Troubleshooting Logs and Tools
SaRA tool to assess OUTLOOK client: https://diagnostics.outlook.com/#/
Also, CTRL + right-click the Outlook icon in the system tray to get the connection status.
Test connectivity from outside using: https://testconnectivity.microsoft.com/
Also check these potential sources of problems:
- Check ADFS policies
- Check Set-CASMailbox (post-authentication), for example whether the POP or IMAP protocols are blocked
- Azure AD Conditional Access policies (post-authentication)
- Authentication policies in Exchange Online (“New-AuthenticationPolicy”) (pre-authentication)
- Client access rules – exchange online
- Org level – IP blacklist – legacy authentication can be blocked
- Org level – blacklist – EWS connections can be blocked
- Org level – disable SMTP auth legacy – recommended
- To protect against DDoS attacks, enable ADFS extranet lockout protection and check the audit log
- IdFix tool: https://www.microsoft.com/en-us/download/details.aspx?id=36832
Side effects on Modern authentication:
If the ADFS WAP and internal servers are stopped, what are the side effects on access to Outlook?
- On clients with Modern authentication or ADAL, the issues are limited thanks to the access tokens (valid 90 days).
- If only the internal ADFS server is restarted, the problem is solved for these clients (no need for the WAP).
- But for OL 2010 or OL 2013 without ADAL, we are prompted to enter user/password (but without success).
- We also need the WAP working, and not only the internal ADFS server, to solve the problem on old clients that do not support ADAL.
And also check logs:
HTTP Proxy RPCHTTP Logs
In Exchange 2013, there are several logs in the logging folder. For Outlook clients, one of the first logs to examine is the HTTP Proxy log on the CAS. The connection walk-through section shows the process that is used to connect to Exchange 2013. This complete process is logged in the HTTP Proxy log. Also, if possible, add a Hosts file entry on the client for one specific CAS to reduce the number of logs to review.
The logs on CAS are located here by default: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\RpcHttp
HTTP Proxy AutoDiscover Logs
Exchange 2013 has HTTP Proxy logs for AutoDiscover that are similar to the logs shown earlier that can be used to determine whether AutoDiscover is failing.
The logs on CAS are located here by default: C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\AutoDiscover
HTTP Error Logs
HTTP Error logs record failures that occur in HTTP.SYS before the request reaches IIS. However, not all errors for connections to web sites and app pools are seen in the httperr log. For example, if ASP.NET threw the error, it may not be logged in the HTTP Error log. By default, HTTP error logs are located in C:\Windows\System32\LogFiles\HTTPERR. Information on the httperr log and codes can be found here.
IIS logs can be used to review the connection for RPC/HTTP, MAPI/HTTP, EWS, OAB, and AutoDiscover. The full data for MAPI/HTTP and RPC/HTTP is not always put in the IIS logs. Therefore, the 200 (connection successful) status may not always be seen.
In Exchange 2013 IIS logs on the CAS should contain all user connections on port 443. IIS logs on the Mailbox server should only contain connections from the CAS server on port 444.
Most HTTP connections are first sent anonymously which results in a 401 challenge response. This response includes the authentication types available in the response header. The client should then try to connect again by using one of these authentication methods. Therefore, a 401 status found inside an IIS log does not necessarily indicate an error.
Note that an anonymous request is expected to show a 401 response. You can identify anonymous requests because the domain\username is not listed in the request.
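The 401 triage described above can be automated. The following is an added example, not part of the original notes: it parses IIS W3C logs using their #Fields header and separates anonymous 401 challenges (expected) from 401 responses that carry a username (worth reviewing). The sample log lines, the CONTOSO domain, and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus
2024-01-10 08:00:01 POST /mapi/emsmdb/ 443 - 192.0.2.10 401 0
2024-01-10 08:00:01 POST /mapi/emsmdb/ 443 CONTOSO\\alice 192.0.2.10 200 0
2024-01-10 08:00:05 POST /Autodiscover/Autodiscover.xml 443 - 192.0.2.11 401 0
2024-01-10 08:00:05 POST /Autodiscover/Autodiscover.xml 443 CONTOSO\\bob 192.0.2.11 200 0
2024-01-10 08:01:00 POST /EWS/Exchange.asmx 443 CONTOSO\\carol 198.51.100.7 401 1
2024-01-10 08:01:02 POST /EWS/Exchange.asmx 443 CONTOSO\\carol 198.51.100.7 401 1
2024-01-10 08:01:04 POST /EWS/Exchange.asmx 443 CONTOSO\\carol 198.51.100.7 401 1
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def triage_401(text):
    """Return (anonymous challenge count, Counter of 401s that carry a username)."""
    challenges = 0
    failures = Counter()  # (username, client IP, URI) -> count
    for row in parse_w3c(text):
        if row.get("sc-status") != "401":
            continue
        user = row.get("cs-username", "-")
        if user == "-":
            challenges += 1  # anonymous first request: normal auth handshake
        else:
            failures[(user, row.get("c-ip"), row.get("cs-uri-stem"))] += 1
    return challenges, failures


if __name__ == "__main__":
    challenges, failures = triage_401(SAMPLE_LOG)
    print(f"anonymous 401 challenges (expected): {challenges}")
    for (user, ip, uri), n in failures.most_common():
        print(f"401 with identity: {user} from {ip} on {uri} x{n}")
```

Because the parser reads the column order from the #Fields line, it works with whatever field selection is configured on the server, as long as cs-username and sc-status are logged.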
RPC Client Access (RCA) Logs
The RCA logs can be used to find when a user has made a connection to their mailbox or to an alternate mailbox, errors that occur with the connection, and more information. RCA logs are located in the logging directory at %ExchangeInstallPath%\Logging\RpcClientAccess. By default, these logs have a maximum size of 10MB and roll over when the size limit is reached or at the end of the day (based on GMT), and the server keeps 1GB in the log directory.
Outlook ETL Logging (requires a support case with Microsoft to analyze the log)
ETL logs are located in %temp%/Outlook Logging and are named Outlook-#####.ETL. The numbers are randomly generated by the system.
To enable Outlook logging
In the Outlook interface:
- Open Outlook.
- Click File, Options, Advanced.
- Enable “Enable troubleshooting logging (requires restarting Outlook)”
- Restart Outlook.
How to enable Outlook logging in the registry:
- Browse to HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\Options\Mail
- DWORD: EnableLogging
- Value: 1
- Note: xx.0 is a placeholder for your version of Office. 15.0 = Office 2013, 14.0 = Office 2010
ExPerfwiz (Perfmon for Exchange)
You can use Perfmon for issues that you suspect are caused by performance. http://experfwiz.codeplex.com/
Exchange 2013 has daily performance logs that capture the majority of what is needed. By default, these logs are located in C:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs
Log Parser Studio
Log Parser Studio is a GUI for Log Parser 2.2. LPS greatly reduces complexity when parsing logs. Additionally, it can parse many kinds of logs including IIS Logs, HTTPErr Logs, Event Logs (both live and EVT/EVTX/CSV), all Exchange protocol logs from 2003-2013, any text based logs, CSV logs and ExTRA traces that were converted to CSV logs. LPS can parse many GB of logs concurrently (we have tested with total log sizes of >60GB).
Blog with tips/how to about LPS: http://blogs.technet.com/b/karywa/
Exmon tool (aka Microsoft Exchange Server User Monitor)
We use this tool to get detailed information about client traffic.