Outlook Synchronization and some core features of Terminal Server

At the moment we see an incoming volume of support cases regarding Outlook Synchronization and core features of Terminal Server. That would be a good subject for a new blog. Partners would like to set up roaming profiles, mandatory profiles and maybe even Network Load Balancing so that the end user does not know which Terminal Server they are logging on to. Let me shed some light on the difficulties we have encountered while analyzing whether this scenario can be set up without too much trouble.

The Outlook Add-In settings are stored in the following folder:

Windows Vista: %userprofile%\AppData\Local\Microsoft Dynamics NAV\OutlookSynch
Windows 7: %userprofile%\AppData\Local\Microsoft Dynamics NAV\OutlookSynch
Windows 2003: %userprofile%\Local Settings\Application Data\Microsoft Dynamics NAV\OutlookSynch
Windows 2008: %userprofile%\AppData\Local\Microsoft Dynamics NAV\OutlookSynch

As the folder path suggests, the settings files are stored in the local part of the user profile. By default, the operating system does not roam this part of the user profile. To work around this issue, you could use a Group Policy in which you configure the ExcludeProfileDirs registry key, or you could configure a logon script that explicitly sets this registry key on the client PC or within the RDP session. The local settings part of the user profile will then roam along with the user profile to the network server where all the roaming user profiles are stored.

More information about this key and the corresponding Group Policy can be found here:

Many Terminal Server administrators also want to configure a specific Group Policy Object called “Delete cached copies of roaming profiles”. More information can be found here:

This policy may be used in combination with a Terminal Server farm where the user is load balanced across the several available Terminal Servers.

However, in Dynamics NAV 5.0 SP1 and later releases of Dynamics, the files that are stored in the OutlookSynch folder are encrypted with an encryption key that is stored in the user profile as well.

Windows Vista: %userprofile%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
Windows 7: %userprofile%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%
Windows 2003: %userprofile%\Application Data\Microsoft\Crypto\RSA\%SID%
Windows 2008: %userprofile%\AppData\Roaming\Microsoft\Crypto\RSA\%SID%

The files can be viewed with Notepad and should contain the text value XML_ENC_OL_KEY.

If there are problems with this key, then the following error message may show up:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Security.Cryptography.CryptographicException: Bad Data.

   at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.Utils._DecryptKey(SafeKeyHandle hPubKey, Byte[] key, Int32 dwFlags)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbIn)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptKey(Byte[] keyData, RSA rsa, Boolean useOAEP)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.DataSetEncryption.Decrypt(String encryptedDataSet)
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.PersistentStorage.<LoadSynchronizationEntityFilterDS>b__2(DataSet newSet, FileStream reader)
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.PersistentStorage.LoadDS(DataSet newSet, String setName, ReadDelegate specialRead)
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.PersistentStorage.LoadSynchronizationEntityFilterDS()
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.SettingsForm.LoadFolderControls()
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.SettingsForm.LoadSettings()
   at Microsoft.Dynamics.NAV.OLSync.NAVSyncAddIn.SettingsForm.SettingsForm_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)
   at System.Windows.Forms.Form.OnCreateControl()
   at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
   at System.Windows.Forms.Control.CreateControl()
   at System.Windows.Forms.Control.WmShowWindow(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
   at System.Windows.Forms.ContainerControl.WndProc(Message& m)
   at System.Windows.Forms.Form.WmShowWindow(Message& m)
   at System.Windows.Forms.Form.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

From development:
If you experience it works on one machine but not on the other, please check this setting on both machines; it might be as simple as the key not being copied. Only one file should exist with the above text value and it should be exactly the same file. If you find a difference I suggest you log the user off from all the machines, delete the Outlook integration settings + machine key and recreate it by setting up the synchronization again. If you’re working on a “large sync data” user you can try copying the key from a working machine to the non-working machine or moving keys out of the folder so there’s only one.

Currently it’s not possible to disable encryption.
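
One way to run the check described above on each Terminal Server, as an added example that is not part of the original post or of Dynamics NAV: the PowerShell function below lists the files in the current user's RSA key folder that contain the XML_ENC_OL_KEY text and prints a SHA-256 of each, so the output can be compared between machines. The function name Get-OutlookSynchKeyFile is hypothetical, and the script assumes the marker is stored as ASCII text.

```powershell
# Added example: audit the per-user RSA key folder for the Outlook
# Synchronization key (marker text XML_ENC_OL_KEY, as named in the post).
# Read-only: it lists and hashes files; it never modifies or deletes them.

function Get-OutlookSynchKeyFile {
    param(
        # Defaults to the current user's key folder. %APPDATA% resolves to
        # "Application Data" on Windows 2003 and "AppData\Roaming" on later versions.
        [string]$KeyFolder = (Join-Path $env:APPDATA ("Microsoft\Crypto\RSA\" +
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)),
        [string]$Marker = 'XML_ENC_OL_KEY'
    )

    if (-not (Test-Path -LiteralPath $KeyFolder)) {
        Write-Warning "Key folder not found: $KeyFolder"
        return
    }

    $sha = [System.Security.Cryptography.SHA256]::Create()
    # -Force: key container files usually carry the System attribute.
    foreach ($file in Get-ChildItem -LiteralPath $KeyFolder -Force) {
        if ($file.PSIsContainer) { continue }
        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        # Assumption: the marker is plain ASCII, since it is readable in Notepad.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text.Contains($Marker)) {
            New-Object PSObject -Property @{
                Computer = $env:COMPUTERNAME
                File     = $file.Name
                Modified = $file.LastWriteTime
                SHA256   = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
            }
        }
    }
}

$found = @(Get-OutlookSynchKeyFile)
$found | Format-List Computer, File, Modified, SHA256
switch ($found.Count) {
    0       { Write-Warning 'No key file with the marker was found in this profile.' }
    1       { Write-Host 'One key file found. Compare File and SHA256 with the other Terminal Servers.' }
    default { Write-Warning "$($found.Count) key files carry the marker; only one should exist." }
}
```

Run it in the affected user's session on each server; a different file name or hash on one server, or more than one match, corresponds to the mismatch described above.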

From CSS perspective:
Since it is not possible to disable encryption at this moment, we now suggest moving the Outlook Synch users to a specific Organizational Unit where you exclude them from having roaming profiles / mandatory profiles, etc. The user profile should be stored locally. There is too much work to do to correct a failure in the encryption of the files that are stored in the \OutlookSynch folder.


Marco Mels

This posting is provided “AS IS” with no warranties, and confers no rights
