MAPI_E_FAILONEPROVIDER and mailbox permissions
When attempting to configure the CodeTwo Exchange Sync synchronization account service, you see the following error message:
Unable to connect to Exchange Server. Failed to open mailbox 'Mailbox - <account_name>@<domain>'. MAPI_E_FAILONEPROVIDER (0x8004011d)
The problem seems to originate on the environment side and in most cases is connected with conflicts between Access Control List (ACL) permissions associated with the user whose mailbox is going to be opened.
First of all, make sure that the user account meets the requirements described in another of our knowledge base articles: Error opening default mailbox in the MAPI profile.
The next step is to identify conflicts between ACL permissions. To see the permissions list, use the following Exchange Management Shell cmdlet:
Get-MailboxPermission -Identity "<UserAccount>" | FL
Now we need to find all entries that concern access rights given to a user or group (e.g. Organization Management). Example output is shown in Fig. 2.
In our example, we have listed access rights to the Administrator's mailbox granted to the Organization Management group. The bottom entry shows that the group has Full Access rights to the mailbox. On the other hand, the entry at the top of the list shows that Full Access rights are denied for this group (see the Deny property) and that this entry is not inherited (see the IsInherited flag). That kind of scenario may be the reason why the MAPI_E_FAILONEPROVIDER error is shown when attempting to open the mailbox using a MAPI profile. If you see similar duplicated entries, you can try to solve your issue either by using a new user profile or by resolving the conflicts manually.
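The check described above can be scripted so that conflicting allow/deny pairs do not have to be spotted by eye. This is an added example, not CodeTwo's or Microsoft's code: Find-MailboxAceConflict is a hypothetical helper name, the sample entries are constructed to mirror the scenario above, and it assumes PowerShell 3.0 or later and the User, AccessRights, Deny and IsInherited properties of Get-MailboxPermission output.

```powershell
# Added example. Find-MailboxAceConflict is a hypothetical helper, not a CodeTwo or Exchange cmdlet.
function Find-MailboxAceConflict {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Ace)
    begin {
        $aces = @()
        # AccessRights may be an array or a comma-separated string; normalise to a string array.
        $rightsOf = { param($a) @("$($a.AccessRights)" -split '[,\s]+' | Where-Object { $_ }) }
    }
    process { $aces += $Ace }
    end {
        foreach ($g in ($aces | Group-Object -Property { "$($_.User)" })) {
            # Compare Deny as text so boolean and deserialised string values behave the same.
            $deny  = @($g.Group | Where-Object { "$($_.Deny)" -eq 'True' })
            $allow = @($g.Group | Where-Object { "$($_.Deny)" -ne 'True' })
            foreach ($d in $deny) {
                $denied = & $rightsOf $d
                foreach ($a in $allow) {
                    # A conflict is the same right both allowed and denied for one trustee.
                    $overlap = @(& $rightsOf $a | Where-Object { $denied -contains $_ })
                    if ($overlap.Count -gt 0) {
                        [pscustomobject]@{
                            User           = $g.Name
                            Rights         = $overlap -join ','
                            DenyInherited  = "$($d.IsInherited)" -eq 'True'
                            AllowInherited = "$($a.IsInherited)" -eq 'True'
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample entries (not real output) shaped like Get-MailboxPermission results.
$sample = @(
    [pscustomobject]@{ User = 'DOMAIN52\Organization Management'; AccessRights = @('FullAccess'); Deny = $true; IsInherited = $false }
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = @('FullAccess', 'ReadPermission'); Deny = $false; IsInherited = $false }
    [pscustomobject]@{ User = 'DOMAIN52\Organization Management'; AccessRights = @('FullAccess'); Deny = $false; IsInherited = $true }
)
$sample | Find-MailboxAceConflict | Format-Table -AutoSize

# Against a live mailbox (read-only):
# Get-MailboxPermission -Identity "<UserAccount>" | Find-MailboxAceConflict
```

A row with DenyInherited set to False is a deny entry set directly on the mailbox, which is the kind of entry the manual procedure below can remove.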
Creating a new account that could be used by CodeTwo Exchange Sync is the most effective method. To do so, please follow the steps below:
- Following our User Guide, create a new user, along with a new mailbox, that meets the following requirements:
  - is a member of Domain Admins (required to access Exchange mailboxes via MAPI)
  - is not disabled, locked, etc.
  - is Exchange mailbox-enabled
  - its mailbox is not hidden from the Exchange address list
- Log in to the mailbox of the new account (e.g. using OWA).
- Send and receive any message to make sure that the mailbox is activated (you can send an email from the mailbox to itself).
- Log out from your current profile on the machine where CodeTwo Exchange Sync is installed.
- Log in to the new account.
- Try to configure CodeTwo Exchange Sync.
Resolving conflicts manually
If creating a new account does not work or you need to stay with the desired user account, you can solve the conflicts manually. To get rid of the MAPI_E_FAILONEPROVIDER error, all conflicts must be resolved by removing the faulty entries. To do that, customize the following Exchange Management Shell cmdlet to suit your environment:
# Remove deny permission assigned for Administrator in the case of Organization Management
Remove-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights FullAccess -Deny:$true
Confirm by typing y in the confirmation step. Please be aware that only non-inherited rights can be removed this way. There may be more permission conflicts in your environment, and they all have to be resolved for the mailbox used as the synchronization service account in CodeTwo Exchange Sync. If you need to add permissions to a mailbox, you can use the following command:
# Add full access permission for Administrator in the case of Organization Management group
Add-MailboxPermission -Identity "Administrator" -User "DOMAIN52\Organization Management" -AccessRights FullAccess -InheritanceType All