Symantec Enterprise Vault
Technical Note
Troubleshooting OWA Extensions
8.0
Symantec Information Foundation
Last updated: April 15, 2009. Copyright 2009 Symantec Corporation. All rights reserved.
Troubleshooting OWA Extensions

This document includes the following topics:

- Troubleshooting OWA 2007 Extensions
- Troubleshooting OWA 2000 and OWA 2003 Extensions
- Configuration changes on OWA Exchange Servers
- Configuration changes on the Enterprise Vault server

Troubleshooting OWA 2007 Extensions

If Enterprise Vault functionality is not available in OWA clients after installing the OWA 2007 Extensions, or users cannot perform actions such as archiving items, or viewing archived items, you can initiate logging for OWA 2007 sessions using settings in the Web.Config file on the Exchange 2007 CAS server. See "Log file settings in Web.Config".

If OWA users cannot access Archive Explorer or browser search, then check the IIS logs on the Enterprise Vault server, as the client attempts to connect directly to the Web application on the Enterprise Vault server for these features. If you are using an ISA Server, then check that the Enterprise Vault Web application is published to clients, as described in the manual, Setting up Exchange Server Archiving.

Log file settings in Web.Config

Settings in the Web.Config file on the Exchange 2007 CAS server enable you to log communication between OWA and the Enterprise Vault Extensions. You can initiate logging for all OWA 2007 sessions, or for specific mailbox sessions. The Web.Config file is in the following location:

    Exchange installation folder\clientaccess\owa

Table 1-1 lists the settings that you can add to this file. These should be added to the AppSettings section of the file using the following format:

    <add key="setting" value="value"/>

Note that entries in this file are case sensitive. For example:

    <add key="enterprisevault_logenabled" value="true"/>
    <add key="enterprisevault_logmailboxes" value="j.doe@example.com;p.coe@example.com"/>

Table 1-1 Web.Config settings

| Setting | Default value | Notes |
|---|---|---|
| EnterpriseVault_ResourceVersion | Set by installer. | The name of the versioned folder containing the Enterprise Vault OWA 2007 resources, such as script files and images. |
| EnterpriseVault_LogFolder | Enterprise Vault installation folder\owa 2007\Logs\ | The folder where log files will be saved. Authenticated users need full control access to this folder. Note the trailing backslash. |
| EnterpriseVault_LogEnabled | false | To enable logging, give this setting the value true. Any other value disables logging. |
| EnterpriseVault_LogMailboxes | not set | Use this setting to restrict logging to specific mailboxes. The value is a semicolon delimited list of the primary SMTP addresses for the mailboxes to log. EnterpriseVault_LogEnabled must be set to true. If logging is enabled and this is not set, then all mailboxes are logged. |

A log file is created for each OWA session for each mailbox; the file name contains the SMTP address of the mailbox and the date:

    EVOwaLog_SMTPaddr_date.txt

Troubleshooting OWA 2000 and OWA 2003 Extensions

This section provides information on troubleshooting Enterprise Vault OWA 2000 and OWA 2003 Extensions.

Installation log files

The following Enterprise Vault log files are created in the installation folder for the OWA Extensions (typically, Program Files\Enterprise Vault\OWA):

- EVControlFilesTool.wsf.log (created on front-end and back-end OWA 2003 servers).
- BackEnd2000Setup.wsf.log or BackEnd2003Setup.wsf.log (created on back-end OWA 2000 and OWA 2003 servers respectively).
- FrontEnd2003Setup.wsf.log (created on front-end OWA 2003 servers).

If you configure MSI logging, MSI logging files will be created in addition to the Enterprise Vault installation log files.
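For the OWA 2007 Web.Config logging settings in Table 1-1, the following Python sketch is an added example, not part of the Symantec note or the product. It reports whether session logging is on, for which mailboxes, and whether the log folder value ends in a backslash. The function names and the sample file are constructed; keys are matched without regard to case because the page shows both spellings, and only the exact value true is treated as enabling logging.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from a real server): logging enabled for two
# mailboxes, log folder written without the trailing backslash.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <appSettings>
    <add key="enterprisevault_logenabled" value="true"/>
    <add key="enterprisevault_logmailboxes" value="j.doe@example.com;p.coe@example.com"/>
    <add key="EnterpriseVault_LogFolder" value="D:\EVLogs"/>
  </appSettings>
</configuration>"""

PREFIX = "enterprisevault_"


def read_ev_settings(xml_text):
    """Return {lower-cased key: (key as written, value)} for Enterprise Vault entries."""
    root = ET.fromstring(xml_text)
    found = {}
    for add in root.findall("./appSettings/add"):
        key = add.get("key", "")
        if key.lower().startswith(PREFIX):
            found[key.lower()] = (key, add.get("value", ""))
    return found


def audit_logging(xml_text):
    """Summarise the logging state described by Table 1-1 of the page."""
    s = read_ev_settings(xml_text)
    # "Any other value disables logging": compare against the exact string.
    enabled = s.get("enterprisevault_logenabled", ("", "false"))[1] == "true"
    raw = s.get("enterprisevault_logmailboxes", ("", ""))[1]
    mailboxes = [m.strip() for m in raw.split(";") if m.strip()]
    folder = s.get("enterprisevault_logfolder", ("", None))[1]

    findings = []
    if enabled and not mailboxes:
        findings.append("logging is enabled for ALL mailboxes")
    elif enabled:
        findings.append("logging is enabled for %d mailbox(es)" % len(mailboxes))
    if mailboxes and not enabled:
        findings.append("LogMailboxes is set but logging is not enabled")
    if folder is not None and not folder.endswith("\\"):
        findings.append("LogFolder has no trailing backslash: %s" % folder)

    # Log file names start with EVOwaLog_<SMTP address>_ followed by the date.
    prefixes = ["EVOwaLog_%s_" % m for m in mailboxes] if enabled else []
    return {
        "enabled": enabled,
        "mailboxes": mailboxes,
        "log_folder": folder,
        "log_file_prefixes": prefixes,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_WEB_CONFIG)["findings"]:
        print(finding)
```

Because the log folder grants Authenticated users full control and the file names contain mailbox SMTP addresses, the same report is useful after troubleshooting to confirm that logging has been switched off again.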
Capturing diagnostic information for the Enterprise Vault Extensions

During the configuration of the Enterprise Vault OWA 2000 and 2003 Extensions, the file, installation_path\enterprisevault\owa\evbackend.ini, is created on back-end Exchange Server 2000 and 2003 computers, and the file, installation_path\enterprisevault\owa\evfrontend.ini, is created on front-end Exchange Server 2003 computers.

The following settings in these files enable you to monitor communication between the Enterprise Vault OWA 2000 and 2003 Extensions, OWA components and Enterprise Vault when clients attempt to connect to Enterprise Vault:

- The diagnosticfilefolder setting defines where the log files will be created. The default value is installation_path\enterprisevault\owa\logging\.
- The exchangediagnostics setting enables logging of communication between the Enterprise Vault OWA 2000 and 2003 Extensions and the back-end Exchange Server. This setting is not available on front-end Exchange servers, as there is no communication between Enterprise Vault OWA Front-End Extensions and the front-end Exchange Server.
- The proxydiagnostics setting enables logging of communication between the OWA client and Enterprise Vault via the EnterpriseVaultProxy virtual directory, for example, when the client is using the Enterprise Vault web application during an archive search or Archive Explorer session, or when viewing an item using Enterprise Vault View mode.

Configure these settings as described in this section and then perform the necessary actions to reproduce the problem. If Dtrace is being used to capture information on the Enterprise Vault computer, then set it up before you reproduce the problem.

To enable logging on a back-end Exchange Server

1 Edit the EVBackEnd.ini file on the Exchange Server.
2 Locate the line exchange_server.website_id.virtual_directory.exchangediagnostics=0 and change the value of the setting from 0 to 2.
3 Locate the line exchange_server.website_id.virtual_directory.proxydiagnostics=0 and change the value of the setting from 0 to 2.
4 Note the value of diagnosticfilefolder, which shows where the log files will be created.
5 Save the changes to the file.
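The edit described in these steps can be scripted. The following Python sketch is an added example, not part of the Symantec note or the product: it lists which diagnostics lines are currently non-zero, reports the diagnosticfilefolder value, and rewrites every exchangediagnostics and proxydiagnostics line to 0 or 2, the only two values the page mentions. It works on the text of either EVBackEnd.ini or EVFrontEnd.ini. The sample content, the server name EXCH01, the treatment of lines starting with ; # or [ as non-settings, and the function names are assumptions.

```python
DIAG_NAMES = ("exchangediagnostics", "proxydiagnostics")

# Constructed sample in the key format shown on the page:
# exchange_server.website_id.virtual_directory.setting=value
SAMPLE_INI = "\n".join([
    "; constructed sample, not copied from a real server",
    "diagnosticfilefolder=C:\\EV\\owa\\logging\\",
    "EXCH01.1.Exchange.exchangediagnostics=2",
    "EXCH01.1.Exchange.proxydiagnostics=0",
    "EXCH01.1.Public.exchangediagnostics=0",
    "EXCH01.1.Public.proxydiagnostics=2",
])


def _split(line):
    """Return (key, setting name, value) for a key=value line, else None."""
    stripped = line.strip()
    if not stripped or stripped[0] in ";#[" or "=" not in stripped:
        return None
    key, value = (part.strip() for part in stripped.split("=", 1))
    # The setting name is the last dot-separated component of the key; the
    # server name in front of it may itself contain dots.
    return key, key.rsplit(".", 1)[-1].lower(), value


def diagnostics_report(text):
    """Return the log folder and every diagnostics line whose value is not 0."""
    folder, enabled = None, []
    for line in text.splitlines():
        parsed = _split(line)
        if parsed is None:
            continue
        key, name, value = parsed
        if name == "diagnosticfilefolder":
            folder = value
        elif name in DIAG_NAMES and value != "0":
            enabled.append((key, value))
    return {"log_folder": folder, "enabled": enabled}


def set_diagnostics(text, level):
    """Rewrite all diagnostics lines to level (0 = off, 2 = on); keep other lines."""
    if level not in (0, 2):
        raise ValueError("only 0 and 2 are described on the page")
    out = []
    for line in text.splitlines():
        parsed = _split(line)
        if parsed and parsed[1] in DIAG_NAMES:
            line = "%s=%d" % (parsed[0], level)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(diagnostics_report(SAMPLE_INI))
    print(set_diagnostics(SAMPLE_INI, 0))
```

Running diagnostics_report on the saved file after the problem has been reproduced shows which virtual directories are still logging and where the log files are written.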
To enable logging on a front-end Exchange Server

1 If the problem is not seen when connecting directly to the back-end Exchange Server, edit the EVFrontEnd.ini file on the front-end Exchange Server.
2 Locate the line exchange_server.website_id.virtual_directory.proxydiagnostics=0 and change the value of the setting from 0 to 2.
3 Note the value of diagnosticfilefolder, which shows where the log files will be created.
4 Save the changes to the file.

Checksum failure on OWA controls files

Exchange Server 2003 hotfixes may modify OWA controls files. If you have installed an Exchange Server 2003 hotfix that has created a version of the OWA controls files that is not supported by Enterprise Vault, or modified any files in the controls files folder (typically installation_path\exchsrvr\exchweb\6.5.nnnn.n\controls), then installing the Enterprise Vault OWA Extensions will fail. The installation log file, EVControlFilesTool.wsf.log, will contain lines similar to the following:

    Info : CompareControlFileChecksums : Checksum does not match... pristine value. Comparing with known checksums
    Error : CompareControlFileChecksums : control_filename has been... modified but not by EV
    Error : CompareControlFileChecksums : Some controls files in C:\Program Files\Exchsrvr\exchweb\6.5.nnnn.n\controls\ have been modified but not by Enterprise Vault

For details of the versions of OWA 2003 controls files supported by the Enterprise Vault OWA Extensions, see the Enterprise Vault Compatibility Charts on the Symantec Support Website:

http://entsupport.symantec.com/docs/276547

You can restore the original, unmodified OWA controls files by doing either of the following:

- If Enterprise Vault OWA Extensions have been installed previously, the original controls files will be in the folder, installation_path\exchsrvr\exchweb\6.5.nnnn.n\Controls-originals copied by Enterprise Vault. Copy the files from this folder back into the Controls folder, and then rerun the Enterprise Vault OWA Extensions installation.
- Install (or reinstall) the Exchange Server hotfix which provides the required version of the OWA controls files, and then rerun the Enterprise Vault OWA Extensions installation.

Errors when configuring OWA Extensions

The following error may be generated during the configuration phase of the OWA Extensions installation.

Registration failed

The following error may be generated when configuring the front-end or back-end OWA 2003 Extensions:

    registration failed, error: -2147217895 Object or data matching the name, range, or selection criteria was not found within the scope of this operation.

You need to create at least one public folder before you configure the OWA Extensions. As Microsoft Exchange installation automatically creates a public folder store, Enterprise Vault will attempt to register forms against public folders. If no public folders exist, the error will be displayed.

ADO connection error

The following error may be generated when configuring the front-end or back-end OWA 2003 Extensions:

    ADO connection error: -2147217895 Object or data matching the name, range, or selection criteria was not found within the scope of this operation.

This error occurs when the Simple Mail Transfer Protocol (SMTP) domain name of the Microsoft Exchange 2003 Mailbox Store System mailbox is different than that of the Microsoft Exchange 2003 server domain name. For instructions on how to fix this, see the Enterprise Vault TechNote:

http://entsupport.symantec.com/docs/280615
WinHTTP configuration problems

When you view the contents of an Enterprise Vault item, you may receive the following error message:

    Failed to get the document from the Storage Service (E_ACCESS_DENIED)

This will occur if WinHTTP has not been configured correctly using Proxycfg. See the following articles for more information:

- PRB: "Access Denied" Error Message When Using ServerXMLHTTP to Access an Authenticated Site (http://support.microsoft.com/?kbid=291008)
- You may need to run the Proxycfg tool for ServerXMLHTTP to work (http://support.microsoft.com/?kbid=289481)
- PRB: Error Message on MSXML3 Setup - "Error Creating Process msiexec.exe" (http://support.microsoft.com/?kbid=289792)
- Frequently asked questions about ServerXMLHTTP (http://support.microsoft.com/?kbid=290761)

Enterprise Vault buttons not displayed in OWA 2003 client

If the Enterprise Vault buttons do not appear in OWA 2003 clients on a default installation, you can take the following steps:

- Check that the user has been enabled for Enterprise Vault.
- Clear the client browser cache.
- Check the installation logs on the back-end Exchange Server. See "Installation log files".
- On the back-end Exchange Server, enable logging in the EVBackEnd.ini file, and review the resulting log files. See "Capturing diagnostic information for the Enterprise Vault Extensions".
- Check that Enterprise Vault forms are registered on the back-end OWA server. You can use Exchange Explorer in the Exchange Server SDK Development Tools to check form registrations. If the forms are not registered, rerun the Enterprise Vault OWA Extensions installation.
- Check that the EVOWA Virtual Directory, which is created on the back-end OWA server, is set to use the Exchange Application Pool. See "Configuration script changes: OWA 2003 back-end".
- Enterprise Vault OWA 2003 configuration edits the OWA control files on the Exchange Server. If you have installed an Exchange Server 2003 hotfix, this may have modified OWA control files or changed the version of the control file folder. For details of the versions of OWA 2003 controls files supported by the Enterprise Vault OWA Extensions, see the Enterprise Vault Compatibility Charts on the Symantec Support Website: http://entsupport.symantec.com/docs/276547
- Check that the correct Enterprise Vault OWA Extensions have been installed and configured. See the section "Which OWA Extensions to install" in the manual, Setting up Exchange Server Archiving.

Error displayed in shortcut preview pane

If the back-end OWA server computer is running Windows 2000, it requires either Windows 2000 SP3, or SP2 and a Microsoft hotfix, because of a problem with IIS 5.0. The problem is described in Microsoft support article 294833. If this is not installed, the OWA preview pane shows the following error instead of the shortcut content:

    Error type: Active Server Pages, ASP 0110 (0x80004005)
    Unable to Allocate required memory.
    /EVowa/preview.asp, line 2

Configuration changes on OWA Exchange Servers

This section summarizes the changes that the Enterprise Vault OWA Extensions configuration scripts make on the OWA Exchange Servers. This information may be useful when troubleshooting configuration problems.

Configuration script changes: OWA 2000 back-end

The configuration on an OWA 2000 back-end configures the following for each Exchange virtual server it finds on the computer:

- An EVOWA virtual directory for each Web server on the computer.
- A virtual directory called EnterpriseVaultname for each Exchange mailbox and public folder virtual directory. name is the name of the associated Exchange virtual directory.
  For example, if Exchange virtual directories are called Exchange and Public, virtual directories called EnterpriseVaultExchange and EnterpriseVaultPublic will be created.
- Execution of scripts is enabled in the settings of the Exchange mailbox and public folder virtual directories.
- Enterprise Vault forms are registered.
- Entries in the proxy bypass list from the EVServers.txt file.

Configuration script changes: OWA 2000 front-end

On OWA 2000 front-end systems, the configuration adds several .gif images. There are no configuration scripts or log files or other changes.

Configuration script changes: OWA 2003 back-end

The configuration on an OWA 2003 back-end configures the following for each Exchange virtual server it finds on the computer:

- An EnterpriseVaultProxy virtual directory for each Web server on the computer.
- An EVOWA virtual directory for each Web server on the computer.
- A virtual directory called EnterpriseVaultname for each Exchange mailbox and public folder virtual directory. name is the name of the associated Exchange virtual directory.
  For example, if Exchange virtual directories are called Exchange and Public, virtual directories called EnterpriseVaultExchange and EnterpriseVaultPublic will be created.
- Execution of scripts is enabled in the settings of the Exchange mailbox and public folder virtual directories.
- OWA control files are edited to provide Enterprise Vault functionality in clients.
- Enterprise Vault forms are registered.
- Entries in the proxy bypass list from the EVServers.txt file.

Configuration script changes: OWA 2003 front-end

The program configures the following for each Exchange virtual server it finds on the computer:

- An EnterpriseVaultProxy virtual directory for each Web server on the computer.
- OWA control files are edited to provide Enterprise Vault functionality in clients.
- Adds the names of back-end Exchange Servers to the proxy bypass list.

Configuration script changes: OWA 2007

Installing the Enterprise Vault OWA 2007 Extensions performs the following actions on the Exchange 2007 CAS Server:

- Adds the folder, installation_path\microsoft\exchange Server\ClientAccess\Owa\EnterpriseVault.
- Edits the file, Web.Config, in the folder, installation_path\microsoft\exchange Server\ClientAccess\Owa.
- Edits the file, SmallIcons.xml, to provide Enterprise Vault options in clients.
- Creates the log file folder, installation_path\EnterpriseVault\OWA 2007\Logs\, and assigns Authenticated users full access permissions to it so that log files can be created for these users.
- Sets registry entries for use by the Enterprise Vault installation program.

Note that the process differs considerably from the process for installing and configuring OWA 2000 and OWA 2003 Extensions. With OWA 2007 Extensions:

- No virtual directories, such as EnterpriseVaultProxy, are required on the Exchange servers for Enterprise Vault.
- No form registration is required.
- No proxy bypass list is required.
- The OWA control files are not edited.

Configuration changes on the Enterprise Vault server

This section describes the configuration changes made on the Enterprise Vault server when you run the owauser.wsf script to set up the anonymous user. This information may be useful when troubleshooting OWA access to Enterprise Vault servers.

The owauser.wsf script sets up the following on the Enterprise Vault server:

- Assigns the following user rights to the anonymous user:
  - Access this computer from the network (SeNetworkLogonRight)
  - Allow logon locally (SeInteractiveLogonRight)
  - Log on as a batch job (SeBatchLogonRight)
  - Bypass traverse checking (SeChangeNotifyPrivilege)
- For OWA 2003 and OWA 2007, creates (or updates) the virtual directory, EVAnon, that points to the Enterprise Vault\WebApp folder and assigns anonymous access permissions to the OWA anonymous user. Access to EVAnon is granted to the servers listed in ExchangeServers.txt. You can check this by displaying the properties of the EVAnon virtual directory, selecting the Directory Security tab and clicking Edit in the "IP address and domain name restrictions" section.
- For OWA 2000, updates the IIS settings for the OWARDR.asp file in the EnterpriseVault virtual directory, so that requests for OWARDR.asp are run under the context of the OWA anonymous user. Access to OWARDR.asp is granted to the servers listed in ExchangeServers.txt. You can check this by displaying the properties of the OWARDR.asp file, selecting the File Security tab and clicking Edit in the "IP address and domain name restrictions" section.
- Creates (or updates) the following registry value:

    HKEY_CURRENT_USER\Software\KVS\Enterprise Vault\AnonymousUser

  The value of this setting is the full name, including the domain, of the anonymous user. For example, mydomain\evowauser.
- For OWA 2003 and OWA 2007, creates (or updates) the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install\OwaWebAppAlias

  The value of this setting is the name of the virtual directory for anonymous connections, EVAnon.