Do you see things a little differently?

Friday, April 15, 2011

Terminal Server with Outlook 2007 and other problems.

Recently I was tasked with implementing Office 2007 in our Terminal Server environment. We were running 2003 R2 for the OS, and the updated Office seemed fine at first. At some point we hit some threshold, or maybe a patch is to blame, but the servers started to lock up. This wasn't just a user session dumping; any person logged in to the server started to experience delays and errors, with the session eventually coming to a screeching halt. The fun part was that I couldn't even reboot the server and would eventually need to fall back to a hard power off. After working with our friends at Microsoft for a bit, it looked like the culprit may be something in Outlook. The problem is that we had a project going live that required Office 2007 and I was out of time to fix it. In desperation, I stood up some 2008 R2 servers with Office 2007 and gave them to my users to try out. Miracle of miracles, the servers didn't crash and everyone was able to work. Great! Now I can go back to other things, right?
Wrong.....
The next problem was with the integration between the CRM application and Outlook.  When they ran the application they would get the error "AppName solution cannot access Microsoft Outlook. Application was stopped".

Okay, I know it works for our desktop users, what is the difference?   Turns out that Office 2007 no longer ships with CDO included.  For this application to work, an add-on version of CDO was needed. This was a standard install for the desktop users, but they get apps from SCCM.  We don't get to use SCCM on the servers.
*Note: This error also occurs for the application when it is run in the 64-bit version of Internet Explorer.

A few minutes later, and CDO is installed. All should be good.

I ran the application, and Doh!, another message pops up.
"A program is trying to access e-mail addresses you have stored in Outlook.  Do you want to allow this?"
I am asked to allow the application to have access to my inbox. When I select the check box and pick a time, I am able to use the application, but the management team was not happy.  Users can do their jobs, but this prompt every time they use the application, or if they exceed the time while in the application, is unacceptable.  Back to the drawing board.

Now I'm a bit confused.  Desktop users don't get this prompt.  I'm told that nothing special was done to enable the application for the desktop users.  I used the exact same installation files that SCCM uses to install both Office and CDO for the desktop users. I did some digging and finally noticed a difference between the desktop and the server.  On the server, the Outlook Programmatic Access Security screen in the Trust Center looks like the following....
Notice the "Antivirus status". On the workstations, the text looked as follows.

It's the same installation... what's going on? After even more research, I discovered the reason. On non-server operating systems, there is a service called Windows Security Center (WSC). Outlook attempts to determine if the system is safe by asking the WSC if antivirus is up to date and patches have been applied. Normally I don't really care about this. We have antivirus on everything, and we apply all critical patches. This extra layer is a nice effort, but I don't really need it, and in this case it is inhibiting our ability to work.

Fine, I now know the cause, but what can I do about it? On the workstations, Outlook sees that everything is okay, and allows external applications to proceed. On the server, it cannot see if things are okay, so how do I get Outlook to allow the application to proceed?

For this I resorted to a Group Policy Object (GPO). I needed to get a special set of Office 2007 Template files to accomplish this. I extracted the outlk12.adm template, and attached it to a GPO I have applied to just my Terminal Servers. This gave me the option of automatically approving external programmatic access to Outlook via the following settings.

Update: I have confirmed that this behavior continues with Outlook 2010. The templates are available here 

*User Configuration/Policies/Administrative Templates/Microsoft Office Outlook 2007/Security/

Programmatic Access Security = Enabled

*User Configuration/Policies/Administrative Templates/Microsoft Office Outlook 2007/Security/Security Form Settings

Outlook Security Mode = Enabled

                This is not the default -> Outlook Security Policy: Use Outlook Security Group Policy

*User Configuration/Policies/Administrative Templates/Microsoft Office Outlook 2007/Security/Security Form Settings/Custom Form Security

Set control ItemProperty prompt = Enabled

                When accessing the ItemProperty in an Outlook custom form: Automatically Approve

Set Outlook object model Custom Actions execution prompt = Enabled

                When executing a custom action: Automatically Approve

*User Configuration/Policies/Administrative Templates/Microsoft Office Outlook 2007/Security/Security Form Settings/Programmatic Security

Configure Outlook object model prompt when accessing address information via UserProperties.Find = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when accessing an address book = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when accessing the Formula property of a User Property object = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when executing Save As = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when reading address information = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when responding to meeting and task requests = Enabled

                Guard behavior: Automatically Approve

Configure Outlook object model prompt when sending mail = Enabled

                Guard behavior: Automatically Approve


Once everything was in place, I tested one more time, and like magic the application was able to do its thing without the annoying pop-ups.  Why Microsoft doesn't provide WSC for Terminal Servers, or at least automatically have applications ignore this, I can't say.  At least now I can work around it.
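
To confirm that the GPO settings listed above actually reached a user session, the following added example (not part of the original post) reads the per-user policy key and lists how each Programmatic Security guard resolved. The registry path, value names and 0/1/2 meanings are assumptions based on Microsoft's Office 2007 policy documentation; check them against your copy of outlk12.adm.

```powershell
# Added example: audit how the Outlook 2007 object model guard policies
# resolved for the current user in a Terminal Server session.
# ASSUMPTION: key path and value names follow Microsoft's Office 2007
# policy documentation; verify against outlk12.adm before relying on them.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security'

# Policy value name -> the "Programmatic Security" setting named in the post
$Guards = @{
    'PromptOOMSend'                       = 'sending mail'
    'PromptOOMAddressBookAccess'          = 'accessing an address book'
    'PromptOOMAddressInformationAccess'   = 'reading address information'
    'PromptOOMMeetingTaskRequestResponse' = 'responding to meeting and task requests'
    'PromptOOMSaveAs'                     = 'executing Save As'
    'PromptOOMFormulaAccess'              = 'accessing the Formula property'
    'PromptOOMAddressUserPropertyFind'    = 'UserProperties.Find'
}
$Meaning = @{ 0 = 'Automatically Deny'; 1 = 'Prompt User'; 2 = 'Automatically Approve' }

function Get-OutlookGuardReport {
    param([string]$Path = $PolicyKey)

    if (-not (Test-Path $Path)) {
        Write-Warning "No policy key at $Path; the GPO has not applied to this user."
        return
    }
    $values = Get-ItemProperty -Path $Path

    # The post selects "Use Outlook Security Group Policy" (assumed to be value 3).
    # With any other mode the per-guard values are not the ones Outlook consults.
    if ($values.AdminSecurityMode -ne 3) {
        Write-Warning "AdminSecurityMode is '$($values.AdminSecurityMode)', expected 3."
    }

    foreach ($name in ($Guards.Keys | Sort-Object)) {
        $raw = $values.$name
        if ($raw -eq $null)                        { $state = 'Not configured (Outlook default)' }
        elseif ($Meaning.ContainsKey([int]$raw))   { $state = $Meaning[[int]$raw] }
        else                                       { $state = "Unknown value $raw" }
        # New-Object keeps this compatible with PowerShell 2.0 on Server 2008 R2
        New-Object PSObject -Property @{ Guard = $Guards[$name]; State = $state; ValueName = $name }
    }
}

Get-OutlookGuardReport | Format-Table Guard, State, ValueName -AutoSize
```

Run it inside a user session on the Terminal Server after a `gpupdate`. Every guard reported as Automatically Approve is open to any program running as that user, so the listing also shows which guards could be returned to Prompt User if the application turns out not to need them.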

Let me know if you find this helpful, or discover something I've missed.  Once I managed to get our application functioning, I stopped digging, so there may be other tidbits applicable to other people, and I'd love to add that information to this article.