Solved

After Installing Exchange 2010 Service Pack 1 EMC, EMS, and OWA do not function

Posted on 2010-09-09
40
5,373 Views
Last Modified: 2012-05-10
After Installing Exchange 2010 Service Pack 1 EMC, EMS, and OWA do not function. I think my problem is being caused by an OWA redirect script I installed when first setting up the server but I am not sure. Outlook appears to be functioning fine. EMC has the following error when connecting: The attempt to connect to http://<servername>/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following message: The WinRM client received an HTTP status code of 301 from the remote WS-Management service. EMS has the following error: <servername> connecting to remote server failed with the following message: The WinRM client received an HTTP status code of 301 from the remote WS-Management service. OWA displays a page: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. I have tried rebooting the server twice with no improvement. I tried to find the redirect script I used but I have not found it yet.
0
Comment
Question by:Appnet
40 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 33636278
can you remove the redirection script and try again
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 125 total points
ID: 33636280
make sure the powershell vdir is not set to require ssl
0
 
LVL 13

Expert Comment

by:George Sas
ID: 33636320
Depends on where your script was located.
If you patch the server, the OWA folders will be re-created with a new version.
Check :

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa

(my case) and you will see the different versions.

So I think you will have to re do your script.
Try to look in the IIS log files and see where you get the access denied.

0
 
LVL 8

Expert Comment

by:Mkris9
ID: 33636336
from technet

Kindly go through the following steps.

1. make sure IIS WinRM extension is installed
2. open powershell and run command : WinRM Quickconfig
3. Open IIS, go to the PowerShell virtual directory and check that SSL is disabled and authentication is set only to Anonymous
4. Open Windows powershell modules
5. run Remove-PowerShellVirtualDirectory command
6. run New-PowerShellVirtualDirectory command
7. IISreset

The following links indicate that this could be an issue with the permissions
http://exchangeserverpro.com/exchange-2010-management-console-initialization-failed
http://www.exchange-powershell.com/2010/02/04/troubleshooting-exchange-2010-management-tools-startup-issues/
0
 

Author Comment

by:Appnet
ID: 33636553
I believe this is the script I used. I tried Mkris9's suggestion and it still doesn't work.

http://www.ucblogs.net/blogs/exchange/archive/2010/04/28/Redirecting-the-root-web-site-to-_2F00_owa-and-forcing-SSL-in-Exchange-2010.aspx

0
 
LVL 13

Expert Comment

by:George Sas
ID: 33636842
Have you also forced SSL in IIS ? Check if it's still on.
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33637442
The 301 in the error message seems to indicate that EMS and EMC are encountering your redirect when they try to access the powershell vdir.  However you did the redirect, make sure that the PS vdir is not inheriting it.
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 375 total points
ID: 33637606
I had a look at the script you used.  Here are some things you might check.  Look at the properties of the default web site, and open the HTTP Redirect feature.  It is probably set to https://yourserver/owa .  Make sure that the 'Only redirect requests to content in the directory' option IS checked.  Then look at the same feature on the powershell vdir.  Make sure that no redirect is configured at this level.
0
 

Author Comment

by:Appnet
ID: 33645857
I found the redirect that I was using, I was using URL Rewrite 2.0. If I disable the rules for URL Rewrite then the errors all change. EMC and EMS both give an error 403, and in OWA, if I browse to the full path and log on, I get an HTTP 500.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33645885
403 requires SSL
500 permission issue
check the permissions on the web.config file in the owa directory under CASServer
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33645976
500 means 'internal server error', which is a rather vague status message meaning that something went wrong executing a web application.  Is anything else displayed on the page?  If not, make sure that in IE options you have /disabled/ Friendly HTTP Errors (which are no use at all).  If you do that, and nothing else is displayed, you should find something in the server's event logs.  Try turning off Forms-Based Authentication.  Sometimes, it is only the logon page itself that is crashing.

But yes, as already mentioned, 403 usually (but sometimes doesn't) mean that SSL has been required on an iis directory.  Make sure that Powershell virtual directory has SSL Required unchecked in IIS Manager.
0
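The settings raised in the replies above (SSL required, HTTP Redirect and its "only this directory" option, URL Rewrite rules reaching the PowerShell vdir) can be read out in one pass. This is an added example, not part of the original thread; it assumes the IIS WebAdministration module and the default site and vdir names, and it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the IIS settings the
# thread ties to the 301/403 errors. Assumes the WebAdministration module and
# the default Exchange 2010 site and vdir names; edit $Site/$VDirs to match.
Import-Module WebAdministration

$Site  = 'Default Web Site'
$VDirs = @('', 'PowerShell', 'owa', 'ecp')    # '' means the site root

function Get-IisSetting {
    param([string]$Path, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    # Some attributes come back wrapped in an object with a .Value property,
    # others as a plain string; return the bare value as text either way.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { "$($v.Value)" } else { "$v" }
}

$report = foreach ($vdir in $VDirs) {
    # Querying the IIS:\Sites path returns the values as IIS resolves them at
    # that level, so settings inherited from the site root show up on the vdir.
    $path = if ($vdir) { "IIS:\Sites\$Site\$vdir" } else { "IIS:\Sites\$Site" }

    $sslFlags  = Get-IisSetting $path 'system.webServer/security/access' 'sslFlags'
    $redirOn   = (Get-IisSetting $path 'system.webServer/httpRedirect' 'enabled') -eq 'True'
    $redirTo   = Get-IisSetting $path 'system.webServer/httpRedirect' 'destination'
    $childOnly = (Get-IisSetting $path 'system.webServer/httpRedirect' 'childOnly') -eq 'True'

    # URL Rewrite rules in effect at this path. The section does not exist
    # when the URL Rewrite module is absent, hence SilentlyContinue.
    $rules = @(Get-WebConfiguration -PSPath $path `
                 -Filter 'system.webServer/rewrite/rules/rule' `
                 -ErrorAction SilentlyContinue)

    $requiresSsl = ($sslFlags -split ',\s*') -contains 'Ssl'

    $notes = @()
    if ($vdir -eq 'PowerShell') {
        # EMC/EMS connect to http://<servername>/PowerShell, so any of these
        # three on this vdir matches the 301/403 symptoms in the thread.
        if ($requiresSsl)       { $notes += 'SSL required' }
        if ($redirOn)           { $notes += 'HTTP Redirect active' }
        if ($rules.Count -gt 0) { $notes += 'URL Rewrite rules apply' }
    }
    if (-not $vdir -and $redirOn -and -not $childOnly) {
        $notes += 'redirect not limited to this directory, vdirs inherit it'
    }

    New-Object PSObject -Property @{
        Location     = if ($vdir) { "$Site/$vdir" } else { $Site }
        SslFlags     = $sslFlags
        Redirect     = $redirOn
        RedirectTo   = $redirTo
        ChildOnly    = $childOnly
        RewriteRules = $rules.Count
        Notes        = ($notes -join '; ')
    }
}

$report |
    Select-Object Location, SslFlags, Redirect, RedirectTo, ChildOnly, RewriteRules, Notes |
    Format-Table -AutoSize -Wrap
```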
 

Expert Comment

by:tisl
ID: 33646026
I have the exact same problem with our server after installing the Service Pack, so I'm not sure it is your script that is the problem. We are speaking to Microsoft right now, so I'll let you know how we get on.
0
 

Author Comment

by:Appnet
ID: 33646154
LeeDerbyshire: That worked....almost. EMC and EMS now function. Also, I reimplemented URL Redirect and EMC and EMS still work. I disabled friendly errors and my symptoms now are as follows. OWA, if I browse to http://servername.com, displays: Server Error 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. If I browse to https://servername.com/owa I get a login screen, after logging in I get a blank page. Thanks so much for your help.
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 375 total points
ID: 33646184
Come to think of it, I always find that installing Exchange, or a major service pack, tends to select SSL Required on the Default Web Site, which the subdirectories will then inherit, unless overridden.  Now, I'd have thought that the Exchange install would be intelligent enough not to screw up its own powershell vdir, but I think it would be worth checking to see if your Default Web Site now has SSL required.  And if so, whether or not un-requiring it helps.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33646185
my comment 33636280 said to do that a while back :)
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33646247
I know - and a few times since.  But in a long thread, sometimes the earlier comments get ignored.  I also think that at that stage, the redirection was causing a problem before the SSL challenge was encountered.

Also, SSL required is only one of about 20 different kinds of 403 response.  This latest one (with the description 'Forbidden: Access is denied.') sounds like a less common type of 403 response.  You'll have to find the request in the iis log file, and post the line so that we can see what the subcode is.  Actually, it would be good to see all the iis log entries generated by the attempted login.
0
 

Author Comment

by:Appnet
ID: 33646286
endital1097, you are correct. My apologies, had a 15 hour day yesterday and so I am a bit tired. Unselecting SSL required from default site has allowed the http://servername.com to redirect to the OWA logon screen but I am still getting a blank page after logging in. Incorrect credentials does fail with appropriate error. I tried unselecting SSL required from OWA and it made no difference.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33646325
look at your C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa directory
verify that there are files in the highest version number folder
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33646340
i believe the version number is 14.1.218.13
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33646738
Have a look for the latest iis log file in C:\Inetpub\logs\logfiles\w3svc1 .  Double-click it to open it in Notepad.  Note that the times are in GMT, then look for a bunch of lines created by the attempted OWA logon.  If you can paste them here it might help.  You will see GET /owa near the beginning of the relevant group of lines.
0

 

Author Comment

by:Appnet
ID: 33647458
I checked the OWA files are there, it looks very similar to the lower version number folders except it has a new folder inside it named ClientBin. Below is my most recent IIS log showing the event of my attempted login

2010-09-10 15:30:37 10.0.0.11 GET /owa/ - 443 - 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 401 2 5 4
2010-09-10 15:30:37 10.0.0.11 GET /owa/auth/logon.aspx url=https://mail.mydomain.com/owa/&reason=0 443 - 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 200 0 0 89
2010-09-10 15:30:37 10.0.0.11 GET / - 80 - 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 301 0 0 216
2010-09-10 15:30:37 10.0.0.11 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.mydomain.com%2fowa%2f 443 - 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 200 0 0 210
2010-09-10 15:30:42 10.0.0.11 POST /owa/auth.owa - 443 drussello 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 60
2010-09-10 15:30:42 10.0.0.11 POST /owa/auth.owa - 443 drussello 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 11
0
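Pulling the status and substatus out of a log like the one posted above, rather than reading it in Notepad, makes the subcode and the failing URL easy to see. This is an added example, not part of the original thread; the sample lines are constructed in the same field order as the posted ones, and the `#Fields` header in the sample is assumed to match the log's own header.

```powershell
# Added example (not from the thread): list redirects and failures from an IIS
# W3C log with their status.substatus and win32 code. $sample is constructed
# data (documentation IP ranges, shortened user agent, hypothetical user).
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-09-10 15:30:37 192.0.2.10 GET /owa/ - 443 - 198.51.100.7 Mozilla/4.0+(constructed) 401 2 5 4
2010-09-10 15:30:37 192.0.2.10 GET / - 80 - 198.51.100.7 Mozilla/4.0+(constructed) 301 0 0 216
2010-09-10 15:30:37 192.0.2.10 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/&reason=0 443 - 198.51.100.7 Mozilla/4.0+(constructed) 200 0 0 89
2010-09-10 15:30:42 192.0.2.10 POST /owa/auth.owa - 443 user1 198.51.100.7 Mozilla/4.0+(constructed) 500 0 0 60
2010-09-10 15:30:43 192.0.2.10 POST /owa/auth.owa - 443
'@

function Get-IisFailedRequest {
    param(
        [string[]]$Line,          # log lines, e.g. from Get-Content
        [int]$MinStatus = 400     # lowest HTTP status to report
    )
    $fields = $null
    foreach ($l in $Line) {
        # The #Fields directive names the columns; it can change mid-file
        # when logging settings are edited, so re-read it every time.
        if ($l -like '#Fields:*') {
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim() -or -not $fields) { continue }

        $cols = $l.Trim() -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # truncated line

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ([int]$row['sc-status'] -lt $MinStatus) { continue }

        New-Object PSObject -Property @{
            TimeUtc = "$($row['date']) $($row['time'])"   # IIS logs in GMT
            Port    = $row['s-port']
            Method  = $row['cs-method']
            Uri     = $row['cs-uri-stem']
            User    = $row['cs-username']
            Status  = "$($row['sc-status']).$($row['sc-substatus'])"
            Win32   = $row['sc-win32-status']
        }
    }
}

# -MinStatus 300 so that 301 redirects are listed next to the 4xx/5xx lines.
# For a real log, pass (Get-Content <path to the log file>) as -Line instead.
Get-IisFailedRequest -Line ($sample -split "`r?`n") -MinStatus 300 |
    Select-Object TimeUtc, Port, Method, Uri, User, Status, Win32 |
    Format-Table -AutoSize
```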
 
LVL 32

Expert Comment

by:endital1097
ID: 33647525
2010-09-10 15:30:42 10.0.0.11 POST /owa/auth.owa - 443 drussello 72.250.246.131 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 11

the dreaded 500 error still
in iis manager go to the basic settings for the owa vdir
make sure it is using the MSExchangeOWAAppPool
0
 

Author Comment

by:Appnet
ID: 33647547
It is using MSExchangeOWAAppPool. Properties list .NET framework 2.0, pipeline mode integrated
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33647598
anonymous authentication is disabled?
just need to pinpoint the issue (typically permission issue somewhere)
0
 

Author Comment

by:Appnet
ID: 33647730
Only basic is enabled. Yeah I agree it has to be a permission issue. It's frustrating though because everything worked until I applied SP1 and I did all of the prereqs
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33647783
i hear you. i'm looking at some other critical locations
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33647833
Translate that GMT time 15:30 to your local time, and see if there are any events in your event log (the application one, most likely) at the same time.  Or, just try to log on again, and see if there are any new events.
0
 

Author Comment

by:Appnet
ID: 33648162
application log has no entries at all during an attempt at accessing OWA
0
 

Author Comment

by:Appnet
ID: 33648191
Also the address in IE changes to the following after you try to logon

https://mail.domainname.com/owa/auth.owa

rebooting server since we made all these changes to see if it helps
0
 

Author Comment

by:Appnet
ID: 33648422
I just reassigned my Godaddy SSL certificate for Exchange, Ran the Exchange Best Practices Analyzer, double checked all the authentication types enabled and SSL settings for each vdir, and rebooted the server. Same problem exists and no useful information from the scans.
0
 
LVL 31

Assisted Solution

by:LeeDerbyshire
LeeDerbyshire earned 375 total points
ID: 33648661
Try turning off Forms-Based authentication, since that's where it seems to be crashing.  If it works with the normal schemes (Basic or Integrated), then maybe you could live without the FBA logon page and at least have OWA working.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33648799
i definitely think it is an fba issue, but cannot pinpoint

can you post
get-owavirtualdirectory | fl
0
 

Author Comment

by:Appnet
ID: 33648929
[PS] C:\Windows\system32>get-owavirtualdirectory | fl


RunspaceId                                          : 86b3c87a-b7ac-40b0-85e5-acee054a9e1a
DirectFileAccessOnPublicComputersEnabled            : True
DirectFileAccessOnPrivateComputersEnabled           : True
WebReadyDocumentViewingOnPublicComputersEnabled     : True
WebReadyDocumentViewingOnPrivateComputersEnabled    : True
ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers              : Block
ActionForUnknownFileAndMIMETypes                    : ForceSave
WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                      sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                      essingml.document, application/vnd.openxmlformats-officedocument.
                                                      spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
                                                      -mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
                                                      pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes         : True
WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/vnd.ms-excel, application/x-msex
                                                      cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
                                                      pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                      dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                      ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
                                                      cument.presentationml.presentation}
WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm,
                                                      .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                      px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                      tion/futuresplash, Application/x-director}
BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                      t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
                                                      }
BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                      access, x-internet-signup, text/javascript, application/xml, appl
                                                      ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers                       : {}
RemoteDocumentsBlockedServers                       : {}
RemoteDocumentsInternalDomainSuffixList             : {}
FolderPathname                                      :
Url                                                 : {}
LogonFormat                                         : UserName
ClientAuthCleanupLevel                              : High
FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
NotificationInterval                                : 120
DefaultTheme                                        :
UserContextTimeout                                  : 60
ExchwebProxyDestination                             :
VirtualDirectoryType                                :
OwaVersion                                          : Exchange2010
ServerName                                          : APPNET-EXCHANGE
InstantMessagingCertificateThumbprint               :
InstantMessagingServerName                          :
RedirectToOptimalOWAServer                          : True
DefaultClientLanguage                               : 0
LogonAndErrorLanguage                               : 0
UseGB18030                                          : False
UseISO885915                                        : False
OutboundCharset                                     : AutoDetect
GlobalAddressListEnabled                            : True
OrganizationEnabled                                 : True
ExplicitLogonEnabled                                : True
OWALightEnabled                                     : True
DelegateAccessEnabled                               : True
IRMEnabled                                          : True
CalendarEnabled                                     : True
ContactsEnabled                                     : True
TasksEnabled                                        : True
JournalEnabled                                      : True
NotesEnabled                                        : True
RemindersAndNotificationsEnabled                    : True
PremiumClientEnabled                                : True
SpellCheckerEnabled                                 : True
SearchFoldersEnabled                                : True
SignaturesEnabled                                   : True
ThemeSelectionEnabled                               : True
JunkEmailEnabled                                    : True
UMIntegrationEnabled                                : True
WSSAccessOnPublicComputersEnabled                   : True
WSSAccessOnPrivateComputersEnabled                  : True
ChangePasswordEnabled                               : True
UNCAccessOnPublicComputersEnabled                   : True
UNCAccessOnPrivateComputersEnabled                  : True
ActiveSyncIntegrationEnabled                        : True
AllAddressListsEnabled                              : True
RulesEnabled                                        : True
PublicFoldersEnabled                                : True
SMimeEnabled                                        : True
RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
CalendarPublishingEnabled                           : True
InstantMessagingType                                : None
Exchange2003Url                                     :
FailbackUrl                                         :
LegacyRedirectType                                  : Silent
Name                                                : owa (Default Web Site)
InternalAuthenticationMethods                       : {Basic, Fba}
MetabasePath                                        : IIS://APPNET-Exchange.appnetonline.local/W3SVC/1/ROOT/owa
BasicAuthentication                                 : True
WindowsAuthentication                               : False
DigestAuthentication                                : False
FormsAuthentication                                 : True
LiveIdAuthentication                                : False
DefaultDomain                                       : appnetonline.local
GzipLevel                                           : High
WebSite                                             : Default Web Site
DisplayName                                         : owa
Path                                                : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking                     : None
ExtendedProtectionFlags                             : {}
ExtendedProtectionSPNList                           : {}
Server                                              : APPNET-EXCHANGE
InternalUrl                                         : https://appnet-exchange.appnetonline.local/owa
ExternalUrl                                         : https://mail.appnetonline.com/owa
ExternalAuthenticationMethods                       : {Fba}
AdminDisplayName                                    :
ExchangeVersion                                     : 0.10 (14.0.100.0)
DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=APPNET-EXCHANGE
                                                      ,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                                      =Administrative Groups,CN=Appnetonline,CN=Microsoft Exchange,CN=S
                                                      ervices,CN=Configuration,DC=appnetonline,DC=local
Identity                                            : APPNET-EXCHANGE\owa (Default Web Site)
Guid                                                : 07c95ada-9574-4e0c-986b-95df98f74337
ObjectCategory                                      : appnetonline.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direc
                                                      tory
ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged                                         : 4/11/2010 12:25:36 AM
WhenCreated                                         : 4/10/2010 1:21:58 PM
WhenChangedUTC                                      : 4/11/2010 4:25:36 AM
WhenCreatedUTC                                      : 4/10/2010 5:21:58 PM
OrganizationId                                      :
OriginatingServer                                   : APPNET-Exchange.appnetonline.local
IsValid                                             : True



[PS] C:\Windows\system32>

0
 

Author Comment

by:Appnet
ID: 33649016
disabling fba to see if that helps
0
 

Author Comment

by:Appnet
ID: 33649070
switching OWA authentication from EMC to basic clear text fixes the problem. I tried switching it back to forms after to see if maybe that helps but it doesn't. So I am going to award points and thank you ALL for your help. It would be nice to be able to use FBA again but after this much effort I need to move on to the next issue and I am just glad it works again.
0
 

Author Closing Comment

by:Appnet
ID: 33649099
This was an awesome experience to get such quick and intelligent troubleshooting advice
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33649475
I would suggest re-enabling FBA after the next rollup, which will probably not be too far away.  If you can't wait that long, come back and let us know.
0
 

Author Comment

by:Appnet
ID: 33650016
I can definitely wait on a cosmetic improvement but I noticed that in OWA if you try to open options or change your out of office reply it takes you to the FBA page which of course does not work. This is a lower priority issue but just wanted to point that out in case it helps anyone else. I am going to live with it for now as I really need to relax this weekend
0
 
LVL 31

Expert Comment

by:LeeDerbyshire
ID: 33650344
The options pages are in another virtual directory named ECP.  It sounds like it still has FBA enabled.  See if you can turn it off in EMC.  I don't know if the authentication options for this vdir have a section in the EMC GUI or not.  There may be a PS command for it.
0
 

Author Comment

by:Appnet
ID: 33651520
Set-EcpVirtualDirectory -Identity "Appnet-Exchange\ECP (Default Web Site)" -InternalURL https://mail.appnetonline.com/ECP -FormsAuthentication $False -BasicAuthentication $True


all fixed now. everything works except FBA which is fine by me, will check back when they have the next update rollup. Thanks again guys
0
