
After Installing Exchange 2010 Service Pack 1 EMC, EMS, and OWA do not function

After installing Exchange 2010 Service Pack 1, EMC, EMS, and OWA do not function. I think my problem is being caused by an OWA redirect script I installed when first setting up the server, but I am not sure. Outlook appears to be functioning fine.

EMC has the following error when connecting: The attempt to connect to http://<servername>/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following message: The WinRM client received an HTTP status code of 301 from the remote WS-Management service.

EMS has the following error: <servername> connecting to remote server failed with the following message: The WinRM client received an HTTP status code of 301 from the remote WS-Management service.

OWA displays a page: 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

I have tried rebooting the server twice with no improvement. I tried to find the redirect script I used but I have not found it yet.
Busbar Solutions Architect Commented:
can you remove the redirection script and try again
make sure the powershell vdir is not set to require ssl
George Sas IT Engineer Commented:
Depends on where your script was located.
If you patch the server, the OWA folders will be re-created with a new version.
Check:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa

(my case) and you will see the different versions.

So I think you will have to redo your script.
Try to look in the IIS log files and see where you get the access denied.

from technet

Kindly go through the following steps.

1. make sure the IIS WinRM extension is installed
2. open PowerShell and run the command: WinRM Quickconfig
3. Open IIS, go to the PowerShell virtual directory and check that SSL is disabled and authentication is set only to Anonymous
4. Open Windows PowerShell Modules
5. run the Remove-PowerShellVirtualDirectory command
6. run the New-PowerShellVirtualDirectory command
7. IISreset

The following link indicates that this could be an issue with the permissions
AppnetAuthor Commented:
I believe this is the script I used. I tried Mkris9's suggestion and it still doesn't work.


George Sas IT Engineer Commented:
Have you also forced SSL in IIS? Check if it's still on.
The 301 in the error message seems to indicate that EMS and EMC are encountering your redirect when they try to access the powershell vdir.  However you did the redirect, make sure that the PS vdir is not inheriting it.
I had a look at the script you used.  Here are some things you might check.  Look at the properties of the default web site, and open the HTTP Redirect feature.  It is probably set to https://yourserver/owa .  Make sure that the 'Only redirect requests to content in the directory' option IS checked.  Then look at the same feature on the powershell vdir.  Make sure that no redirect is configured at this level.
AppnetAuthor Commented:
I found the redirect that I was using; I was using URL Rewrite 2.0. If I disable the rules for URL Rewrite then the errors all change. EMC and EMS both give an error 403, and in OWA, if I browse to the full path and log on, I get an HTTP 500.
403 requires SSL
500 permission issue
check the permissions on the web.config file in the owa directory under CASServer
500 means 'internal server error', which is a rather vague status message meaning that something went wrong executing a web application.  Is anything else displayed on the page?  If not, make sure that in IE options you have /disabled/ Friendly HTTP Errors (which are no use at all).  If you do that, and nothing else is displayed, you should find something in the server's event logs.  Try turning off Forms-Based Authentication.  Sometimes, it is only the logon page itself that is crashing.

But yes, as already mentioned, 403 usually (but not always) means that SSL has been required on an IIS directory.  Make sure that the PowerShell virtual directory has SSL Required unchecked in IIS Manager.
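The settings discussed in the comments above (HTTP Redirect, inherited URL Rewrite rules, and Require SSL) can be read from PowerShell for the site and each virtual directory at once. This is an added example, not part of the original thread; it assumes the WebAdministration module is available, takes the site and virtual directory names from the thread, and only reads configuration.

```powershell
# Added example (not from the thread): read-only report of the redirect,
# URL Rewrite and "Require SSL" settings in effect at each level.
Import-Module WebAdministration

$site  = 'Default Web Site'                  # site name used in the thread
$vdirs = @('', 'PowerShell', 'owa', 'ecp')   # '' = the site root itself

function Get-Setting([string]$Path, [string]$Filter, [string]$Name) {
    # Some attributes come back wrapped in an object with a .Value property,
    # others as a plain value; return the bare value in both cases.
    $p = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

$report = foreach ($v in $vdirs) {
    $path = "IIS:\Sites\$site"
    if ($v) { $path = "$path\$v" }

    # URL Rewrite rules defined on the site are inherited by child
    # applications unless cleared there. The section only exists when the
    # URL Rewrite module is installed, hence SilentlyContinue.
    $rules = @(Get-WebConfiguration -PSPath $path -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.name })

    New-Object PSObject -Property @{
        Path            = $path
        RedirectEnabled = Get-Setting $path 'system.webServer/httpRedirect' 'enabled'
        RedirectTo      = Get-Setting $path 'system.webServer/httpRedirect' 'destination'
        # childOnly = "Only redirect requests to content in this directory"
        ChildOnly       = Get-Setting $path 'system.webServer/httpRedirect' 'childOnly'
        # sslFlags contains "Ssl" when Require SSL is ticked
        SslFlags        = Get-Setting $path 'system.webServer/security/access' 'sslFlags'
        RewriteRules    = $rules -join ', '
    } | Select-Object Path, RedirectEnabled, RedirectTo, ChildOnly, SslFlags, RewriteRules
}

$report | Format-Table -AutoSize

# EMC and EMS connect to http://<servername>/PowerShell, so any redirect,
# rewrite rule or Require SSL in effect there produces the 301/403 seen above.
$ps = $report | Where-Object { $_.Path -like '*\PowerShell' }
if ($ps.RedirectEnabled -or $ps.RewriteRules -or ($ps.SslFlags -match '\bSsl\b')) {
    Write-Warning 'PowerShell vdir has a redirect, rewrite rule or Require SSL in effect.'
}
```

The values shown are the effective ones, so a setting made on the Default Web Site shows up on every virtual directory that inherits it.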
I have the exact same problem with our server after installing the Service Pack, so I'm not sure it is your script that is the problem. We are speaking to Microsoft right now, so I'll let you know how we get on.
AppnetAuthor Commented:
LeedDerbyshire: That worked....almost. EMC and EMS now function. Also, I reimplemented URL Redirect and EMC and EMS still work. I disabled friendly errors and my symptoms now are as follows. OWA, if I browse to http://servername.com, displays: Server Error 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied. If I browse to https://servername.com/owa I get a login screen; after logging in I get a blank page. Thanks so much for your help.
Come to think of it, I always find that installing Exchange, or a major service pack, tends to select SSL Required on the Default Web Site, which the subdirectories will then inherit, unless overridden.  Now, I'd have thought that the Exchange install would be intelligent enough not to screw up its own powershell vdir, but I think it would be worth checking to see if your Default Web Site now has SSL required.  And if so, whether or not un-requiring it helps.
my comment 33636280 said to do that a while back :)
I know - and a few times since.  But in a long thread, sometimes the earlier comments get ignored.  I also think that at that stage, the redirection was causing a problem before the SSL challenge was encountered.

Also, SSL required is only one of about 20 different kinds of 403 response.  This latest one (with the description 'Forbidden: Access is denied.') sounds like a less common type of 403 response.  You'll have to find the request in the IIS log file, and post the line so that we can see what the subcode is.  Actually, it would be good to see all the IIS log entries generated by the attempted login.
AppnetAuthor Commented:
endital1097, you are correct. My apologies, had a 15 hour day yesterday and so I am a bit tired. Unselecting SSL required from the default site has allowed http://servername.com to redirect to the OWA logon screen, but I am still getting a blank page after logging in. Incorrect credentials do fail with the appropriate error. I tried unselecting SSL required from OWA and it made no difference.
look at your C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa directory
verify that there are files in the highest version number folder
i believe the version number is
Have a look for the latest IIS log file in C:\inetpub\logs\LogFiles\W3SVC1 .  Double-click it to open it in Notepad.  Note that the times are in GMT, then look for a bunch of lines created by the attempted OWA logon.  If you can paste them here it might help.  You will see GET /owa near the beginning of the relevant group of lines.
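Instead of reading the log in Notepad, the status and substatus of each failed request can be pulled out with a short script, with the GMT timestamps converted to local time for comparison with the event log. This is an added example, not part of the original thread; the sample lines are constructed, and the function names are hypothetical.

```powershell
# Added example (not from the thread). The sample lines below are constructed;
# real logs start with a #Fields header that names each column.
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2010-09-10 15:30:37 GET / - 80 - Mozilla/4.0+(compatible) 301 0 0 216',
    '2010-09-10 15:30:37 GET /owa/ - 443 - Mozilla/4.0+(compatible) 401 2 5 4',
    '2010-09-10 15:30:38 GET /owa/auth/logon.aspx reason=0 443 - Mozilla/4.0+(compatible) 200 0 0 89',
    '2010-09-10 15:30:42 POST /owa/auth.owa - 443 user1 Mozilla/4.0+(compatible) 500 0 0 60'
)

function ConvertFrom-W3CLog {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        # The #Fields directive defines the columns for the lines that follow
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^#' -or $l.Trim() -eq '' -or $fields.Count -eq 0) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

function Get-FailedRequest {
    param([string[]]$Line, [string]$StemLike = '*')
    ConvertFrom-W3CLog -Line $Line |
        Where-Object { [int]$_.'sc-status' -ge 300 -and $_.'cs-uri-stem' -like $StemLike } |
        ForEach-Object {
            # Log times are UTC; AssumeUniversal returns the local-time equivalent
            $local = [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::AssumeUniversal)
            New-Object PSObject -Property @{
                LocalTime = $local
                Method    = $_.'cs-method'
                Uri       = $_.'cs-uri-stem'
                Port      = $_.'s-port'
                # status.substatus, e.g. 401.2; the substatus is the "subcode"
                Status    = '{0}.{1}' -f $_.'sc-status', $_.'sc-substatus'
                # sc-win32-status 5 is ERROR_ACCESS_DENIED
                Win32     = $_.'sc-win32-status'
            }
        } | Select-Object LocalTime, Method, Uri, Port, Status, Win32
}

Get-FailedRequest -Line $sample | Format-Table -AutoSize

# Against a real file in the default log folder (file name is a placeholder):
# Get-FailedRequest -Line (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\<file>.log') -StemLike '/owa*'
```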
AppnetAuthor Commented:
I checked, the OWA files are there. It looks very similar to the lower version number folders except it has a new folder inside it named ClientBin. Below is my most recent IIS log showing the event of my attempted login

2010-09-10 15:30:37 GET /owa/ - 443 - Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 401 2 5 4
2010-09-10 15:30:37 GET /owa/auth/logon.aspx url=https://mail.mydomain.com/owa/&reason=0 443 - Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 200 0 0 89
2010-09-10 15:30:37 GET / - 80 - Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 301 0 0 216
2010-09-10 15:30:37 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.mydomain.com%2fowa%2f 443 - Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 200 0 0 210
2010-09-10 15:30:42 POST /owa/auth.owa - 443 drussello Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 60
2010-09-10 15:30:42 POST /owa/auth.owa - 443 drussello Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 11
2010-09-10 15:30:42 POST /owa/auth.owa - 443 drussello Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3;+.NET4.0C) 500 0 0 11

the dreaded 500 error still
in iis manager go to the basic settings for the owa vdir
make sure it is using the MSExchangeOWAAppPool
AppnetAuthor Commented:
It is using MSExchangeOWAAppPool. Properties list .NET framework 2.0, pipeline mode integrated
anonymous authentication is disabled?
just need to pinpoint the issue (typically permission issue somewhere)
AppnetAuthor Commented:
Only basic is enabled. Yeah, I agree it has to be a permission issue. It's frustrating though because everything worked until I applied SP1 and I did all of the prereqs
i hear you. i'm looking at some other critical locations
Translate that GMT time 15:30 to your local time, and see if there are any events in your event log (the application one, most likely) at the same time.  Or, just try to log on again, and see if there are any new events.
AppnetAuthor Commented:
application log has no entries at all during an attempt at accessing OWA
AppnetAuthor Commented:
Also the address in IE changes to the following after you try to logon


rebooting server since we made all these changes to see if it helps
AppnetAuthor Commented:
I just reassigned my Godaddy SSL certificate for Exchange, Ran the Exchange Best Practices Analyzer, double checked all the authentication types enabled and SSL settings for each vdir, and rebooted the server. Same problem exists and no useful information from the scans.
Try turning off Forms-Based authentication, since that's where it seems to be crashing.  If it works with the normal schemes (Basic or Integrated), then maybe you could live without the FBA logon page and at least have OWA working.
i definitely think it is an fba issue, but cannot pinpoint

can you post
get-owavirtualdirectory | fl
AppnetAuthor Commented:
[PS] C:\Windows\system32>get-owavirtualdirectory | fl

RunspaceId                                          : 86b3c87a-b7ac-40b0-85e5-acee054a9e1a
DirectFileAccessOnPublicComputersEnabled            : True
DirectFileAccessOnPrivateComputersEnabled           : True
WebReadyDocumentViewingOnPublicComputersEnabled     : True
WebReadyDocumentViewingOnPrivateComputersEnabled    : True
ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers              : Block
ActionForUnknownFileAndMIMETypes                    : ForceSave
WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                      sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                      essingml.document, application/vnd.openxmlformats-officedocument.
                                                      spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
                                                      -mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
                                                      pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes         : True
WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/vnd.ms-excel, application/x-msex
                                                      cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
                                                      pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                      dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                      ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm,
                                                      .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                      px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                      tion/futuresplash, Application/x-director}
BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                      t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                      access, x-internet-signup, text/javascript, application/xml, appl
                                                      ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers                       : {}
RemoteDocumentsBlockedServers                       : {}
RemoteDocumentsInternalDomainSuffixList             : {}
FolderPathname                                      :
Url                                                 : {}
LogonFormat                                         : UserName
ClientAuthCleanupLevel                              : High
FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
NotificationInterval                                : 120
DefaultTheme                                        :
UserContextTimeout                                  : 60
ExchwebProxyDestination                             :
VirtualDirectoryType                                :
OwaVersion                                          : Exchange2010
ServerName                                          : APPNET-EXCHANGE
InstantMessagingCertificateThumbprint               :
InstantMessagingServerName                          :
RedirectToOptimalOWAServer                          : True
DefaultClientLanguage                               : 0
LogonAndErrorLanguage                               : 0
UseGB18030                                          : False
UseISO885915                                        : False
OutboundCharset                                     : AutoDetect
GlobalAddressListEnabled                            : True
OrganizationEnabled                                 : True
ExplicitLogonEnabled                                : True
OWALightEnabled                                     : True
DelegateAccessEnabled                               : True
IRMEnabled                                          : True
CalendarEnabled                                     : True
ContactsEnabled                                     : True
TasksEnabled                                        : True
JournalEnabled                                      : True
NotesEnabled                                        : True
RemindersAndNotificationsEnabled                    : True
PremiumClientEnabled                                : True
SpellCheckerEnabled                                 : True
SearchFoldersEnabled                                : True
SignaturesEnabled                                   : True
ThemeSelectionEnabled                               : True
JunkEmailEnabled                                    : True
UMIntegrationEnabled                                : True
WSSAccessOnPublicComputersEnabled                   : True
WSSAccessOnPrivateComputersEnabled                  : True
ChangePasswordEnabled                               : True
UNCAccessOnPublicComputersEnabled                   : True
UNCAccessOnPrivateComputersEnabled                  : True
ActiveSyncIntegrationEnabled                        : True
AllAddressListsEnabled                              : True
RulesEnabled                                        : True
PublicFoldersEnabled                                : True
SMimeEnabled                                        : True
RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
CalendarPublishingEnabled                           : True
InstantMessagingType                                : None
Exchange2003Url                                     :
FailbackUrl                                         :
LegacyRedirectType                                  : Silent
Name                                                : owa (Default Web Site)
InternalAuthenticationMethods                       : {Basic, Fba}
MetabasePath                                        : IIS://APPNET-Exchange.appnetonline.local/W3SVC/1/ROOT/owa
BasicAuthentication                                 : True
WindowsAuthentication                               : False
DigestAuthentication                                : False
FormsAuthentication                                 : True
LiveIdAuthentication                                : False
DefaultDomain                                       : appnetonline.local
GzipLevel                                           : High
WebSite                                             : Default Web Site
DisplayName                                         : owa
Path                                                : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking                     : None
ExtendedProtectionFlags                             : {}
ExtendedProtectionSPNList                           : {}
Server                                              : APPNET-EXCHANGE
InternalUrl                                         : https://appnet-exchange.appnetonline.local/owa
ExternalUrl                                         : https://mail.appnetonline.com/owa
ExternalAuthenticationMethods                       : {Fba}
AdminDisplayName                                    :
ExchangeVersion                                     : 0.10 (
DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=APPNET-EXCHANGE
                                                      ,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                                      =Administrative Groups,CN=Appnetonline,CN=Microsoft Exchange,CN=S
Identity                                            : APPNET-EXCHANGE\owa (Default Web Site)
Guid                                                : 07c95ada-9574-4e0c-986b-95df98f74337
ObjectCategory                                      : appnetonline.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direc
ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged                                         : 4/11/2010 12:25:36 AM
WhenCreated                                         : 4/10/2010 1:21:58 PM
WhenChangedUTC                                      : 4/11/2010 4:25:36 AM
WhenCreatedUTC                                      : 4/10/2010 5:21:58 PM
OrganizationId                                      :
OriginatingServer                                   : APPNET-Exchange.appnetonline.local
IsValid                                             : True

[PS] C:\Windows\system32>

AppnetAuthor Commented:
disabling fba to see if that helps
AppnetAuthor Commented:
switching OWA authentication from EMC to basic clear text fixes the problem. I tried switching it back to forms after to see if maybe that helps but it doesn't. So I am going to award points and thank you ALL for your help. It would be nice to be able to use FBA again but after this much effort I need to move on to the next issue and I am just glad it works again.
AppnetAuthor Commented:
This was an awesome experience to get such quick and intelligent troubleshooting advice
I would suggest re-enabling FBA after the next rollup, which will probably not be too far away.  If you can't wait that long, come back and let us know.
AppnetAuthor Commented:
I can definitely wait on a cosmetic improvement, but I noticed that in OWA if you try to open options or change your out of office reply it takes you to the FBA page, which of course does not work. This is a lower priority issue but I just wanted to point that out in case it helps anyone else. I am going to live with it for now as I really need to relax this weekend
The options pages are in another virtual directory named ECP.  It sounds like it still has FBA enabled.  See if you can turn it off in EMC.  I don't know if the authentication options for this vdir have a section in the EMC GUI or not.  There may be a PS command for it.
AppnetAuthor Commented:
Set-EcpVirtualDirectory -Identity "Appnet-Exchange\ECP (Default Web Site)" -InternalURL https://mail.appnetonline.com/ECP -FormsAuthentication $False -BasicAuthentication $True

all fixed now. everything works except FBA which is fine by me, will check back when they have the next update rollup. Thanks again guys
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

  • 16
  • 10
  • 9
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now