Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 18811
  • Last Modified:

Cannot open Exchange 2010 console or shell. "Kerberos auth failed. Access is denied"

Hi All,
An issue just cropped up on an existing Exchange 2010 production server. When trying to open the Exchange Management Console or the shell, we get the following error:

"The following error occurred when trying to connect to the specified Exchange server 'server.domain.org':
The attempt to connect to http://server.domain.org/PowerShell using "Kerberos" authentication failed:
Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
"

I've confirmed my logon user (a domain admin account) is part of the Org Management security group. The time was off on the email server by over 7 minutes. I ran "net time \\dc1 /set" to sync the Exchange box with one of the domain controllers. No change. I even rebooted the server. No change.

I followed a bunch of other topics found on EE regarding WinRM issues, ran the winrm quickconfig, but this didn't change anything.

I'm at a loss and now we cannot manage the Exchange server since we can't get in via the shell or Console.
0
IT
Asked:
IT
1 Solution
 
Shreedhar EtteCommented:
Please refer the previuosly answered question:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_25992806.html

Hope this helps,
Shree
0
 
ITAuthor Commented:
Shree,
I followed those previous posts to no avail. The error is a bit vague (nothing refers to WinRM) and nothing is logged in EventVwr.

I even rebooted the server but this did not help. I seem to recall this happening a while ago right after installing Exchange. A reboot "resolved" it then, but not now.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
soostibiCommented:
Have you tried to open a normal PowerShell window, and do:
add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010

And try to run:
test-servicehealth

And see if there is any service that is not running.
0
 
ITAuthor Commented:
Did it. These are the results:

PS C:\Users\redeye> add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
PS C:\Users\redeye> test-servicehealth


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants...}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeAB, MSExchangeADTopology, MSExchangeFBA...}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost...}
ServicesNotRunning      : {}
0
 
soostibiCommented:
OK, then all services are running.
0
 
ITAuthor Commented:
I did notice that my mail server clock is consistently 7 minutes ahead of any domain controller. I've run the "net time \\dc1 /set" command and tried to sync it up, and while it does sync the time, eventually it reverts back to being 7 minutes ahead.

Maybe I ought to start there with any continued troubleshooting??
0
 
soostibiCommented:
Is you machine virtualized? If so then check if your Exchange Server is double times syncronized or not. It should only be syncronizet to its DC, not to the physical machine.
0
 
ITAuthor Commented:
No. Not virtualized.
0
 
ITAuthor Commented:
Ok, this is creepy. Logged onto the server this morning with same user account as yesterday and I can open the EMC and Shell.

Nothing in Event Viewer.

I'm concerned about this still. If it's indicative of a problem under the covers we definitely need to get it under wraps. Weird stuff.....
0
 
ITAuthor Commented:
It turned out this was related to time being off by approx. 7 minutes on one of the domain controllers. Updated the time via the "net time \\dc1 /set" command and rebooted the Exchange server. This resolved the issue.
0
 
ITAuthor Commented:
Let me clarify. I ran that "net time" command on the offending domain controller that had the time off. I previously ran the "net time" command on the Exchange server, but the time turned out to be fine on that box. Long term solution is to take a deeper look at the older domain controllers on the network and make sure time sync is functional on all.
0
 
ITAuthor Commented:
While our Exchange box is not virtualized, the time sync comment pointed us in the right direction.
0
 
gleasonincCommented:

One of three domain controllers had an incorrect time. fixed the time log off the exchange server and back on and was able to authenticate.
0
 
PCS707Commented:
Thank you soostibi.  After synchronizing the time, I only had to log off and log back on without restarting.  
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now