Exchange 2013 CU4 (SP1) and Outlook for Mac 2011 Error 19721

Reading Time: 4 minutes

Recently I upgraded our hosted exchange 2013 CU1 servers to CU4 (aka SP1). I didn’t do an in-place upgrade but I chose rather to build an Exchange 2013 CU4 environment and then migrate all mailboxes.

The migration process went relative well, except for one peculiar problem:

Mac users with Outlook for Mac:2011 couldn’t send e-mails after the migration.

Symptoms

After the migration of all mailboxes to Exchange 2013 CU4 (aka SP1), I received complaints from Outlook for Mac:2011 users. The Macintosh users were complaining that their outlook client couldn’t send e-mails anymore. The symptoms they encountered:

  • Outlook for mac:2011 client is able to connect to the EWS service
  • Outlook for mac:2011 client is able to download new e-mails
  • Outlook for mac:2011 was the latest build.
  • Outlook for mac: 2011 client is not able to send e-mails to other users in the same organization or users outside the organization. The outlook client displayed the following error:

Outlook-for-mac-error

“The user account which was used to submit this request does not have the right to send mail on behalf of the specified sending account”

“Errorcode: -19721”

Upon reading this error, I used my google search skills and I didn’t find any relevant information about this error. I knew from this point on, that I will be troubleshooting this error for quite a time.

 

Troubleshooting

I spent about 40 hours troubleshooting this problem. I was going through various log files to hopefully find something. I didn’t find anything that could explain this sudden behaviour.

I opened a service call with Microsoft Support to help me with this issue. After sending some diagnostic logs, the support engineer at Microsoft, escalated my support ticket to Tier 3 Support of both Exchange and Office for mac. Both teams were looking into this problem.

After e-mailing back and forth, I decided to continue troubleshooting this problem in my spare time and I did share my findings with the support engineer.

Let me share my findings that I sent to the supporting engineer:

“Hello XXXXXXX,

I have some feedback that I want to share with you and Microsoft Support.

Yesterday we were doing more troubleshooting regarding this problem and we have found something quite interesting.

As you know, we have a hosted exchange environment. Tenants make use of our shared resources but they never see other tenants.

This means that each tenant has his own GAL, Address book, Address book policy etcetera.

This is what we encountered:

– User A from Company A is linked to his company’s address book policy. Result: User A can’t send an e-mail from his outlook client for mac. He receives error -19721

– A test user that we created from scratch doesn’t have an address book policy linked to it. Result: The test user can send an e-mail from his outlook client for mac

If we remove the address book policy from User A, he can send an e-mail from his outlook client for mac. The downside of this solution is that User A will see all the other GAL’s, Address books etc.

This is something that we don’t want in a hosted Exchange environment.

That’s why I’m sharing this behaviour with you. We think that the problem lies in servicepack 1 for Hosted Exchange 2013 and the way how Exchange copes with multiple GAL’s, Address books and Address book policies.

I hope that with this information, the escalation team can look more precisely into Address book policies and Outlook for Mac. We feel that the problem lies in this part of Exchange.

 

Solution

After waiting for two weeks to receive feedback from Microsoft Support, I decided to build a lab environment to test Exchange 2013 CU5. CU5 was released a week later, after I migrated all mailboxes to Exchange 2013 CU4 (aka SP1). In my line of work I can’t install the latest and greatest versions of software, because if something goes painfully wrong, a lot of tenants will be impacted.

In the lab environment, I was able to install Exchange 2013 CU5 and I was able to send e-mails using Outlook for Mac:2011. No problems whatsoever.

This got me thinking, what will happen if I build a second lab, but this time with Exchange 2013 CU4?

In my second lab, I had Exchange 2013 CU4 (aka SP1) running and I was able to reproduce the symptoms that I described above. I was not able to send e-mails using Outlook for Mac:2011. To put everything into a perspective, let me share this with you:

  • Exchange 2013 CU5 + Outlook for mac:2011 (latest build) = No problems
  • Exchange 2013 CU4 (aka SP1) + Outlook for mac:2011 (latest build) = Error –19721, user is not able to send e-mails

With this information, I reached to the Microsoft Support Engineer with my findings. I was able to convince my IT manager to upgrade our Hosted Exchange 2013 CU4 servers to CU5, because the affected users were getting anxious.

After I received the approval of my manager for the installation of Exchange 2013 CU5, all problems disappeared. The affected users were able to send e-mails using their beloved Outlook for Mac:2011 client.

The Microsoft Support Engineer reached back to me with the following message:

“Hello,

Thank you for the update. We have found this to be a known issue in Exchange 2013 SP1, coded as such by the product team. We do not have an official information that CU5 addresses this issue, so if the issue does reoccur in the future may we suggest to reopen the case and we could perform an AD cleanup.”

 

Conclusion

If you have Macintosh users in your organization and you are running Exchange 2013 CU4 and you encounter the described problem, please install CU5 for Exchange 2013.

The EWS code in Exchange 2013 CU4 contains a bug that causes e-mail problems with Outlook for mac:2011.

The EWS code in Exchange 2013 CU5 fixes this issue, albeit not officially confirmed by Microsoft Support.