After the power outage at the office here this weekend, the nine Blackberry phones suddenly stopped being able to send e-mails. It turns out that we’d installed an Exchange security service pack which contained some anti-spoofing measures. Chief among these countermeasures is a removal of the “Send As” privilege. This means that one account can’t send an e-mail as if it came from another account.
Of course, this is precisely how the Blackberry works. You create a “service account” or domain user in AD and give it Send As permissions for your Blackberry users. Then several Blackberry services manage all the internet connections and mapping between user mailboxes. Now that the Send As privilege has been systematically removed, you can’t send from the Blackberry (you get an “unspecified message error”).
So I call support yesterday. Sit on hold for 30 minutes. As soon as someone picks up, the little icon I was looking at went from an X to a green light. I thought that was an indication of success so I hung up. It wasn’t. My coworker then spends 2 hours on hold waiting for a tech to pick up later that evening. No luck so he just hangs up and goes home at 8:30. This morning I call in and after 30 minutes I get a tech who tells me about the problem with the Send As rights removal.
Blackberry KB article 04707
Microsoft KB articles 912918 and 907434
This collection of articles basically says that you have to give your Blackberry service account the Send As privilege again and THEN you have to give that user the security access to act on behalf of each user. For only nine users, this isn’t a big effort. Unfortunately, it says that none of the accounts can be members of any “protected” groups like Admins or Backup Operators.
Of course the first guy I talk to today didn’t tell me that tidbit. So I have to call back a second time today. 45 minutes on hold later this tech tells me about the security groups. So I take one of my users and strip him out of every AD group except Domain Users. I stop the Blackberry router service for 20 minutes. I restart the service. I wait 10 minutes. I still CANNOT send e-mail from this person’s Blackberry.
I call Blackberry back. 50 minutes on hold later and I get a guy who basically throws up his hands and tells me to call Microsoft. According to the latest technician the server and AD are set up correctly and “something in Microsoft is not letting the changes happen.”
Whatever. I’ll post an update if I do get this working. Major PITA today.
Oh yeah - the reason for the extremely long hold times? Apparently EVERYONE is calling Blackberry about this same issue. Do you see this on their homepage - a major service interruption due to a MS patch? Nope!