Cannot open Exchange 2010 console or shell. "Kerberos auth failed. Access is denied"
Hi All,
An issue just cropped up on an existing Exchange 2010 production server. When trying to open the Exchange Management Console or the shell, we get the following error:
"The following error occurred when trying to connect to the specified Exchange server 'server.domain.org':
The attempt to connect to http://server.domain.org/PowerShell using "Kerberos" authentication failed:
Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."
I've confirmed my logon user (a domain admin account) is part of the Org Management security group. The time was off on the email server by over 7 minutes. I ran "net time \\dc1 /set" to sync the Exchange box with one of the domain controllers. No change. I even rebooted the server. No change.
I followed a bunch of other topics found on EE regarding WinRM issues, ran the winrm quickconfig, but this didn't change anything.
I'm at a loss and now we cannot manage the Exchange server since we can't get in via the shell or Console.
ASKER
Shree,
I followed those previous posts to no avail. The error is a bit vague (nothing refers to WinRM) and nothing is logged in EventVwr.
I even rebooted the server but this did not help. I seem to recall this happening a while ago right after installing Exchange. A reboot "resolved" it then, but not now.
Have you tried to open a normal PowerShell window, and do:
add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
And try to run:
test-servicehealth
And see if there is any service that is not running.
ASKER
Did it. These are the results:
PS C:\Users\redeye> add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
PS C:\Users\redeye> test-servicehealth
Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants...}
ServicesNotRunning : {}
Role : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeAB, MSExchangeADTopology, MSExchangeFBA...}
ServicesNotRunning : {}
Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost...}
ServicesNotRunning : {}
OK, then all services are running.
ASKER
I did notice that my mail server clock is consistently 7 minutes ahead of any domain controller. I've run the "net time \\dc1 /set" command and tried to sync it up, and while it does sync the time, eventually it reverts back to being 7 minutes ahead.
Maybe I ought to start there with any continued troubleshooting??
ASKER CERTIFIED SOLUTION
ASKER
No. Not virtualized.
ASKER
Ok, this is creepy. Logged onto the server this morning with same user account as yesterday and I can open the EMC and Shell.
Nothing in Event Viewer.
I'm concerned about this still. If it's indicative of a problem under the covers we definitely need to get it under wraps. Weird stuff.....
ASKER
It turned out this was related to time being off by approx. 7 minutes on one of the domain controllers. Updated the time via the "net time \\dc1 /set" command and rebooted the Exchange server. This resolved the issue.
ASKER
Let me clarify. I ran that "net time" command on the offending domain controller that had the time off. I previously ran the "net time" command on the Exchange server, but the time turned out to be fine on that box. Long term solution is to take a deeper look at the older domain controllers on the network and make sure time sync is functional on all.
ASKER
While our Exchange box is not virtualized, the time sync comment pointed us in the right direction.
One of three domain controllers had an incorrect time. Fixed the time, logged off the Exchange server and back on, and was able to authenticate.
Thank you soostibi. After synchronizing the time, I only had to log off and log back on without restarting.
https://www.experts-exchange.com/questions/25992806/Exchange-2010-ECM-gives-access-denied-errors.html
Hope this helps,
Shree
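The thread traces the failure to one domain controller whose clock was about 7 minutes off; Kerberos rejects authentication once the skew passes its default tolerance of 5 minutes. The following is an added example, not part of the original thread: it measures each domain controller's offset from the local clock with `w32tm /stripchart` and flags outliers. The DC names, addresses and sample output are constructed placeholders.

```powershell
# Added example. DC names and the sample output at the bottom are constructed.
# Kerberos default "Maximum tolerance for computer clock synchronization" is 5 minutes.
$MaxSkewSeconds = 300

function Get-StripchartOffset {
    # Extract the offset (seconds) from `w32tm /stripchart ... /dataonly` output,
    # whose sample lines look like "09:14:02, +00.0312045s".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1],
                [System.Globalization.CultureInfo]::InvariantCulture)
        }
    }
    return $null   # no sample line: host unreachable, NTP blocked, or "error: 0x..."
}

function Test-DcClockSkew {
    param(
        [string[]]$DomainControllers,
        [hashtable]$SampleOutput   # optional: DC name -> captured lines, for offline runs
    )
    foreach ($dc in $DomainControllers) {
        if ($SampleOutput) {
            $lines = $SampleOutput[$dc]
        } else {
            $lines = & w32tm /stripchart "/computer:$dc" /samples:1 /dataonly
        }
        $offset = Get-StripchartOffset -Lines $lines
        if ($null -eq $offset) {
            $status = 'NoResponse'
        } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            $status = 'ExceedsKerberosTolerance'
        } else {
            $status = 'OK'
        }
        New-Object PSObject -Property @{
            DomainController = $dc; OffsetSeconds = $offset; Status = $status
        } | Select-Object DomainController, OffsetSeconds, Status
    }
}

# Constructed sample: dc2 is roughly 7 minutes off, dc3 did not answer.
$sample = @{
    'dc1' = @('Tracking dc1 [192.0.2.10:123].', '09:14:02, +00.0312045s')
    'dc2' = @('Tracking dc2 [192.0.2.11:123].', '09:14:03, -421.5520113s')
    'dc3' = @('Tracking dc3 [192.0.2.12:123].', '09:14:05, error: 0x800705B4')
}
Test-DcClockSkew -DomainControllers 'dc1','dc2','dc3' -SampleOutput $sample
```

Offsets are relative to the machine running the script, so a single outlier points at that domain controller, while every DC showing a similar large offset points at the local clock instead. Omit `-SampleOutput` to query live domain controllers.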