OWA will not work for mailbox in non-internet facing AD site

We have Exchange 2010 servers in 2 sites (one internet facing (site A) and the other not (site B)).  If I use the main OWA (site A) to open a mailbox from site A, it works, but if the mailbox is from site B it doesn't work giving the message "Outlook Web App isn't available".  The event log on the CAS server in Site A has an error that says "The Outlook Web App proxy failed because no Outlook Web App virtual directory configured for Kerberos authentication could be found in the site."

If, internally, I go directly to a CAS OWA in site B and try to open the same mailbox from site B it works fine.  If you try to connect to a mailbox in site A from here, you get the normal message "Use the following link to open this mailbox with the best performance" with a link to the proper OWA in the internet facing site. (normal)

I have checked to make sure that the msExchInternalHostName (Internal URL) attribute of the Outlook Web App virtual directory exists and it matches the fully qualified domain name (FQDN) of the Client Access server.  I have also even tried to go into IIS on the CAS server in site B and set the Integrated Windows authentication enabled on the Outlook Web App virtual directory.  I'm stuck.

The users in Site B will need to be able to get OWA access from the internet (hence going through the CAS server in the internet facing site A) and get to their mailboxes hosted on the mailbox server in site B.  Thanks in advance for all available help.

Awarded 2009
Top Expert 2010

Commented:
Do you have a server that only has the CAS role on?

If so you should have.  CAS servers installed on servers with the mailbox role on will not proxy for other Exchange servers.

Author

Commented:
CAS server only has CAS and HTS.  MS servers are on separate servers.
Awarded 2009
Top Expert 2010

Commented:
Can you give more details regarding the servers and what roles are installed on them?
Awarded 2009
Top Expert 2010

Commented:
Your original question seems to indicate you are connecting directly to a server in site B and it works? You would only be able to do this if the CAS role was installed on that server.

Author

Commented:
Servers in Site A (internet facing)
  - Server1  (CAS, HTS)   (int URL: server1.domain.AD   ext URL:  mail.company.com)
  - Server2  (MS)

Servers in Site B (non-internet facing)
  - Server3  (CAS, HTS)   (int URL: server3.domain.AD   ext URL:  null)
  - Server4  (MS)

Author

Commented:
I can connect directly because A CAS role is installed on A server at that site, but it is not on the same server as the Mailbox Server role.  My scenario is classic proxying with multiple sites.  It is even the example setup for the Network Load Balancing config in the Microsoft documentation.

Please, any help would be greatly appreciated!

Author

Commented:
Demazter...  I call you out!
try to get the solution to this problem, if you have the skillz.
Awarded 2009
Top Expert 2010

Commented:
GeminiISG, sorry I missed the notifications for your question, it happens. But insulting experts is not the correct way to get your question resolved.

My initial questions were intended to help me build a picture of your configuration and fill the gaps that were in your question. It's important I have all the information before offering advice. Otherwise I could give advice that will cause further problems.

Technically there is no reason why your solution shouldn't work. I am happy to work with you (when time permits) to try and help you resolve the problem. I don't know what other factors other than Exchange are at play here?

Exchange 2010 uses Active Directory Sites and Services. Is this configured correctly? Is AD healthy? It's not quite as simple as your initial question. Fortunately I also have AD skills so can guide you through checking this.

If you would like to proceed, politely, then please let me know.

Author

Commented:
It was not meant as an insult, but rather a friendly jab (trash talk).  I guess I could have put smileys, but I put a "Z" in skillz to be street to show trash talk.  The intellectual equivalent of being called out to a one-on-one game.
Commented:
In order to allow CAS redirection to work, make sure the non-internet facing CAS server's virtual directories are set to Windows integrated.

Understanding Proxying and Redirection
http://technet.microsoft.com/en-us/library/bb310763.aspx 
Awarded 2009
Top Expert 2010

Commented:
It's clear from the question that has already been done.

Now for CAS-2-CAS proxy to work, Exchange uses AD to find a CAS server that is in the same AD site as the Exchange server.

If AD sites and appropriate connectors are not configured it will not work.

Commented:
In the question it mentions that the authentication methods have been changed in IIS!!! This should be done in the Exchange Management Console, not in IIS! Please confirm in EMC that the authentication method for OWA virtual directory and ECP VDir are set to Windows integrated and not forms based.
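
An added example, not part of the thread or any participant's post: a PowerShell check for the condition this answer describes, run against the settings Exchange itself reports rather than what IIS Manager shows. `Test-CasProxyAuth`, `New-SampleVDir` and the sample objects are constructed for illustration; the `Get-`/`Set-OwaVirtualDirectory` and `Get-`/`Set-EcpVirtualDirectory` cmdlets named in it are the Exchange Management Shell counterparts of the EMC setting.

```powershell
# Added example. Flags non-internet-facing OWA/ECP virtual directories that
# are not set to Integrated Windows authentication in Exchange's own config.
# Assumption: "non-internet-facing" means ExternalUrl is empty, as for Server3.
function Test-CasProxyAuth {
    param([Parameter(ValueFromPipeline = $true)] $VDir)
    process {
        $problems = @()
        if (-not $VDir.ExternalUrl) {
            $methods = @($VDir.InternalAuthenticationMethods | ForEach-Object { "$_" })
            if (-not $VDir.WindowsAuthentication) { $problems += 'WindowsAuthentication off' }
            if ($methods -notcontains 'WindowsIntegrated') { $problems += 'WindowsIntegrated missing' }
            if ($VDir.FormsAuthentication) { $problems += 'forms-based authentication on' }
        }
        $cmdlet = if ("$($VDir.Name)" -like 'ecp*') { 'Set-EcpVirtualDirectory' } else { 'Set-OwaVirtualDirectory' }
        $fix = ''
        if ($problems.Count -gt 0) {
            # Suggested command only; nothing is changed by this script.
            $fix = '{0} -Identity "{1}\{2}" -WindowsAuthentication $true -FormsAuthentication $false' -f $cmdlet, $VDir.Server, $VDir.Name
        }
        New-Object PSObject -Property @{
            Server = "$($VDir.Server)"; VDir = "$($VDir.Name)"
            Problems = ($problems -join '; '); Fix = $fix
        }
    }
}

# Hypothetical helper that builds stand-in objects with the properties used above.
function New-SampleVDir($Server, $Name, $ExternalUrl, $Windows, $Forms, $Methods) {
    New-Object PSObject -Property @{ Server=$Server; Name=$Name; ExternalUrl=$ExternalUrl
        WindowsAuthentication=$Windows; FormsAuthentication=$Forms; InternalAuthenticationMethods=$Methods }
}

# Constructed sample mirroring the thread's layout before the fix.
$sample = @(
    (New-SampleVDir 'Server1' 'owa (Default Web Site)' 'https://mail.company.com/owa' $false $true @('Basic','Fba')),
    (New-SampleVDir 'Server3' 'owa (Default Web Site)' $null $false $true @('Basic','Fba')),
    (New-SampleVDir 'Server3' 'ecp (Default Web Site)' $null $true $false @('Ntlm','WindowsIntegrated'))
)
$sample | Test-CasProxyAuth | Format-List Server, VDir, Problems, Fix

# Live use from the Exchange Management Shell:
# Get-ClientAccessServer | ForEach-Object {
#     Get-OwaVirtualDirectory -Server $_.Name; Get-EcpVirtualDirectory -Server $_.Name
# } | Test-CasProxyAuth | Where-Object { $_.Problems }
# After applying a Fix line, run IISRESET on that CAS, as the thread did.
```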

Author

Commented:
DeBlackman is correct.  I did it from IIS, not the EMC.  Once I changed it in the EMC and did an IISRESET, it worked!
Thanks.
My situation was a bit different but I was experiencing the same problem.  I think my input here could help others with the same problem.  I had mine set up very similar to this but I have a dedicated OWA box.  My OWA was working for mailboxes in the same AD site but not working for the non-Internet facing site.  I have my OWA box set up for forms authentication but my SiteB CAS set up for Integrated Windows Auth.  All of my servers were patched to Update Rollup3v3 except my OWA box; once I patched it everything started working for me.  I hope that my 2 cents helps anyone else with this problem too.
AblSysadmin, Senior Systems Engineer

Commented:
Hi, I have the same setup as cbitsupport. My non-internet facing OWA site is not accessible. I keep getting prompted for authentication.