CodeTwo Base.title

MAPI_E_FAILONEPROVIDER and mailbox permissions

Problem:

When attempting to configure the CodeTwo Exchange Sync synchronization account service, you see the following error message:

Unable to connect to Exchange Server.
Failed to open mailbox 'Mailbox - <account_name>@<domain>'.
MAPI_E_FAILONEPROVIDER (0x8004011d)

485-1
Fig. 1. MAPI error message while connecting to the server.

Solution:

The problem seems to have its source on the environmental side and is in most cases connected with certain conflicts between Access Control List (ACL) permissions associated with a user which mailbox is going to be opened.  

First of all, make sure that the user account meets the requirements mentioned in our another knowledge base article: Error opening default mailbox in the MAPI profile

The next step is to identify conflicts between ACL permissions. To see the permissions list use the below ems Exchange Management Shell cmdlet:

Get-MailboxPermission -Identity "<UserAccount>" | FL

Now we need to find all entries which concerns access rights given for a user or group (i.e. Organization management). The example output is shown in the Fig. 2.

485-2
Fig. 2. Example mailbox permission - cmdlet output.

In our example, we have listed access rights to Administrator's mailbox granted for the Organization management group. The bottom entry informs that the group has Full Access rights to the mailbox. On the other hand, there is an entry (at the top of the list) which informs that Full Access rights are denied for this group (see Deny property) and it is not inherited (IsInherited flag). That kind of scenario may be the reason why MAPI_E_FAILONEPROVIDER error is shown when attempting to open the mailbox using a MAPI profile. If you see a similar duplicated entries, you can try to solve your issue by either using a new user profile or resolving the conflicts manually.

New account

Creating a new account that could be used by CodeTwo Exchange Sync is the most effective method. To do so, please follow the steps below:

  1. According to our User Guide create a new user that meets the following requirements, along with a new mailbox:
    • is a member of Domain Admins (required to access Exchange mailboxes via MAPI)
    • is not disabled, locked, etc.
    • is Exchange mailbox-enabled
    • its mailbox is not hidden from Exchange address list
  2. Log in on mailbox of the new account (e.g. using OWA).
  3. Send and receive any message to make sure that mailbox is activated (you can send an email to itself).
  4. Log out from your current profile, on the machine where CodeTwo Exchange Sync is installed.
  5. Log in as the new account.
  6. Try to configure CodeTwo Exchange Sync.

Resolving conflicts manually

If creating a new account does not work or you need to stay with desired user account, you can solve the conflicts manually. To get rid of the MAPI_E_FAILONEPROVIDER error, all conflicts must be resolved by removing faulty entries. To do that customize the below ems Exchange Management Shell cmdlet to suit your environment:

# Remove deny permission assigned for Administrator in the case of Organization Management 
Remove-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights FullAccess -deny:$true

And confirm by typing: y in the confirmation step. Please be aware that only not inherited rights may be removed this way. There may be more permission conflicts in your environment and they all have to be resolved for the mailbox used as synchronization service account in the CodeTwo Exchange Sync. If you need to add permissions for a mailbox, you can use the following command:

# Add full access permission for Administrator in the case of Organization Management group
Add-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights Full Access -InheritanceType All

See also:

  • Applies to: CodeTwo Exchange Sync
  • Categories: Troubleshooting
  • Last modified: 2016-10-26
  • Created: 2015-04-24
  • ID: 485
  • Keywords: access rights, fullaccess, acl, permissions
Our Clients:
Unicef
Facebook
Shell
T-Systems
Loreal
Casio
UPS Israel
Oford University
Mitsubishi Motors
Toshiba TEC UK Imaging Systems Ltd
Illinois Institute of Technology
MAN Diesel
McDonalds India
Skoda Auto
Bank of Israel
Fujifilm
China Mobile
Santander
Samsung SDI
Skanska
Generali
Telmex
Toyota Tsusho
BECHTEL
Ricoh
BAE SYSTEMS
Federação Portuguesa de Futebol
Credit Agricole
HYUNDAI
Rothschild
Toyota Boshoku
Oriflame Romania
ING
Ikea
Nordea

Partners, certificates & awards