Exchange Journaling tasks fail with Event 3460 and 2258

Article ID: 100054098

Description

Error Message

Lines in a dtrace will show:

Event ID: 3460 The Task '[task name]' failed to log on to Exchange server '[server name]' using mailbox 'SMTP:[mailbox email address]'. Check that the mailbox has not been hidden, that the server is running and that the vault service account has sufficient permissions on the server. |Enterprise Vault used the following settings for the Outlook Anywhere connection to Exchange 2013 or later: |   Proxy server: '[proxy address]' |   Requires SSL: 'True' |   Certificate principal: 'msstd:[proxy address]' |If these settings are correct, check that the servers are responding. |Note that Enterprise Vault auto-discovers the proxy server and certificate principal unless you have configured them explicitly in the target domain's properties in the Administration Console, in which case you should check the settings you have made.

and

Event ID: 2258 The Journal Task '[task name]' could not be started due to startup errors.

Dtrace will show:

796 09:17:08.670     [23156]    (JournalTask)   <12208> EV:L    {HrMAPIOpenMsgStoreKvs:#58} Opened msg store [0x80040111]
797 09:17:08.670     [23156]    (JournalTask)   <12208> EV:H    {CMailboxHelper::OpenMailbox:#328} Could not open message store: [0x80040111]
798 09:17:08.670     [23156]    (JournalTask)   <12208> EV:M    {CMailboxHelper::CreateProfileAndSessionAndOpenMailbox:#1237} Failed to open mailbox
799 09:17:08.670     [23156]    (JournalTask)   <12208> EV:M    {CMailboxHelper::CreateProfileAndSessionAndOpenMailbox:#1238} Error being returned : 0x80040111
800 09:17:08.670     [23156]    (JournalTask)   <12208> EV:L    {MAPISessionWithBoundProfileName::~MAPISessionWithBoundProfileName:#79} MAPISessionWithBoundProfileName object count: [0], Unbinding name: [EV_00000000]
801 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {EVMAPIProfileNameWithAutoDelete::DeleteProfile:#463} Deleted profile, Name: [EV_00000000]
802 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {EVMAPIProfileNameFromPoolInternal::~EVMAPIProfileNameFromPoolInternal:#351} Profile name now free to use: [EV_00000000]
803 09:17:08.686     [23156]    (JournalTask)   <12208> EV:H    {CMAPISession::CreateMapiSession} (Exit) Status: [ClassFactory cannot supply requested class  (0x80040111)]
804 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::ClearProfileCache} (Entry)
805 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::CloseMapiSession} (Entry)
806 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::CloseMapiSession:#82} Releasing managed store (IExchangeManageStore): [False]
807 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::CloseMapiSession:#88} Releasing message store (IMsgStore): [False]
808 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::CloseMapiSession} (Exit)
809 09:17:08.686     [23156]    (JournalTask)   <12208> EV:L    {CMAPISession::ClearProfileCache} (Exit)
810 09:17:08.686     [23156]    (JournalTask)   <12208> EV:H    {CMAPISession::GetMapiSessionFromPoolEx} (Exit) Status: [ClassFactory cannot supply requested class  (0x80040111)]
811 09:17:08.686     [23156]    (JournalTask)   <12208> EV:H    {CAgentTask::Initialise:#1347} Failed to open privileged MAPI session: [0x80040111]. Aborting agent startup.


IIS logs on the Exchange server will show the following entries associated with the IP address of the EV server:

2022-10-03 15:17:50 [Server IP Address] GET /autodiscover/autodiscover.xml - 80 - [Client IP] Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.5254;+Pro) - 403 4 5 27
2022-10-03 15:17:50 [Server IP Address] POST /autodiscover/autodiscover.xml - 443 - [Client IP] Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.5254;+Pro) - 500 50 2152071479 22
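
To find these entries in a large IIS log, the following added example (not part of the original article or of Enterprise Vault) parses W3C log lines and lists the failed Autodiscover requests that came from the EV server. The IP addresses and log lines are constructed, and the field order is assumed to be the IIS default seen in the lines above unless a `#Fields:` directive says otherwise.

```python
from collections import Counter

# Default IIS W3C field order, matching the log lines shown above.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()

def parse_w3c(lines):
    """Yield one dict per log entry, honouring any '#Fields:' directive."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated entries
                yield dict(zip(fields, parts))

def autodiscover_failures(lines, ev_server_ip):
    """Autodiscover requests from the EV server that IIS answered with 4xx/5xx."""
    hits = []
    for rec in parse_w3c(lines):
        status = rec.get("sc-status", "")
        if (rec.get("c-ip") == ev_server_ip
                and rec.get("cs-uri-stem", "").lower().startswith("/autodiscover/")
                and status.isdigit() and int(status) >= 400):
            hits.append(rec)
    return hits

def status_counts(hits):
    """Count failures as 'status.substatus'."""
    # 500.50 is the IIS status for a URL Rewrite module error; 403.4 is "SSL required".
    return Counter(f'{r["sc-status"]}.{r.get("sc-substatus", "0")}' for r in hits)

# Constructed sample: 192.0.2.10 = Exchange server, 192.0.2.25 = EV server (assumed).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-03 15:17:50 192.0.2.10 GET /autodiscover/autodiscover.xml - 80 - 192.0.2.25 Microsoft+Office/16.0 - 403 4 5 27
2022-10-03 15:17:50 192.0.2.10 POST /autodiscover/autodiscover.xml - 443 - 192.0.2.25 Microsoft+Office/16.0 - 500 50 2152071479 22
2022-10-03 15:18:02 192.0.2.10 POST /autodiscover/autodiscover.xml - 443 - 192.0.2.77 Microsoft+Office/16.0 - 200 0 0 31
2022-10-03 15:18:05 192.0.2.10 GET /favicon.ico - 443 - 192.0.2.25 Microsoft+Office/16.0 - 404 0 2 3
""".splitlines()

if __name__ == "__main__":
    counts = status_counts(autodiscover_failures(SAMPLE_LOG, "192.0.2.25"))
    for key in sorted(counts):
        print(key, counts[key])
```

A 500.50 count that drops to zero after the Resolution steps indicates that Autodiscover requests from the EV server are no longer failing inside the URL Rewrite module.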

Cause

This may happen after manually applying Mitigation Option 3 from the Microsoft mitigation guidance page below while the Microsoft Exchange Emergency Mitigation Service is running on the Exchange server.

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Resolution

  1. Log on to the Exchange server using an Exchange administrator account
  2. Using IIS Manager, navigate to the Default Web Site
  3. In the IIS section, double-click on "URL Rewrite"
  4. Remove both the automatically set and the manually set rule (see link above)
  5. Repeat for each Virtual Directory under the Default Web Site
  6. Restart IIS
  7. Restart the Microsoft Exchange Emergency Mitigation service

Confirm after 15 minutes that the rule has been recreated in the Default Web Site and all sub virtual directories. If the rule has not been recreated, it is recommended that a support case be opened with Microsoft.

As Option 3 causes the above issue, implement Option 1 or 2.

Issue/Introduction

Exchange Journal Archive Tasks will fail with Event 3460 and 2258 and not be able to start.