Outlook object model guard crisis

mpriem

Hi there,

A client of mine uses a VB6 application to send out emails using
methods provided by the msmapi32.ocx ActiveX component. They
implemented the Outlook security template ages ago and added the
credentials of the account running the application to it, to allow it
to send out emails and access the address book.
Now all of a sudden (I also get the shivers when someone says that) the
object model guard of Outlook is blocking the sending out of emails.
I checked the code and it uses the MapiSession control to log on to an
existing Outlook profile (using the Logon() method). It then uses the
MapiMessages control to send out the emails (using the Send() method). The
mails are "SEND AS" the mailboxes in the mail profile. These are
disabled user accounts with mailboxes, which are also added to the
template.

I checked the following:

- The administrative template is correctly configured (published,
configured reviewer permissions for default/anonymous)
- The registry setting for the user running the application is set
correctly.
- When opening all profiles used by the profile with outlook, the
template is visible.
- The mail profiles do not use cached mode exchange.
- The default mail delivery location for all profiles is mailbox.

There are a few strange things happening:
- When I run a custom VBScript using MAPI code the model guard does not
block any methods for the user. When using a user who is not added to
the template it does. This tells me the template is working.
- The object model guard does not always block the emails. When only a
few emails need to be sent out, everything goes well most of the time.
When more than 6 need to be sent out, it starts blocking the emails
with the nagging popups.


Does anyone have any ideas????
How can I tell that the template is correctly implemented??
Are there any regkeys I can check to see if it works??
Are there any limitations to using email profiles to SEND AS the
mailbox?
Does it matter that the user accounts for the mailprofiles used are
disabled???
 
Sue Mosher [MVP-Outlook]

Look on the Help | About Microsoft Outlook dialog: What does it say for Security Mode?

If the behavior changed, then it's almost certain that something in the client or server configuration changed to cause the change in behavior.

The ideal solution, of course, would be to use a different method other than that .ocx to send the messages -- CDO for Windows or Outlook Redemption would both be better and avoid the prompts.

FYI, there is a newsgroup specifically for general Outlook programming issues "down the hall" at microsoft.public.outlook.program_vba or, via web interface, at http://www.microsoft.com/office/community/en-us/default.mspx?dg=microsoft.public.outlook.program_vba
--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
mpriem

It states Administrator/User controlled.

About changing the code; I brought that up, but they did not want to
change the code. It worked before.
It is not an option for now.

The strange thing is that when using the profile of user executing the
program, all goes well.
When another profile is used, only 2 - 3 messages are being sent out
and then the pop-up appears.

Thanks!
 
Sue Mosher [MVP-Outlook]

I've never seen "Administrator/User controlled." It should be either Administrator Controlled, User Controlled, or Default. I'd suggest checking the registry entry again.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
mpriem

Sorry to disappoint you :) but it really does state Administrator/User
controlled.

Also the regkey is set properly:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Security

Dword > CheckAdminSettings=1

We are using Outlook 2003 sp2


Can you confirm that using different profiles within a vb app will not
pose any limitations?
 
Sue Mosher [MVP-Outlook]

mpriem said:
Can you confirm that using different profiles within a vb app will not
pose any limitations?

Sorry, but I don't know what you have in mind. Only one Outlook mail profile can be running at a time.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
mpriem

I mean that the vb app logs on and off to different profiles in
sequence.
I reproduced a similar issue at my own workstation.

I created a mail profile for a user and gave my own credentials full
mailbox access.

When I use a script to send emails through Simple MAPI using my own
profile, all goes well.
When I use the same script to send emails through the other user's
profile, it generates a popup.

Thanks,

Mark
 
Sue Mosher [MVP-Outlook]

The primary mailbox for the other profile would need to be included in the security settings folder item that relaxes the object model guard.

Did any of the mailboxes recently move from one server to another?

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
Sue Mosher [MVP-Outlook]

Perhaps part of the problem is that the mail profiles that you are using for those mailboxes need to be updated. I'd update the security settings item as well.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers


mpriem said:
Yes,

Several of them.

Kind Regards,

Mark

Sue Mosher [MVP-Outlook] wrote:
The primary mailbox for the other profile would need to be included in the security settings folder item that relaxes the object model guard.

Did any of the mailboxes recently move from one server to another?
 
mpriem

Well,

The mailboxes are members of a nested distribution list.
I posted a new template with the DLs, without any effect.

I can try to add them individually, just to try..
 
mpriem

That didn't work either.....

Just to be sure.... The template does not need to be published to the
Organizational Forms, right? Only to the Outlook Security Settings
folder???
 
Sue Mosher [MVP-Outlook]

You mean the security settings item template? That's correct: It can be published to the public folder.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
mpriem

I'm completely out of ideas now.

Sue, thank you very much for your help. You are great!
I will open a support case at MS for this.

Best Regards,

Mark Priem
 
Sue Mosher [MVP-Outlook]

Let us know what you find from the support case. We hear periodically about problems with the Outlook Security Settings folder, but without any specific causes.

In Outlook 2007, BTW, the settings are all controllable by GPO.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
 
mpriem

MS called back, and I think we have a winner!
I will get back to you when I've tested and implemented the
workaround.
It has something to do with a protection that was introduced with SP2 of
Exchange to protect Exchange from malicious programs, by putting a
limit on the number of public folder referrals per certain amount of
time. I will post the complete description in a few days.
 
mpriem

Ok, we solved it..

This is what happened:

In Outlook 2003 SP2 there was a change: whenever Outlook
tries to access a public folder, it always contacts its home server first (stored
in the Outlook profile). The home server gives back an EcWrongServer
and the referral to the server where the public folder is located.
In Exchange SP2 there was a change: if Exchange has to send an
EcWrongServer more than 5 times in 10 seconds, it will respond with an
EcServerPaused, which will end up in a MAPI error MAPI_E_FAILONPROVIDER.
This error means that the Outlook client is not able to find
the Outlook security form, and as a result it will show the security
warning.
The issue only occurs if the home server of the mailbox/user used is
not the one that also holds the Outlook security settings public
folder, which is true in my environment.

To work around this issue, it is possible to force Outlook not
to contact the home server first when searching for a public
folder. What we need to do is remove or rename the registry
key where the home server is stored in the Outlook profile.
Please try to rename the following registry key on the profile of the
user you use to send the emails:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<profile>\13dbb0c8aa05101a9bb000aa002fc45a]

Rename the property "001e6612" to "001e6612_old" and check whether the
issue still occurs when sending a bigger number of emails using your
application.
Another solution would be to move the mailboxes to a server containing
the public folder or to add replicas.

Also regarding the Security Mode "Administrator/User controlled"

This is indeed a valid mode. It is called the
"Outlook_security_combined_mode"
It is enabled when the following setting is set in the security
template:
"Allow users to lower attachments to level 2"

The client will then have the following registry key added:
"HKCU\Software\Microsoft\Office\11.0\Outlook\Security\Level1Remove"

Thanks for your help Sue!
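
The workaround in the post above, written as a PowerShell audit over every MAPI profile of the current user. This is an added example, not part of the original thread or from Microsoft; the -Rename switch is a hypothetical name, and the registry paths and value names are the ones quoted in the thread.

```powershell
# Added example (not from the thread): audit, and optionally apply, the
# workaround described in the post for every MAPI profile of the current user.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Rename   # hypothetical switch name: perform the rename
)

$profilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$sectionId    = '13dbb0c8aa05101a9bb000aa002fc45a'   # subkey quoted in the post
$valueName    = '001e6612'                           # value quoted in the post
$backupName   = "${valueName}_old"
$policyKey    = 'HKCU:\Software\Policies\Microsoft\Security'

# The thread reports CheckAdminSettings=1 as the expected policy value.
$policy = Get-ItemProperty -LiteralPath $policyKey -Name CheckAdminSettings -ErrorAction SilentlyContinue
$checkAdmin = if ($policy) { $policy.CheckAdminSettings } else { '<not set>' }
Write-Host "CheckAdminSettings = $checkAdmin"

if (-not (Test-Path -LiteralPath $profilesRoot)) {
    Write-Warning "No MAPI profiles found under $profilesRoot"
    return
}

foreach ($mapiProfile in Get-ChildItem -LiteralPath $profilesRoot) {
    $section = "$profilesRoot\$($mapiProfile.PSChildName)\$sectionId"
    if (-not (Test-Path -LiteralPath $section)) { continue }

    # Value names present in this profile section (state before any change).
    $names     = (Get-Item -LiteralPath $section).GetValueNames()
    $hasValue  = $names -contains $valueName
    $hasBackup = $names -contains $backupName

    $action = 'none'
    if ($Rename -and $hasValue -and $hasBackup) {
        $action = 'skipped: backup name already exists'
    } elseif ($Rename -and $hasValue) {
        # Rename-ItemProperty honours -WhatIf, so a dry run changes nothing.
        Rename-ItemProperty -LiteralPath $section -Name $valueName -NewName $backupName
        $action = if ($WhatIfPreference) { 'would rename' } else { 'renamed' }
    }

    [pscustomobject]@{
        Profile         = $mapiProfile.PSChildName
        HomeServerValue = $hasValue
        BackupValue     = $hasBackup
        Action          = $action
    }
}
```

Run it as the account that sends the mail, with Outlook and the sending application closed. Running it with -Rename -WhatIf first lists the profiles that would be changed without touching the registry.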
 