CodeTwo Base.title

MAPI_E_FAILONEPROVIDER and mailbox permissions

Problem:

When attempting to configure the CodeTwo Exchange Sync synchronization account service, you see the following error message:

Unable to connect to Exchange Server.
Failed to open mailbox 'Mailbox - <account_name>@<domain>'.
MAPI_E_FAILONEPROVIDER (0x8004011d)

485-1
Fig. 1. MAPI error message while connecting to the server.

Solution:

The problem seems to have its source on the environmental side and is in most cases connected with certain conflicts between Access Control List (ACL) permissions associated with a user which mailbox is going to be opened.  

First of all, make sure that the user account meets the requirements mentioned in our another knowledge base article: Error opening default mailbox in the MAPI profile

The next step is to identify conflicts between ACL permissions. To see the permissions list use the below ems Exchange Management Shell cmdlet:

Get-MailboxPermission -Identity "<UserAccount>" | FL

Now we need to find all entries which concerns access rights given for a user or group (i.e. Organization management). The example output is shown in the Fig. 2.

485-2
Fig. 2. Example mailbox permission - cmdlet output.

In our example, we have listed access rights to Administrator's mailbox granted for the Organization management group. The bottom entry informs that the group has Full Access rights to the mailbox. On the other hand, there is an entry (at the top of the list) which informs that Full Access rights are denied for this group (see Deny property) and it is not inherited (IsInherited flag). That kind of scenario may be the reason why MAPI_E_FAILONEPROVIDER error is shown when attempting to open the mailbox using a MAPI profile. 

To get rid of this MAPI error, the conflict must be resolved by removing faulty entries. To do that customize the below ems Exchange Management Shell cmdlet to suit your environment:

Remove-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights FullAccess -deny:$true

And confirm by typing: y in the confirmation step. Please be aware that only not inherited rights may be removed this way. There may be more permission conflicts in your environment and they all have to be resolved for the mailbox used as synchronization service account in the CodeTwo Exchange Sync.

See also:

  • Applies to: CodeTwo Exchange Sync
  • Categories: Troubleshooting
  • Last modified: 2015-04-27
  • Created: 2015-04-24
  • ID: 485
  • Keywords: access rights, fullaccess, acl, permissions
Our Clients:
Unicef
Facebook
Shell
T-Systems
Loreal
Casio
UPS Israel
Oford University
Mitsubishi Motors
Toshiba TEC UK Imaging Systems Ltd
Illinois Institute of Technology
MAN Diesel
McDonalds India
Skoda Auto
Bank of Israel
Fujifilm
China Mobile
Santander
Samsung SDI
Skanska
Generali
Telmex
Toyota Tsusho
BECHTEL
Ricoh
BAE SYSTEMS
Federação Portuguesa de Futebol
Credit Agricole
HYUNDAI
Rothschild
Toyota Boshoku
Oriflame Romania
ING
Ikea
Nordea

Partners, certificates & awards