Solved

Exchange 2007 CAS not able to connect to 2003 backend

Posted on 2008-10-30
Last Modified: 2012-05-05
I'm doing a transition to Exchange 2007 from Exchange 2003 and I'm having a little trouble with the 2007 CAS. Here's the scenario:

Previous environment
1 Exchange 2003 Front End server
1 Exchange 2003 Backend Server

I've installed the mailbox and hub transport roles on a Server 2008 box, and installed the CAS role on a Server 2003 box.

Current environment
1 Exchange 2003 Front End server
1 Exchange 2003 Backend server
1 Exchange 2007 CAS server
1 Exchange 2007 mailbox server

I'm leaving the Exchange 2003 FE server up until I get everything working on the 2007 box.

Here's the problem...when I try to access OWA (https://FQDN/exchange) on the Exchange 2007 CAS server I get the following results:

- If the user has a mailbox on the Exchange 2007 mailbox server, OWA comes up fine.
- If the user has a mailbox on the Exchange 2003 BE server, I get a "The website cannot display the page" error message in the browser. The URL is redirected to "https://fqdn/exchweb/bin/auth/owaauth.dll" when I get the message.

Any ideas? Thanks in advance!
Question by:RoboMunch
16 Comments
 
LVL 10

Expert Comment

by:Rudram
ID: 22848017
* Hopefully the below link would be of some help:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23786098.html


Good Luck (^_^)
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22848599
If none of your users are on E2k3 and you still want to work with E2k3 FE server.
You want to re-direct the request from FE server to E2k7 using /owa instead of /exchange (automatically)

This is explained in the link below.
http://www.amset.info/exchange/owa-defaultpage.asp

However, if you want the request to flow from E2k7 to E2k3 for OWA - I believe /exchange is what they should be looking at - unfortunately E2k7 does not re-direct any more - only version used is proxy client access request, hence both servers should be on the same platform for it to work.

Please feel free to get your queries answered by posting on this thread.
0
 
LVL 1

Author Comment

by:RoboMunch
ID: 22849666
Thanks for the replies!
@Rudram - that's the exact scenario I have set up, however when we try to access http://exchange2007casname/exchange we're getting the "The website cannot display the page" (500) error message.
@Exchange_Geek - You said that E2k7 doesn't redirect any more, is that something that happened with SP1?
In this writeup, it sounded like it should work. Example #3 is the exact scenario (other than me still having the E2k3 FE server in place) we have now and it says it should work. http://msexchangeteam.com/archive/2007/02/07/434523.aspx Did they take away that functionality with SP1?
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 22851782
If you have a CAS only box, yes co-existence should work. Can you check your E2K7 CAS box IIS log and paste the relevant request?
0
 
LVL 33

Accepted Solution

by:
Exchange_Geek earned 500 total points
ID: 22852574
I guess I should make myself a bit more clear using MS documentation.

"Proxying is supported from one Client Access server to another Client Access server when the destination Client Access server is running the same version of Exchange Server or an earlier version as the source Client Access server. However, Exchange Web Services cannot proxy from a server that is running Exchange Server 2007 SP1 to a server that is running the original release (RTM) version of Exchange 2007 because the RTM version of Exchange 2007 did not support proxying for Exchange Web Services."

Now, what I meant was in your case using FE server to talk to CAS server and expect the request to flow smoothly redirect / proxy - my understanding would be difficult.

MSFT Escalation Engineer Rahul Dhar had to comment on this.

"I believe you can make the redirection work this way, assuming webmail.domain.com is the Exchange 2003 front-end (FE) server.

1. replace the Exchange 2003 FE server with an Exchange 2007 CAS
2. Redirect webmail.domain.com to webmail.domain.com/exchange
3. All users log into webmail.domain.com/exchange
4. Exchange 2007 users will be automatically redirected to webmail.domain.com/owa and get OWA2007.
5. Exchange 2003 users will be *proxied* to the Exchange 2003 back-end server and get the OWA2003 UI."

MSFT goes on to talk about it bang on head

"A Client Access Server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user is connecting to a Client Access Server that is not in their local Active Directory site. Each site would have to have an Internet-facing CAS server with the ExternalURL set. Having the ExternalURL set is not a default configuration in Exchange 2007."

Bottom line: Use CAS server as your FE server - and this would take care of all the proxy and re-direction. Proxy for E2k3 boxes - Re-direction for E2k7 boxes (provided both CAS boxes are of same version and not lesser). YOUR EXAMPLE SIMPLY RE-ITERATES MY THOUGHTS.

"Example #3
1 Exchange 2007 CAS-only server
1 Exchange 2007 Mailbox-only server
1 Exchange 2003 BE server
Mailboxes on both Exchange 2007 and 2003 servers

If your mailbox is on an E2007 server

    * requests to /owa will return the OWA 2007 experience
    * requests to /exchange on the CAS or Mailbox server will redirect the user to /owa. Authentication credentials transparently passed through.
    * requests to /exchange on the BE will direct the user to the CAS, but the user may need to be authenticated again
    * requests to /public will be directed to /public on the BE server
    * requests to /exchweb will be directed to the BE server or return nothing

If your mailbox is on an E2003 server

    * requests to /owa will yield the error message from Example 2
    * requests to /exchange or /public on a CAS will be proxied by exprox to /exchange or /public on the BE server and yield the OWA 2003 experience
    * requests to /exchange or /public on the BE server will yield the OWA 2003 experience
    * requests to /exchweb will be directed to the BE server or return nothing
"

0
 
LVL 10

Expert Comment

by:Rudram
ID: 22852651
* Also could you post the hexadecimal error code (0x8******) that comes along with the "website cannot display the page" error

(^_^)
0
 
LVL 1

Author Comment

by:RoboMunch
ID: 22852744
Our intention is to phase out the E2k3 FE server, but that is the one everyone is using until I can solve this problem on the E2k7 CAS server.
If I didn't make it clear, I'm having the problem when I try to access OWA through the E2k7 CAS (FE) server. I'm trying to do exactly what Microsoft is saying should work, but it isn't. From the example:
If your mailbox is on an E2007 server
* requests to /exchange on the CAS or Mailbox server will redirect the user to /owa. Authentication credentials transparently passed through. - Works
If your mailbox is on an E2003 server
* requests to /exchange or /public on a CAS will be proxied by exprox to /exchange or /public on the BE server and yield the OWA 2003 experience - Not working, I get the error mentioned in the OP
I hope all this makes sense, and thanks for the help!
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 22852813
1) Paste the request that is sent from CAS to E2K3 BE from IIS log
2) Make sure SSL is not selected on default website, /exchange and /public on E2K3 BE as well as make sure Integrated authentication is selected on /exchange and /public. If you do any changes, iisreset.
0
 
LVL 1

Author Comment

by:RoboMunch
ID: 22852831
@abdulzis - Here's what I think is the relevant part of the log, the rest would be way too much to post...if you need more let me know:
2008-10-31 17:40:55 W3SVC1 192.168.110.22 POST /owa/auth/owaauth.dll - 443 - 192.168.108.71 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) 302 0 0
2008-10-31 17:40:55 W3SVC1 192.168.110.22 GET /owa/8.1.291.1/themes/base/reqd.gif - 443 - 192.168.108.71 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) 200 0 0
2008-10-31 17:40:55 W3SVC1 192.168.110.22 GET /exchange - 443 my.name@mydomain.com 192.168.108.71 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) 500 0 0
2008-10-31 17:40:55 W3SVC1 192.168.110.22 GET /owa/8.1.291.1/scripts/premium/fedtcali.js - 443 - 192.168.108.71 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+InfoPath.2;+.NET+CLR+2.0.50727) 200 0 0
That's it, there's nothing after that. I checked the logs on the 2k3 box to see if the request might have gotten there, but can't find anything.
@Rudram - Where would I find that error?
0
 
LVL 10

Expert Comment

by:Rudram
ID: 22852891
* You can find that somewhere at the bottom of the page where it's displayed
0
 
LVL 10

Expert Comment

by:Rudram
ID: 22852928
* Taking the below blog as a reference we could strike something:

http://groups.google.com/group/microsoft.public.exchange.admin/browse_thread/thread/d04819a0482a3241
0
 
LVL 9

Expert Comment

by:abdulzis
ID: 22852941
Disabling HTTP Friendly Error Messages in Internet Explorer
http://technet.microsoft.com/en-us/library/cc778248.aspx
0
 
LVL 1

Author Comment

by:RoboMunch
ID: 22853070
Sorry, but I can't find the error code. =/ I've even asked one of our developers to find it and have him scratching his head.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22853350
"requests to /exchange or /public on a CAS will be proxied by exprox to /exchange or /public on the BE server and yield the OWA 2003 experience - Not working, I get the error mentioned in the OP"

If you go to ExchWeb - Bin - Auth - go to properties and check for application pool at the end - which pool do you see there?

ExchangeApplicationPool or something else

I am talking about checking on the same box - whose name is being referred on
https://<servername>/exchweb/bin/auth/owaauth.dll
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22853368
In fact I came across this article, worth reading and of course checking on your box.

http://support.microsoft.com/kb/829167
0
 
LVL 1

Author Comment

by:RoboMunch
ID: 22920904
Sorry for the delay in getting back. Turns out the problem was with the account I was testing with. It had a mailbox on the '03 server, but for some reason it wouldn't work...I had to delete/create the account in order for it to work.
0
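An added example, not part of the original thread: a Python script that groups /exchange requests in a CAS IIS log by authenticated user, to tell a per-account failure (what this turned out to be) from a server-wide proxy failure. The sample log is constructed on the model of the excerpt posted above, with hypothetical users, and the field order is assumed to be the IIS W3C default that excerpt follows.

```python
from collections import defaultdict

# Assumed field order: the IIS W3C default that the thread's excerpt follows.
# A "#Fields:" directive inside the log overrides it.
FIELDS_HEADER = ("#Fields: date time s-sitename s-ip cs-method cs-uri-stem "
                 "cs-uri-query s-port cs-username c-ip cs(User-Agent) "
                 "sc-status sc-substatus sc-win32-status")
UA = "Mozilla/4.0+(compatible;+MSIE+7.0)"

# Constructed sample log (hypothetical users, documentation IP range).
SAMPLE_LOG = FIELDS_HEADER + f"""
2008-10-31 17:40:55 W3SVC1 192.0.2.22 POST /owa/auth/owaauth.dll - 443 - 192.0.2.71 {UA} 302 0 0
2008-10-31 17:40:55 W3SVC1 192.0.2.22 GET /exchange - 443 user.a@example.com 192.0.2.71 {UA} 500 0 0
2008-10-31 17:41:10 W3SVC1 192.0.2.22 GET /exchange - 443 user.a@example.com 192.0.2.71 {UA} 500 0 0
2008-10-31 17:42:03 W3SVC1 192.0.2.22 GET /exchange/user.b/ - 443 user.b@example.com 192.0.2.80 {UA} 200 0 0
2008-10-31 17:42:30 W3SVC1 192.0.2.22 GET /owa/ - 443 user.c@example.com 192.0.2.81 {UA} 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, honouring any #Fields directive."""
    fields = FIELDS_HEADER.split()[1:]
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def exchange_results_by_user(text, vdir="/exchange"):
    """Count successful (<400) and 5xx responses per authenticated user on vdir."""
    stats = defaultdict(lambda: {"ok": 0, "5xx": 0})
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"].lower()
        user = req["cs-username"].lower()
        if user == "-" or not (stem == vdir or stem.startswith(vdir + "/")):
            continue  # anonymous request, or a different virtual directory
        status = int(req["sc-status"])
        if status >= 500 or status < 400:
            stats[user]["5xx" if status >= 500 else "ok"] += 1
    return dict(stats)

def classify(stats):
    """Account-specific if some users get through while others only fail."""
    failing = sorted(u for u, s in stats.items() if s["5xx"] and not s["ok"])
    working = any(s["ok"] for s in stats.values())
    if not failing:
        return "none", failing
    return ("account-specific" if working else "server-wide"), failing
```

On the sample, `classify(exchange_results_by_user(SAMPLE_LOG))` reports an account-specific failure for the one user whose /exchange requests only ever return 500.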
