Error when accessing OWA

When we try to access the OWA site with some accounts, we get the following error:

A problem occurred while trying to use your mailbox. Please contact technical support for your organization.


User host address:

Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack
Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack
System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

yupinel14 Author Commented:
I have applied this MS note:


Ensure that user account object is inheriting permissions from its parent,

For some reason this account was not.
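
A report-only way to find other mailbox users in the same state, added here as an example and not part of the original thread. The function name and the `LDAP://DC=example,DC=local` search base are placeholders; it uses only System.DirectoryServices, so it does not need the ActiveDirectory module.

```powershell
# Added example (not from the thread): list mailbox users whose AD object
# does not inherit permissions from its parent container.
# ASSUMPTION: the default search base is a placeholder; pass your own OU or domain DN.
function Get-InheritanceBlockedMailboxUser {
    param(
        [string]$SearchBase = 'LDAP://DC=example,DC=local'
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Mailbox-enabled user accounts only (homeMDB is populated once a mailbox exists).
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
    $searcher.PageSize = 500   # page results so large directories are fully enumerated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('adminCount')

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $entry = $result.GetDirectoryEntry()
            try {
                # $true means the DACL is protected, i.e. inheritance from the parent is off.
                $blocked = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
            } finally {
                $entry.psbase.Dispose()
            }
            if (-not $blocked) { continue }

            # adminCount = 1 marks accounts that are (or were) in an AD protected group.
            # AdminSDHolder re-applies a non-inheriting ACL to those accounts, so
            # ticking the inheritance box alone will be reverted for them.
            $ac = $result.Properties['admincount']
            $adminCount = if ($ac.Count -gt 0) { $ac[0] } else { $null }

            New-Object PSObject -Property @{
                DistinguishedName = [string]$result.Properties['distinguishedname'][0]
                AdminCount        = $adminCount
            }
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Usage (read-only; changes nothing in the directory):
# Get-InheritanceBlockedMailboxUser -SearchBase 'LDAP://OU=Users,DC=example,DC=local' |
#     Format-Table -AutoSize
```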

Glen Knight Commented:
Has this just started happening or has it never worked?

Check the server DNS; make sure it is configured to use an internal DNS server.
Is the server a domain controller? If so, make sure it's also a Global Catalogue server. In Active Directory Sites and Services, expand the DC, right-click NTDS Settings, select Properties, then check the box to make it a Global Catalogue server.

Have there been any DC changes?

Have you tried restarting all the Exchange Services?
yupinel14 Author Commented:
We just migrated from XCH 03 to XCH 07.

It seems to be working for most of the accounts, but for some it is not, and they are getting this error.

I can access OWA with my account and all the MIS accounts, but some users give me this error, even when I am connecting from my computer.

Global Catalogs are configured for all sites...

I have restarted all Exchange services in both CAS and Mailbox.

Any other idea?


Glen Knight Commented:
Are the mailboxes that are not working by any chance still showing a mailbox on the 2003 server?

I have found that sometimes the mailbox isn't deleted from the 2003 server.

Issuing another move request resolves this.
yupinel14 Author Commented:

Actually the mailbox stores in 2003 have been dismounted.

All mailboxes are being shown as recipient type: "user mailbox" with a valid xch 2007 database location.

When checking the account in AD on an Exchange 2003 server, it shows the account fine as "servername/Second Storage Group/SG2 Mailbox Database", which happens to be the Exchange 2007 mailbox server running on Windows 2008.

Glen Knight Commented:
Can you check that in the Default Domain Controller Policy (not the default domain policy) in the Group Policy Management Console the group Exchange Servers is listed under

Computer Configuration > Windows Settings > Security Settings > Local Settings > User Rights Assignment > Manage Auditing and Security

then check that the Exchange server computer account is a member of that group.
yupinel14 Author Commented:
Yes, they are.

They are listed under a group called DOMAIN\Exchange Servers; I have both my CAS and my Mailbox server.

Glen Knight Commented:
Did you check the group policy setting?
yupinel14 Author Commented:
Yes, Exchange Servers is listed
Glen Knight Commented:
yupinel14 Author Commented:

I am going to take my break and I will do it on my return.

yupinel14 Author Commented:
I have applied the note to two of the accounts with these problems,

got this from the Exchange shell:

WARNING: The command completed successfully but no settings of
'domain.local/TTI_Users/TTI Argentina/Users AR/Guillermo Polzella' have been

And I am still getting the same error.

Satya Pathak, Lead Technical Consultant, Commented:
Please find the IIS authentication type and the SSL requirement for Exchange 2007.
Exchange 2007
1) Autodiscover: Basic and Integrated authentication; SSL Optional
2) EWS: Integrated authentication; NO SSL
3) Exadmin: Basic and Integrated authentication; NO SSL
4) Exchange: Basic and Integrated authentication; SSL Optional
5) Exchweb: Basic and Integrated authentication; NO SSL
6) Microsoft-Server-ActiveSync: Basic authentication; SSL Optional
7) OAB: Integrated authentication; NO SSL
8) OWA: Basic authentication; SSL Optional
9) Public: Basic and Integrated authentication; SSL Optional
After that, you need to restart the IIS service and check it.
Question has a verified solution.
