Exchange 2007- Mapi session exceeded the maximum of 32 objects of type "session"

Two days back i faced a strange issue from one of the user that he is not able to open his outlook. Although he can open his OWA but whenever he open his outlook he is getting following error

“Unable to open your default e-mail folders. You must connect to your Microsoft Exchange Server computer with the current profile before you can synchronize your folders with the offline folder file”

After further investigation i found that there is an event logged in the application events of the mailbox server for the same user

Event Type:      Error
Event Source:      MSExchangeIS
Event Category:      General
Event ID:      9646
Date:            XXXXX
Time:           XXXXX
User:            N/A
Computer:      XXXXX
Description:
Mapi session "/o=firstorganisation=XXXX/cn=Recipients/cn=username" exceeded the maximum of 32 objects of type "session".

After researching i found following KB on the same issue

http://support.microsoft.com/kb/842022

As per this KB this issue may occur if the following conditions are true:

• You have installed Microsoft Exchange Server 2003 Service Pack 1 (SP1) on the Exchange Server computer.
• A program that is running on a client computer opens many MAPI sessions to the Exchange Server computer. The number of MAPI sessions is larger than the permitted limit.
• You are using Microsoft Office Outlook 2007, and you add a large additional mailbox to your profile. For example, this issue may occur if the additional mailbox contains more than one thousand folders.

I am unable to found any of the above condition in my case. Also fixes mentioned in this article is not relevant to my case except the last registry change which i don’t want to apply for one user.

Then i decided to view the connections on the mailbox server. I downloaded TCP view utility from sysinternals (one of the best sites for troubleshooting tools). After running TCP view i have seen lots of connections coming to mailbox server but the user name which i was searching was not visible in the list of connections, then i ran following command on exchange management shell for finding out the source IP of the user having problem

Get-logonstatistics username | FT ClientIPAddress

After viewing the IP Address i searched the IP address in the TCP View and was able to found lots of connections coming from the same IP, i killed these sessions by using Kill option in TCP view and then again tried to open the outlook and the issue gone !!!!  I have also informed the user to have a look on his PC for checking if there is any third party software or any other MAPI program which is causing this issue for having a permanent fix for this.

Importing Certificates to Exchange 2007 servers

In my previous blogs (http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/ and http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/) i have discussed how we can generate CSR for different exchange roles. Here i will discuss how we can import certificates to different exchange roles. Following is the command for importing certificates;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>”

After running this command successfully you should be seeing the thumbprint of the new certificate. Copy the full thumbprint value because you will required this in the next commands.

Now you have to enable your certificate for specific services for example for SMTP and Web services.

For enabling CAS server certificates run this command:

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "IIS”

 

For enabling Edge server certificates run this command

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "SMTP”

After running above command run Get-exchangecertificate again for verifying if services are enabled or not.

You can also combine the above 2 commands like this;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>” | enable-exchangecertificate -services "IIS”

Following are the possible values for services parameter;

• IMAP
• POP
• UM
• IIS
• SMTP
• None

Do not import exchange certificate by normal certificate importing methods (import from certificate MMC Snap in) otherwise certificate will not going to work. Also make sure you have Trusted root CA and Intermediate CA certificates installed in their relevant stores otherwise certificate will have issues.

In case you want to import or apply the same certificate to another Edge or CAS server then you need to perform following addition steps;

1. Open Certificate MMC Snap in on the server for local computer.

2. Go to personal container and locate the certificate which you had just imported.

3. Export this certificate with private key.

5. Copy this certificate on the server where you want to configure this certificate.

6. Run following command on the second server which you want to configure from the same certificate;

Import-ExchangeCertificate -Path c:\path\<certificate file>.pfx –Password:(Get-Credential).password

The Get-Credential cmdlet in the above command pops up a standard username\password dialog box. This is little bit confusing because we don’t need a username to get to the keys, just put whatever you want for the username, but put the password that you used when you ran the Export certificate wizard the Certificate Manager snap-in in MMC.

7. Run command Get-ExchangeCertificate to get the thumbprint of this certificate.

8. Run command EnableCertificate –thumbprint <copy the thumbprint> -services “IIS”

9. After running above command run Get-exchangecertificate again for verifying if services are enabled or not.