Outlook 2010 OWA Proxying\Redirection issue for AD Sites


We're experiencing a very frustrating issue with OWA access for users with mailboxes in Active Directory Sites that aren't in the CAS\Mailbox Exchange server (call it SiteA for convenience) that has the External URL parameter listed.

We are running Exchange 2010 SP1 at all sites and, after following the MS TechNet article (http://technet.microsoft.com/en-us/library/bb310763.aspx), set up our servers so that our server at SiteA that faces externally has the internal and external OWA URL listed and all the others at remote sites only have the internal URL listed, with External URL being left blank. What should happen is that any user in any site navigating to https://mail.example.com/owa should be proxied to their relevant mailbox server. However, what happens is that users with mailboxes at SiteA work without an issue but users at any other site receive "Outlook Web App isn't available. If the problem continues, please contact your helpdesk".

Frustratingly, and quite bizarrely, Exchange Activesync works without any issues for users in all sites.

I get the feeling this is an issue related more towards IIS or Windows\Forms authentication on each of the target mailbox servers but I don't want to start guessing.  Can anyone help shed any light on this issue?


One quick question: can you open a mailbox on the CAS in the other sites by navigating directly to https://serverinsite2.com/owa? Do you have the same certificate loaded onto every CAS in the organisation? Are the sites correctly defined in AD Sites and Services?
Orion-Group (Author) commented:
Radweld - thanks for the reply.

Yes, I can access the internal URL and log on without issue. I've even taken it a step further by configuring authentication in one site (site1) to Forms Based and in another site (site2) to Integrated Windows Authentication. I can successfully log on internally to both.

Sites are defined correctly and replication is working - confirmed with a DCDiag.

Aside from the external facing server that has the SSL certificate for the external mail.example.com domain, all the other servers have the certificates automatically generated at time of install.
If you run Get-OWAVirtualDirectory -Identity <NameofClientAccessServer> | FL you will see all the settings for OWA. Can you post up the results from either CAS server?

Orion-Group (Author) commented:
This is an output from site2:

RunspaceId                                          : 7d665846-fa55-41fe-8a77-b9570d4292bf
DirectFileAccessOnPublicComputersEnabled            : True
DirectFileAccessOnPrivateComputersEnabled           : True
WebReadyDocumentViewingOnPublicComputersEnabled     : True
WebReadyDocumentViewingOnPrivateComputersEnabled    : True
ForceWebReadyDocumentViewingFirstOnPublicComputers  : False
ForceWebReadyDocumentViewingFirstOnPrivateComputers : False
RemoteDocumentsActionForUnknownServers              : Block
ActionForUnknownFileAndMIMETypes                    : ForceSave
WebReadyFileTypes                                   : {.xlsx, .pptx, .docx, .xls, .rtf, .ppt, .pps, .pdf, .dot, .doc}
WebReadyMimeTypes                                   : {application/vnd.openxmlformats-officedocument.presentationml.pre
                                                      sentation, application/vnd.openxmlformats-officedocument.wordproc
                                                      essingml.document, application/vnd.openxmlformats-officedocument.
                                                      spreadsheetml.sheet, application/vnd.ms-powerpoint, application/x
                                                      -mspowerpoint, application/vnd.ms-excel, application/x-msexcel, a
                                                      pplication/msword, application/pdf}
WebReadyDocumentViewingForAllSupportedTypes         : True
WebReadyDocumentViewingSupportedMimeTypes           : {application/msword, application/vnd.ms-excel, application/x-msex
                                                      cel, application/vnd.ms-powerpoint, application/x-mspowerpoint, a
                                                      pplication/pdf, application/vnd.openxmlformats-officedocument.wor
                                                      dprocessingml.document, application/vnd.openxmlformats-officedocu
                                                      ment.spreadsheetml.sheet, application/vnd.openxmlformats-officedo
WebReadyDocumentViewingSupportedFileTypes           : {.doc, .dot, .rtf, .xls, .ppt, .pps, .pdf, .docx, .xlsx, .pptx}
AllowedFileTypes                                    : {.rpmsg, .xlsx, .xlsm, .xlsb, .tiff, .pptx, .pptm, .ppsx, .ppsm, 
                                                      .docx, .docm, .zip, .xls, .wmv, .wma, .wav...}
AllowedMimeTypes                                    : {image/jpeg, image/png, image/gif, image/bmp}
ForceSaveFileTypes                                  : {.vsmacros, .ps2xml, .ps1xml, .mshxml, .gadget, .psc2, .psc1, .as
                                                      px, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe...}
ForceSaveMimeTypes                                  : {Application/x-shockwave-flash, Application/octet-stream, Applica
                                                      tion/futuresplash, Application/x-director}
BlockedFileTypes                                    : {.vsmacros, .msh2xml, .msh1xml, .ps2xml, .ps1xml, .mshxml, .gadge
                                                      t, .mhtml, .psc2, .psc1, .msh2, .msh1, .aspx, .xml, .wsh, .wsf...
BlockedMimeTypes                                    : {application/x-javascript, application/javascript, application/ms
                                                      access, x-internet-signup, text/javascript, application/xml, appl
                                                      ication/prg, application/hta, text/scriplet, text/xml}
RemoteDocumentsAllowedServers                       : {}
RemoteDocumentsBlockedServers                       : {}
RemoteDocumentsInternalDomainSuffixList             : {}
FolderPathname                                      : 
Url                                                 : {}
LogonFormat                                         : FullDomain
ClientAuthCleanupLevel                              : High
FilterWebBeaconsAndHtmlForms                        : UserFilterChoice
NotificationInterval                                : 120
DefaultTheme                                        : 
UserContextTimeout                                  : 60
ExchwebProxyDestination                             : 
VirtualDirectoryType                                : 
OwaVersion                                          : Exchange2010
ServerName                                          : Site2-DC
InstantMessagingCertificateThumbprint               : 
InstantMessagingServerName                          : 
RedirectToOptimalOWAServer                          : True
DefaultClientLanguage                               : 0
LogonAndErrorLanguage                               : 0
UseGB18030                                          : False
UseISO885915                                        : False
OutboundCharset                                     : AutoDetect
GlobalAddressListEnabled                            : True
OrganizationEnabled                                 : True
ExplicitLogonEnabled                                : True
OWALightEnabled                                     : True
DelegateAccessEnabled                               : True
IRMEnabled                                          : True
CalendarEnabled                                     : True
ContactsEnabled                                     : True
TasksEnabled                                        : True
JournalEnabled                                      : True
NotesEnabled                                        : True
RemindersAndNotificationsEnabled                    : True
PremiumClientEnabled                                : True
SpellCheckerEnabled                                 : True
SearchFoldersEnabled                                : True
SignaturesEnabled                                   : True
ThemeSelectionEnabled                               : True
JunkEmailEnabled                                    : True
UMIntegrationEnabled                                : True
WSSAccessOnPublicComputersEnabled                   : True
WSSAccessOnPrivateComputersEnabled                  : True
ChangePasswordEnabled                               : True
UNCAccessOnPublicComputersEnabled                   : True
UNCAccessOnPrivateComputersEnabled                  : True
ActiveSyncIntegrationEnabled                        : True
AllAddressListsEnabled                              : True
RulesEnabled                                        : True
PublicFoldersEnabled                                : True
SMimeEnabled                                        : True
RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
CalendarPublishingEnabled                           : True
InstantMessagingType                                : None
Exchange2003Url                                     : 
FailbackUrl                                         : 
LegacyRedirectType                                  : Silent
Name                                                : owa (Default Web Site)
InternalAuthenticationMethods                       : {Ntlm, WindowsIntegrated}
MetabasePath                                        : IIS://Site2-DC.xxxxxxxglobal.local/W3SVC/1/ROOT/owa
BasicAuthentication                                 : False
WindowsAuthentication                               : True
DigestAuthentication                                : False
FormsAuthentication                                 : False
LiveIdAuthentication                                : False
DefaultDomain                                       : 
GzipLevel                                           : High
WebSite                                             : Default Web Site
DisplayName                                         : owa
Path                                                : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
ExtendedProtectionTokenChecking                     : None
ExtendedProtectionFlags                             : {}
ExtendedProtectionSPNList                           : {}
Server                                              : Site2-DC
InternalUrl                                         : https://Site2-dc.xxxxxxxglobal.local/owa
ExternalUrl                                         : 
ExternalAuthenticationMethods                       : {Fba}
AdminDisplayName                                    : 
ExchangeVersion                                     : 0.10 (
DistinguishedName                                   : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=Site2-DC,C
                                                      N=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=A
                                                      dministrative Groups,CN=xxxxxxxglobal,CN=Microsoft Exchange,CN=Serv
Identity                                            : Site2-DC\owa (Default Web Site)
Guid                                                : 5d9bbddd-ec8e-4a56-8950-2d682c64212c
ObjectCategory                                      : xxxxxxxglobal.local/Configuration/Schema/ms-Exch-OWA-Virtual-Direct
ObjectClass                                         : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
WhenChanged                                         : 04/10/2011 13:47:20
WhenCreated                                         : 27/09/2011 15:45:05
WhenChangedUTC                                      : 04/10/2011 12:47:20
WhenCreatedUTC                                      : 27/09/2011 14:45:05
OrganizationId                                      : 
OriginatingServer                                   : Site2-DC.xxxxxxxglobal.local
IsValid                                             : True


Orion-Group (Author) commented:
Also this is an error logged in SiteA regarding proxy attempts from earlier today:

Event ID 41 - MSExchange OWA

The Client Access server "https://mail.xxxxxxx.com/owa" attempted to proxy Outlook Web App traffic for mailbox "/o=xxxxxxxglobal/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Dxxxx Mxxxx". This failed because no Client Access server with an Outlook Web App virtual directory configured for Kerberos authentication could be found in the Active Directory site of the mailbox. The simplest way to configure an Outlook Web App virtual directory for Kerberos authentication is to set it to use Integrated Windows authentication by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, or by using the Exchange Management Console. If you already have a Client Access server deployed in the target Active Directory site with an Outlook Web App virtual directory configured for Kerberos authentication, the proxying Client Access server may not be finding that target Client Access server because it does not have an internalUrl parameter configured. You can configure the internalUrl parameter for the Outlook Web App virtual directory on the Client Access server in the target Active Directory site by using the Set-OwaVirtualDirectory cmdlet.


OK, I am pretty sure you need to set the External Authentication Method to Windows Integrated and not FBA when you don't have an external URL specified.


I have a similar issue here, whereby the CAS servers are not talking to each other.

I get:

Log Name:      Application
Source:        MSExchange OWA
Date:          15/10/2012 16:12:27
Event ID:      71
Task Category: Proxy
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local
Microsoft Exchange Client Access server https://server/owa tried to proxy Outlook traffic to Client Access server https://server2.domain.local/owa. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in https://server2.domain.local/owa may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server. You can change the "internalURL" configuration for the target Client Access server using the Set-OwaVirtualDirectory" task. If you don't want to change the "internalURL" configuration for the Outlook Web App virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2.The server hosting https://server2.domain.local/owa may be configured not to allow Kerberos authentication. It might be set to use Integrated Windows authentication for the Outlook Web App virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="MSExchange OWA" />
    <EventID Qualifiers="49152">71</EventID>
    <TimeCreated SystemTime="2012-10-15T15:12:27.000000000Z" />
    <Security />

Both servers have been changed from FBA to Integrated and Basic....
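The following is an added example written for this thread, not code posted by any participant. It audits every OWA virtual directory that is a proxy target (no ExternalUrl) for the conditions spelled out in the Event ID 41 text earlier in the thread (no Kerberos-capable target, missing InternalUrl) and in the Event ID 71 text just above (IP address instead of host name in InternalUrl), and then applies the accepted answer's fix to the Site2 directory from the FL output. It assumes the Exchange 2010 Management Shell and the identity `Site2-DC\owa (Default Web Site)` shown in that output.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management Shell.
# Audits every OWA virtual directory with a blank ExternalUrl (i.e. a proxy target)
# for the conditions the Event ID 41 and Event ID 71 texts describe.
function Get-OwaProxyTargetProblems {
    $problems = @()
    foreach ($vdir in Get-OwaVirtualDirectory) {
        # An Internet-facing CAS keeps its ExternalUrl and may use FBA; skip it.
        if ($vdir.ExternalUrl) { continue }

        $id = $vdir.Identity
        if (-not $vdir.InternalUrl) {
            $problems += "$id : InternalUrl is blank, so the proxying CAS cannot find this server (Event 41)"
            continue
        }

        # Event 71: an IP address in InternalUrl never matches an HTTP/<host> SPN.
        $hostName = $vdir.InternalUrl.Host
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($hostName, [ref]$parsed)) {
            $problems += "$id : InternalUrl host '$hostName' is an IP address; use the FQDN so Kerberos can match an SPN (Event 71)"
        }

        # Event 41: the target must accept Integrated Windows (Kerberos) auth, not FBA,
        # and per the accepted answer its external method should be WindowsIntegrated.
        if ($vdir.FormsAuthentication -or -not $vdir.WindowsAuthentication) {
            $problems += "$id : FormsAuthentication=$($vdir.FormsAuthentication) WindowsAuthentication=$($vdir.WindowsAuthentication); proxy target needs Integrated Windows auth (Event 41)"
        }
        if ($vdir.ExternalAuthenticationMethods -notcontains 'WindowsIntegrated') {
            $problems += "$id : ExternalAuthenticationMethods=$($vdir.ExternalAuthenticationMethods); expected WindowsIntegrated when ExternalUrl is blank"
        }
    }
    return $problems
}

Get-OwaProxyTargetProblems | ForEach-Object { Write-Warning $_ }

# Remediation for the Site2 directory shown in the FL output. Exchange 2010 requires
# the OWA and ECP directories on a server to use matching authentication, and the
# cmdlets warn that an iisreset is needed before the change takes effect.
$owaId = 'Site2-DC\owa (Default Web Site)'
$ecpId = 'Site2-DC\ecp (Default Web Site)'   # assumed: default ECP identity on the same server
Set-OwaVirtualDirectory -Identity $owaId -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false `
    -ExternalAuthenticationMethods WindowsIntegrated
Set-EcpVirtualDirectory -Identity $ecpId -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false
# Then on Site2-DC:  iisreset /noforce
```

Re-run the audit after replication so the proxying CAS at SiteA sees the updated directory settings from Active Directory.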