on to the Exchange server. If the Mailbox Access account is configured as an administrative account that is included in groups that are restricted at the organization level, you must use an ordinary account that is not included in these default groups. For example, you can use an ordinary domain user account that has the "Log on locally" user right for the Mailbox Access account. To correct this problem, follow these steps:

1. Create a new Mailbox Access account.
   
   Note You can use an ordinary domain user account.
2. Verify that the new Mailbox Access account can resolve names in the global address list.
3. Run the Exchange Management Pack Configuration Wizard.

Error: Event ID 9983 – "Cannot Impersonate Mailbox Access Account"

If you receive this event, the credentials that you supplied when you ran the Exchange Management Pack Configuration Wizard or the ExchangeMOMSetCredentialUtility.exe were incorrect. Run the Exchange Management Pack Configuration Wizard or the ExchangeMOMSetCredentialUtility.exe again by using the correct credentials. This event may also indicate that the Mailbox Access account may not have permission to log on locally to the Exchange server. Verify that the Mailbox Access account is listed as having the "Allow log on locally" user right in the Local Security Policy or in the Domain Controller Security Policy if the server is a domain controller.

Note The ExchangeMOMSetCredentialUtility tool is included with Microsoft Operations Manager 2000. The Exchange Server 2003 Management Pack for Microsoft Operations Manager 2000 Service Pack 1 (SP1) and later Management Packs do not include this tool. Instead, the Exchange Management Pack Configuration Wizard is used together with these products. You can use the Exchange Server 2003 Management Pack Configuration Wizard to perform the functions that you performed by using the ExchangeMOMSetCredentialUtility tool.

Error: MAPI_E_AMBIGUOUS_RECIP

You receive this error if the mailbox logon script does not run. This error occurs when the Mailbox Access account display name and the samAccountName attribute in Active Directory are different. To resolve this issue, follow these steps:

1. Delete the Mailbox Access account.
2. Create a new Mailbox Access account by using the Exchange Management Pack Configuration Wizard.

Intermittent MAPI logon failures

Active Directory problems can cause intermittent failure of the MAPI logon verification script. MAPI logon fails if it cannot access a domain controller or if the domain controller does not respond in a timely manner.

1. Start the Microsoft Exchange System Attendant service.
2. Verify the configuration for the agent mailboxes. Then, correct any configuration errors.
3. Verify that the domain controllers in the domain can be accessed and that users can log on by using Outlook.

Log MOM errors

You can log MOM errors to a log file by configuring a registry entry on the Exchange server. To do this, follow these steps:

1. Start Registry Editor.
2. Locate the following subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange MOM\
3. Create the following registry entry under this subkey:
   Value name: DebugLS
   Value type: DWORD
   Value data: 1
4. Stop and then restart the MOM service on the Exchange server. Wait until the MAPI logon verification script runs. If it is required, wait overnight to make sure that the script runs.
5. Look for the ExMPLS_LOG.txt file in the root of the %systemdrive%. Typically, this is drive C.
   
   Note This log file is frequently useful to troubleshoot MAPI logon issues.