Exchange 2007 Offline Address Book (OAB) keeps asking for authentication

If you are getting a constant authentication box pop up for your users when outlook is trying to connect to the Offline Address book, then read on, I am sure this will help you:

First thing is first make sure you have a vaild OAB

1. open Exchange Management console

2. open organization Configuration > Go to mailbox > choose Offline address book tab.

3. Make sure you have at least one address book here if not create one.

4. Right click on the address book go to properties > distribution Tab . ensure all boxes are ticked. > click on the ADD here you need to locate the appropriate server. > hit Ok.

5. You should be back to the OAB listings, if you have more then one that’s fine leave them for the time being, but choose the one you would like to be the default OAB and right click on it and choose ’set as default’

6. Now we need to update this OAB, right click on the default OAB you have created and then choose ‘update’

7. to ensure that the OAB has updated go to the event viewer and check the application log.

If you get a successful update great move on to step 9

if you get a warning with this event log below:

Log Name:      Application
Source:        MSExchangeSA
Date:          3/03/2009 9:10:24 AM
Event ID:      9320
Task Category: OAL Generator
Level:         Warning
Keywords:      Classic
User:          N/A
OALGen could not generate full details for some entries in the offline address list for address list ‘\Global Address List’.  To see which entries are affected, event logging for the offline address list generator must be set to at least medium.
- xxxxxxx Offline Address Book
Event Xml:
<Event xmlns="">
    <Provider Name="MSExchangeSA" />
    <EventID Qualifiers="32768">9320</EventID>
    <TimeCreated SystemTime="2009-03-02T22:10:24.000Z" />
    <Security />
    <Data>\Global Address List</Data>
    <Data>xxxxxx Offline Address Book</Data>


You need to set the event logging a little higher to do this open up the exchange powershell console and run the below command:

Set-EventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level Expert

Now repeat step 7

you should now have some errors

event ID: 9330 MSExchangeSA

OALGen encountered error 80040115 (internal ID 50004ef) accessing Active Directory servername for ”.
- /o=Elcom Technology Pty Ltd/cn=addrlists/cn=oabs/cn=xxxxxx Offline Address Book



Event ID 9334 MSExchangeSA

OALGen encountered error 80040115 while initializing the offline address list generation process. No offline address lists have been generated. Please check the event log for more information.
- /o=Elcom Technology Pty Ltd/cn=addrlists/cn=oabs/cn=xxxxx Offline Address Book


8. If these are the same kind of errors you must open ADSIedit (only included in the support package supplied by micorosft)

once you have installed the support tools

start > run > adsiedit.msc

go to

Using ADSIEdit:
1. Navigate to the ‘Default Global Address List’ object
CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
2. Go to the properties of the ‘Default Global Address List’ object
3. Copy the distinguishedName attribute of the ‘Default Global Address List’.
It should look similar to the one below.
CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
4. Navigate to the ‘Microsoft Exchange’ container.
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
5. Go to properties of the ‘Microsoft Exchange’ container
6. Select the GlobalAddressList attribute and click Edit.
7. Paste in the distinguishedName attribute of the ‘Default Global Address List’ and click Add
8. Click OK twice to close out of the properties.
9. Replicate domain controllers
10. Rebuild the OAB again

above taken from


9. Check your permissions on your OAB go to c:\Program Files\Microsoft\Exchange Server\Client Access\OAB\ find the correct GUID that related to your OAB, right click on the GUID and then go to the security tab. Ensure that administrators and system have full control and authenticated users have only read access. (leave the other permissions)

—- you can use this command to find out

get-offlineaddressbook | fl > c:\OAB_Version.txt


10. Ensure that the OAB has populated with an XML file you can find this in :\Program Files\Microsoft\Exchange Server\Client Access\OAB\GUID_here\oab.XML.

If you have not got an XML file the OAB has not populated revist your event viewer.


11. Now in IIS you should have an OAB virtual directory if you do not you must create this use the below

New-OABVirtualDirectory -DomainController <Fqdn> -ExternalUrl <Url> -InternalUrl <Url> -Path <String> -PollInterval <Int32> -RequireSSL <$true | $false> -Server <ServerIdParameter> -WebSiteName <String>

more info here:

If you do already have the virtual directory Change that virtual directory to an application.

That’s it, everything should work now!

this took me 2 days to work out and all it really was, was that darn virtual directory set by MS as default.

I hope I save someone the pain and frustration I went through with solving this.

13 Responses to “Exchange 2007 Offline Address Book (OAB) keeps asking for authentication”

  • Sudhir Malik Says:

    I do not have OAB virtual directory on my exchmb server, but it is on Exchange Client access server. Shell I crete the one.

  • Brad Marsh Says:

    Its is a single server setup (front and back end)?
    If so then yes recreate the Virtual Dir.

  • Raymon Jankoff Says:

    The easiest way to drive visitor is to acquire a high quality backlinks. It is just a matter of proper backlinking and your site will flood out visitors.This is a true asset if website traffic is concern. one way backlinks is a plus. Although backlinks have many types but I prefer backlinks with high quality. Although there are many ways to drive visitors, but my first choice is through backlinks because in this way you can easily build traffic to your site and the more traffic, the more money will come to your pocket.backlinks list

  • Ken Sheppard Says:

    Brad, your notes have been a big help to me. I was able to locate that the folders below Client Access\OAB do not allow SYSTEM full control on the subfolders. If I add it manually, I’m able to see the LZX files get copied over when I restart the File Distribution service. However, within a few minutes, the SYSTEM rights get cleared by some process. The Client Access\OAB folder does have the correct permissions, but the subfolders will not hold these settings.

    I’m running Exchange 2010 with Update4.

    Thanks for any suggestions that you may have.

  • Brad Marsh Says:

    Hi Ken,
    I am running Exchange 2007 unfortunately, however it sounds like you are running a DFS or alike on the server is this the case?

  • Ken Sheppard Says:

    I’m not running DFS on the Exchange 2010 server. It’s running Windows 2008 R2 and Exchange only. That’s it.

  • Dave Says:

    Thanks for the info, changing the folder in IIS to an application was the key I had been missing.

  • Kenia Getto Says:

    Greetings, this is a truly absorbing Internet weblog and I have cherished learning several from the content material and posts contained around the internet website, keep up the exceptional work and desire to study a great deal extra stimulating content articles within the long term.

  • Brad Marsh Says:

    Hi Kenia,

    Great to hear you got it working!!!!!
    I have’t had a good look at this script for a while, but I think there maybe be a way to do this, but it would require significate changes to the script… the things that I can see after a very quick look would be

    objShell.RegWrite RegKey , “AD_xxxxx”
    objShell.RegWrite RegKey07 , “AD_xxxxx”
    objShell.RegWrite RegKey10 , “AD_xxxxx”
    UserDataPath = ObjShell.ExpandEnvironmentStrings(“%appdata%”)
    FolderLocation = UserDataPath &”\Microsoft\AD_xxxxxxx\”
    HTMFileString = FolderLocation & “xxxxxxx.htm”

    Would more than likely have to change

    You would need to create a new HTML section and have this referenced to the above, and some components below… I would love to try and get this added as extra functionality… but time has been very tight for the last few months unfortunately, So in this instance I would say give it ago yourself, but if you come unstuck you may be better off just having 2 of these scripts, called by 1 batch file, but remove this section from the one that you DONT want the default profile to be set as:
    Call SetDefaultSignature(“xxxxx”,”")

    ‘ Use this version (and comment the other) to
    ‘ modify a named profile.
    ‘Call SetDefaultSignature _
    ‘ (“Signature Name”, “Profile Name”)

    Sub SetDefaultSignature(strSigName, strProfile)
    Const HKEY_CURRENT_USER = &H80000001
    strComputer = “.”

  • upload Says:

    Thanks for the article

  • Newton Zebell Says:

    Thank you for the benefit of sharing this insight!

  • JH Says:

    Thank you for posting this. This solved my problem with your very accurate information.

  • maizelight Says:


    [...]Exchange 2007 Offline Address Book (OAB) keeps asking for authentication | Brad Marsh’s Weblog[...]…

Leave a Reply