Cannot open Exchange 2010 console or shell. "Kerberos auth failed. Access is denied"

Hi All,
An issue just cropped up on an existing Exchange 2010 production server. When trying to open the Exchange Management Console or the shell, we get the following error:

"The following error occurred when trying to connect to the specified Exchange server 'server.domain.org':
The attempt to connect to http://server.domain.org/PowerShell using "Kerberos" authentication failed:
Connecting to remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
"

I've confirmed my logon user (a domain admin account) is part of the Org Management security group. The time was off on the email server by over 7 minutes. I ran "net time \\dc1 /set" to sync the Exchange box with one of the domain controllers. No change. I even rebooted the server. No change.

I followed a bunch of other topics found on EE regarding WinRM issues, ran the winrm quickconfig, but this didn't change anything.

I'm at a loss and now we cannot manage the Exchange server since we can't get in via the shell or Console.
ITAsked:
Who is Participating?
 
soostibiConnect With a Mentor Commented:
Is you machine virtualized? If so then check if your Exchange Server is double times syncronized or not. It should only be syncronizet to its DC, not to the physical machine.
0
 
Shreedhar EtteCommented:
Please refer the previuosly answered question:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_25992806.html

Hope this helps,
Shree
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
ITAuthor Commented:
Shree,
I followed those previous posts to no avail. The error is a bit vague (nothing refers to WinRM) and nothing is logged in EventVwr.

I even rebooted the server but this did not help. I seem to recall this happening a while ago right after installing Exchange. A reboot "resolved" it then, but not now.
0
 
soostibiCommented:
Have you tried to open a normal PowerShell window, and do:
add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010

And try to run:
test-servicehealth

And see if there is any service that is not running.
0
 
ITAuthor Commented:
Did it. These are the results:

PS C:\Users\redeye> add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
PS C:\Users\redeye> test-servicehealth


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants...}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeAB, MSExchangeADTopology, MSExchangeFBA...}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost...}
ServicesNotRunning      : {}
0
 
soostibiCommented:
OK, then all services are running.
0
 
ITAuthor Commented:
I did notice that my mail server clock is consistently 7 minutes ahead of any domain controller. I've run the "net time \\dc1 /set" command and tried to sync it up, and while it does sync the time, eventually it reverts back to being 7 minutes ahead.

Maybe I ought to start there with any continued troubleshooting??
0
 
ITAuthor Commented:
No. Not virtualized.
0
 
ITAuthor Commented:
Ok, this is creepy. Logged onto the server this morning with same user account as yesterday and I can open the EMC and Shell.

Nothing in Event Viewer.

I'm concerned about this still. If it's indicative of a problem under the covers we definitely need to get it under wraps. Weird stuff.....
0
 
ITAuthor Commented:
It turned out this was related to time being off by approx. 7 minutes on one of the domain controllers. Updated the time via the "net time \\dc1 /set" command and rebooted the Exchange server. This resolved the issue.
0
 
ITAuthor Commented:
Let me clarify. I ran that "net time" command on the offending domain controller that had the time off. I previously ran the "net time" command on the Exchange server, but the time turned out to be fine on that box. Long term solution is to take a deeper look at the older domain controllers on the network and make sure time sync is functional on all.
0
 
ITAuthor Commented:
While our Exchange box is not virtualized, the time sync comment pointed us in the right direction.
0
 
gleasonincCommented:

One of three domain controllers had an incorrect time. fixed the time log off the exchange server and back on and was able to authenticate.
0
 
PCS707Commented:
Thank you soostibi.  After synchronizing the time, I only had to log off and log back on without restarting.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.