The Unofficial BlackBerry Support Forum - Powered by vBulletin
  1. #1
    BESadmin is online now Administrator

    Unlisted message error or Desktop email program unable to submit message

    Unable to send email messages because the Send As permission has been revoked

    Doc ID : KB04707
    Last Modified : 12-02-2008
    Document Type : Support

    Environment

    • BlackBerry® Enterprise Server software versions 2.1, and 3.6 through 4.1
    • Microsoft® Exchange Server 2000 Service Pack 3 (SP3)
    • Microsoft Exchange Server 2003 SP1 and SP2
    • SDR75493
    • SDR82260
    Overview



    When a BlackBerry smartphone user tries to send an email message, a red X appears beside the email message in the Messages list indicating that it cannot be sent. The Message Status field displays one of the following errors:
    • Unlisted message error
    • Desktop email program unable to submit message.
    Note: The Message Status field appears above the To field within the email message.
    The BlackBerry Enterprise Server debug log displays the following:
    BlackBerry Enterprise Server software versions 4.0 and 4.1

    [40700] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Receiving packet from device, size=111, TransactionId=-2099843783, Tag=147, content type=CMIME, cmd=0x3

    [30112] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Receiving message from device, RefId=1607656887, Tag=147, TransactionId=-2099843783

    [20265] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

    [20265] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

    [20000] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Send() failed: SUCCESS, Tag=147

    [40277] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Sending message error to device for message 1607656887

    [40583] (12/13 15:38:10):{0xFF0} {<user_name>@<domain>} Sending packet to device, Size=46, Tag=222, TransactionId=-1012978472

    BlackBerry Enterprise Server software version 3.6 and earlier

    [40700] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Receiving packet from device, size=161, TransactionId=-1966367802, Tag=-1091853399, content type=CMIME, cmd=0x3

    [30112] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Receiving message from device, RefId=1473556709, Tag=-1091853399, TransactionId=-1966367802

    [20265] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} *** MAPI *** MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed.

    [20000] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Send() failed: ERR_SUBMIT_MAIL, Tag=-1091853399

    [40277] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Sending message error to device for message 1473556709

    [40583] (12/13 15:38:10):{0x7FC} {<user_name>@<domain>} Sending message to device, Size=85, Tag=6420, TransactionId=-1001413813
    Cause

    When applying the hotfix described in Microsoft Support Knowledge Base article 895949 to Microsoft Exchange Server 2003 SP1 or SP2, or applying the hotfix to Microsoft Exchange Server 2000 SP3, the store.exe utility revokes the Send As permission for all Microsoft Exchange Server administration accounts that have been granted Administer Information Store permission at the mailbox store level.

    Note: For additional causes and resolutions related to this problem, see KB00274.

    Resolution

    Resolution 1

    If you have not applied the Microsoft hotfix, check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.

    Important: For more information on applying the hotfix to Microsoft Exchange Server 2003 SP1 or SP2, or applying the hotfix to Microsoft Exchange Server 2000 SP3, see KB12827.

    Resolution 2

    If you have applied the Microsoft hotfix, complete the steps below for the appropriate software version of the BlackBerry Enterprise Server.



    BlackBerry Enterprise Server software version 4.0 through 4.1
    1. Check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.
    2. To clear the Microsoft Exchange Server permissions cache for the BlackBerry Enterprise Server administration account, complete the following steps:
      • Turn off the BlackBerry smartphone for two hours.
        OR
      • Stop and start the BlackBerry Router.
      Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.
    To stop and start the BlackBerry Router, complete the following steps:
    1. In Windows® Control Panel, open Administrative Tools > Services.
    2. Right-click BlackBerry Router.
    3. Click Stop, and wait for two hours.
    4. Right-click BlackBerry Router.
    5. Click Start.

    Note: The default time for which permissions are cached is controlled by the Mailbox Cache Age Limit registry entry. Therefore, the amount of time needed for clearing the permissions cache depends on the value that has been set for this registry entry. Two hours is the default setting on all Microsoft Exchange Servers. Microsoft recommends changing the default time of two hours (120 minutes) for clearing the permissions cache to 20 minutes. The value for the Mailbox Cache Age Limit registry entry may be different in other environments. Refer to this value to determine how long permissions are cached for the administration account. Make sure you wait the amount of time set in the Mailbox Cache Age Limit registry entry to allow the permissions cache to clear. For other options, search for article 912918 in the Microsoft Support Knowledge Base.
    For more information about the Mailbox Cache Age Limit registry entry, search for article 327378 in the Microsoft Support Knowledge Base or search for the Mailbox Cache Age Limit registry entry in the Microsoft TechNet web site.



    BlackBerry Enterprise Server software version 3.6
    1. Check the permission requirements. For information on resolving the permission requirements, search for article 912918 in the Microsoft Support Knowledge Base.
    2. To clear the Microsoft Exchange Server permissions cache for the BlackBerry Enterprise Server administration account, open the Control Panel, then click Administrative Tools > Services.
    3. Right-click each BlackBerry Enterprise Server service, then click Stop for each service.
    4. Wait for 20 minutes.
    5. Right-click each BlackBerry Enterprise Server service, then click Start for each service.

    Note: The default time for which permissions are cached is controlled by the Mailbox Cache Age Limit registry entry. Therefore, the amount of time needed for clearing the permissions cache depends on the value that has been set for this registry entry. Two hours is the default time on Microsoft Exchange Servers. Microsoft recommends changing the default time of two hours (120 minutes) for clearing the permissions cache to 20 minutes. The value for the Mailbox Cache Age Limit registry entry may be different in other environments. Refer to this value to determine how long permissions are cached for the administration account. Make sure you wait the amount of time set in the Mailbox Cache Age Limit registry entry to allow the permissions cache to clear. For other options, search for article 912918 in the Microsoft Support Knowledge Base.
    For more information about the Mailbox Cache Age Limit registry entry, search for article 327378 in the Microsoft Support Knowledge Base or search for the Mailbox Cache Age Limit registry entry in the Microsoft TechNet web site.

    Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.

    Protected Accounts

    If the Send As permission is revoked from a Microsoft® Active Directory® user account because that user object shares a membership with a protected account, complete the following steps:



    Note: For more information and a complete list of protected accounts, search for article 907434 in the Microsoft Support Knowledge Base.
    1. Remove the protected account membership from the Microsoft® Active Directory® user object.
    2. Assign the Send As permission to the user object again. For instructions, search for article 912918 in the Microsoft Support Knowledge Base.
    3. Wait for Microsoft Active Directory replication to occur, or force the replication.
    4. Complete one of the following steps:
      • Remove the BlackBerry smartphone user from the BlackBerry Enterprise Server, and then wait 20 minutes. Add and activate the BlackBerry smartphone user on the BlackBerry Enterprise Server again.
      • Depending on the software version of the BlackBerry Enterprise Server, stop the BlackBerry Router or the BlackBerry Enterprise Server, then wait 20 minutes. Start the BlackBerry Router or the BlackBerry Enterprise Server again. Important: Restarting certain BlackBerry Enterprise Server services will delay message delivery to BlackBerry smartphones. For more information, see KB04789.
    Tip: To view the How to verify the Exchange 'Send As' permissions educational online video, click here.

    Additional Information

    It is possible to modify Microsoft Active Directory permissions to allow BlackBerry smartphone users who are members of protected groups to send email messages from their BlackBerry smartphones without creating secondary email accounts. For instructions on modifying the permissions that are associated with the AdminSDHolder Microsoft Active Directory object and have been changed by the recent Microsoft Exchange update, search for article 817433 in the Microsoft Support Knowledge Base.

    Important: This procedure is not recommended by Microsoft or by Research In Motion.

    2007 Daylight Saving Time (DST) patch and the Send As permission

    With the new collaboration data object (CDO) update from Microsoft, each BlackBerry smartphone user in the Microsoft Active Directory must have the Send As permission turned on in the BlackBerry Enterprise Server administration account. If the Send As permission is not turned on in the administration account, the BlackBerry smartphone user cannot send email messages from the BlackBerry smartphone.

    When adding a new BlackBerry smartphone user to the BlackBerry Enterprise Server, administrators should make sure that the Send As permission is turned on in the BlackBerry Enterprise Server administration account within Microsoft Active Directory. When a new BlackBerry smartphone user is added to the BlackBerry Enterprise Server, the BlackBerry smartphone user must either inherit the Send As permission from a parent object in Microsoft Active Directory (for example, through a group permission), or the BlackBerry smartphone user must have this permission set automatically by the BlackBerry Enterprise Server. If this does not occur, use the SetSendAsPermission tool to set the permission.

    To download the SetSendAsPermission tool, click here. For instructions on using the SetSendAsPermission tool, see KB12300.

    For more information on the Microsoft update concerning DST changes in 2007 for Microsoft Exchange 2003 SP2, search for article 926666 in the Microsoft Support Knowledge Base.

    For more information on the impact of DST changes in 2007 on BlackBerry solutions, go to www.blackberry.com/dst2007.


    For more information on the Send As Issue you can also refer to: http://na.blackberry.com/eng/support/software/sendas.jsp
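
One way to triage a BlackBerry Enterprise Server debug log for the failure shown in the post above, as an added example that is not part of the original post or of any BlackBerry tool: it groups `SubmitMessage` failures carrying `0x80070005` (access denied) by user and message RefId, covering both log formats quoted above. The sample lines, user names and the second HRESULT are constructed for illustration.

```python
import re
from collections import defaultdict

E_ACCESSDENIED = 0x80070005  # HRESULT in the SubmitMessage failures quoted above

# [event] (timestamp):{thread} {user} message
LINE = re.compile(r"^\[(?P<event>\d+)\] \((?P<ts>[^)]*)\):\{(?P<thread>0x[0-9A-Fa-f]+)\} "
                  r"\{(?P<user>[^}]*)\} (?P<msg>.*)$")
REFID = re.compile(r"Receiving message from device, RefId=(-?\d+)")
SUBMIT = re.compile(r"SubmitMessage \((0x[0-9A-Fa-f]+)\) failed")

def denied_submits(lines):
    """Return {user: sorted RefIds} for messages whose submit was access-denied."""
    current = {}                  # (thread, user) -> RefId currently being sent
    hits = defaultdict(set)       # a set, because 4.x logs repeat the 20265 line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue              # blank or unrelated line
        key = (m["thread"], m["user"])
        ref = REFID.search(m["msg"])
        if ref:
            current[key] = int(ref.group(1))
            continue
        sub = SUBMIT.search(m["msg"])
        if sub and int(sub.group(1), 16) == E_ACCESSDENIED:
            hits[m["user"]].add(current.get(key))   # None if no RefId was seen
    return {u: sorted(r, key=lambda x: (x is None, x)) for u, r in hits.items()}

# Constructed sample in the page's log format (not real log data).
SAMPLE = r"""
[30112] (12/13 15:38:10):{0xFF0} {alice@example.test} Receiving message from device, RefId=1001, Tag=147, TransactionId=-1
[20265] (12/13 15:38:10):{0xFF0} {alice@example.test} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
[20265] (12/13 15:38:10):{0xFF0} {alice@example.test} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
[30112] (12/13 15:40:02):{0x7FC} {bob@example.test} Receiving message from device, RefId=2002, Tag=9, TransactionId=-2
[20265] (12/13 15:40:02):{0x7FC} {bob@example.test} *** MAPI *** MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x8004010F) failed.
[30112] (12/13 15:41:00):{0xFF0} {alice@example.test} Receiving message from device, RefId=1002, Tag=148, TransactionId=-3
[20265] (12/13 15:41:00):{0xFF0} {alice@example.test} *** MAPI *** MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed.
"""

if __name__ == "__main__":
    for user, refs in denied_submits(SAMPLE.splitlines()).items():
        print(f"{user}: {len(refs)} message(s) denied at submit, RefIds {refs}")
```

Users that appear in the result are the ones whose Send As permission should be checked; a submit failure with any other HRESULT is left out because it points to a different cause.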

  2. #2
    GaryCutri is offline Moderator
    To correct the "Send As" issue I have outlined the steps below that I use to quickly resolve this error:

    1. Stop the Blackberry Router service.

    2. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".

    3. Run the following script logged on as Administrator
    Note: Only use this step if you have BlackBerry users that are members of Admin groups. Using best practice methods it is recommended that mobile user accounts aren't members of any administration groups.

    dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"

    Example 1: dsacls "cn=adminsdholder,cn=system,dc=experts-exchange,dc=com" /G "EXPERTS_EXCHANGE\BESadmin:CA;Send As"

    Example 2: dsacls "cn=adminsdholder,cn=system,dc=blackberryforums,dc=com,dc=au" /G "BLACKBERRYFORUMS\BESadmin:CA;Send As"

    Example 3: dsacls "cn=adminsdholder,cn=system,dc=mobilenetwork,dc=local" /G "MOBILENETWORK\BESadmin:CA;Send As"

    NOTE: dsacls can be found in the Windows Server 2003 SP1 Support Tools pack: Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools

    4. Wait 20 minutes and then restart the BlackBerry Router service.

    5. Restart the BES server.


    Additional Information

    To globally apply Send As permissions to all user objects follow these steps:
    1. Open Active Directory.
    2. Select the "View" menu and ensure "Advanced Features" is checked.
    3. Right mouse click on your domain name and select Properties
    4. Select the Security tab
    5. Press the Advanced button at the bottom on the security tab
    6. Select "Add" and enter your Blackberry Service Account name (e.g. BESadmin) and select OK
    7. When the permissions screen appears change "Apply onto:" to "User Objects"
    8. In the permissions box scroll down and check the Allow box beside "Send As" and press OK
    9. Press Apply and OK to exit

  3. #3
    andrew is offline Junior Member
    I cannot possibly tell you how big of a help you have been today. I had to add one item to your solution, "a simple reboot", to complete the fix for this job. After the reboot, all was well. Thank you so much for your help. It means a lot to people like me. Thanks again!

  4. #4
    GaryCutri is offline Moderator
    Andrew, I added a step 5 in my instructions above for you.

  5. #5
    WMB is offline Member

    stopping Blackberry Router service

    Gary,
    Why is it necessary to stop the BlackBerry Router service for 20 minutes?
    Is there another way to get it done ASAP? Is there a way to clear the Exchange cached permissions immediately?
    cheers,
    Warwick

  6. #6
    msltech is offline Member
    Why is the send as permission removed every 30 to 60 minutes from admin users and what is the adminsdholder?

  7. #7
    GaryCutri is offline Moderator
    Re: AdminSDHolder

    The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does - it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in the built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.

    The purpose of AdminSDHolder is to protect against a specific attack scenario. Active Directory is extremely flexible down to its most granular level. Because of this, a user can have write access to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.

    Re: Stopping the BlackBerry Router Service

    Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g. restarting the Information Store Service).
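
The refresh behaviour discussed in this thread, as a simplified model added here (not code from any poster, Microsoft or Research In Motion): it shows why a Send As grant made on an admin's user object or at the domain level is gone after the next refresh, and what changes when the ACE sits on the AdminSDHolder template instead. Account names and ACEs are constructed; the model also turns off inheritance on protected accounts, which is what keeps a domain-level grant from reaching them.

```python
# Simplified model of the hourly AdminSDHolder refresh described in this thread.
# Account names and ACEs are constructed; real ACLs carry far more entries.
from dataclasses import dataclass, field

SEND_AS = ("BESadmin", "Send As")         # (trustee, right) pair used throughout

@dataclass
class Account:
    name: str
    protected: bool                        # member of a protected admin group
    explicit: set = field(default_factory=set)
    inherits: bool = True                  # picks up inheritable ACEs from the domain

def refresh(accounts, template):
    """One refresh pass: stamp the AdminSDHolder ACL onto protected accounts."""
    reset = []
    for acct in accounts:
        if acct.protected and (acct.explicit != template or acct.inherits):
            acct.explicit = set(template)  # explicit ACEs replaced by the template
            acct.inherits = False          # inherited ACEs no longer apply
            reset.append(acct.name)
    return reset

def can_send(acct, domain_aces):
    """True if BESadmin holds Send As on the account, explicitly or by inheritance."""
    inherited = domain_aces if acct.inherits else set()
    return SEND_AS in (acct.explicit | inherited)

def scenario(template):
    """Grant Send As at the domain and on one admin's object, then run a refresh."""
    domain_aces = {SEND_AS}                # the domain-level 'User Objects' grant
    users = [Account("alice", protected=False),
             Account("bob-admin", protected=True, explicit={SEND_AS}),
             Account("carol-admin", protected=True)]
    before = {u.name: can_send(u, domain_aces) for u in users}
    reset = refresh(users, template)
    after = {u.name: can_send(u, domain_aces) for u in users}
    return before, reset, after

if __name__ == "__main__":
    print(scenario(template=set()))        # template without the ACE
    print(scenario(template={SEND_AS}))    # template carries the ACE (dsacls step)
```

With the ACE on the template, every protected account ends up with the BESadmin Send As entry, including `carol-admin`, which never had an explicit grant, so the scope of that change is all protected accounts rather than only the BlackBerry users.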

  8. #8
    BESadmin is online now Administrator
    The KB article above has just been updated; please reread the article as it now discusses the amount of time needed for clearing the permissions cache.

  9. #9
    BESadmin is online now Administrator
    Send As Decision Tree

    The Send As decision tree will allow BlackBerry Enterprise Server administrators to both confirm that they are being affected by this issue and resolve the problem, through applying the troubleshooting methodology outlined in the attachment below.

  10. #10
    BBguy is offline Member
    Thank you BESadmin and GaryCutri for such an informative forum topic. You have answered all my questions without me having to even ask them.
