Outlook 2011 + 10.6.8 + SecurityUpdate 2011-006 = Spinning Beach Ball of Death

ericbenfer
Contributor III

We are experiencing a plague of the dreaded Spinning Beach Ball of Death in Outlook 2011.
We have about 600 10.6.8 Macs running Outlook 2011. They all use AD logins.

The Outlook SBBoD started for us back in October with the Apple Security Update 2011-006 (Snow Leopard).
One thing that does seem to help is to reinstall the Apple 10.6.8 combo updater. This effectively backs you out of the Security Update 2011-006. But of course you are missing the added security at that point.

10.7.2 does not have this issue.

Is anyone else experiencing problems with Outlook since 2011-006?

Our servers are running Exchange 2007 SP3 RU5.
Outlook 2011 is 14.1.3 and 14.1.4

--

Eric Benfer
ITSD – Macintosh Services Manager
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd
Laurel, MD 20723
eric.benfer@jhuapl.edu
443-778-4248 MD • 240-228-4248 DC
443-463-1664 Mobile

1 ACCEPTED SOLUTION

ericbenfer
Contributor III

I finally got to the root of the problem, with lots of help from lots of people.

/Users/~/Library/Preferences/com.apple.security.revocation.plist.
Turns out this managed pref does not "undo" itself when you turn off the MCX settings. Tricky little guy.
This is what we where managing.
CRLStyle - BestAttempt
CRLSufficientPerCert - true
OCSPStyle - BestAttempt
OCSPSufficientPerCert - true
RevocationFirst - CRL

We started managing this plist over a year ago. This was to try to get Macs to not use cached/expired certificates in Outlook. We have since instituted a Casper login policy that empties the Outlook certificate cache of our internally issued email certificate. As certs are needed Outlook pulls them down from the LDAP server. So the com.apple.security.revocation.plist settings we manage are not really needed anymore.

To fix it all we have to do is delete the plist, and reboot.
/Users/your521/Library/Preferences/com.apple.security.revocation.plist.
Automating this should be simple with a Casper policy.

The Managed prefs settings where working fine with 10.6.8 until Apple released Security Update 2011-006 in mid October.
http://support.apple.com/kb/HT5002 We believe this changed something about the way the ocspd interacts with our Outlook Security settings.

View solution in original post

14 REPLIES 14

talkingmoose
Moderator
Moderator

I'd be curious to hear what happens if you create a new Mac OS X user account and then connect Outlook 2011 to Exchange. Does the problem persist after that?

Any unique setups like PHDs in the mix? Are users pointing to internal or external (OWA) server addresses? Is autodiscover working in your environment? If not have you disabled it in Outlook?

Are you able to test on a vanilla 10.6.8 system (with updates applied) running Outlook 14.1.4—no other apps installed—with no managed preferences or settings other than the basics needed for your network?

donmontalvo
Esteemed Contributor III

We saw some performance issues when Apple Security Update 2011-006 was released. The release notes show several ATS related "fixes". We found by validating all the fonts (using Apple Font Book) and purging any that were not GREEN resolved some of the issues.

--
https://donmontalvo.com

ericbenfer
Contributor III

Will,

The Outlook problem persists with new AD and/or local accounts. At one point we thought recreating the Outlook Identity was going to be the answer, but the SBBoD returned after a few days for all the users we tested.

All the user home directories are on the boot drive in /Users. We are pointing to out internet EWS Exchange servers, and we are using autodiscover (and your AppleScripts) successfully for the setups.

I have tested a Vanilla 10.6.8 with SecurityUpdate 2011-006 and all other Apple updates. It does NOT get the SBBoD.
So now I am digging into all the parts of our OS X build.
This process just takes time, between doing the custom build and then using Outlook for an hour to gauge if the SBBoD is bad.

BTW - There is a very useful tool for detecting and logging the the spinning ball.
Install the Apple Developer tools and use check out Spin Control.app
/Developer/Applications/Performance Tools/Spin Control.app

Don,

I did look into ATS. We do certainly have duplicate fonts. I cleaned up my font collection, and emptied the cache via atsutil. However, SBBoD continues to haunt me.

In the end I know there is something in my build. As soon as I narrow it down I will post it.

bentoms
Release Candidate Programs Tester

Is it 10.6.8 1v1??

ericbenfer
Contributor III

yes, 10.6.8 v1.1

ericbenfer
Contributor III

I feel like I have been chasing my tail for the past four days.
Just when I think I have it narrowed down to some part of our build, the SBBoD returns to mock me.

At this point I am using a very minimal install.
Base OS X 10.6.8 image and all software updates. This DMG is created with instadmg.
Microsoft Office 2011 14.1.4 - dmg created with Composer
A local admin user account for Casper
A local account to test Outlook and SBBoD.

I am testing two versions of this. One built with Casper and the other built by hand using Disk Utility/ASR.
I am using two identical 13" MacBook Pros. 2.4 i7
The hand built Mac does not get the SBBoD in Outlook.
The Casper built Mac does get the SBBoD in Outlook.
If I add the Casper client to the hand built one, it starts to get the SBBoD.

So in my mind, that narrows it down to the Casper Client, a Casper Policy, a Casper Managed Pref, or something else the Casper client is doing.

Also, this ONLY happens if Security Update 2011-006 is installed.

talkingmoose
Moderator
Moderator

Rather than using Composer to create an Office 2011 .dmg have you tried putting the installer and updates directly into Casper Admin so that they are installed rather than the component files copied? Only takes three files for a fully patched install:

  1. Office Installer.mpkg (14.0.0)
  2. Office Update 14.1.0 (SP1)
  3. Office Update 14.1.4

ericbenfer
Contributor III

Yes I have used the Office pkgs. I tested this on both sides, with and without the Casper client.
With the Casper client and using Office pkgs - I get the SBBoD.
Without the Casper client and using Office pkgs - No SBBoD.

talkingmoose
Moderator
Moderator

Ah, so I was reading you right in the first place. Got a files list from Composer? Should look somewhat like this list:

http://www.officeformachelp.com/office/install/installed-files-list-for-office-2011/

ericbenfer
Contributor III

All signs are pointing to Managed Preferences (MCX).
I have not narrowed it down the the exact MCX setting yet.

Here is my recipe for the SBBoD
Mac OS X 10.6.8
Security Update 2011-006
Outlook 2011
Apple Managed Preferences (MCX)

Anyone else have that combo?

If I build a Mac using Casper and with MCX, I get SBBoD.
If I build the same Mac using Casper and without MCX, no SBBoD.

talkingmoose
Moderator
Moderator

On my system here I meet that combination including using MCX to manage Office 2011 settings.

I have MCX settings for:

  • com.microsoft.autoupdate2
  • com.microsoft.error_reporting
  • com.microsoft.Excel
  • com.microsoft.office
  • com.microsoft.Outlook
  • com.microsoft.Powerpoint
  • com.microsoft.Word

Assuming the problem is with either com.microsoft.office or com.microsoft.Outlook then I have these settings:

com.microsoft.office

Name Apply To Key Name Type Value
Display Word Startup Gallery User Level At Every Login 14File New StateFNMSWD integer 0
Display PowerPoint Gallery User Level At Every Login 14File New StateFNPPT3 integer 0
Display Excel Startup Gallery User Level At Every Login 14File New StateFNXCEL integer 0
Office 2011 Setup Complete User Level Enforced 14FirstRunSetupComplete integer 1
Office 2011 User Name User Level Enforced 14UserInfoUserName string Company Name
Office 2011 Organization Name User Level Enforced 14UserInfoUserOrganization string Company Name

com.microsoft.office.Outlook
Name Apply To Key Name Type Value
Hide Outlook Welcome window User Level At Every Login FirstRunExperienceCompleted boolean true

No spinning here. Do you see anything in your setup that's very different?

ericbenfer
Contributor III

I finally got to the root of the problem, with lots of help from lots of people.

/Users/~/Library/Preferences/com.apple.security.revocation.plist.
Turns out this managed pref does not "undo" itself when you turn off the MCX settings. Tricky little guy.
This is what we where managing.
CRLStyle - BestAttempt
CRLSufficientPerCert - true
OCSPStyle - BestAttempt
OCSPSufficientPerCert - true
RevocationFirst - CRL

We started managing this plist over a year ago. This was to try to get Macs to not use cached/expired certificates in Outlook. We have since instituted a Casper login policy that empties the Outlook certificate cache of our internally issued email certificate. As certs are needed Outlook pulls them down from the LDAP server. So the com.apple.security.revocation.plist settings we manage are not really needed anymore.

To fix it all we have to do is delete the plist, and reboot.
/Users/your521/Library/Preferences/com.apple.security.revocation.plist.
Automating this should be simple with a Casper policy.

The Managed prefs settings where working fine with 10.6.8 until Apple released Security Update 2011-006 in mid October.
http://support.apple.com/kb/HT5002 We believe this changed something about the way the ocspd interacts with our Outlook Security settings.

ericbenfer
Contributor III

The specific setting is in the Keychain Access.app preferences.
In the Certificates tab, we had it set like this.
Online Certificate Status Protocol (OCSP): Best Attempt
Certificate Revocation List (CRL): Best Attempt
Priority: CRL

Having Priority set to CRL was the cause of the SBBoD for us. If we set it to OCSP we do not get the SBBoD. This is the default setting by the way.

bentoms
Release Candidate Programs Tester

Eric. Thanks for posting the solution.

I didn't contribute as didn't have the issue, but it's nice when someone takes the time to post a detailed explanation of the resolution.