OWA Internet Explorer cannot display the webpage

It sounds like this issue is costing the company more money than what it would cost for a UC cert.    Why not be done with the issues and get a proper cert?

Do you still get the error if you temporarily remove the requirement for SSL on the Exchange VDir?

EndureKona
I take your point, if i can prove it's the cert i will

LeeDerbyshire:

Will give it a go, thanks

LeeDerbyshire:

Yes it does work if i uncheck the SSL requirements in the exchange section of the Vdirectory.

Well, I think that points to a problem with the cert.  It's probably easier to go and buy one, but if you want to persevere with your own, I would suggest going through the creation process again, being extra careful.  My personal favourite method is SelfSSL, since it's a very simple process.

I did use SelfSSL, when i view the certificate it says its OK, i restarted the server and its now working, but will see how long for.
My thoughts are the cert will either work or not, not just give up a few days in.

Maybe something else is going wrong with IIS?  Next time you are unable to use OWA, see if you are also unable to access the Default Web Site using SSL.

its stopped again, had a look through event manager and this error W3SVC-WP does not appear whilst it was running but did appear when not, not sure if its relevent.
aim1.JPG

I don't know what ETW tracing is.  Maybe you turned it on to help diagnose the problem:
http://msdn.microsoft.com/en-us/library/ms751538.aspx?ppud=4

Did you try disabling SSL once the problem appears?  I know that I sort of already asked this once, but I didn't mention to only try it after you see the problem.

Yes, i disabled SSL and it works, re enabled it and it does not

Is anything else displayed, other than 'Cannot display the web page'?  If not, make sure that you IE 'Friendly HTTP Errors' are not enabled (they hide the most useful information).

No matter if its checked or not after clicking the continue on the security cert page i get Internet Explorer cannot display the webpage
if i click rthe more info tab, i get
This problem can be caused by a variety of issues, including:

•Internet connectivity has been lost.
•The website is temporarily unavailable.
•The Domain Name Server (DNS) is not reachable.
•The Domain Name Server (DNS) does not have a listing for the website's domain.
•There might be a typing error in the address.
•If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

Well, IE's own suggestions aren't usually very helpful, but lets try them.  The only way it could be a DNS issue is if OWA has changed the server name part of the URL by itself (not as impossible as, you'd think).  So, has the server name part of the URL changed to something other than what you originally typed in?

Also, try the last suggestion.  I've never heard of anyone disabling SSL in IE, but you never know - it might have happened accidentally.

i did try the suggestions IE made, server name had not changed and i have SSL enabled.
What does not make sense is when we make initial connection it must be finding the server because it shows the certificate error, its only when we click continue it bombs out.

Is the HTTP SSL service still running on the server?

HTTP SSL services are running, i even restarted them

Can you find the IIS log entries generated by the server when the request failed?

any idea what the log id called, seached for obviouse but cannot find aything, maybe not turned on

Should be one of the files in C:\Windows\System32\LogFiles\W3SVC1 .  There is one file for each day.

Found the logs, the only thing i can see different between not working and woring is the following line repeated time after time in the non working log but not in the working log
the reason=0 443 may be the issue but i have no idea what it means other than port 443

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-04-03 15:21:09 W3SVC1 192.168.0.101 GET /exchweb/bin/auth/owalogon.asp url=https://mydomain/exchange&reason=0 443 - 45.152.195.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+Tablet+PC+2.0) 200 0 0

That is the server sending the Forms-based Auth logon page to the client.  Are these entries in different log file directories?  They should all be in W3SVC1 .

They do not appear in the logs when ots working, but appear many times in the logs when not, currently it has been up with no problems.

There is no reason why the working entries should not be in the same log, unless the requests are going to a different site when they succeed.  Does the server have more than one web site on it?

no, there is no other website on this server, but there is our company intranet on another server on the domain.

Can you see requests for /Exchange in the IIS log for the intranet server?  It's possible that a name resolution issue is directing some of your OWA requests there.

dont think so but i will have another look

No i cannot see any requests for exchange in the logs or visa versa

Can you access the default web site on the server?  With and without https?

No not with https, but i can with http

We should already have checked this, but I can't find it mentioned anywhere...  In IIS Manager, look at the properties of the default web site.  Note the IP address selected, then click the Advanced button.

Is the IP address set to anything other than All Unassigned?
Is a Host Header name configured for the site?
Is SSL configured to listen on port 443?
Is there more than one web site in the Web Sites container?

Is the IP address set to anything other than All Unassigned?       - No
Is a Host Header name configured for the site?                            - Host header value is blank
Is SSL configured to listen on port 443?                                        - Yes
Is there more than one web site in the Web Sites container?       - No, one only

Thanks

What error is displayed when you tried to reach the default web site via https?  Can you find that request in the IIS log file?

Have just noticed it has dropped again so will check the log files in the morningm through firefox i get
The connection to the server was reset while the page was loading.

       


       
       


    *   The site could be temporarily unavailable or too busy. Try again in a few
          moments.

    *   If you are unable to load any pages, check your computer's network
          connection.

    *   If your computer or network is protected by a firewall or proxy, make sure
          that Firefox is permitted to access the Web.

At the moment i cannot connect so i have tried to connect then looked at the log file, here is whats in the log file.

2010-04-23 17:49:54 W3SVC1 192.168.0.101 GET /exchweb/bin/auth/owalogon.asp url=https://owa.mydomain.co.uk/exchange&reason=0 443 - 81.154.8.52 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+Tablet+PC+2.0) 200 0 64

what i have noticed is i connectedat 18:49, the server time says 18:49, but the log file says 17:49, all the entries appear to be an hour behind.

Again, that is the server correctly sending the FBA logon page to the client.  Do you see the FBA page okay?  IIS log file times are in GMT.

I assume by FBA page you mean the OWA sign in screen, no i do not see that
I restarted the server and it's working again and the time is still an hour out, so as you suggested, it's got nothing to do with it.

Your server is presumably now in Daylight Saving Time, so it's clock will have advanced.  The IIS log times are always in GMT, though, so in DST periods they will appear to be one hour behind.

Anyway.  The IIS log shows that the server is sending the FBA page to you (that's what the GET /exchweb/bin/auth/owalogon.asp means), and the 200 near the end indicates that as far as the server is concerned, the request was completed successfully.  What address is in the address bar when you get the error message in the browser?  It should have changed from https://server/exchange to something else.

Just tried it and its not working again, heres the log of my attempt to connect internally, when i get the cannot connect page the address does not change in the address bar.


2010-04-29 14:54:52 W3SVC1 192.168.0.101 GET /exchweb/bin/auth/owalogon.asp url=https://server1/exchange&reason=0 443 - 192.168.0.134 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 64

It's baffling.  That single entry looks good, and you should be looking at the FBA logon screen.  How long does it take before you see the error message?  Does it appear immediately, or does it hang about for a few seconds?

It appears immediately

Can you check a few things in IIS Manager.  First, expand the Web Sites container, and make sure that there is only the Default Web Site in there.  Lots of server applications like to add a web site for their own administration purposes, so there might be something in there that you don't know about.  Then look at the Web Service Extensions container, and make sure that Active Server Pages is set to Allow.

Also, try turning off Forms-based Authentication in ESM/Servers/Protocols/HTTP .

ok, checked as suggested and all are as they should be,

Does it make any difference if you turn off Forms-Based Authentication?

Missed that one, i had to restart the server last night so it's currently up and running, currently Forms-Based Authentication is on, will wait for it ot go wrong again and try thid.

if i turn off Forms-based authentication it works, when i enable again it stops working.

I have had ssl on all the time(excpept for when i turned it off briefly for a test), so yes, with ssl on and FBA off i was able to connect.

With FBA (when it's not working) you are only seeing iis log entries for owalogon.asp, whose only job is to work out what language you use, and then redirect you to something like exchweb/bin/auth/<lang>/logon.asp .  When you see the error message, what URL is in the address bar?  Does it end in either owalogon.asp or logon.asp, or something else?

https://servername/exchange when trying internally, will try externally tonight

Tried it remotely whilst not working, then restarted the server and tried again, which then worked, the address in the address bar was exacly the same.

https://owa.mydomain.co.uk/exchweb/bin/auth/owalogon.asp?url=https://owa.mydomain.co.uk/exchange&reason=0

The redirection to the FBA page is working, then.  It doesn't seem like an SSL problem if the redirect worked AND you used https: in your original request for https://servername/Exchange (if ssl was broken, nothing would have happened at all).  At the moment, it seems to me like ASP processing is periodically failing on the server, but if you're sure that nothing is being recorded in the event logs (not just the iis logs), I don't see a way to diagnose it.

When not working thats all i get in the log, but when it is working i can see all the various folders etc being called by the user.
Strange!, thanks for all your help

You might try adding the AllowRetailHTTPAuth registry key described here:
http://technet.microsoft.com/en-us/library/aa996007(EXCHG.65).aspx?ppud=4
which will allow you to use FBA without SSL, and see if that makes any difference.  Note that this is only a temporary measure, since FBA without SSL is not very secure.

will give it look tomorrow, thanks