MAPI_E_FAILONEPROVIDER and mailbox permissions
When attempting to configure the CodeTwo Exchange Sync synchronization account service, you see the following error message:
Unable to connect to Exchange Server. Failed to open mailbox 'Mailbox - <account_name>@<domain>'. MAPI_E_FAILONEPROVIDER (0x8004011d)
The problem seems to have its source on the environmental side and is in most cases connected with certain conflicts between Access Control List (ACL) permissions associated with a user which mailbox is going to be opened.
First of all, make sure that the user account meets the requirements mentioned in our another knowledge base article: Error opening default mailbox in the MAPI profile.
The next step is to identify conflicts between ACL permissions. To see the permissions list use the below Exchange Management Shell cmdlet:
Get-MailboxPermission -Identity "<UserAccount>" | FL
Now we need to find all entries which concerns access rights given for a user or group (i.e. Organization management). The example output is shown in the Fig. 2.
In our example, we have listed access rights to Administrator's mailbox granted for the Organization management group. The bottom entry informs that the group has Full Access rights to the mailbox. On the other hand, there is an entry (at the top of the list) which informs that Full Access rights are denied for this group (see Deny property) and it is not inherited (IsInherited flag). That kind of scenario may be the reason why MAPI_E_FAILONEPROVIDER error is shown when attempting to open the mailbox using a MAPI profile.
To get rid of this MAPI error, the conflict must be resolved by removing faulty entries. To do that customize the below Exchange Management Shell cmdlet to suit your environment:
Remove-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights FullAccess -deny:$true
And confirm by typing: y in the confirmation step. Please be aware that only not inherited rights may be removed this way. There may be more permission conflicts in your environment and they all have to be resolved for the mailbox used as synchronization service account in the CodeTwo Exchange Sync.
- Applies to: CodeTwo Exchange Sync
- Categories: Troubleshooting
- Last modified: 2015-04-27
- Created: 2015-04-24
- ID: 485
- Keywords: access rights, fullaccess, acl, permissions