Unlisted message error or Desktop email program unable to submit message

[BESadmin]

User cannot send messages because the Send As permission has been revoked

Doc ID : KB04707
Last Modified : 2007-04-09
Document Type : Support

Environment

• BlackBerry® Enterprise Server software versions 3.6 through 4.1
• Microsoft® Exchange Server 2003 Service Packs 1 and 2
• Microsoft Exchange Server 2000 Service Pack 3
• SDR75493
• SDR82260

Background

This article applies to Microsoft Exchange Server 2003 and 2000 within the following environments:

• Microsoft Exchange Server 2003 Service Pack 1 using store build 7233.51 or later
• Microsoft Exchange Server 2003 Service Pack 2 using store build 7650.23 or later
• Microsoft Exchange Server 2000 Service Pack 3 using store build 6619.4 or later

Important: When you apply the hotfix described in Microsoft Support Knowledge Base article 895949 to Microsoft Exchange Server 2003 Service Pack 1 or Service Pack 2, or apply the hotfix to Microsoft Exchange Server 2000 Service Pack 3, see KB12827.

Problem

When a BlackBerry device user tries to send a message, a red X appears beside the message in the Messages list indicating it cannot be sent. The Message Status field displays one of the following errors:

• Unlisted message error
• Desktop email program unable to submit message.

Note: The Message Status field appears above the To field within the message.



The BlackBerry Enterprise Server debug log displays the following:

BlackBerry Enterprise Server software versions 4.0 and 4.1

[40700] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Receiving packet from device, size=111, TransactionId=-2099843783, Tag=147, content type=CMIME, cmd=0x3

[30112] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Receiving message from device, RefId=1607656887, Tag=147, TransactionId=-2099843783

[20265] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

[20265] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

[20000] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Send() failed: SUCCESS, Tag=147

[40277] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Sending message error to device for message 1607656887

[40583] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Sending packet to device, Size=46, Tag=222, TransactionId=-1012978472

BlackBerry Enterprise Server software version 3.6 and earlier

[40700] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Receiving packet from device, size=161, TransactionId=-1966367802, Tag=-1091853399, content type=CMIME, cmd=0x3

[30112] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Receiving message from device, RefId=1473556709, Tag=-1091853399, TransactionId=-1966367802

[20265] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} *** MAPI *** MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed.

[20000] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Send() failed: ERR_SUBMIT_MAIL, Tag=-1091853399

[40277] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Sending message error to device for message 1473556709

[40583] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Sending message to device, Size=85, Tag=6420, TransactionId=-1001413813

Cause

When applying the hotfix described in Microsoft Support Knowledge Base article 895949 to Microsoft Exchange Server 2003 Service Pack 1 or Service Pack 2, or applying the hotfix to Microsoft Exchange Server 2000 Service Pack 3, the store.exe utility revokes the Send As permission for all Microsoft Exchange Server administration accounts that have been granted Administer Information Store permission at the mailbox store level.

Note: For additional causes and resolutions related to this problem, please see KB00274.

Resolution

Depending on whether you have applied the Microsoft hotfix, complete the appropriate resolution below.

Resolution 1

If you have not applied the Microsoft hotfix, check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.
Note: You do not need to restart any BlackBerry services.

Resolution 2

If you have applied the Microsoft hotfix, complete the steps below for the appropriate software version of the BlackBerry Enterprise Server.

BlackBerry Enterprise Server software version 4.0 through 4.1

1. Check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.
2. In Microsoft Windows® Control Panel, open Administrative Tools > Services.
3. Right-click BlackBerry Router, click Stop, and wait for 20 minutes.
4. Right-click BlackBerry Router, then click Start. This will clear the Microsoft Exchange Server permissions cache for the BlackBerry Enterprise Server administration account.

Note: The default time for which permissions are cached is controlled by the Mailbox Cache Age Limit registry entry. Therefore, the amount of time needed for clearing the permissions cache depends on the value that has been set for this registry entry. Microsoft recommends changing the default time of two hours (120 minutes) for clearing the permissions cache to 20 minutes. The value for the Mailbox Cache Age Limit registry entry may be different in other environments. Refer to this value to determine how long permissions are cached for the administration account. Make sure you wait the amount of time set in the Mailbox Cache Age Limit registry entry to allow the permissions cache to clear. For other options, search for article 912918 in the Microsoft Support Knowledge Base.

For more information about the Mailbox Cache Age Limit registry entry, search for article 327378 in the Microsoft Support Knowledge Base or search for the Mailbox Cache Age Limit registry entry in the Microsoft TechNet web site.

BlackBerry Enterprise Server software version 3.6

1. Check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.
2. To clear the Microsoft Exchange Server permissions cache for the BlackBerry Enterprise Server administration account, in the Control Panel, open Administrative Tools > Services.
3. Right-click each BlackBerry service, then click Stop for each service.
4. Wait for 20 minutes.
5. Right-click each BlackBerry service, then click Start for each service.

Note: The default time for which permissions are cached is controlled by the Mailbox Cache Age Limit registry entry. Therefore, the amount of time needed for clearing the permissions cache depends on the value that has been set for this registry entry. Microsoft recommends changing the default time of two hours (120 minutes) for clearing the permissions cache to 20 minutes. The value for the Mailbox Cache Age Limit registry entry may be different in other environments. Refer to this value to determine how long permissions are cached for the administration account. Make sure you wait the amount of time set in the Mailbox Cache Age Limitregistry entry to allow the permissions cache to clear. For other options, search for article 912918 in the Microsoft Support Knowledge Base.

For more information about the Mailbox Cache Age Limit registry entry, search for article 327378 in the Microsoft Support Knowledge Base or search for the Mailbox Cache Age Limit registry entry in the Microsoft TechNet web site.

Important: Restarting certain BlackBerry Enterprise Server services will delay message delivery to BlackBerry devices. For more information, see KB04789.

Protected Accounts

If the Send As permission is revoked from a Microsoft Active Directory® user account because that user object shares a membership with a protected account, complete the following steps:
Note: For more information and a complete list of protected accounts, search for article 907434 in the Microsoft Support Knowledge Base.

1. Remove the protected account membership from the Microsoft Active Directory user object.
2. Assign the Send As permission to the user object again. For instructions, search for article 912918 in the Microsoft Support Knowledge Base.
3. Wait for Microsoft Active Directory replication to occur, or force the replication.
4. Do one of the following:
   • Remove the BlackBerry device user from the BlackBerry Enterprise Server, then wait 20 minutes. Add and activate the BlackBerry device user on the BlackBerry Enterprise Server again.
   • Depending on the software version of the BlackBerry Enterprise Server, stop the BlackBerry Router or the BlackBerry Enterprise Server, then wait 20 minutes. Start the BlackBerry Router or the BlackBerry Enterprise Server again. Important: Restarting certain BlackBerry Enterprise Server services will delay message delivery to BlackBerry devices. For more information, see KB04789.

Tip: To view the How to verify the Exchange 'Send As' permissions educational online video, click here.

Additional Information

It is possible to modify Active Directory permissions to allow BlackBerry device users who are members of protected groups to send messages from their BlackBerry devices without creating secondary email accounts. For instructions on modifying the permissions that are associated with the AdminSDHolder Active Directory object and have been changed by the recent Microsoft Exchange update, search for article 817433 in the Microsoft Support Knowledge Base.

Important: This procedure is not recommended by Microsoft or by Research In Motion.

2007 Daylight Saving Time (DST) patch and the Send As permission

With the new collaboration data object (CDO) update from Microsoft, each BlackBerry device user in the Active Directory must have the Send As permission enabled in the BlackBerry Enterprise Server administration account. If the Send As permission is not enabled in the administration account, the BlackBerry device user cannot send messages from the BlackBerry device.

When adding a new BlackBerry device user to the BlackBerry Enterprise Server, administrators should make sure that the Send As permission is enabled in the BlackBerry Enterprise Server administration account within Active Directory. When a new BlackBerry device user is added to the BlackBerry Enterprise Server, the BlackBerry device user must either inherit the Send As permission from a parent object in Active Directory (for example, through a group permission), or the BlackBerry device user must have this permission set automatically by the BlackBerry Enterprise Server. If this does not occur, use the SetSendAsPermission tool to set the permission.

To download the SetSendAsPermission tool, click here. For instructions on using the SetSendAsPermission tool, see KB12300.

For more information on the Microsoft update concerning DST changes in 2007 for Microsoft Exchange 2003 Service Pack 2, search for article 926666 in the Microsoft Support Knowledge Base.
For more information on the impact of DST changes in 2007 on BlackBerry solutions, go to www.blackberry.com/dst2007.
</B>

[GaryCutri]

To correct the "Send As" issue I have outlined the steps I use to quickly resolve this issue:

1. Stop the Blackberry Router service.

2. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".

3. Run the following script logged on as Administrator
Note: Only use this step if you have BlackBerry users that are members of Admin groups. Using best practice methods it is recomended that mobile user accounts aren't members of any administration groups.

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=c om " /G "DOMAINNAME\BESadmin:CA;Send As"

Example 1: dsacls "cn=adminsdholder,cn=system,dc=experts-exchange,dc=com " /G "EXPERTS_EXCHANGE\BESadmin:CA;Send As"

Example 2: dsacls "cn=adminsdholder,cn=system,dc=blackberryforums,dc =com,dc=au " /G "BLACKBERRYFORUMS\BESadmin:CA;Send As"

Example 3: dsacls "cn=adminsdholder,cn=system,dc=mobilenetwork,dc=lo cal" /G "MOBILENETWORK\BESadmin:CA;Send As"

NOTE: dsacls can be found in the Windows Server 2003 SP1 Support Tools pack: Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools

4. Wait 20 minutes and then restart the BlackBerry Router service.

5. Restart the BES server.

[andrew]

I cannot possibly tell you how big of a help you have been today. I had to add one item to your solution "a simple reboot" to complete the fix for this job. After the reboot, all was well. Thank you so much for your help. It means alot to people like me Thanks Again!

[GaryCutri]

Andrew, I added a step 5 in my instructions above for you.

[WMB]

Gary,
why is it necessary to stop the Blackberry Router service for 20mins?
is there another way to get it done ASAP? is there a way to clear the exchange cached permissions immediately?
cheers,
Warwick

[msltech]

Why is the send as permission removed every 30 to 60 minutes from admin users and what is the adminsdholder?

[GaryCutri]

Re: AdminSDHolder

The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does - it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.

The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to it' s most granular level. Because of this, a user can have write access to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.

Re: Stopping the BlackBerry Router Service

Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g Restarting the Information Store Service).

[BESadmin]

The KB article above has just been updated; please reread the article as is now discusses the amount of time needed for clearing the permissions cache.

[BESadmin]

Send As Decision Tree

The Send As decision tree will allow BlackBerry Enterprise Server administrators to both confirm that they are being affected by this issue and resolve the problem, through applying the troubleshooting methodology outlined in the attachment below.

[BBguy]

Thank you BESadmin and GaryCutri for such an informative forum topic. You have answered all my questions without me having to even ask them.