14 February 2013

Apple Mail + Exchange WebServices = Madness

I bought my first Mac last year, and I've been using the default Mail client ever since. Despite all its shortcomings, it's one of the very few clients supporting Exchange, and probably the only one I know of (apart from Outlook) that even supports the WebServices mode my employer uses. OSX even supports shared calendars!

However, there is one particularly annoying problem I keep encountering.

Exchange has an "auto-discovery" feature: you give Mail a single web address, the app connects to that URL and receives the addresses of all the servers involved. Say you are a responsible sysadmin and you run TWO Exchange servers for redundancy; when Mail does the auto-discovery dance, it gets told that there are indeed two servers. Mail will try the first one, prompt the user for their credentials, and if that succeeds, it will save the server address and credentials in its settings and use them. When the first server goes down, it will switch to the second one, and the user will live happily ever after.

Now, OSX has a system-wide keychain for password storage; basically, applications store all passwords (and other securable objects) in a central, protected place in encrypted form. In order to discern which password is used by which app, they are organized in different "items" with name, description, etc.

It appears that Mail writes each server/user/password combination to a separate item. So when it connects to server1, it creates an item saying "for server1, connect with username X and password Y"; when it connects to server2, even though it came from the same auto-discovered Exchange setup, it writes a new item saying "for server2, connect with username X and password Y". When you change your password in Preferences, Mail updates only the last-used item. This means that the next time you switch server, your authentication will fail at least once. It also appears that Calendar (or any other program using the accounts specified in System Preferences) will randomly pick one of the two.

If you also have the misfortune to install Outlook 2011 for Mac (which you might want to do because some niche Exchange features are not supported by Apple programs), that program will write yet another item.

The result: you have three items for one account -- and this doesn't even include other devices (phones, etc.)! Whenever your password changes, you have to make sure all of them are updated, or authentication will likely fail somewhere. Because these subsystems poll servers very frequently, and don't give up easily when refused access, there is a very high chance that a password change will result in your apps triggering a lock-out by constantly retrying with the old password. This is what regularly happens to me! Note that simply changing your password in Preferences might not be enough, because Mail will update only one of the two items.

Workaround: turn off *all* your clients (quit Mail, Calendar, Outlook, shut down your iPhone, etc.), change the password on Exchange, then open Keychain Access (/Applications/Utilities/Keychain Access.app), select Passwords, search for your username and update all the relevant items, then reboot for good measure. Now all apps will use the correct credentials and will not lock you out.
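Before changing the password, it helps to know exactly how many keychain items reference the account, so none is missed and no client keeps retrying a stale credential. The script below is an added example (not from the original post or from Apple's tooling) that parses the attribute listing produced by `security dump-keychain` (without `-d`, so no secrets are printed) and lists every password item whose `acct` attribute matches a given account, together with the server (`srvr`) or service (`svce`) it belongs to. The embedded dump is constructed for this example and approximates the real output format; the account names and server names are placeholders.

```shell
#!/bin/sh
# Audit keychain items that reference one account, so that all of them
# can be updated after a password change.
# Input format: the attribute listing printed by `security dump-keychain`
# (no -d flag, so password data is never read or shown).

# Constructed sample dump for this example: two Exchange ("inet") items
# created by Mail, one generic ("genp") item created by Outlook, and one
# unrelated IMAP item for a different account.
SAMPLE_DUMP='keychain: "/Users/me/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="exchange1.example.com (user@example.com)"
    "acct"<blob>="user@example.com"
    "srvr"<blob>="exchange1.example.com"
    "ptcl"<uint32>="htps"
keychain: "/Users/me/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="exchange2.example.com (user@example.com)"
    "acct"<blob>="user@example.com"
    "srvr"<blob>="exchange2.example.com"
    "ptcl"<uint32>="htps"
keychain: "/Users/me/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Microsoft Office Identities Settings"
    "acct"<blob>="user@example.com"
    "svce"<blob>="Microsoft Office Identities Settings"
keychain: "/Users/me/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="imap.example.net (other@example.com)"
    "acct"<blob>="other@example.com"
    "srvr"<blob>="imap.example.net"
    "ptcl"<uint32>="imap"'

# list_items ACCOUNT  (reads a dump on stdin)
# Prints one line per item whose "acct" equals ACCOUNT: class<TAB>server-or-service.
list_items() {
  awk -v want="$1" '
    # Each item starts with a "class:" line; flush the previous item first.
    /^class:/            { flush(); cls = $2; gsub(/"/, "", cls) }
    /"acct"<blob>=/      { acct  = val($0) }
    /"srvr"<blob>=/      { where = val($0) }   # internet password: server name
    /"svce"<blob>=/      { where = val($0) }   # generic password: service name
    END                  { flush() }
    # Strip everything up to the first "=" and the surrounding quotes.
    function val(line,  s) { s = line; sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
    function flush() {
      if (cls != "" && acct == want) print cls "\t" where
      cls = ""; acct = ""; where = ""
    }
  '
}

# Convenience wrappers over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | list_items "$1"; }
count_sample() { audit_sample "$1" | wc -l | tr -d ' '; }

# Real use on a Mac (not run here): pipe the live dump through list_items.
#   security dump-keychain | list_items "user@example.com"
audit_sample "user@example.com"
```

Every line printed is one item that must be updated in Keychain Access; on the sample above the account `user@example.com` yields three items (two Mail server entries and one Outlook entry), which is exactly the situation the post describes.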