CloudPortal Services Manager
CloudPortal Services Manager 10
Error: "Cannot Open mailbox..." when Provision Hosted Exchange for a User.

Symptoms or Error

When provisioning the Hosted Exchange Service to a user, CloudPortal Service Manager (CPSM) cannot open a mailbox and generates an error message.

 “Error: Server was unable to process request. ---> Unable to run the "$Identity = 'test.user01@tctest.local:\Calendar'; $GrantedTo = &# 39;Default'; $AccessRight = 'None'; if (Get-Command "Get- MailboxFolderPermission" -errorAction SilentlyContinue) { Set-Mailbox FolderPermission -Identity $Identity -User $GrantedTo -AccessRights $Access Right -DomainController ‘DC01.TEST.local'; }" PowerShell s cript. ---> The script returned 1 errors. Cannot open mailbox /o=test/o u=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Serve rs/cn=EX01/cn=Microsoft System Attendant. at System.Web.Services.Prot ocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebRes ponse response, Stream responseStream, Boolean asyncCall) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object [] parameters) at EMS.Cortex.Service.HE.HEWebService.HostedExchange.Mai lboxFolderPermissionUpdate(String Identity, String GrantedTo, String Access Right, String DCServer) at EMS.Cortex.Provisioning.Actions.Exchange.MailboxFolderPermissionUpdate.OnDo(Hashtable Properties) at EMS.Cortex.Provisioning.Actions.Base.ActionBase.Do(Hashtable Properties) Failed to ('$HEUserMailboxCalendarPermissionsSet')”


Complete the following steps to resolve the issue:

  1. Disable the rules in Provisioning Manager. For more information, click here.

  2. Create a scheduled task that runs every 15 to 30 minutes. For more information, click here. The scheduled task will lock down the calendar settings and grant new calendar permissions.

    During the time it takes for the scheduled task to run, the calendar will be exposed. Because it is a new user, there will be no entries.

Disable the two rules in the Provisioning Manager

To disable the rules, complete the following steps:

  1. Connect to the CPSM Provisioning Server.

  2. Go to C:\Program Files (x86)\Citrix\Cortex\Provisioning Engine and open the ProvisioningManager.exe.

  3. Expand Rule Stores > Default Rule Store > Events > User Service > HE > Provision.

  4. Locate the section “If Exchange 2010+ Then” – (located at the bottom of the HE rules).?? ??

  5. Disable the following rules:
    Disable system wide calendar sharing access
    Grant MailObjects AvailabilityOnly Calendar Access

  6. Go to the File menu and click Save.

  7. Stop the Cortex Queue Monitor service.??

  8. Wait until the Cortex Queue Monitor process has stopped.

  9. Start the Cortex Queue Monitor Service another time.??

Create the Scheduled Task

Complete the following steps on the Exchange Server to create the scheduled task:

  1. Save the following script into a new file SyncCalendarPermission.ps1.

     #---------------------------------------------------------------------------------- # 1. Lock-down the calendar settings for Exchange 2010 Mailboxes. # 2. Set calendar permissions for a mailbox # # The MailboxFolderPermissions can take 3 to 5 minutes to become active so we # want to sync the mailboxes instead of adding provisioning delays. # # Refer to the MS Compliance document: #   "The default permission on a mailbox calendar allows Free/Busy availability #    to be shown to anyone on the same system who requests it." #---------------------------------------------------------------------------------- # ----- CONNECT TO EXCHANGE REMOTING ---------------------------------------------- . 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; # ----- CONFIG START -------------------------------------------------------------- $MailboxAgeInDays = -3; #The number of days old mailboxes to search for   # Permission to Lock-down $AccountToLock = "Default"; $AccessToLock = "None"; # Permission to Grant $AccountToGrant = "{CustomerShortName} MailObjects"; $AccessToGrant = "AvailabilityOnly"; # ----- CONFIG END ---------------------------------------------------------------- # Make sure the GetMailboxFolderPermission cmdlet is supported if (Get-Command "Get-MailboxFolderPermission" -errorAction SilentlyContinue) {    $FilterDate = (Get-date).addDays($MailboxAgeInDays);    #Only return Exchange 2010+ mailboxes    $Accounts = Get-Mailbox -filter "WhenMailboxCreated -gt '$FilterDate' " -ResultSize Unlimited | where { $_.ExchangeVersion.ExchangeBuild.Major -gt 13 } | Select PrimarySmtpAddress, DistinguishedName;    $GrantAccountPattern = $AccountToGrant.Replace("{CustomerShortName}", "*");      if ($Accounts) {       foreach ($Account in $Accounts) {          #Only apply changes if the permission is not correct.           $MBFolderIdentity = ($Account.PrimarySmtpAddress.ToString() + ":\Calendar");          Write-Host "Checking calendar permissions for:" $Account.PrimarySmtpAddress.ToString();                   #1. Lock-down permissions          $RemovePermission = Get-MailboxFolderPermission -Identity $MBFolderIdentity -ErrorAction silentlycontinue | where { $_.User.ToString() -eq $AccountToLock -and !($_.AccessRights.Count -eq 1 -and $_.AccessRights.Contains($AccessToLock)) };          if ($RemovePermission) {            Write-Host "Locking-down calendar permissions for:" $Account.PrimarySmtpAddress.ToString();             Set-MailboxFolderPermission -Identity $MBFolderIdentity -User $AccountToLock -AccessRights $AccessToLock;           }                      #2. Grant permissions          $AddPermission = Get-MailboxFolderPermission -Identity $MBFolderIdentity -ErrorAction silentlycontinue | where { $_.User.ToString() -like $GrantAccountPattern -and $_.AccessRights.Contains($AccessToGrant) };          if (!$AddPermission) {                #Find the customer's short name by looking for the "PROXY {CustomerShortName} USERS" group membership                $UserDE = [ADSI]("LDAP://" + $Account.DistinguishedName);                $ProxyUsers = $UserDE.Properties.Item("MemberOf") | where { $_.StartsWith("CN=Proxy ", "InvariantCultureIgnoreCase") -And $_.ToLower().Contains(" users,") };                $UserDE.Dispose();                               if ($ProxyUsers) {                      if ($ProxyUsers -is [Array]) { $ProxyUsers = $ProxyUsers[0]; };                      $CustomerShortName = $ProxyUsers.Split(" ")[1];                      $GroupAccount = $AccountToGrant.Replace("{CustomerShortName}", $CustomerShortName);                                        Write-Host "Adding calendar permissions for:" $Account.PrimarySmtpAddress.ToString() "to" $GroupAccount;                      Add-MailboxFolderPermission -Identity $MBFolderIdentity -User $GroupAccount -AccessRights $AccessToGrant -ErrorAction silentlycontinue;                }          }       }    } }  
  2. Copy the script to the server?? with Exchange Web Service.

  3. Create a new folder in the Exchange WS directory and add the SyncCalendarPermission.ps1 file. For example, C:\Program Files (x86)\Citrix\Cortex\Services\ExchangeWS\ CalendarJob\SyncCalendarPermission.ps1.

  4. Create a scheduled task with the following settings on the General tab:

    ?? User-added image

    • Name?? - Calendar Settings.

    • Select Run whether a user is logged on or not.

    • Select Run with the highest privileges.

    • Click Change User or Group and select the same user account that is running the Exchange WS.??

  5. In the Triggers tab, select the following settings:

    • Click New to create the new trigger.

    • Select Repeat task every “15 (or 30) minutes”?? and for a duration of Indefinitely.

    • Select?? Enabled.

      User-added image

  6. In the Actions tab, select the following settings:

    • Select New to create a new action.

    • In the Action: field, select ‘Start a program’ from the drop down list.??

    • In the Program/Script: field, type "powershell.exe" (Include the speech marks).

    • In the Add arguments: field, type -Command &{C:\Program Files (x86)\Citrix\Cortex\Services\ExchangeWS\CalendarJob\SyncCalendarPermission.ps1}.

    • Click OK to save the scheduled task. A prompt message is displayed to enter the password for the user account which is running the task.

      User-added image

  7. If the PowerShell has restrictions, run the following query for the ExchangeWS user:
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -scope currentuser(ExchangeWS user)

  8. If required, modify the SyncCalendarPermission.ps1 script to change the age of the mailboxes it looks to fix. By default, the value is set to 3 days in the script. You can also force the script to use a particular Exchange server,?? instead of?? automatically detecting a server.

Problem Cause

When provisioning a Hosted Exchange Service for a user, it can take up to five minutes for the user’s mailbox to be available to add permissions. During the process, the CPSM disables system wide calendar sharing permissions and adds additional calendar permissions. This delay of provisioning a Hosted Exchange Service for a user causes the error message.


The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.


Join the conversation

Citrix Discussions

Open a case

Citrix Support