Causes of MapiExceptionNotAuthorized Error Sending to Public Folders

In some scenarios a mailbox user sending emails to a mail-enabled Public Folder may receive an undeliverable message in reply.

The message contains the following error details:

#550 5.2.0 STOREDRV.Deliver: The Microsoft Exchange Information Store service
reported an error.  The following information should help identify the cause
of this error: "MapiExceptionNotAuthorized:16.18969:57080000..."

This error can occur under a variety of configurations relating to Public Folder client permissions.

External Senders

External senders will receive the error if the Public Folder does not permit “Anonymous” to create new items.

[PS] C:\>Get-PublicFolderClientPermission \pftest

Identity                   User                       AccessRights
--------                   ----                       ------------
\pftest                    Default                    {FolderVisible}
\pftest                    mycompany.local/Users/A... {Owner}
\pftest                    Anonymous                  {None}

To grant this access run the following command in the Exchange Management Shell.

[PS] C:\>Add-PublicFolderClientPermission \pftest -User Anonymous -AccessRights CreateItems

Identity                   User                       AccessRights
--------                   ----                       ------------
\pftest                    Anonymous                  {CreateItems}

Internal Senders

Internal senders are able to be authenticated by the Exchange server, and so are not treated as Anonymous. For internal senders the user must have at least Create Items permissions on the Public Folder. For general use Public Folders this can be granted as the “Default” permission.

To grant this access run the following command in the Exchange Management Shell.

[PS] C:\>Add-PublicFolderClientPermission \pftest -user Default -AccessRights CreateItems

Identity                   User                       AccessRights
--------                   ----                       ------------
\pftest                    Default                    {Contributor}

Internal Senders Alternate Scenario

Because internal senders are being authenticated by the Exchange server their group membership is taken into consideration. When the Exchange server receives a new item from an internal sender it takes the following basic steps:

1. Maps the sender address to a user account object (this occurs even if the email was not sent by the user themselves, eg was sent via Telnet)
2. Enumerates the user’s group membership
3. Assesses the group membership against the ACLs on the Public Folder
4. Permits or denies the mail item depending on the ACL

Because of this process the Exchange server must have Read access to the groups that the sender is a member of, including direct membership and indirect membership (eg by nested groups).

If the Exchange server cannot read a group object it will deny the mail item and the user will receive the undeliverable message with “MapiExceptionNotAuthorized”.  The reason for this is that it is designed to fail in a secure way (ie, “I can’t verify your access therefore I will deny you”), rather than an insecure way (ie “I can’t verify your access therefore I will permit you”).

With that in mind you would need to investigate all of the direct and indirect group membership for the user and try to locate a group object that does not have the Exchange Servers group with Read access in its ACL.  Most commonly this will occur when the group is in a Domain in the Forest that has not been prepped for Exchange, or is in an OU where permissions inheritance has been disabled.

Correcting the ACL on the group objects should resolve the undeliverable “MapiExceptionNotAuthorized” error in those cases.